Re: [TLS] Summary of discussion regarding spontaneous authentication

Peter Gutmann <pgut001@cs.auckland.ac.nz> Tue, 28 October 2014 09:55 UTC

From: Peter Gutmann <pgut001@cs.auckland.ac.nz>
To: "<tls@ietf.org>" <tls@ietf.org>
Date: Tue, 28 Oct 2014 09:55:08 +0000
Message-ID: <9A043F3CF02CD34C8E74AC1594475C739B9D9E37@uxcn10-5.UoA.auckland.ac.nz>
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/ZbaeWcxxtfyjZJ9eKddLkKF-L8g

Eric Rescorla <ekr@rtfm.com> writes:

>If we make this change, we could still leave CertificateRequest in place, but
>it could be empty, just indicating that the server wants some kind of client
>auth and let the client decide. 

Just as a data point, I've always done it that way: the client provides
whatever cert it has to get in, and the server decides whether it'll allow
access.  I've never had any reports of problems so far.

(Caveat: given the almost nonexistent use of client certs, the sample size
there probably isn't very large.)

Peter.
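The arrangement described above (the server asks for a client cert without naming any CAs, the client sends whatever it has, and the server decides afterwards) as a worked example in Go. This is added here and is not code from the original message or from any IETF draft. It assumes Go's crypto/tls, whose RequestClientCert mode sends a CertificateRequest with an empty certificate_authorities list and does no chain verification on the reply; the certificates are throwaway self-signed ones generated in memory, and the server's access policy is an allow list keyed on the SHA-256 of the client's SubjectPublicKeyInfo. The names selfSigned, spkiFingerprint, authorize and connect are mine, not a library API.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"fmt"
	"math/big"
	"net"
	"time"
)

// selfSigned builds a throwaway self-signed cert (constructed for this example).
func selfSigned(cn string) (tls.Certificate, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return tls.Certificate{}, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		DNSNames: []string{"localhost"},          // the name the client verifies the server under
		IsCA: true, BasicConstraintsValid: true, // lets the cert anchor itself in a RootCAs pool
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		return tls.Certificate{}, err
	}
	leaf, _ := x509.ParseCertificate(der) // DER we just produced; cannot fail
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: priv, Leaf: leaf}, nil
}

// spkiFingerprint keys the allow list on the client's public key, not on its issuer.
func spkiFingerprint(c *x509.Certificate) string {
	sum := sha256.Sum256(c.RawSubjectPublicKeyInfo)
	return hex.EncodeToString(sum[:])
}

// authorize is the server's own policy, applied after the handshake to whatever cert
// the client chose to send. TLS has already checked the CertificateVerify signature,
// so the peer provably holds the key the allow list is keyed on; no chain is built.
func authorize(state tls.ConnectionState, allowed map[string]bool) (cn string, ok bool) {
	if len(state.PeerCertificates) == 0 {
		return "", false // client answered the CertificateRequest with an empty Certificate
	}
	leaf := state.PeerCertificates[0]
	return leaf.Subject.CommonName, allowed[spkiFingerprint(leaf)]
}

// connect runs one TLS 1.3 handshake over loopback TCP and returns the server's
// verdict. With no clientCerts the handshake still completes and ok is false.
func connect(server tls.Certificate, allowed map[string]bool, clientCerts ...tls.Certificate) (cn string, ok bool, err error) {
	srvConf := &tls.Config{
		Certificates: []tls.Certificate{server},
		// CertificateRequest with an empty CA list, and no chain verification of the reply.
		ClientAuth: tls.RequestClientCert,
	}
	roots := x509.NewCertPool()
	roots.AddCert(server.Leaf)
	cliConf := &tls.Config{RootCAs: roots, ServerName: "localhost", Certificates: clientCerts, MinVersion: tls.VersionTLS13}
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		return "", false, err
	}
	defer ln.Close()
	srvErr := make(chan error, 1)
	go func() { // server side: accept, handshake with whatever the client offers, then decide
		raw, err := ln.Accept()
		if err == nil {
			defer raw.Close()
			srv := tls.Server(raw, srvConf)
			if err = srv.Handshake(); err == nil {
				cn, ok = authorize(srv.ConnectionState(), allowed)
			}
		}
		srvErr <- err
	}()
	raw, err := net.Dial("tcp", ln.Addr().String())
	if err == nil {
		defer raw.Close()
		err = tls.Client(raw, cliConf).Handshake()
	}
	if err != nil {
		return "", false, fmt.Errorf("client side: %w", err)
	}
	if err := <-srvErr; err != nil {
		return "", false, fmt.Errorf("server side: %w", err)
	}
	return cn, ok, nil
}

func main() {
	server, _ := selfSigned("server")
	alice, _ := selfSigned("alice")
	fmt.Println(connect(server, map[string]bool{spkiFingerprint(alice.Leaf): true}, alice))
}
```

Run as is, it prints "alice true <nil>". Calling connect(server, allowed) with no client cert, or with a self-signed cert whose key is not enrolled, still completes the handshake and returns ok=false: the TLS layer only establishes which key the peer holds, and the server makes the access call on its own. If that call should abort the handshake rather than follow it, the same lookup can be placed in tls.Config.VerifyPeerCertificate, which Go still invokes in RequestClientCert mode (with an empty rawCerts when the client sent nothing). Keying the allow list on the SPKI rather than on an issuer is what makes "whatever cert it has" workable; the flip side is that expiry and revocation of an enrolled key become the server's own bookkeeping, since no CA list is doing that work for it.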