Re: [TLS] Renegotiation and client authentication

Yoav Nir <ynir.ietf@gmail.com> Mon, 10 March 2014 11:35 UTC

In-Reply-To: <CABkgnnXr==DOYPmVh6smK-yzL-cF6kCtt1GCVfBoSFN3XFDVNg@mail.gmail.com>
References: <CABkgnnV6idrFx_=HugBvGifC-+QLdf8ao-EhsuyCG_atNe7Kkg@mail.gmail.com> <506B0C5A-1EC6-427D-9FCB-8F19F85DA8C6@gmail.com> <CABkgnnXr==DOYPmVh6smK-yzL-cF6kCtt1GCVfBoSFN3XFDVNg@mail.gmail.com>
Date: Mon, 10 Mar 2014 13:35:13 +0200
Message-ID: <CAGvU-a6L7fiZXRD_V-_aqos6FGUF8BGwhazKPLtu2mKGoRSw7A@mail.gmail.com>
From: Yoav Nir <ynir.ietf@gmail.com>
To: Martin Thomson <martin.thomson@gmail.com>
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/4jq02_NEOy5W_2-foK73rgGVLyU
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] Renegotiation and client authentication

On Mon, Mar 10, 2014 at 10:14 AM, Martin Thomson
<martin.thomson@gmail.com> wrote:

> On 9 March 2014 23:22, Yoav Nir <ynir.ietf@gmail.com> wrote:
> >  1. Always request a client certificate
>
> FYI, most software has a secondary configuration on this point:
> whether to reject the connection if a certificate is not provided.
> This makes the request from the server optional to comply with (or
> not).
>

Yes, but the user experience is the same whether the server has marked the
client authentication as optional or mandatory - the browser pops up a
certificate selector, and you don't want that on the landing page.

> You also need a document describing how HTML or HTTP is used to trigger
> such a connection
>
> http://datatracker.ietf.org/doc/draft-thomson-httpbis-catch/
>

I would have preferred a response code (like "4xx client authentication
needed"), but this works as well.

How does the server tell new clients (that support this extension) apart
from older clients, for which you still have to use renegotiation (in TLS
1.2 of course...)? Sending this to old clients would result in breakage.

Yoav
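The optional-versus-mandatory distinction discussed above can be reproduced with Go's standard library. The following is an added example, not code from the thread or from any IETF draft: it runs an in-memory TLS handshake over loopback for each server-side client-auth policy, using a constructed self-signed certificate and a client that holds no certificate. The client's `GetClientCertificate` callback stands in for the browser's certificate selector; it fires whenever the server sends CertificateRequest, which is why "optional" and "mandatory" look identical to the user, while only the mandatory policy rejects the handshake when no certificate is returned.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// selfSigned builds a throwaway self-signed certificate (constructed for this
// example; a real deployment would use a CA-issued server certificate).
func selfSigned(name string) tls.Certificate {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: name},
		DNSNames:     []string{name},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}
}

// Result records what one handshake looked like from both sides.
type Result struct {
	Prompted bool  // the client-side certificate callback fired (the "selector")
	Err      error // server handshake error; nil means the server accepted
}

// handshake runs one TLS handshake over loopback with the given server
// ClientAuth policy. The client never presents a certificate, mimicking a
// user who dismisses the browser's certificate selector.
func handshake(policy tls.ClientAuthType) Result {
	serverCert := selfSigned("example.test")
	leaf, _ := x509.ParseCertificate(serverCert.Certificate[0])
	pool := x509.NewCertPool()
	pool.AddCert(leaf) // client trusts the server, so only the policy decides

	var res Result
	clientCfg := &tls.Config{
		RootCAs:    pool,
		ServerName: "example.test",
		MinVersion: tls.VersionTLS12,
		// Invoked only when the server sends CertificateRequest. Returning an
		// empty Certificate sends an empty certificate list to the server.
		GetClientCertificate: func(*tls.CertificateRequestInfo) (*tls.Certificate, error) {
			res.Prompted = true
			return &tls.Certificate{}, nil
		},
	}
	serverCfg := &tls.Config{
		Certificates: []tls.Certificate{serverCert},
		ClientAuth:   policy,
		MinVersion:   tls.VersionTLS12,
	}

	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		return Result{Err: err}
	}
	defer ln.Close()
	conn, err := net.Dial("tcp", ln.Addr().String())
	if err != nil {
		return Result{Err: err}
	}
	defer conn.Close()
	raw, err := ln.Accept()
	if err != nil {
		return Result{Err: err}
	}
	defer raw.Close()

	client := tls.Client(conn, clientCfg)
	server := tls.Server(raw, serverCfg)
	done := make(chan error, 1)
	go func() { done <- client.Handshake() }()
	res.Err = server.Handshake()
	<-done // the channel receive also publishes res.Prompted to this goroutine
	return res
}

func main() {
	policies := []struct {
		name   string
		policy tls.ClientAuthType
	}{
		{"NoClientCert (no CertificateRequest sent)", tls.NoClientCert},
		{"RequestClientCert (optional)", tls.RequestClientCert},
		{"VerifyClientCertIfGiven (optional)", tls.VerifyClientCertIfGiven},
		{"RequireAnyClientCert (mandatory)", tls.RequireAnyClientCert},
	}
	for _, p := range policies {
		r := handshake(p.policy)
		fmt.Printf("%-44s selector=%-5v server=%v\n", p.name, r.Prompted, r.Err)
	}
}
```

The only policy that spares the user a prompt is the one that sends no CertificateRequest at all, which is why the thread's concern is about where in the connection the request is made rather than about whether the server marks it optional.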