Re: [TLS] [Fwd: WWW-Authenticate challenge for client-certificates]

Joe Orton <jorton@redhat.com> Fri, 22 January 2010 11:43 UTC

Return-Path: <jorton@redhat.com>
X-Original-To: tls@core3.amsl.com
Delivered-To: tls@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 4B2F03A68FF for <tls@core3.amsl.com>; Fri, 22 Jan 2010 03:43:33 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -106.599
X-Spam-Level:
X-Spam-Status: No, score=-106.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id GhURI220Sfef for <tls@core3.amsl.com>; Fri, 22 Jan 2010 03:43:32 -0800 (PST)
Received: from mx1.redhat.com (mx1.redhat.com [209.132.183.28]) by core3.amsl.com (Postfix) with ESMTP id 855043A68D1 for <tls@ietf.org>; Fri, 22 Jan 2010 03:43:32 -0800 (PST)
Received: from int-mx01.intmail.prod.int.phx2.redhat.com (int-mx01.intmail.prod.int.phx2.redhat.com [10.5.11.11]) by mx1.redhat.com (8.13.8/8.13.8) with ESMTP id o0MBhRda012688 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK); Fri, 22 Jan 2010 06:43:28 -0500
Received: from turnip.manyfish.co.uk (vpn-8-167.rdu.redhat.com [10.11.8.167]) by int-mx01.intmail.prod.int.phx2.redhat.com (8.13.8/8.13.8) with ESMTP id o0MBhQ8r004208 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Fri, 22 Jan 2010 06:43:27 -0500
Received: from jorton by turnip.manyfish.co.uk with local (Exim 4.69) (envelope-from <jorton@redhat.com>) id 1NYHvB-0001UM-8A; Fri, 22 Jan 2010 11:43:25 +0000
Date: Fri, 22 Jan 2010 11:43:25 +0000
From: Joe Orton <jorton@redhat.com>
To: Bruno Harbulot <Bruno.Harbulot@manchester.ac.uk>
Message-ID: <20100122114325.GA5528@redhat.com>
Mail-Followup-To: Bruno Harbulot <Bruno.Harbulot@manchester.ac.uk>, tls@ietf.org
References: <4B55C476.1070302@manchester.ac.uk> <20100121165844.GA2878@redhat.com> <hjc1uf$e8g$1@ger.gmane.org>
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Disposition: inline
In-Reply-To: <hjc1uf$e8g$1@ger.gmane.org>
User-Agent: Mutt/1.5.20 (2009-08-17)
Organization: Red Hat UK Ltd, Amberley Place, 107-111 Peascod Street, Windsor, Berkshire, SL4 1TE, United Kingdom. Registered in UK and Wales under Company Registration No. 03798903 Directors: Michael Cunningham (USA), Brendan Lane (Ireland), Matt Parson (USA), Charlie Peters (USA)
X-Scanned-By: MIMEDefang 2.67 on 10.5.11.11
Cc: tls@ietf.org
Subject: Re: [TLS] [Fwd: WWW-Authenticate challenge for client-certificates]
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 22 Jan 2010 11:43:33 -0000

On Fri, Jan 22, 2010 at 11:25:04AM +0000, Bruno Harbulot wrote:
> Yes, but 403 is exactly the problem. That's not really a TLS
> problem, but more of how TLS authentication is handled by HTTP,
> differently from the other HTTP-specified authentication mechanisms

I don't see what difference it makes to have a fake 401 challenge as 
opposed to a 403.  If the client doesn't have a cert to present when 
challenged, the best you can do is present an error page describing to 
them how they obtain a client cert.  The client *already knows* that a 
client cert was requested; telling them again in a fake 401 doesn't add 
additional information.

> In addition, the use of a 401 status code would allow for
> configurations where the server can present two challenges at the
> same time, for example:

Again, that is effectively already possible.  Send a client cert 
request, and a 401 challenge if none is presented.

Regards, Joe