IETF Logo Mail Archive

Re: [TLS] Summary of discussion regarding spontaneuous authentication

Andrei Popov <Andrei.Popov@microsoft.com> Wed, 22 October 2014 19:20 UTC

Return-Path: <Andrei.Popov@microsoft.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 983991AD1BA for <tls@ietfa.amsl.com>; Wed, 22 Oct 2014 12:20:16 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level:
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id S3EiwFUwTr-A for <tls@ietfa.amsl.com>; Wed, 22 Oct 2014 12:20:07 -0700 (PDT)
Received: from na01-bl2-obe.outbound.protection.outlook.com (mail-bl2on0116.outbound.protection.outlook.com [65.55.169.116]) (using TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id BAA1D1AD03D for <tls@ietf.org>; Wed, 22 Oct 2014 12:20:06 -0700 (PDT)
Received: from BL2PR03MB419.namprd03.prod.outlook.com (10.141.92.18) by BL2PR03MB418.namprd03.prod.outlook.com (10.141.92.13) with Microsoft SMTP Server (TLS) id 15.0.1054.13; Wed, 22 Oct 2014 19:20:04 +0000
Received: from BL2PR03MB419.namprd03.prod.outlook.com ([10.141.92.18]) by BL2PR03MB419.namprd03.prod.outlook.com ([10.141.92.18]) with mapi id 15.00.1054.004; Wed, 22 Oct 2014 19:20:04 +0000
From: Andrei Popov <Andrei.Popov@microsoft.com>
To: Joseph Salowey <joe@salowey.net>, "mrex@sap.com" <mrex@sap.com>
Thread-Topic: [TLS] Summary of discussion regarding spontaneuous authentication
Thread-Index: AQHP7fDMBbHKs/HZikCNW7QhrPmUL5w8OvCAgAAaHACAACXv0A==
Date: Wed, 22 Oct 2014 19:20:04 +0000
Message-ID: <4d4ef6ab70914023988340e2ca9f02d1@BL2PR03MB419.namprd03.prod.outlook.com>
References: <CABkgnnXAk+HU2yaUJdOQ0w-heHwYrPK6Zf3HrH5tU+2Tk7_cCA@mail.gmail.com> <20141022151819.44A791AF05@ld9781.wdf.sap.corp> <CAOgPGoABYDNRNuga5Y2s=8eBFTAp3CD48bsSSv5Wy986XE=Pkw@mail.gmail.com>
In-Reply-To: <CAOgPGoABYDNRNuga5Y2s=8eBFTAp3CD48bsSSv5Wy986XE=Pkw@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: [2001:4898:80e8:ed31::3]
x-microsoft-antispam: BCL:0;PCL:0;RULEID:;SRVR:BL2PR03MB418;
x-exchange-antispam-report-test: UriScan:;
x-forefront-prvs: 037291602B
x-forefront-antispam-report: SFV:NSPM; SFS:(10019020)(3905003)(377454003)(199003)(189002)(24454002)(19609705001)(40100003)(15975445006)(87936001)(2656002)(85306004)(108616004)(92566001)(122556002)(85852003)(19580395003)(86362001)(19580405001)(15202345003)(76576001)(74316001)(19300405004)(106116001)(33646002)(19617315012)(105586002)(16236675004)(107046002)(99396003)(120916001)(106356001)(76482002)(21056001)(80022003)(95666004)(46102003)(99286002)(64706001)(86612001)(20776003)(4396001)(54356999)(31966008)(50986999)(97736003)(76176999)(101416001)(19625215002)(2501002)(24736002)(562404015); DIR:OUT; SFP:1102; SCL:1; SRVR:BL2PR03MB418; H:BL2PR03MB419.namprd03.prod.outlook.com; FPR:; MLV:sfv; PTR:InfoNoRecords; A:1; MX:1; LANG:en;
Content-Type: multipart/alternative; boundary="_000_4d4ef6ab70914023988340e2ca9f02d1BL2PR03MB419namprd03pro_"
MIME-Version: 1.0
X-OriginatorOrg: microsoft.onmicrosoft.com
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/RSZyOxdZyWU2ibLfUk_Qgb5zDs8
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] Summary of discussion regarding spontaneuous authentication
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 22 Oct 2014 19:20:16 -0000

I have the same concern as Joe: not all applications have a mechanism in place to request TLS client auth; such apps would not be able to use TLS1.3. Nor is it desirable to update all the application protocols that use TLS client auth. We need this mechanism in the TLS handshake, and perhaps we can do better than CertificateRequest: certificate type and trusted issuers list are not the only useful credential selection criteria.

Cheers,

Andrei

From: TLS [mailto:tls-bounces@ietf.org] On Behalf Of Joseph Salowey
Sent: Wednesday, October 22, 2014 9:52 AM
To: mrex@sap.com
Cc: tls@ietf.org
Subject: Re: [TLS] Summary of discussion regarding spontaneuous authentication


On Wed, Oct 22, 2014 at 8:18 AM, Martin Rex <mrex@sap.com<mailto:mrex@sap.com>> wrote:
Martin Thomson wrote:
>
> We discussed the removal of the CertificateRequest and we will permit
> the client to unilaterally send authentication.
>
> The theory here is that clients tend to know whether they need to
> authenticate.

This looks like a bad idea to me.
The by far most important information in the current CertificateRequest
handshake message is the "certification_authorities" field, which indicates
certificate issuers which the server considers acceptable.
In SSLv3 and TLSv1.0 the certificate_authorities field was required
to be non-empty and no (server) behaviour was defined for the meaning
of an empty certification_authorities field in CertificateRequest.

The TLSv1.1 and TLSv1.2 specification contain a defect in that they
modified the PDU definition to allow an empty certification_authorities
field in CertificateRequest, but failed to define (require) a server
behaviour when the server does not send this information.
Without the requirement, that the serer MUST NOT abort the TLS handshake
when sending an empty certificate_authorities and receiving a certificate
which it does not trust, the use of an empty certificate_authorities
field does not make sense.


With recent versions of Lync, Microsoft seems to automatically create a
Lync-specific "SSL client identity" that works for nothing but Lync, but
will successfully interfere with SSL client credentials selections when
browsers are using an SSL client identity for accessing regular Web sites.

To make SSL client certificate authentication work reasonably
a CertificateRequest that conveys acceptable certificate_authorities
for the specific handshake is absolutely necessary.

Apple Safari seems to be notoriously broken when it comes to SSL client
certificate selection, because it fails to process the certificate_authorities
field from a CertificateRequest handshake message and remove obviously
unacceptable certs from the list of credentials that the user is
presented to select from.   I've had customers report connection
failures to our AppServers, and from the server-side error messages
I could see that the client was trying to connect with some appleid
certificate that our server didn't trust (and certainly never announced
in the CertificateRequest.certificate_authorities field.

Microsoft had a similar problem in WinHTTP in 2005
http://support.microsoft.com/kb/909425/en

After WinHTTP was fixed to provide the necessary information
to application callers, it is still necessary for application callers
to actually _use_ that information to select only acceptable certificates,
and that seems to take years to happen.
This is the fix for Office/WebDAV:
http://support.microsoft.com/kb/2647954/en

And Apple Safari 4 Windows also still has this bug today.


With the certificate_authorities field in the current CertificateRequest
handshake message, these are only (fixable) bugs.  With the removal
of the CertificateRequest handshake message, this problem would be
promoted to a TLSv1.3 protocol design flaw, and become unfixable.

[Joe]  I'm also concerned that removing the certificate request in favor of some application indication will leave behind applications that do not currently have a mechanism to communicate this.   If we are going to remove the certificate request I think we will need to communicate this information in the handshake itself or perhaps have a "reconnection request".




-Martin

_______________________________________________
TLS mailing list
TLS@ietf.org<mailto:TLS@ietf.org>
https://www.ietf.org/mailman/listinfo/tls

v2.23.0 | Report a Bug | By Email