[TLS] Request mTLS Flag
Jonathan Hoyland <jonathan.hoyland@gmail.com> Mon, 23 October 2023 15:22 UTC
From: Jonathan Hoyland <jonathan.hoyland@gmail.com>
Date: Mon, 23 Oct 2023 16:22:25 +0100
Message-ID: <CACykbs3TMM6W_K2zHnOjPwuuhxa8ZUnSz2BqvgSGfEpNs71Edg@mail.gmail.com>
To: "<tls@ietf.org>" <tls@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/9e2S95H9YgtHp5HhqdlNqmQP0_w>
Hey TLSWG,

I've just posted a new draft <https://www.ietf.org/archive/id/draft-jhoyla-req-mtls-flag-00.html> that defines a TLS Flag <https://www.ietf.org/archive/id/draft-ietf-tls-tlsflags-12.html> that provides a hint to the server that the client supports mTLS / is configured with a client certificate.

Usually the server has no way to know in advance whether a given inbound connection is from a client with a certificate. If the server unexpectedly requests a certificate from a human user, most users wouldn’t know what to do. To avoid this, many servers never send the CertificateRequest message in the server’s first flight, or set up dedicated endpoints used only by bots. If client authentication is necessary, it can be negotiated later using a higher layer, either through post-handshake auth or with an Exported Authenticator, but both of those options add round trips to the connection.

At Cloudflare we’re exploring ways to quickly identify clients. Having an explicit signal from the client that it has an mTLS certificate on offer reduces round-trips to find out, avoids unnecessarily probing clients that have no certificate, etc.

I think this would be an ideal use case for the TLS Flags extension.

I have a pair of interoperable implementations (one based on boringssl and one based on Go TLS) which I plan to open source before Prague. Obviously these include implementations of the TLS Flags extension, which hopefully will help drive that work forward too.

Regards,
Jonathan
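An added illustration of the mechanism described in the post (example code written for this page, not Jonathan's BoringSSL or Go implementation): it encodes and decodes the `tls_flags` extension body as a bit string per my reading of draft-ietf-tls-tlsflags-12 (flag N at bit N % 8 of byte N // 8, no trailing zero bytes), and shows the server-side decision of sending CertificateRequest in the first flight only when the client set the flag. The flag number and the dictionary key for the extension type are placeholders; the draft leaves the number TBD.

```python
TLS_FLAGS_EXT_TYPE = "tls_flags"  # placeholder key; the real extension type is IANA-assigned
REQ_MTLS_FLAG = 17                # placeholder flag number; draft-00 leaves it TBD


def encode_flags(flag_numbers):
    """Build the tls_flags extension_data (opaque flags<1..255>).

    Flag N lives at bit N % 8 of byte N // 8, flag 0 being the least
    significant bit of the first byte. Because the highest set flag lands
    in the last byte, the encoding never carries trailing zero bytes.
    """
    if not flag_numbers:
        raise ValueError("at least one flag must be set")
    if any(n < 0 or n >= 255 * 8 for n in flag_numbers):
        raise ValueError("flag number outside the 255-byte bit string")
    buf = bytearray(max(flag_numbers) // 8 + 1)
    for n in flag_numbers:
        buf[n // 8] |= 1 << (n % 8)
    return bytes([len(buf)]) + bytes(buf)


def decode_flags(extension_data):
    """Parse tls_flags extension_data into the set of flag numbers.

    Rejects a length byte that does not match the body, an empty bit
    string, and a trailing zero byte (a non-canonical encoding).
    """
    if len(extension_data) < 2 or extension_data[0] != len(extension_data) - 1:
        raise ValueError("bad flags vector length")
    flags = extension_data[1:]
    if flags[-1] == 0:
        raise ValueError("trailing zero byte is not allowed")
    return {i * 8 + b for i, byte in enumerate(flags) for b in range(8) if byte >> b & 1}


def request_cert_in_first_flight(client_hello_extensions):
    """Server-side decision: send CertificateRequest in the first flight only
    when the client explicitly signalled a certificate via the flag.

    client_hello_extensions maps extension type -> extension_data. A missing
    extension keeps the conservative default (no CertificateRequest; client
    auth can still be negotiated later). A malformed extension raises, which
    a real stack would turn into a decode_error alert rather than ignore.
    """
    data = client_hello_extensions.get(TLS_FLAGS_EXT_TYPE)
    if data is None:
        return False
    return REQ_MTLS_FLAG in decode_flags(data)
```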