IETF Logo Mail Archive

[TLS] In-handshake CertificateRequest and 0-RTT

David Benjamin <davidben@chromium.org> Wed, 11 May 2016 20:45 UTC

Return-Path: <davidben@google.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E9E1212D7FE for <tls@ietfa.amsl.com>; Wed, 11 May 2016 13:45:00 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.695
X-Spam-Level:
X-Spam-Status: No, score=-3.695 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HEADER_FROM_DIFFERENT_DOMAINS=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, RP_MATCHES_RCVD=-0.996, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=chromium.org
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 6IWuNVJ3qcRO for <tls@ietfa.amsl.com>; Wed, 11 May 2016 13:44:58 -0700 (PDT)
Received: from mail-io0-x22b.google.com (mail-io0-x22b.google.com [IPv6:2607:f8b0:4001:c06::22b]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id BECC712D5C0 for <tls@ietf.org>; Wed, 11 May 2016 13:44:58 -0700 (PDT)
Received: by mail-io0-x22b.google.com with SMTP id 190so70253034iow.1 for <tls@ietf.org>; Wed, 11 May 2016 13:44:58 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org; s=google; h=mime-version:from:date:message-id:subject:to; bh=/P7WDR+722Rs+VGZp/ToRZOS30RBgsjo6P+o7hZdcy0=; b=aGczyjPHk4iFdM2iozdoYyhgeAc4uOsRGeAteAhFolwzUfCPs+Qt0ZzMUJIOTupIEC QwrHN1LENxvcVXl8KDAV0xxPTzAp70EK8LdMR8MUEzJOXKhCceJHDYti6dhGV+o2s1SX Nb76tRiGEASwNkNfJmBxG7IFYCXqOq8PPNBt0=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:from:date:message-id:subject:to; bh=/P7WDR+722Rs+VGZp/ToRZOS30RBgsjo6P+o7hZdcy0=; b=a00b7nsrh9sRym0QD4fG0/YrF7zWyrSyeLEb5thNfUKA+SqUWN/5GW8ABilDngxnNb ddEQkF9ED693FusJ/4wMMwnuJdCqOKtfJ9XO+DIanR5j56jLnxjob2p74I1ZbRnHshHk /NLp6zXZoQ2rM9Xu/l84hLV5I3ZeESA+szwTGViApR5kBze5Xg9YGhUS6kPfPUBev99a 6sgHrCnF9zwLjV6uLXgsnhx1W9sMNv6ugOLgyOA9JBk6rEcES1EOZ5rueLtyD1d/2c97 gBK7Xc+AAvn2vZEl5CcDUXhWx3w013UgrqWHwON2X6pabXs+H+jMvaqVWI8JjqRPsIHn fJiQ==
X-Gm-Message-State: AOPr4FVjZI9OjNiObf8z52CFj1wt443ZlDi79FCnvLYMNL3ZY79Yftk2qpIzHBeBkXcz4l+L8eoZzza13dsKnAfj
X-Received: by 10.36.11.84 with SMTP id 81mr6531857itd.76.1462999498014; Wed, 11 May 2016 13:44:58 -0700 (PDT)
MIME-Version: 1.0
From: David Benjamin <davidben@chromium.org>
Date: Wed, 11 May 2016 20:44:47 +0000
Message-ID: <CAF8qwaD870fuNuVnhnbKBEk3Vc4G7_AfR+mOAtvLwDYNtNgcwA@mail.gmail.com>
To: "tls@ietf.org" <tls@ietf.org>
Content-Type: multipart/alternative; boundary="001a1140c338630a730532971d73"
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/bl6dQKLMFdAeBXRnQEMS7xu3BMc>
Subject: [TLS] In-handshake CertificateRequest and 0-RTT
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 11 May 2016 20:45:01 -0000

The 0-RTT handshake originally had two places with a client Certificate +
CertificateVerify: in the 0-RTT flow and in the second Finished block in
response to a server CertificateRequest. We've dropped the first now. I
propose we drop the second too. Client auth with 0-RTT is solely carried
over via resumption. (I mentioned this previously, but with 0-RTT looking
closer to resumption and the IETF 95 decision on 0.5-RTT data, I think the
case is clearer.)

This makes 6.2.3 more consistent with 6.2.2 where neither side
authenticates in a resumption handshake. 0-RTT is much more similar to
resumption with most parameters carrying over anyway.

1-RTT client auth in a 0-RTT handshake also invites more of the retroactive
auth confusion as with post-handshake auth. The client stream switches from
unauthenticated to authenticated. I believe this was one of the reasons we
agreed at IETF 95 to discourage/forbid (not sure which) sending 0.5-RTT
data following a CertificateRequest. In-handshake CertificateRequest either
requires this discouraged situation or accepting 0-RTT data without sending
0.5-RTT data, which is largely pointless.

We accepted the retroactive auth issue in post-handshake auth, but I think
we should limit it to that. For implementations, BoringSSL made accepting
renego an opt-in feature. I expect we'd do the same for post-handshake
auth. For specs, one might specify that post-handshake authentication is
forbidden. HTTP/2 did this for renegotiation. I haven't been following the
HTTP/2 client cert saga as closely, but draft-thomson-http2-client-certs-02
is the current plan, right? If so, HTTP/2 should forbid TLS-level
post-handshake auth too.

In both cases, excluding post-handshake auth should exclude any transition
from unauthenticated to authenticated in the stream. Instead, if you want
to change authentication state, send a post-handshake CertificateRequest,
as you would have normally.

David

v2.23.0 | Report a Bug | By Email