Re: [TLS] HTTPS client-certificate-authentication in browsers

Anders Rundgren <anders.rundgren@telia.com> Wed, 27 July 2011 04:22 UTC

On 2011-07-27 02:28, Daniel Kahn Gillmor wrote:
> On 07/26/2011 09:54 PM, Anders Rundgren wrote:
>> It is actually quite hard writing an HTTPS CCA-based web app that
>> has similar login and session characteristics as one using password
>> authentication.
> 
> What's so hard about it?  Designate a URL (e.g.
> http://example.com/login) that triggers a request for client-side
> certificates.  When the user visits that URL with an acceptable
> client-side certificate, set a session cookie, and redirect them back to
> the page they were coming from.
> 
> When the user is not logged in, show them a login link that points to
> the designated URL.
> 
> When they are logged in, show them a logout link that takes them to a
> URL that clears the session cookie.
> 
> Am I missing something that makes this approach difficult or wrong?

Unlike a web application using passwords as the authentication method, you
must run the HTTPS login on another port (which typically conflicts
with standard firewall settings), and if you want logout to work
you need to kill the TLS cache in the client using methods that
at best 1 out of 100 000 "Web Programmers" have ever heard about:

Extract from a web-app of mine:

     if (document.all == null) // FF, Opera, etc.
       {
          // Mozilla-only API: forgets the cached client-cert choice and
          // the TLS session so the next handshake prompts again.
          // Guarded on the method too, since window.crypto may exist
          // without logout().
          if (window.crypto && window.crypto.logout) window.crypto.logout();
       }
     else // MSIE 6+
       {
          // IE: clears the SSL/TLS session cache (and HTTP auth credentials)
          document.execCommand('ClearAuthenticationCache');
       }

We are (de-facto) stuck with stuff that (from this perspective NB) hasn't
progressed much since Netscape introduced SSL back in 1995.

Anders