Re: [TLS] Asking the browser for a different certificate
Martin Rex <mrex@sap.com> Fri, 26 March 2010 23:41 UTC
Return-Path: <mrex@sap.com>
X-Original-To: tls@core3.amsl.com
Delivered-To: tls@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 8C9113A68D6 for <tls@core3.amsl.com>; Fri, 26 Mar 2010 16:41:17 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.239
X-Spam-Level:
X-Spam-Status: No, score=-7.239 tagged_above=-999 required=5 tests=[AWL=-0.720, BAYES_50=0.001, DNS_FROM_OPENWHOIS=1.13, HELO_EQ_DE=0.35, RCVD_IN_DNSWL_HI=-8]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id yXacLqMMVWHW for <tls@core3.amsl.com>; Fri, 26 Mar 2010 16:41:16 -0700 (PDT)
Received: from smtpde01.sap-ag.de (smtpde01.sap-ag.de [155.56.68.171]) by core3.amsl.com (Postfix) with ESMTP id 66DB13A6782 for <tls@ietf.org>; Fri, 26 Mar 2010 16:41:16 -0700 (PDT)
Received: from mail.sap.corp by smtpde01.sap-ag.de (26) with ESMTP id o2QNfVHG001490 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Sat, 27 Mar 2010 00:41:31 +0100 (MET)
From: Martin Rex <mrex@sap.com>
Message-Id: <201003262341.o2QNfTVA000078@fs4113.wdf.sap.corp>
To: henry.story@bblfish.net
Date: Sat, 27 Mar 2010 00:41:29 +0100
In-Reply-To: <B6FBE60E-803D-4430-B2A7-6BDB42FF0447@bblfish.net> from "Story Henry" at Mar 24, 10 11:49:05 pm
MIME-Version: 1.0
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 8bit
X-Scanner: Virus Scanner virwal06
X-SAP: out
Cc: tls@ietf.org
Subject: Re: [TLS] Asking the browser for a different certificate
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
Reply-To: mrex@sap.com
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 26 Mar 2010 23:41:17 -0000
Story Henry wrote: > > > IMHO there are a number of defects in the TLS protocol related > > to client certificate authentication, and some of them should probably > > be fixed at the TLS protocol level. But fixes at the TLS protocol > > level may take a huge amount of time before they become a useful > > feature in the installed base... > > > > - the TLS client can not indicate that it posseses a client cert > > (so a server has to probe--and by probing create a > > bad user experience for users without client cert) > > TLS renegotiation has been abused in the past to reduce the > > bad user experience side of the problem. > > > > - the TLS client can not indicate that it does _not_ posess or > > is firmly determined to not send a client cert > > > > - the TLS server can not recommend to the TLS client that the client > > should offer a user a possibility to change his selection of > > client certificate for the current handshake. > > Yes. I am now looking for hacks to help people with defective browsers > participate in a world of secure client certificates. The only one up > till now I found was to have multiple server ports open each with a > different server key. You mean a server listening on multiple TCP ports for HTTP-over-TLS incoming requests, with different TLS server certificates for each of these TCP ports and different requirement levels for client certificate? The purpose of "different server certs for each TCP port" is not clear to me. rfc-2818 server endpoint identification does not distinguish ports. Depending on how much cross-referencing there is from the content on those different ports, and how much parallel access there is from a single user to contents on seperate ports, you may run into a TLS session caching issue with some browsers. Some Web Browsers do not distinguish TCP server ports (present in the URL) in their client side TLS session caching. Some blindly assume that servers on the same host share their TLS session cache and therefore exhibit frequent full TLS handshakes when multiple distinct servers on the same host are concurrently accessed (and probably flushing each TLS session where TLS session resume fails). -Martin
- Re: [TLS] Asking the browser for a different cert… Story Henry
- [TLS] Asking the browser for a different certific… Story Henry
- Re: [TLS] Asking the browser for a different cert… Martin Rex
- Re: [TLS] Asking the browser for a different cert… Martin Rex
- Re: [TLS] Asking the browser for a different cert… Wan-Teh Chang
- Re: [TLS] Asking the browser for a different cert… Martin Rex
- Re: [TLS] Asking the browser for a different cert… Marsh Ray
- Re: [TLS] Asking the browser for a different cert… Martin Rex
- Re: [TLS] Asking the browser for a different cert… Marsh Ray
- Re: [TLS] Asking the browser for a different cert… Kyle Hamilton
- Re: [TLS] Asking the browser for a different cert… Michael D'Errico
- Re: [TLS] Asking the browser for a different cert… Marsh Ray
- Re: [TLS] Asking the browser for a different cert… Martin Rex
- Re: [TLS] Asking the browser for a different cert… Dale Gustafson
- Re: [TLS] Asking the browser for a different cert… Kyle Hamilton
- Re: [TLS] Asking the browser for a different cert… Bruno Harbulot
- Re: [TLS] Asking the browser for a different cert… Marsh Ray
- Re: [TLS] [POSSIBLE SPAM] Re: Asking the browser … Kemp, David P.
- Re: [TLS] [POSSIBLE SPAM] Re: Asking the browser … Marsh Ray
- Re: [TLS] [POSSIBLE SPAM] Re: Asking the browser … Kemp, David P.
- Re: [TLS] [POSSIBLE SPAM] Re: Asking the browser … Marsh Ray