[TLS] Request mTLS Flag

Jonathan Hoyland <jonathan.hoyland@gmail.com> Mon, 23 October 2023 15:22 UTC

From: Jonathan Hoyland <jonathan.hoyland@gmail.com>
Date: Mon, 23 Oct 2023 16:22:25 +0100
Message-ID: <CACykbs3TMM6W_K2zHnOjPwuuhxa8ZUnSz2BqvgSGfEpNs71Edg@mail.gmail.com>
To: "<tls@ietf.org>" <tls@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/9e2S95H9YgtHp5HhqdlNqmQP0_w>
Subject: [TLS] Request mTLS Flag

Hey TLSWG,

I've just posted a new draft
<https://www.ietf.org/archive/id/draft-jhoyla-req-mtls-flag-00.html> that
defines a TLS Flag
<https://www.ietf.org/archive/id/draft-ietf-tls-tlsflags-12.html> that
provides a hint to the server that the client supports mTLS / is configured
with a client certificate.

Usually the server has no way to know in advance whether a given inbound
connection is from a client with a certificate. If the server unexpectedly
requests a certificate from a human user, most users wouldn’t know what to
do. To avoid this, many servers never send the CertificateRequest message in
the server’s first flight, or set up dedicated endpoints used only by bots.
If client authentication is necessary it can be negotiated later using a
higher layer either through post-handshake auth or with an Exported
Authenticator, but both of those options add round trips to the connection.

At Cloudflare we’re exploring ways to quickly identify clients. Having an
explicit signal from the client that it has an mTLS certificate on offer
reduces round-trips to find out, avoids unnecessarily probing clients that
have no certificate, etc. I think this would be an ideal use case for the
TLS Flags extension.

I have a pair of interoperable implementations (one based on boringssl and
one based on Go TLS) which I plan to open source before Prague. Obviously
these include implementations of the TLS Flags extension, which hopefully
will help drive that work forward too.

Regards,

Jonathan
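As an added illustration of the mechanism the message describes (this is example code, not the draft's text and not the author's boringssl or Go TLS implementations), the following Go program encodes and decodes the flags field of a TLS Flags extension and makes the server-side decision the draft is about: send CertificateRequest in the first flight only when the ClientHello carried the request-mTLS flag. It assumes the flags layout of draft-ietf-tls-tlsflags (flag N in byte N/8, bit N%8 with bit 0 least significant, field at most 255 bytes, no trailing zero bytes); the flag number `FlagReqMTLS` is a placeholder, since the page does not give the code point, and `RequestCertInFirstFlight` is a hypothetical helper name.

```go
package main

import (
	"errors"
	"fmt"
)

// FlagReqMTLS is a PLACEHOLDER flag number for the "request mTLS" flag.
// The real code point is assigned by the draft/IANA and is not on the page.
const FlagReqMTLS uint = 7

// MaxFlagsLen is the maximum length of the flags<0..255> field.
const MaxFlagsLen = 255

// EncodeFlags builds the extension_data body of a TLS Flags extension from a
// set of flag numbers. Assumed layout (draft-ietf-tls-tlsflags): flag N lives
// in byte N/8, bit N%8 of that byte, bit 0 being the least significant; the
// field is truncated so that it never ends in a zero byte.
func EncodeFlags(flags []uint) ([]byte, error) {
	var out []byte
	for _, f := range flags {
		idx := int(f / 8)
		if idx >= MaxFlagsLen {
			return nil, fmt.Errorf("tlsflags: flag %d does not fit in %d bytes", f, MaxFlagsLen)
		}
		for len(out) <= idx {
			out = append(out, 0)
		}
		out[idx] |= 1 << (f % 8)
	}
	for len(out) > 0 && out[len(out)-1] == 0 {
		out = out[:len(out)-1]
	}
	return out, nil
}

// DecodeFlags parses a flags field back into the set of flag numbers, rejecting
// the encodings a receiver should not accept: an empty field, an over-long
// field, and a field with a trailing zero byte (a non-canonical encoding).
func DecodeFlags(data []byte) ([]uint, error) {
	switch {
	case len(data) == 0:
		return nil, errors.New("tlsflags: empty flags field")
	case len(data) > MaxFlagsLen:
		return nil, errors.New("tlsflags: flags field too long")
	case data[len(data)-1] == 0:
		return nil, errors.New("tlsflags: trailing zero byte")
	}
	var flags []uint
	for i, b := range data {
		for bit := uint(0); bit < 8; bit++ {
			if b&(1<<bit) != 0 {
				flags = append(flags, uint(i)*8+bit)
			}
		}
	}
	return flags, nil
}

// HasFlag reports whether flag n is in the decoded set.
func HasFlag(flags []uint, n uint) bool {
	for _, f := range flags {
		if f == n {
			return true
		}
	}
	return false
}

// RequestCertInFirstFlight is the server-side decision (hypothetical helper):
// send CertificateRequest in the first flight only when the ClientHello carried
// a well-formed TLS Flags extension with the request-mTLS flag set. A
// ClientHello without the extension (present=false) is handled as today: no
// CertificateRequest, so an ordinary browser user never sees a surprise prompt.
func RequestCertInFirstFlight(present bool, extData []byte) (bool, error) {
	if !present {
		return false, nil
	}
	flags, err := DecodeFlags(extData)
	if err != nil {
		return false, err // malformed extension: abort the handshake
	}
	return HasFlag(flags, FlagReqMTLS), nil
}

func main() {
	// Constructed sample: a client that advertises the request-mTLS flag.
	ext, _ := EncodeFlags([]uint{FlagReqMTLS})
	fmt.Printf("client flags field: %x\n", ext)
	ask, err := RequestCertInFirstFlight(true, ext)
	fmt.Println("CertificateRequest in first flight:", ask, err)
	ask, err = RequestCertInFirstFlight(false, nil)
	fmt.Println("without the extension:", ask, err)
}
```

The `present` argument is kept separate from the byte slice on purpose: an absent extension (legacy client, no certificate configured) is the normal case and must not be confused with an empty or malformed flags field, which the decoder rejects so the handshake fails closed rather than silently granting the hint.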