Re: [TLS] In-handshake CertificateRequest and 0-RTT
David Benjamin <davidben@chromium.org> Thu, 12 May 2016 02:42 UTC
Return-Path: <davidben@google.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0362012D5BE for <tls@ietfa.amsl.com>; Wed, 11 May 2016 19:42:11 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.695
X-Spam-Level:
X-Spam-Status: No, score=-3.695 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HEADER_FROM_DIFFERENT_DOMAINS=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, RP_MATCHES_RCVD=-0.996, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=chromium.org
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id F2G0H9IbT2y4 for <tls@ietfa.amsl.com>; Wed, 11 May 2016 19:42:08 -0700 (PDT)
Received: from mail-io0-x22e.google.com (mail-io0-x22e.google.com [IPv6:2607:f8b0:4001:c06::22e]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 95BBC12D177 for <tls@ietf.org>; Wed, 11 May 2016 19:42:08 -0700 (PDT)
Received: by mail-io0-x22e.google.com with SMTP id d62so78675844iof.2 for <tls@ietf.org>; Wed, 11 May 2016 19:42:08 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org; s=google; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=LzrYhLZljvDNh1sbiHB6O9qX+A6aTHcAVW8ZmAp09xI=; b=cxnBm4sLR3u5qBLSPuXSjmCv7lj/R6cjZ+5Wpuf6ZsaHLnI3IeNBhDr3VqR6W7YKjZ OmfZYwQJU6MG1Suj2hxSydL7ZGi+fXbumtQtiK/NIY/PzmhJqVilD9bqBs1KeilGeN+o 3PHiBvE7tGXwvzmhtN0BFziJZl1t4OmGqTp4s=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=LzrYhLZljvDNh1sbiHB6O9qX+A6aTHcAVW8ZmAp09xI=; b=NqcktOA63vv5Km2NvINvwC6uUHiZj+v2WmqwHeUSuqX1fL4Xlq+3he3ftS/ze1+uMa zbAcuaGRGh0BfqqFDhP3t3m/hFPAUPB3pm9JrbY5CcUK6Jql+eXL2NkkECpETHdOYwyj Xl9BHpwcch3lEMSh4ByVGOyDY3Y5yfuncv9KL+oKAbmV/U7Jn01d2QiawS8rnSJc8yBo CbsUhTEXmdtUtlh5zsbzN3ReorEwKMSh4nPMyzx6XysEhEF9mU4opMLcol6MlJFzuDJ2 YpA/5u/xAIHIyQFkhNPJmMnaZlldajxoHGuSnyjTaW9x5JMdeeFfgABY+9qASrzezmb/ ebVg==
X-Gm-Message-State: AOPr4FUA018ti52eZM6yk1x9jWlz68/xbZzKcUJKc4iNX29ulbOYW5SNnoAngAWC3Em+ObtgaiOb6ci524T+aOIs
X-Received: by 10.107.161.68 with SMTP id k65mr6488679ioe.110.1463020927850; Wed, 11 May 2016 19:42:07 -0700 (PDT)
MIME-Version: 1.0
References: <CAF8qwaD870fuNuVnhnbKBEk3Vc4G7_AfR+mOAtvLwDYNtNgcwA@mail.gmail.com> <CABkgnnXUZaO001_-taHJ2QaLDWiJNofrbw33DKj-aScymQRaVg@mail.gmail.com>
In-Reply-To: <CABkgnnXUZaO001_-taHJ2QaLDWiJNofrbw33DKj-aScymQRaVg@mail.gmail.com>
From: David Benjamin <davidben@chromium.org>
Date: Thu, 12 May 2016 02:41:58 +0000
Message-ID: <CAF8qwaAScbEPVLSJCaRvkE44DTAzqXpYOKodsveCkzc6479=tw@mail.gmail.com>
To: Martin Thomson <martin.thomson@gmail.com>
Content-Type: multipart/alternative; boundary="001a1140f96ab47e6605329c1a15"
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/A4jDG7qPTMvH7l5SdPQI0DIDPhg>
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] In-handshake CertificateRequest and 0-RTT
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 12 May 2016 02:42:11 -0000
On Wed, May 11, 2016 at 9:25 PM Martin Thomson <martin.thomson@gmail.com> wrote: > I think that this is a fine way to simplify, but I have a wrinkle to add. > > I would rather this be formulated as: a client cannot authenticate > using Certificate[+Verify] unless the server does so first. > > The reason that I want that is this issue > https://github.com/tlswg/tls13-spec/issues/443 I want to be able to > do 0-RTT but have the server continue to prove that it has the private > key (maybe some clients will do that occasionally). For those, I > think that reciprocating is reasonable. It doesn't significantly > change the state machine in that case. > > I hope to write a draft explaining this soon, so that folks can see > what it costs/looks like. > Sure, if we end up doing something on the server, mirroring sounds reasonable enough. (This would just be for re-asserting the private key and not switching certificates, right?) > On 12 May 2016 at 06:44, David Benjamin <davidben@chromium.org> wrote: > > The 0-RTT handshake originally had two places with a client Certificate + > > CertificateVerify: in the 0-RTT flow and in the second Finished block in > > response to a server CertificateRequest. We've dropped the first now. I > > propose we drop the second too. Client auth with 0-RTT is solely carried > > over via resumption. (I mentioned this previously, but with 0-RTT looking > > closer to resumption and the IETF 95 decision on 0.5-RTT data, I think > the > > case is clearer.) > > > We accepted the retroactive auth issue in post-handshake auth, but I > think > > we should limit it to that. For implementations, BoringSSL made accepting > > renego an opt-in feature. I expect we'd do the same for post-handshake > auth. > > I totally agree about the post-handshake stuff. I'm somewhat inclined > to ask that it be made an extension so that you can cleanly opt out. > For HTTP, doing it in an extension the obvious way doesn't quite work. Whether Chrome is willing to do renego depends on how ALPN resolves (we leave it at its default off state and, after the initial handshake but before we could consume a HelloRequest, toggle it off). Supposing post-handshake auth is still used for HTTP/1.1 + TLS 1.3 (am I right that this is the plan?), we'd be in a similar situation. The ClientHello would say post-handshake auth is allowed, but we may end up in a state where it isn't anyway. (I think implicitness is fine, though an extension seem fine too. The application already gets to impose other restrictions on the use of TLS like "the first application data record should begin with G, E, T, space".) > > For specs, one might specify that post-handshake authentication is > > forbidden. HTTP/2 did this for renegotiation. I haven't been following > the > > HTTP/2 client cert saga as closely, but > draft-thomson-http2-client-certs-02 > > is the current plan, right? If so, HTTP/2 should forbid TLS-level > > post-handshake auth too. > > We're doubling down on that idea and considering allowing the server > to authenticate too. See > https://mikebishop.github.io/http2-client-certs/ (you might recognize > some similarity to the SPDY CREDENTIAL frame if you squint hard > enough). >
- [TLS] In-handshake CertificateRequest and 0-RTT David Benjamin
- Re: [TLS] In-handshake CertificateRequest and 0-R… Martin Thomson
- Re: [TLS] In-handshake CertificateRequest and 0-R… David Benjamin
- Re: [TLS] In-handshake CertificateRequest and 0-R… Martin Thomson
- Re: [TLS] In-handshake CertificateRequest and 0-R… Eric Rescorla
- Re: [TLS] In-handshake CertificateRequest and 0-R… David Benjamin
- Re: [TLS] In-handshake CertificateRequest and 0-R… Eric Rescorla
- Re: [TLS] In-handshake CertificateRequest and 0-R… David Benjamin
- Re: [TLS] In-handshake CertificateRequest and 0-R… Andrei Popov