IETF Logo Mail Archive

Re: [TLS] TLS-OBC proposal

Dirk Balfanz <balfanz@google.com> Thu, 25 August 2011 06:21 UTC

Return-Path: <balfanz@google.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0E8B021F875E for <tls@ietfa.amsl.com>; Wed, 24 Aug 2011 23:21:18 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -105.559
X-Spam-Level:
X-Spam-Status: No, score=-105.559 tagged_above=-999 required=5 tests=[AWL=0.417, BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-4, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id gcjva9JmnCgJ for <tls@ietfa.amsl.com>; Wed, 24 Aug 2011 23:21:16 -0700 (PDT)
Received: from smtp-out.google.com (smtp-out.google.com [74.125.121.67]) by ietfa.amsl.com (Postfix) with ESMTP id 64E8921F8754 for <tls@ietf.org>; Wed, 24 Aug 2011 23:21:16 -0700 (PDT)
Received: from hpaq1.eem.corp.google.com (hpaq1.eem.corp.google.com [172.25.149.1]) by smtp-out.google.com with ESMTP id p7P6MSDf006594 for <tls@ietf.org>; Wed, 24 Aug 2011 23:22:28 -0700
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; d=google.com; s=beta; t=1314253348; bh=xST4Kwjz6NgvMdLgOJPPpp9dOp0=; h=MIME-Version:In-Reply-To:References:Date:Message-ID:Subject:From: To:Cc:Content-Type; b=XK0Ezd7C76LV4DFudWCuH9K8m8BwyHnTIYn2sZ8p/xSbUfK+DoLj4mzm2iapeCNk3 Jc1JCwsKMk8sjq0eWqkRg==
DomainKey-Signature: a=rsa-sha1; s=beta; d=google.com; c=nofws; q=dns; h=dkim-signature:mime-version:in-reply-to:references:date: message-id:subject:from:to:cc:content-type:x-system-of-record; b=LLJyHnHap7MvS6VXnCDTxZY2Tnn9SZesqX6zXst48zEeI6izywxoN7kgRSrMQjRc+ Y4fhHdAqa3AhpMQXI7z6g==
Received: from gwj17 (gwj17.prod.google.com [10.200.10.17]) by hpaq1.eem.corp.google.com with ESMTP id p7P6MQYG009774 (version=TLSv1/SSLv3 cipher=RC4-SHA bits=128 verify=NOT) for <tls@ietf.org>; Wed, 24 Aug 2011 23:22:27 -0700
Received: by gwj17 with SMTP id 17so1314135gwj.10 for <tls@ietf.org>; Wed, 24 Aug 2011 23:22:26 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=beta; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=h9UzrzSYtPSNb2FIQtY19zOMToWHh2QAAYOJYkd+Svs=; b=eINqFG4KZ/Nd5ah9GmmwfHMtCiaFyl0pF3PnfuGalP18v1kBxiUM7aOcaLI3+L96bc UO9pPcKVWzSnwWnA/H6A==
Received: by 10.91.160.39 with SMTP id m39mr5859054ago.17.1314253345811; Wed, 24 Aug 2011 23:22:25 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.91.160.39 with SMTP id m39mr5859044ago.17.1314253345524; Wed, 24 Aug 2011 23:22:25 -0700 (PDT)
Received: by 10.90.56.4 with HTTP; Wed, 24 Aug 2011 23:22:25 -0700 (PDT)
In-Reply-To: <CADKevbDYnjzFe8w7MTyQWhBUBRLo_vUROEy2uinjaA3cwpqq9w@mail.gmail.com>
References: <CADHfa2AMOeShxH_k5ZEB3DUVJAnOqvZmLMg5Yz8smtBDGkQsNg@mail.gmail.com> <CADKevbDYnjzFe8w7MTyQWhBUBRLo_vUROEy2uinjaA3cwpqq9w@mail.gmail.com>
Date: Wed, 24 Aug 2011 23:22:25 -0700
Message-ID: <CADHfa2B8ntB9yHWfU2Y_nA4ysx2hAm9--ATKAVnDZh=+O+on-w@mail.gmail.com>
From: Dirk Balfanz <balfanz@google.com>
To: Chris Richardson <chris@randomnonce.org>
Content-Type: multipart/alternative; boundary="0016e6407cd6cec15e04ab4e731e"
X-System-Of-Record: true
Cc: tls@ietf.org
Subject: Re: [TLS] TLS-OBC proposal
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 25 Aug 2011 06:21:18 -0000

On Tue, Aug 23, 2011 at 4:25 PM, Chris Richardson <chris@randomnonce.org>wrote:

> I think the draft is inconsistent with respect to the
> certificate_authorities list.
>
> From section 3.3: "[if both sides include the extension], client and
> server are considered to have negotiated origin-bound client
> certificates for the session."
>
> No problem there.
>
> From section 3.4: "the server MAY use an empty "certificate_authorities"
> list"
>
> Should that be a MUST, or at least a SHOULD?  If OBC has been
> negotiated, why would a CA-signed cert be used?
>

Agreed. I'll fix it. Probably a SHOULD, just in case some servers find it
hard to turn off their standard list of CAs?


>
> From section 3.4: [the client] MUST ignore the "certificate_authorities"
> list
>
> No problem there, but it again makes me think the server SHOULD/MUST
> send an empty list.
>
> Section 3.5: If the "certificate_authorities" list in the Certificate
> Request is empty, that certificate SHOULD be an origin-bound
> certificate, and it should be selected by the client without any
> assistance or approval by the end-user. If the
> "certificate_authorities" list in the Certificate Request is not
> empty, the client MAY select a regular certificate for inclusion in
> the Client Certificate message, and MAY involve the end-user in the
> certificate selection process."
>
> The client MUST ignore the list, but MAY take action based upon the
> content of the list?
>

Good catch - you're seeing a bad merge of two different versions of this
section. The one I meant to be in there is the one where the client MUST
ignore the list (long story...:-).

I'll collect more comments for now (instead of fixing it right away), but I
will make sure that gets fixed in the next draft.

Dirk.



>
> Chris
>
>
> On Mon, Aug 22, 2011 at 1:53 PM, Dirk Balfanz <balfanz@google.com> wrote:
> >
> > Dear TLS-WG,
> > I few weeks ago I presented a proposal for an "origin-bound certificates"
> TLS extension at IETF 81. It's much easier to understand what this extension
> is trying to accomplish when presented in a broader context of web
> authentication (which I tried to give in Quebec), so I put together a little
> web site that is supposed to do just that for those who couldn't be at the
> IETF meeting: http://browserauth.net (This took me a little while, hence
> the delay in sending out the I-D).
> > Anyway, here is the I-D:
> http://tools.ietf.org/html/draft-balfanz-tls-obc, which I submit for your
> comments/feedback. (Again, remember to read http://browserauth.net for
> some context.)
> > All feedback is welcome, of course, but if you can't think of anything to
> comment on, I have a couple particular questions:
> > - in Section 2.1.1 we currently stipulate that the client include the
> origin of the origin-bound cert as part of the OBC X.509 extension. When we
> implemented this, we didn't really know what to do with that data on the
> server side. If the client also uses TLS-SNI, then we could imagine
> comparing the SNI and OBC origins in some manner on the server side, but
> there isn't really a vehicle to signal an error back to the client saying
> "your SNI and OBC origins don't match". Similarly, we could perhaps at some
> higher layer compare the HTTP "Host" header with the OBC origin, but then
> again - what do you do when they don't match? Respond with a 400 at the HTTP
> layer? An alternative to the current language in the I-D would be to simply
> mark the cert as origin-bound, but without putting the origin itself into
> the cert. Any thoughts?
> > - What do you think of the privacy-enhancing power of using per-origin
> certs? The idea there is that different domains see different "identities"
> (public keys) for the same client. Of course, if two domains choose to
> collaborate, they can probably find a way to correlate the two identities
> they see for the same client. This is similar to cookies, where normally
> "identities" (cookies) for one domain are not revealed to another domain
> unless, of course, they choose to collaborate. How much privacy would we
> really lose if we just used one certificate for all origins? It would
> certainly make the design and implementation simpler. (I tend to favor
> per-origin certs, but I'm curious as to what other people think.)
> > Thanks for your consideration!
> > Dirk.
> >
> > _______________________________________________
> > TLS mailing list
> > TLS@ietf.org
> > https://www.ietf.org/mailman/listinfo/tls
> >
>

v2.23.0 | Report a Bug | By Email