Re: [TLS] Better TLS Client Authentication
Phillip Hallam-Baker <phill@hallambaker.com> Thu, 26 May 2022 01:00 UTC
Return-Path: <hallam@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3FF49C3A3D40 for <tls@ietfa.amsl.com>; Wed, 25 May 2022 18:00:22 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.302
X-Spam-Level:
X-Spam-Status: No, score=-6.302 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FREEMAIL_FORGED_FROMDOMAIN=0.248, FREEMAIL_FROM=0.001, HEADER_FROM_DIFFERENT_DOMAINS=0.248, HTML_MESSAGE=0.001, HTTPS_HTTP_MISMATCH=0.1, RCVD_IN_DNSWL_HI=-5, RCVD_IN_MSPIKE_H2=-0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id p3hGciMFnQmn for <tls@ietfa.amsl.com>; Wed, 25 May 2022 18:00:21 -0700 (PDT)
Received: from mail-yb1-f171.google.com (mail-yb1-f171.google.com [209.85.219.171]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3B912C397F7F for <tls@ietf.org>; Wed, 25 May 2022 18:00:21 -0700 (PDT)
Received: by mail-yb1-f171.google.com with SMTP id q184so512092ybg.11 for <tls@ietf.org>; Wed, 25 May 2022 18:00:21 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=SiFmZ26pmSSIONkDHCNhXy19jxkgqXtFwKfJ3ntLTZ0=; b=qSKKWVMY/bw6ntV9uEo0y4Y2182/E3l28+d3iu/KyCTnQTssBHm2I6nb0GzKRc2kvm +6LvEOIuoSh9j62HbJr7zLPqNOY3v/wbhfFInK9en4LCamzBQt6kKv2IhsFj9/uxWyIQ qk5SOFfvB7/ovitB6wFv2BEFueYwmIfKJU0Orgh4DI63q5QNRNzA1IMiphC055ow5GhR c0g0HGhj6rNswMQnV/QnHQN58NLWIsRx1p4HzGtQ6X3DRYNF3cvNBmkBCgO/h77RN1XE UV23eFBcIQEUmF7U7FvpiSOGyyko3/Ti1H6vDtjyJID7yJ5ChhxZCmPpXnue7WR6XAf+ /5Yw==
X-Gm-Message-State: AOAM532n/f9MH9JZtQqIUgpmx4BTSWIKtNK+QIz9tkTKByVZPGiLdCMq J99tLJm8ygCdeMo2uBT0spVpkP4BtJzByxJwanU=
X-Google-Smtp-Source: ABdhPJy9xGlfwxCTT2mc9fzV+b8XktLjlIPI7NGE/wcHlFGQOBk8SxHmLtfcddezmVrQmMMfqJ8k2T5GV9B+z6oBk+c=
X-Received: by 2002:a25:b747:0:b0:653:4a3a:db28 with SMTP id e7-20020a25b747000000b006534a3adb28mr9980455ybm.82.1653526820338; Wed, 25 May 2022 18:00:20 -0700 (PDT)
MIME-Version: 1.0
References: <CAMm+LwiWnpZ7R3X_FvZijwK=WEcSnTZNEEkX19GdKvkmXwt0NA@mail.gmail.com> <MN2PR00MB0478B4440612CD370100E39A95D79@MN2PR00MB0478.namprd00.prod.outlook.com>
In-Reply-To: <MN2PR00MB0478B4440612CD370100E39A95D79@MN2PR00MB0478.namprd00.prod.outlook.com>
From: Phillip Hallam-Baker <phill@hallambaker.com>
Date: Wed, 25 May 2022 21:00:09 -0400
Message-ID: <CAMm+LwjAbn2P3aHC4bsD0cZfGNru8WXiVYKYY_rm9WLy3k13gg@mail.gmail.com>
To: Tim Cappalli <Tim.Cappalli@microsoft.com>
Cc: "tls@ietf.org" <tls@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000c0c1fa05dfdfb6f9"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/c21IiXRcdJEZPlPzyl94mwNZ3-s>
Subject: Re: [TLS] Better TLS Client Authentication
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.34
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 26 May 2022 01:00:22 -0000
If we are looking at installed footprint, then TLS Client Auth wins. Don't accuse me of re-inventing the wheel because TLS Client Auth predates FIDO by decades. It is a completely different application though. FIDO was designed to enable use of physical authenticator tokens. As far as I can see, soft tokens are an afterthought, they don't have a strategy for provisioning multiple devices with a private key bound to the same account. My starting point here was that I was looking at how to make use of the Mesh to support FIDO auth without the need for a physical token. That is the route I expected to take. It was only when I looked into it that I suddenly realized that I don't need any of that, I can do everything I need with legacy browsers and legacy servers. The only thing that changes is a client enrollment app on the client side and an authorization module in the server. No protocol changes, just a certificate profile. At this point FIDO has far less deployed base than TLS Client Auth, I am happy to support FIDO as well but why wouldn't we want both? I really don't think I am the person suffering from Not Invented Here. I can provide the same key mobility capabilities in WebAuthn so that users can register for a Web site with their phone browser and then log in from their laptop without requiring an additional registration while maintaining the End-to-End security of the private keys. But that would require some significant extensions to FIDO and be more of a FIDO3. The security properties of WebAuthn and TLS Client Auth are very different.TLS Client Auth is not limited to Web for a start. We could use it to secure IMAP, POP3 and SUBMIT client auth. On Tue, May 24, 2022 at 1:11 AM Tim Cappalli <Tim.Cappalli@microsoft.com> wrote: > You mentioned FIDO, but I didn't see a reason why you don't want to use > it. The industry has largely accepted the mature FIDO standards stack > (WebAuthn & CTAP) as the strong authentication method that replaces > passwords in a privacy preserving and phishing resistant manner. > > > > Why create something new, especially using technologies that are not very > user friendly? > > > > tim > > > > *From: *TLS <tls-bounces@ietf.org> on behalf of Phillip Hallam-Baker < > phill@hallambaker.com> > *Date: *Sunday, May 22, 2022 at 23:28 > *To: *tls@ietf.org <tls@ietf.org> > *Subject: *[TLS] Better TLS Client Authentication > > I am looking for people interested in discussing the following proposal to > create a profile of TLS Client Authentication certificates to enable > transparent Web Site authentication in Philadelphia: > > > > I have a three step plan for eliminating Password Authentication > > > > 1) Deploy an open standards based, E2E secure password vault > > 2) Transition Web sites to use of public key authentication > > 3) Deploy a 2FA type scheme to address 'ceremony' use cases > > > > I don't want to get into detail here, but I believe the trick to > eliminating passwords is to deploy a password management solution in phase > 1 that creates a sufficiently large base of users whose devices are > provisioned with the necessary private keys to make use of public key auth > practical. > > > > So, I had assumed that this was all about enabling FIDO. But when I look > at what I want to achieve and what legacy deployments provide, I suddenly > realized I can do everything I need using TLS client auth. The only > question is what the BEST way to do it is going to be. > > > > > > So I have running code that can provision key pairs and credentials to > every device Alice owns: > > > > https://www.youtube.com/watch?v=zrBv717w8yY > <https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.youtube.com%2Fwatch%3Fv%3DzrBv717w8yY&data=05%7C01%7Ctim.cappalli%40microsoft.com%7C8d2d1c84b14944a8b65308da3c3a07e2%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637888517206896679%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=4V4ijtshBNU5dTiZ49BgQibcjpXnaRtgpjvuvgLolCQ%3D&reserved=0> > > > > It would not take a great deal of extra effort to provision certificates > into the Windows/MAC/etc keystores so that IE, Edge, Firefox, Chrome, > Safari, etc. etc. can all make use of the certificates. Its just a question > of writing a script. > > > > > > I am pretty sure I can get 'something' to work. But I would appreciate > some help from folk who are closer to the real-world implementations. > > > > Reading through the specs, I think we can make it so that after an > (optional) one time registration, Alice can just use the Web site without > the need to ever log in ever again. > > > > The only reason Alice would ever need to repeat registration is if the Web > Site had some policy requiring Alice to affirm that yes, this really is her > device and she agrees to terms. That is what I call 'ceremony' and it is > not an authentication issue. I have another way of addressing that issue. > > > > > > As far as I can tell, all that I really need is to write a certificate > profile for BTCA certificates. > > > > The thing that I am dropping here is the notion that certificates are > bound to anything other than a key. So all this is telling the site is that > this is the same person who came to the site before. It is not providing > the user credential PKIX is really all about. > > > > I do have some questions though. In particular whether using X.448/Ed448 > certs is practical. > > > > The big downside to my current approach is that the certs that are used > are going to be super-linking identifiers. But we are currently losing that > fight. > > > > >
- [TLS] Better TLS Client Authentication Phillip Hallam-Baker
- Re: [TLS] Better TLS Client Authentication Anders Rundgren
- Re: [TLS] Better TLS Client Authentication Tim Cappalli
- Re: [TLS] Better TLS Client Authentication Blumenthal, Uri - 0553 - MITLL
- Re: [TLS] Better TLS Client Authentication Jonathan Hoyland
- Re: [TLS] Better TLS Client Authentication Phillip Hallam-Baker
- Re: [TLS] Better TLS Client Authentication Phillip Hallam-Baker
- Re: [TLS] Better TLS Client Authentication Blumenthal, Uri - 0553 - MITLL
- Re: [TLS] Better TLS Client Authentication Phillip Hallam-Baker