Re: [TLS] Summary of discussion regarding spontaneous authentication

Tom Ritter <tom@ritter.vg> Wed, 22 October 2014 12:51 UTC

In-Reply-To: <CABkgnnXAk+HU2yaUJdOQ0w-heHwYrPK6Zf3HrH5tU+2Tk7_cCA@mail.gmail.com>
References: <CABkgnnUAhEV=wLZyTew=ne7VgSq50XYR3Fo5EfjNXc8=_hbpyg@mail.gmail.com> <CABkgnnXAk+HU2yaUJdOQ0w-heHwYrPK6Zf3HrH5tU+2Tk7_cCA@mail.gmail.com>
Date: Wed, 22 Oct 2014 08:51:22 -0400
Message-ID: <CA+cU71=nWupBE12neJb_szY89K56T2OWs0ZWr5PoU-DpJ555iw@mail.gmail.com>
From: Tom Ritter <tom@ritter.vg>
To: Martin Thomson <martin.thomson@gmail.com>
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/An7ShSeXLBNeWxIrmkyf6cVtlFI
Cc: tls@ietf.org
Subject: Re: [TLS] Summary of discussion regarding spontaneous authentication

On Oct 22, 2014 8:07 AM, "Martin Thomson" <martin.thomson@gmail.com> wrote:
>
> I forgot one point that we discussed.
>
> We discussed the removal of the CertificateRequest and we will permit
> the client to unilaterally send authentication.

Will permit it to be absent, or will remove CertificateRequest entirely?

> The theory here is that clients tend to know whether they need to
> authenticate.  Most uses of mutual authentication start with the
> client knowing that they need to authenticate.

Well, the human knows he needs a client certificate for this website; the
browser does not unless it stores that information. (And it still needs to
learn it on first connect.)

If CertificateRequest is being removed, it's not clear to me how a browser
would know to include a client cert. An alert and reconnect?  (For other
applications like VPNs, obviously much easier to solve.)

-tom
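The two flows Tom contrasts, as an added toy model that is not part of the thread or of any TLS implementation: a server that still sends CertificateRequest, versus one that never does and relies on the client to authenticate spontaneously, with the "alert and reconnect" fallback he asks about. Message names are borrowed from TLS, but no real handshake is performed; the alert name, host names and certificate labels are constructed for the simulation.

```python
# Added example, not from the mailing-list thread or any TLS stack. It models
# how a client decides whether to send a Certificate when the server may or
# may not send CertificateRequest, and what the "alert and reconnect" path costs.
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

CERT_REQUIRED_ALERT = "alert:certificate_required"  # assumed alert name for the model


@dataclass
class Server:
    require_client_cert: bool        # mutual authentication is mandatory for this origin
    sends_certificate_request: bool  # False models the proposal to drop CertificateRequest

    def first_flight(self) -> List[str]:
        """Server messages after ClientHello: its own auth, plus CertificateRequest if still in the protocol."""
        msgs = ["ServerHello", "Certificate(server)"]
        if self.sends_certificate_request:
            msgs.append("CertificateRequest")
        return msgs

    def finish(self, client_cert: Optional[str]) -> str:
        """Accept the handshake, or abort with an alert if client auth was required and missing."""
        if self.require_client_cert and client_cert is None:
            return CERT_REQUIRED_ALERT
        return "Finished(server)"


@dataclass
class Client:
    cert_for_host: Dict[str, str]                               # certificates the client could present
    needs_cert: Dict[str, bool] = field(default_factory=dict)   # per-host knowledge learned from failures

    def choose_cert(self, host: str, server_flight: List[str]) -> Optional[str]:
        cert = self.cert_for_host.get(host)
        if cert is None:
            return None
        if "CertificateRequest" in server_flight:
            return cert                   # server asked: no stored knowledge needed
        if self.needs_cert.get(host):
            return cert                   # spontaneous: only if this host is already known to need it
        return None                       # first contact and no request: send nothing


def connect(client: Client, server: Server, host: str, max_attempts: int = 2) -> Tuple[str, int, List[str]]:
    """Run the modelled handshake, reconnecting once after a certificate_required alert.

    Returns (outcome, number_of_connections_used, transcript).
    """
    transcript: List[str] = []
    for attempt in range(1, max_attempts + 1):
        transcript.append(f"--- connection {attempt} to {host} ---")
        transcript.append("ClientHello")
        flight = server.first_flight()
        transcript.extend(flight)
        cert = client.choose_cert(host, flight)
        transcript.append(f"Certificate(client={cert})" if cert else "(no client Certificate)")
        transcript.append("Finished(client)")
        result = server.finish(cert)
        transcript.append(result)
        if result != CERT_REQUIRED_ALERT:
            return "ok", attempt, transcript
        client.needs_cert[host] = True    # learn it for the next connection
        if client.cert_for_host.get(host) is None:
            return "failed", attempt, transcript   # nothing to retry with
    return "failed", max_attempts, transcript


if __name__ == "__main__":
    # Constructed scenario: a server that dropped CertificateRequest, a client with
    # a usable certificate but no stored knowledge about the host.
    client = Client(cert_for_host={"vpn.example": "alice"})
    server = Server(require_client_cert=True, sends_certificate_request=False)
    outcome, connections, transcript = connect(client, server, "vpn.example")
    print("\n".join(transcript))
    print(f"outcome={outcome} connections={connections} learned={client.needs_cert}")
```

Running the model shows the asymmetry in the message: with CertificateRequest present, a client that holds a certificate succeeds on the first connection with no stored state; without it, the same client needs one failed handshake to learn that the host wants a certificate, after which it sends one spontaneously on every later connection.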