IETF Logo Mail Archive

[TLS] TLS-OBC proposal

Dirk Balfanz <balfanz@google.com> Mon, 22 August 2011 17:52 UTC

Return-Path: <balfanz@google.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2C8D421F8BC5 for <tls@ietfa.amsl.com>; Mon, 22 Aug 2011 10:52:04 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -105.976
X-Spam-Level:
X-Spam-Status: No, score=-105.976 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-4, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 1I+6HsTB3qN9 for <tls@ietfa.amsl.com>; Mon, 22 Aug 2011 10:52:03 -0700 (PDT)
Received: from smtp-out.google.com (smtp-out.google.com [216.239.44.51]) by ietfa.amsl.com (Postfix) with ESMTP id 1386421F8B17 for <tls@ietf.org>; Mon, 22 Aug 2011 10:52:03 -0700 (PDT)
Received: from wpaz17.hot.corp.google.com (wpaz17.hot.corp.google.com [172.24.198.81]) by smtp-out.google.com with ESMTP id p7MHr8Wa003765 for <tls@ietf.org>; Mon, 22 Aug 2011 10:53:08 -0700
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; d=google.com; s=beta; t=1314035588; bh=TccDs5IiFC/qk0VJGTFuTfPNgXg=; h=MIME-Version:Date:Message-ID:Subject:From:To:Content-Type; b=PY4JZ+b+WcHplckqvx0ntRUdIqVRgPZzY1dzRUud5qiP6XmDDyOSLzBtVmGwvPebb Eqm7RMJfX9nSo2gs+me7Q==
DomainKey-Signature: a=rsa-sha1; s=beta; d=google.com; c=nofws; q=dns; h=dkim-signature:mime-version:date:message-id:subject:from:to: content-type:x-system-of-record; b=fIzQHTEtiG1zCvV0l6eCcIHtvg1zb0cNNA9YUnLhJ662LhCcC0Yn0C7W4/hbyWxOy +5YG6DOHXOKwjt4go1FXg==
Received: from yib2 (yib2.prod.google.com [10.243.65.66]) by wpaz17.hot.corp.google.com with ESMTP id p7MHr7J7006731 (version=TLSv1/SSLv3 cipher=RC4-SHA bits=128 verify=NOT) for <tls@ietf.org>; Mon, 22 Aug 2011 10:53:07 -0700
Received: by yib2 with SMTP id 2so3628431yib.28 for <tls@ietf.org>; Mon, 22 Aug 2011 10:53:07 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=beta; h=mime-version:date:message-id:subject:from:to:content-type; bh=gaQj7US4nfbP2UA2r+vpvzWBoZkZv7/gSRfwBoORwAo=; b=jk0G+yss/GI3xzeyyRWwiyYbR1OUELd628ikyv5DcpdiepBzD7gVwqqwOHW5ZOmNe5 8mC+2l8RIxh1LE/b+xMA==
Received: by 10.91.160.39 with SMTP id m39mr2616496ago.17.1314035586909; Mon, 22 Aug 2011 10:53:06 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.91.160.39 with SMTP id m39mr2616472ago.17.1314035585841; Mon, 22 Aug 2011 10:53:05 -0700 (PDT)
Received: by 10.90.56.4 with HTTP; Mon, 22 Aug 2011 10:53:05 -0700 (PDT)
Date: Mon, 22 Aug 2011 10:53:05 -0700
Message-ID: <CADHfa2AMOeShxH_k5ZEB3DUVJAnOqvZmLMg5Yz8smtBDGkQsNg@mail.gmail.com>
From: Dirk Balfanz <balfanz@google.com>
To: tls@ietf.org
Content-Type: multipart/alternative; boundary="0016e6407cd651481b04ab1bc013"
X-System-Of-Record: true
Subject: [TLS] TLS-OBC proposal
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 22 Aug 2011 17:52:04 -0000

Dear TLS-WG,

I few weeks ago I presented a proposal for an "origin-bound certificates"
TLS extension at IETF 81. It's much easier to understand what this extension
is trying to accomplish when presented in a broader context of web
authentication (which I tried to give in Quebec), so I put together a little
web site that is supposed to do just that for those who couldn't be at the
IETF meeting: http://browserauth.net (This took me a little while, hence the
delay in sending out the I-D).

Anyway, here is the I-D: http://tools.ietf.org/html/draft-balfanz-tls-obc,
which I submit for your comments/feedback. (Again, remember to read
http://browserauth.net for some context.)

All feedback is welcome, of course, but if you can't think of anything to
comment on, I have a couple particular questions:

- in Section 2.1.1 we currently stipulate that the client include the origin
of the origin-bound cert as part of the OBC X.509 extension. When we
implemented this, we didn't really know what to do with that data on the
server side. If the client also uses TLS-SNI, then we could imagine
comparing the SNI and OBC origins in some manner on the server side, but
there isn't really a vehicle to signal an error back to the client saying
"your SNI and OBC origins don't match". Similarly, we could perhaps at some
higher layer compare the HTTP "Host" header with the OBC origin, but then
again - what do you do when they don't match? Respond with a 400 at the HTTP
layer? An alternative to the current language in the I-D would be to simply
mark the cert as origin-bound, but without putting the origin itself into
the cert. Any thoughts?

- What do you think of the privacy-enhancing power of using per-origin
certs? The idea there is that different domains see different "identities"
(public keys) for the same client. Of course, if two domains choose to
collaborate, they can probably find a way to correlate the two identities
they see for the same client. This is similar to cookies, where normally
"identities" (cookies) for one domain are not revealed to another domain
unless, of course, they choose to collaborate. How much privacy would we
really lose if we just used one certificate for all origins? It would
certainly make the design and implementation simpler. (I tend to favor
per-origin certs, but I'm curious as to what other people think.)

Thanks for your consideration!

Dirk.

v2.23.0 | Report a Bug | By Email