Re: [TLS] Renegotiation and client authentication
Yoav Nir <ynir.ietf@gmail.com> Mon, 10 March 2014 11:35 UTC
In-Reply-To: <CABkgnnXr==DOYPmVh6smK-yzL-cF6kCtt1GCVfBoSFN3XFDVNg@mail.gmail.com>
References: <CABkgnnV6idrFx_=HugBvGifC-+QLdf8ao-EhsuyCG_atNe7Kkg@mail.gmail.com> <506B0C5A-1EC6-427D-9FCB-8F19F85DA8C6@gmail.com> <CABkgnnXr==DOYPmVh6smK-yzL-cF6kCtt1GCVfBoSFN3XFDVNg@mail.gmail.com>
Date: Mon, 10 Mar 2014 13:35:13 +0200
Message-ID: <CAGvU-a6L7fiZXRD_V-_aqos6FGUF8BGwhazKPLtu2mKGoRSw7A@mail.gmail.com>
From: Yoav Nir <ynir.ietf@gmail.com>
To: Martin Thomson <martin.thomson@gmail.com>
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/4jq02_NEOy5W_2-foK73rgGVLyU
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] Renegotiation and client authentication
On Mon, Mar 10, 2014 at 10:14 AM, Martin Thomson <martin.thomson@gmail.com> wrote:

> On 9 March 2014 23:22, Yoav Nir <ynir.ietf@gmail.com> wrote:
> > 1. Always request a client certificate
>
> FYI, most software has a secondary configuration on this point:
> whether to reject the connection if a certificate is not provided.
> This makes the request from the server optional to comply with (or
> not).

Yes, but the user experience is the same whether the server has marked the client authentication as optional or mandatory - the browser pops up a certificate selector, and you don't want that on the landing page.

> You also need a document describing how HTML or HTTP is used to trigger
> such a connection
>
> http://datatracker.ietf.org/doc/draft-thomson-httpbis-catch/

I would have preferred a response code (like "4xx client authentication needed"), but this works as well.

How does the server tell new clients (that support this extension) apart from older clients, for which you still have to use renegotiation (in TLS 1.2 of course...)? Sending this to old clients would result in breakage.

Yoav
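The two points made above (Martin's "secondary configuration" of request-but-do-not-reject versus require, and Yoav's observation that the client is prompted either way) can be watched directly in a handshake. The following Go program is an added example written for this archive page; it is not code from the thread, from the cited draft, or from any TLS implementation's own test suite. It uses Go's crypto/tls as a stand-in for "most software": `VerifyClientCertIfGiven` plays the optional policy, `RequireAndVerifyClientCert` the mandatory one, and the client's `GetClientCertificate` callback plays the browser's certificate selector. The CA, server and client certificates are a constructed throwaway PKI generated in memory, the names "Example Test CA", "localhost" and "alice" are arbitrary, and TLS 1.2 is pinned because that is the version whose renegotiation the thread is discussing.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// must panics on error; acceptable for a demo that builds a throwaway test PKI.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// newCert issues an ECDSA P-256 certificate for the constructed test PKI (not real
// credentials). The CA is self-signed; every other certificate is signed by parent.
func newCert(cn string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()),
		Subject:               pkix.Name{CommonName: cn},
		DNSNames:              []string{"localhost"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
		parent, parentKey = tmpl, key // self-signed root
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey))
	return must(x509.ParseCertificate(der)), key
}

// HandshakeResult records what each side observed in one handshake.
type HandshakeResult struct {
	ClientPrompted bool   // client was asked for a certificate (the "selector" moment)
	ClientCertSeen bool   // server finished the handshake holding a client certificate
	ServerErr      string // empty if the server accepted the connection
}

// runHandshake runs one TLS 1.2 handshake over an in-memory pipe with the server's
// client-auth policy set to mode; clientHasCert decides whether the client answers
// the CertificateRequest with a certificate or with an empty Certificate message.
func runHandshake(mode tls.ClientAuthType, clientHasCert bool) HandshakeResult {
	var res HandshakeResult
	ca, caKey := newCert("Example Test CA", true, nil, nil)
	srv, srvKey := newCert("localhost", false, ca, caKey)
	cli, cliKey := newCert("alice", false, ca, caKey)
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	srvCfg := &tls.Config{
		Certificates:           []tls.Certificate{{Certificate: [][]byte{srv.Raw}, PrivateKey: srvKey}},
		ClientAuth:             mode, // "request" vs "reject if absent" is this one knob
		ClientCAs:              pool,
		MaxVersion:             tls.VersionTLS12,
		SessionTicketsDisabled: true,
	}
	cliCfg := &tls.Config{
		RootCAs:    pool,
		ServerName: "localhost",
		MaxVersion: tls.VersionTLS12,
		// Runs whenever the server sends CertificateRequest, optional or mandatory:
		// this is where a browser would pop up its certificate selector.
		GetClientCertificate: func(*tls.CertificateRequestInfo) (*tls.Certificate, error) {
			res.ClientPrompted = true
			if clientHasCert {
				return &tls.Certificate{Certificate: [][]byte{cli.Raw}, PrivateKey: cliKey}, nil
			}
			return &tls.Certificate{}, nil // empty: "no certificate offered"
		},
	}
	srvRaw, cliRaw := net.Pipe()
	defer srvRaw.Close()
	defer cliRaw.Close()
	srvConn := tls.Server(srvRaw, srvCfg)
	done := make(chan error, 1)
	go func() { done <- srvConn.Handshake() }()
	tls.Client(cliRaw, cliCfg).Handshake() // on rejection the client receives the server's alert
	if err := <-done; err != nil {
		res.ServerErr = err.Error()
	}
	res.ClientCertSeen = len(srvConn.ConnectionState().PeerCertificates) > 0
	return res
}

func main() {
	for _, mode := range []tls.ClientAuthType{tls.NoClientCert, tls.VerifyClientCertIfGiven, tls.RequireAndVerifyClientCert} {
		for _, has := range []bool{false, true} {
			r := runHandshake(mode, has)
			fmt.Printf("%-28v client-cert=%-5v prompted=%-5v authenticated=%-5v err=%q\n", mode, has, r.ClientPrompted, r.ClientCertSeen, r.ServerErr)
		}
	}
}
```

Running it shows the optional and mandatory policies differing only in what the server does with an empty Certificate message: the client callback fires in both, which is the landing-page problem; only `NoClientCert` leaves the visitor unprompted, at the cost of authenticating nobody on that connection.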