IETF Logo Mail Archive

Re: [TLS] Better TLS Client Authentication

Phillip Hallam-Baker <phill@hallambaker.com> Thu, 26 May 2022 01:00 UTC

Return-Path: <hallam@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3FF49C3A3D40 for <tls@ietfa.amsl.com>; Wed, 25 May 2022 18:00:22 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.302
X-Spam-Level:
X-Spam-Status: No, score=-6.302 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FREEMAIL_FORGED_FROMDOMAIN=0.248, FREEMAIL_FROM=0.001, HEADER_FROM_DIFFERENT_DOMAINS=0.248, HTML_MESSAGE=0.001, HTTPS_HTTP_MISMATCH=0.1, RCVD_IN_DNSWL_HI=-5, RCVD_IN_MSPIKE_H2=-0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id p3hGciMFnQmn for <tls@ietfa.amsl.com>; Wed, 25 May 2022 18:00:21 -0700 (PDT)
Received: from mail-yb1-f171.google.com (mail-yb1-f171.google.com [209.85.219.171]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3B912C397F7F for <tls@ietf.org>; Wed, 25 May 2022 18:00:21 -0700 (PDT)
Received: by mail-yb1-f171.google.com with SMTP id q184so512092ybg.11 for <tls@ietf.org>; Wed, 25 May 2022 18:00:21 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=SiFmZ26pmSSIONkDHCNhXy19jxkgqXtFwKfJ3ntLTZ0=; b=qSKKWVMY/bw6ntV9uEo0y4Y2182/E3l28+d3iu/KyCTnQTssBHm2I6nb0GzKRc2kvm +6LvEOIuoSh9j62HbJr7zLPqNOY3v/wbhfFInK9en4LCamzBQt6kKv2IhsFj9/uxWyIQ qk5SOFfvB7/ovitB6wFv2BEFueYwmIfKJU0Orgh4DI63q5QNRNzA1IMiphC055ow5GhR c0g0HGhj6rNswMQnV/QnHQN58NLWIsRx1p4HzGtQ6X3DRYNF3cvNBmkBCgO/h77RN1XE UV23eFBcIQEUmF7U7FvpiSOGyyko3/Ti1H6vDtjyJID7yJ5ChhxZCmPpXnue7WR6XAf+ /5Yw==
X-Gm-Message-State: AOAM532n/f9MH9JZtQqIUgpmx4BTSWIKtNK+QIz9tkTKByVZPGiLdCMq J99tLJm8ygCdeMo2uBT0spVpkP4BtJzByxJwanU=
X-Google-Smtp-Source: ABdhPJy9xGlfwxCTT2mc9fzV+b8XktLjlIPI7NGE/wcHlFGQOBk8SxHmLtfcddezmVrQmMMfqJ8k2T5GV9B+z6oBk+c=
X-Received: by 2002:a25:b747:0:b0:653:4a3a:db28 with SMTP id e7-20020a25b747000000b006534a3adb28mr9980455ybm.82.1653526820338; Wed, 25 May 2022 18:00:20 -0700 (PDT)
MIME-Version: 1.0
References: <CAMm+LwiWnpZ7R3X_FvZijwK=WEcSnTZNEEkX19GdKvkmXwt0NA@mail.gmail.com> <MN2PR00MB0478B4440612CD370100E39A95D79@MN2PR00MB0478.namprd00.prod.outlook.com>
In-Reply-To: <MN2PR00MB0478B4440612CD370100E39A95D79@MN2PR00MB0478.namprd00.prod.outlook.com>
From: Phillip Hallam-Baker <phill@hallambaker.com>
Date: Wed, 25 May 2022 21:00:09 -0400
Message-ID: <CAMm+LwjAbn2P3aHC4bsD0cZfGNru8WXiVYKYY_rm9WLy3k13gg@mail.gmail.com>
To: Tim Cappalli <Tim.Cappalli@microsoft.com>
Cc: "tls@ietf.org" <tls@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000c0c1fa05dfdfb6f9"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/c21IiXRcdJEZPlPzyl94mwNZ3-s>
Subject: Re: [TLS] Better TLS Client Authentication
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.34
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 26 May 2022 01:00:22 -0000

If we are looking at installed footprint, then TLS Client Auth wins. Don't
accuse me of re-inventing the wheel because TLS Client Auth predates FIDO
by decades.

It is a completely different application though. FIDO was designed to
enable use of physical authenticator tokens. As far as I can see, soft
tokens are an afterthought, they don't have a strategy for provisioning
multiple devices with a private key bound to the same account.

My starting point here was that I was looking at how to make use of the
Mesh to support FIDO auth without the need for a physical token. That is
the route I expected to take. It was only when I looked into it that I
suddenly realized that I don't need any of that, I can do everything I need
with legacy browsers and legacy servers. The only thing that changes is a
client enrollment app on the client side and an authorization module in the
server.

No protocol changes, just a certificate profile.

At this point FIDO has far less deployed base than TLS Client Auth, I am
happy to support FIDO as well but why wouldn't we want both?
I really don't think I am the person suffering from Not Invented Here.


I can provide the same key mobility capabilities in WebAuthn so that users
can register for a Web site with their phone browser and then log in from
their laptop without requiring an additional registration while maintaining
the End-to-End security of the private keys. But that would require some
significant extensions to FIDO and be more of a FIDO3.

The security properties of WebAuthn and TLS Client Auth are very
different.TLS Client Auth is not limited to Web for a start. We could use
it to secure IMAP, POP3 and SUBMIT client auth.



On Tue, May 24, 2022 at 1:11 AM Tim Cappalli <Tim.Cappalli@microsoft.com>
wrote:

> You mentioned FIDO, but I didn't see a reason why you don't want to use
> it. The industry has largely accepted the mature FIDO standards stack
> (WebAuthn & CTAP) as the strong authentication method that replaces
> passwords in a privacy preserving and phishing resistant manner.
>
>
>
> Why create something new, especially using technologies that are not very
> user friendly?
>
>
>
> tim
>
>
>
> *From: *TLS <tls-bounces@ietf.org> on behalf of Phillip Hallam-Baker <
> phill@hallambaker.com>
> *Date: *Sunday, May 22, 2022 at 23:28
> *To: *tls@ietf.org <tls@ietf.org>
> *Subject: *[TLS] Better TLS Client Authentication
>
> I am looking for people interested in discussing the following proposal to
> create a profile of TLS Client Authentication certificates to enable
> transparent Web Site authentication in Philadelphia:
>
>
>
> I have a three step plan for eliminating Password Authentication
>
>
>
> 1) Deploy an open standards based, E2E secure password vault
>
> 2) Transition Web sites to use of public key authentication
>
> 3) Deploy a 2FA type scheme to address 'ceremony' use cases
>
>
>
> I don't want to get into detail here, but I believe the trick to
> eliminating passwords is to deploy a password management solution in phase
> 1 that creates a sufficiently large base of users whose devices are
> provisioned with the necessary private keys to make use of public key auth
> practical.
>
>
>
> So, I had assumed that this was all about enabling FIDO. But when I look
> at what I want to achieve and what legacy deployments provide, I suddenly
> realized I can do everything I need using TLS client auth. The only
> question is what the BEST way to do it is going to be.
>
>
>
>
>
> So I have running code that can provision key pairs and credentials to
> every device Alice owns:
>
>
>
> https://www.youtube.com/watch?v=zrBv717w8yY
> <https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.youtube.com%2Fwatch%3Fv%3DzrBv717w8yY&data=05%7C01%7Ctim.cappalli%40microsoft.com%7C8d2d1c84b14944a8b65308da3c3a07e2%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637888517206896679%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=4V4ijtshBNU5dTiZ49BgQibcjpXnaRtgpjvuvgLolCQ%3D&reserved=0>
>
>
>
> It would not take a great deal of extra effort to provision certificates
> into the Windows/MAC/etc keystores so that IE, Edge, Firefox, Chrome,
> Safari, etc. etc. can all make use of the certificates. Its just a question
> of writing a script.
>
>
>
>
>
> I am pretty sure I can get 'something' to work. But I would appreciate
> some help from folk who are closer to the real-world implementations.
>
>
>
> Reading through the specs, I think we can make it so that after an
> (optional) one time registration, Alice can just use the Web site without
> the need to ever log in ever again.
>
>
>
> The only reason Alice would ever need to repeat registration is if the Web
> Site had some policy requiring Alice to affirm that yes, this really is her
> device and she agrees to terms. That is what I call 'ceremony' and it is
> not an authentication issue. I have another way of addressing that issue.
>
>
>
>
>
> As far as I can tell, all that I really need is to write a certificate
> profile for BTCA certificates.
>
>
>
> The thing that I am dropping here is the notion that certificates are
> bound to anything other than a key. So all this is telling the site is that
> this is the same person who came to the site before. It is not providing
> the user credential PKIX is really all about.
>
>
>
> I do have some questions though. In particular whether using X.448/Ed448
> certs is practical.
>
>
>
> The big downside to my current approach is that the certs that are used
> are going to be super-linking identifiers. But we are currently losing that
> fight.
>
>
>
>
>

v2.23.0 | Report a Bug | By Email