Re: [TLS] Making post-handshake messages optional in TLS 1.3 (#676)

Daniel Kahn Gillmor <> Wed, 12 October 2016 07:11 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 2F82C12946F for <>; Wed, 12 Oct 2016 00:11:09 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9] autolearn=ham autolearn_force=no
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id c_DgK9PEqed6 for <>; Wed, 12 Oct 2016 00:11:07 -0700 (PDT)
Received: from ( []) by (Postfix) with ESMTP id A5194129421 for <>; Wed, 12 Oct 2016 00:11:07 -0700 (PDT)
Received: from (unknown []) by (Postfix) with ESMTPSA id 45550F98C; Wed, 12 Oct 2016 03:11:06 -0400 (EDT)
Received: by (Postfix, from userid 1000) id 14B09200CC; Wed, 12 Oct 2016 00:10:58 -0700 (PDT)
From: Daniel Kahn Gillmor <>
To: Nick Sullivan <>, Hannes Tschofenig <>, "" <>
In-Reply-To: <>
References: <> <> <>
Date: Wed, 12 Oct 2016 03:10:54 -0400
Message-ID: <>
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=-=-="; micalg="pgp-sha512"; protocol="application/pgp-signature"
Archived-At: <>
Subject: Re: [TLS] Making post-handshake messages optional in TLS 1.3 (#676)
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Wed, 12 Oct 2016 07:11:09 -0000

On Tue 2016-10-11 13:26:02 -0400, Nick Sullivan wrote:
> The major thing that this proposal achieves is that it makes post-handshake
> auth an optional part of the implementation. Instead of this, I would also
> be in favor of a simpler change that modifies the text to say that
> post-handshake CertificateRequest messages are fatal by default and only
> permitted if the application permits their use in a given context (say if
> the application is HTTP 1.1, only directly after requests).
> Embedded implementations may choose to simply fail on unexpected
> CertificateRequests, and that way not have to implement any code around
> post-handshake finished messages or updating the transcript when one
> arrives.
> This default wording should also apply to other types of post-handshake
> messages, though NST and KU could be exceptions that should always be
> supported and non-fatal.

I don't see the advantage of putting this on the wire during the intial

In the HTTP case, either (a) the requested resource wants a new
authentication or (b) it does not.  If it does not want new
authentication (b), no CertificateRequest message will be forthcoming.
If it does want new authentication, then either (a.1) it requires it
(meaning the HTTP request will fail if the client can't offer a good
cert), or (a.2) it just hopes to send a different response based on some
new authentication. in (a.1), the request will simply fail when the
client can't send a client cert.  So the the client needs to know how to
at least reject it gracefully.  This is the case even when the client
fully implements client auth anyway, since it might not have a client
cert available.

I don't think it's too much to ask that implementations be able to
reject a post-handshake CertificateRequest gracefully, even if they have
no intention of ever implementing a proper Client Certificate response.

Changes to the wire format here only seems to give a small advantage to
the server in one corner case for HTTP (a.2, when the client has no
implementation of post-handshake client certs): the server can
confidently send the certRequest, knowing that the client will know how
to deal with it.  But now clients will also need to decide whether they
should indicate "i do post-handshake client auth" even if they have no
likely client certs available at the time of session establishment, and
to keep track of how they signaled over the lifetime of the session (how
does this interact with session resumption?).  I don't think that's a
complexity win overall.

If we make it clear that TLS 1.3 clients MUST at least know how to
gracefully reject a post-handshake Certificate Request, i think that
leaves the ecosystem as a whole with less complexity, and reduces the
fiddliness of the wire format.