[TLS] Register port for https+client cert (was Re: draft-rescorla-tls-renegotiate.txt)

Chris Newman <Chris.Newman@Sun.COM> Wed, 11 November 2009 23:59 UTC

In-reply-to: <200911070100.nA710jJO018486@fs4113.wdf.sap.corp>
To: mrex@sap.com
Message-id: <5F1B41A60D9D4613F01568C9@446E7922C82D299DB29D899F>
References: <200911070100.nA710jJO018486@fs4113.wdf.sap.corp>
Cc: tls@ietf.org

--On November 7, 2009 2:00:45 +0100 Martin Rex <mrex@sap.com> wrote:
> Should we ask for an additional port to be officially allocated
> to http-over-ssl-with-client-cert

This is a good idea.

HTTP authentication is particularly badly designed, but we can't really fix 
it so we have to live with it.  Having a separate port for 
HTTP-with-client-cert-mandatory where the server can "just know" that 
client certs will be present in the initial handshake and will never be 
renegotiated, and the client can "just know" it has to prompt the user for 
client cert selection removes some of the need for all the security 
"fudging" HTTP does and thus is an overall security improvement, IMHO.

I would not want other protocols to copy this mess, however -- application 
protocols should have a clean and simple state transition between "not 
authenticated" and "authenticated" state.  POP, IMAP, XMPP, LDAP, BEEP and 
even Telnet did this better than HTTP.

		- Chris
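The dedicated-port model described in this message, as an added illustration that is not part of the thread or of anything the TLS working group published: a Go `crypto/tls` server for a hypothetical "HTTPS with mandatory client certificate" port sets `ClientAuth: tls.RequireAndVerifyClientCert`, so the client certificate is demanded and verified in the initial handshake and authentication never needs a renegotiation; a client that presents no certificate is rejected on both ends. The throwaway CA, the names `ca.example`, `server.example` and `alice.example`, and the loopback listener standing in for the dedicated port are all constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"io"
	"math/big"
	"net"
	"time"
)

func check(err error) {
	if err != nil {
		panic(err)
	}
}

// issueCert mints a throwaway certificate for cn, signed by parent/parentKey
// (self-signed when parent is nil). All names and keys are constructed here.
func issueCert(cn string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()),
		Subject:               pkix.Name{CommonName: cn},
		DNSNames:              []string{cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	check(err)
	cert, err := x509.ParseCertificate(der)
	check(err)
	return cert, key
}

// dedicatedPortConfigs builds the server config for the dedicated "HTTPS with
// mandatory client cert" port and a client config that presents a cert only when
// withClientCert is set. The server verifies the client cert in the first handshake.
func dedicatedPortConfigs(withClientCert bool) (server, client *tls.Config) {
	caCert, caKey := issueCert("ca.example", true, nil, nil)
	srvCert, srvKey := issueCert("server.example", false, caCert, caKey)
	cliCert, cliKey := issueCert("alice.example", false, caCert, caKey)
	pool := x509.NewCertPool()
	pool.AddCert(caCert)
	server = &tls.Config{
		Certificates: []tls.Certificate{{Certificate: [][]byte{srvCert.Raw}, PrivateKey: srvKey}},
		ClientAuth:   tls.RequireAndVerifyClientCert, // the server "just knows" a cert is coming
		ClientCAs:    pool,
	}
	client = &tls.Config{RootCAs: pool, ServerName: "server.example"}
	if withClientCert {
		client.Certificates = []tls.Certificate{{Certificate: [][]byte{cliCert.Raw}, PrivateKey: cliKey}}
	}
	return server, client
}

// connectOnce runs one connection over loopback TCP. The server greets the client by
// the CN in its certificate; the client reads until close_notify. Both errors are returned.
func connectOnce(serverCfg, clientCfg *tls.Config) (got string, clientErr, serverErr error) {
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	check(err)
	defer ln.Close()
	done := make(chan error, 1)
	go func() {
		raw, err := ln.Accept()
		check(err)
		conn := tls.Server(raw, serverCfg)
		defer conn.Close()
		err = conn.Handshake() // fails when the client sends no certificate
		if err == nil {
			_, err = conn.Write([]byte("hello " + conn.ConnectionState().PeerCertificates[0].Subject.CommonName))
		}
		done <- err
	}()
	conn, err := tls.Dial("tcp", ln.Addr().String(), clientCfg)
	if err != nil {
		return "", err, <-done
	}
	defer conn.Close()
	data, err := io.ReadAll(conn)
	return string(data), err, <-done
}

func main() {
	for _, withCert := range []bool{true, false} {
		got, cErr, sErr := connectOnce(dedicatedPortConfigs(withCert))
		fmt.Printf("client cert=%v: got=%q clientErr=%v serverErr=%v\n", withCert, got, cErr, sErr)
	}
}
```

Run with `go run`: the first connection prints the greeting, the second prints the server's rejection and the client-side error. One wrinkle worth noticing: under TLS 1.3 the client's own handshake completes before the server's rejection arrives, so a client only observes the refusal when it reads from the connection, which is why connectOnce reads to close_notify instead of trusting the Dial result alone.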