[TLS] In-handshake CertificateRequest and 0-RTT
David Benjamin <davidben@chromium.org> Wed, 11 May 2016 20:45 UTC
Return-Path: <davidben@google.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E9E1212D7FE for <tls@ietfa.amsl.com>; Wed, 11 May 2016 13:45:00 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.695
X-Spam-Level:
X-Spam-Status: No, score=-3.695 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HEADER_FROM_DIFFERENT_DOMAINS=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, RP_MATCHES_RCVD=-0.996, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=chromium.org
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 6IWuNVJ3qcRO for <tls@ietfa.amsl.com>; Wed, 11 May 2016 13:44:58 -0700 (PDT)
Received: from mail-io0-x22b.google.com (mail-io0-x22b.google.com [IPv6:2607:f8b0:4001:c06::22b]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id BECC712D5C0 for <tls@ietf.org>; Wed, 11 May 2016 13:44:58 -0700 (PDT)
Received: by mail-io0-x22b.google.com with SMTP id 190so70253034iow.1 for <tls@ietf.org>; Wed, 11 May 2016 13:44:58 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org; s=google; h=mime-version:from:date:message-id:subject:to; bh=/P7WDR+722Rs+VGZp/ToRZOS30RBgsjo6P+o7hZdcy0=; b=aGczyjPHk4iFdM2iozdoYyhgeAc4uOsRGeAteAhFolwzUfCPs+Qt0ZzMUJIOTupIEC QwrHN1LENxvcVXl8KDAV0xxPTzAp70EK8LdMR8MUEzJOXKhCceJHDYti6dhGV+o2s1SX Nb76tRiGEASwNkNfJmBxG7IFYCXqOq8PPNBt0=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:from:date:message-id:subject:to; bh=/P7WDR+722Rs+VGZp/ToRZOS30RBgsjo6P+o7hZdcy0=; b=a00b7nsrh9sRym0QD4fG0/YrF7zWyrSyeLEb5thNfUKA+SqUWN/5GW8ABilDngxnNb ddEQkF9ED693FusJ/4wMMwnuJdCqOKtfJ9XO+DIanR5j56jLnxjob2p74I1ZbRnHshHk /NLp6zXZoQ2rM9Xu/l84hLV5I3ZeESA+szwTGViApR5kBze5Xg9YGhUS6kPfPUBev99a 6sgHrCnF9zwLjV6uLXgsnhx1W9sMNv6ugOLgyOA9JBk6rEcES1EOZ5rueLtyD1d/2c97 gBK7Xc+AAvn2vZEl5CcDUXhWx3w013UgrqWHwON2X6pabXs+H+jMvaqVWI8JjqRPsIHn fJiQ==
X-Gm-Message-State: AOPr4FVjZI9OjNiObf8z52CFj1wt443ZlDi79FCnvLYMNL3ZY79Yftk2qpIzHBeBkXcz4l+L8eoZzza13dsKnAfj
X-Received: by 10.36.11.84 with SMTP id 81mr6531857itd.76.1462999498014; Wed, 11 May 2016 13:44:58 -0700 (PDT)
MIME-Version: 1.0
From: David Benjamin <davidben@chromium.org>
Date: Wed, 11 May 2016 20:44:47 +0000
Message-ID: <CAF8qwaD870fuNuVnhnbKBEk3Vc4G7_AfR+mOAtvLwDYNtNgcwA@mail.gmail.com>
To: "tls@ietf.org" <tls@ietf.org>
Content-Type: multipart/alternative; boundary="001a1140c338630a730532971d73"
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/bl6dQKLMFdAeBXRnQEMS7xu3BMc>
Subject: [TLS] In-handshake CertificateRequest and 0-RTT
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 11 May 2016 20:45:01 -0000
The 0-RTT handshake originally had two places with a client Certificate + CertificateVerify: in the 0-RTT flow and in the second Finished block in response to a server CertificateRequest. We've dropped the first now. I propose we drop the second too. Client auth with 0-RTT is solely carried over via resumption. (I mentioned this previously, but with 0-RTT looking closer to resumption and the IETF 95 decision on 0.5-RTT data, I think the case is clearer.) This makes 6.2.3 more consistent with 6.2.2 where neither side authenticates in a resumption handshake. 0-RTT is much more similar to resumption with most parameters carrying over anyway. 1-RTT client auth in a 0-RTT handshake also invites more of the retroactive auth confusion as with post-handshake auth. The client stream switches from unauthenticated to authenticated. I believe this was one of the reasons we agreed at IETF 95 to discourage/forbid (not sure which) sending 0.5-RTT data following a CertificateRequest. In-handshake CertificateRequest either requires this discouraged situation or accepting 0-RTT data without sending 0.5-RTT data, which is largely pointless. We accepted the retroactive auth issue in post-handshake auth, but I think we should limit it to that. For implementations, BoringSSL made accepting renego an opt-in feature. I expect we'd do the same for post-handshake auth. For specs, one might specify that post-handshake authentication is forbidden. HTTP/2 did this for renegotiation. I haven't been following the HTTP/2 client cert saga as closely, but draft-thomson-http2-client-certs-02 is the current plan, right? If so, HTTP/2 should forbid TLS-level post-handshake auth too. In both cases, excluding post-handshake auth should exclude any transition from unauthenticated to authenticated in the stream. Instead, if you want to change authentication state, send a post-handshake CertificateRequest, as you would have normally. David
- [TLS] In-handshake CertificateRequest and 0-RTT David Benjamin
- Re: [TLS] In-handshake CertificateRequest and 0-R… Martin Thomson
- Re: [TLS] In-handshake CertificateRequest and 0-R… David Benjamin
- Re: [TLS] In-handshake CertificateRequest and 0-R… Martin Thomson
- Re: [TLS] In-handshake CertificateRequest and 0-R… Eric Rescorla
- Re: [TLS] In-handshake CertificateRequest and 0-R… David Benjamin
- Re: [TLS] In-handshake CertificateRequest and 0-R… Eric Rescorla
- Re: [TLS] In-handshake CertificateRequest and 0-R… David Benjamin
- Re: [TLS] In-handshake CertificateRequest and 0-R… Andrei Popov