Re: [TLS] Review of PR #209

Andrei Popov <> Wed, 16 September 2015 18:11 UTC

Return-Path: <>
Received: from localhost ( []) by (Postfix) with ESMTP id 73CCE1B4102 for <>; Wed, 16 Sep 2015 11:11:10 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2.002
X-Spam-Status: No, score=-2.002 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id RIot5qVAUMjN for <>; Wed, 16 Sep 2015 11:11:07 -0700 (PDT)
Received: from ( []) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id C33D11B4100 for <>; Wed, 16 Sep 2015 11:11:07 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=selector1; h=From:To:Date:Subject:Message-ID:Content-Type:MIME-Version; bh=2PDa8kSv6ZP8b9f5IDWS+49KmJBtdm9vpOSK89fraBM=; b=JWBG2T4wXzfyIIuvxoOCk9VXXKFh7cn/88HwgfhDdg9dkKZVDqrrtjh3+/wVNZn+wGcFRWLwuM+NbonBmlnQ5r0n8DyfHFUerdpMiNEc/3jZuJEeBYBfHYSnLu8xNnVYcHnzC2joj3kfPkuJjjYYPt5hRbD8gsB3TEy4nLSuZH4=
Received: from ( by ( with Microsoft SMTP Server (TLS) id; Wed, 16 Sep 2015 18:11:06 +0000
Received: from ([]) by ([]) with mapi id 15.01.0268.017; Wed, 16 Sep 2015 18:11:06 +0000
From: Andrei Popov <>
To: Martin Thomson <>, Ilari Liusvaara <>
Thread-Topic: [TLS] Review of PR #209
Thread-Index: AQHQxuqZE5b0AgbP4UGzDBeqZzcHy54+TSMggAFOUoCAACZ9gIAABXig
Date: Wed, 16 Sep 2015 18:11:06 +0000
Message-ID: <>
References: <> <> <20150916153041.GA14682@LK-Perkele-VII> <>
In-Reply-To: <>
Accept-Language: en-US
Content-Language: en-US
authentication-results: spf=none (sender IP is );
x-originating-ip: [2001:4898:80e8:4::1d2]
x-microsoft-exchange-diagnostics: 1; BLUPR03MB1396; 5:hLWRBMB2+gZQ84lPhQ0NqKLzxjHtJr301zHtQKsRThSui8KEGqTZl0HvvRkX9dWorYvX4mkekupObSTlgpRQhMfOFllPvWGYEiu/iaHiFtWIPn7AHdskKYzX6HA3cYX+iqNpunFC8hi0KH+oqwByQw==; 24:W8p8Whi3pn2IOPqM7ORj0FQ5vFRtI3wrmQp7Hphz2vuLRA2IJITDqiGobztsAgfW7M7WMabP+Odd8sM36KvgFnSTL0oTMYC/WvzzuJ7o4pk=; 20:k5wbM7RyclWDh0CGs1fWQ8ioNVR3bpky8TF8lzTmfN/BkQ/DY1TmpMRZ7LV17ATVPAiPJ1s4/R3EliGzZBCySw==
x-microsoft-antispam: UriScan:;BCL:0;PCL:0;RULEID:;SRVR:BLUPR03MB1396;
x-microsoft-antispam-prvs: <>
x-exchange-antispam-report-test: UriScan:(108003899814671);
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(601004)(2401001)(5005006)(8121501046)(520078)(520075)(3002001); SRVR:BLUPR03MB1396; BCL:0; PCL:0; RULEID:; SRVR:BLUPR03MB1396;
x-forefront-prvs: 07013D7479
x-forefront-antispam-report: SFV:NSPM; SFS:(10019020)(6009001)(51444003)(13464003)(199003)(189002)(24454002)(377454003)(86362001)(5003600100002)(76176999)(5001830100001)(11100500001)(5001770100001)(2950100001)(62966003)(97736004)(102836002)(86612001)(87936001)(10400500002)(74316001)(77096005)(5001960100002)(189998001)(2900100001)(81156007)(92566002)(4001540100001)(76576001)(68736005)(64706001)(5001860100001)(5002640100001)(33656002)(5007970100001)(106116001)(46102003)(10090500001)(77156002)(8990500004)(122556002)(105586002)(106356001)(99286002)(5005710100001)(10290500002)(54356999)(40100003)(19580405001)(93886004)(101416001)(50986999)(19580395003)(5004730100002)(3826002); DIR:OUT; SFP:1102; SCL:1; SRVR:BLUPR03MB1396;; FPR:; SPF:None; PTR:InfoNoRecords; A:1; MX:1; LANG:en;
received-spf: None ( does not designate permitted sender hosts)
spamdiagnosticoutput: 1:23
spamdiagnosticmetadata: NSPM
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-MS-Exchange-CrossTenant-originalarrivaltime: 16 Sep 2015 18:11:06.1201 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 72f988bf-86f1-41af-91ab-2d7cd011db47
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BLUPR03MB1396
Archived-At: <>
Cc: "" <>
Subject: Re: [TLS] Review of PR #209
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Wed, 16 Sep 2015 18:11:10 -0000

Martin's point makes sense to me: applications that need to do authentication upfront can still do that immediately after the handshake.



-----Original Message-----
From: Martin Thomson [] 
Sent: Wednesday, September 16, 2015 10:48 AM
To: Ilari Liusvaara <>
Cc: Andrei Popov <>om>;
Subject: Re: [TLS] Review of PR #209

On 16 September 2015 at 08:30, Ilari Liusvaara <> wrote:
> Problem with pulling client auth out of the handshake is that it 
> complicates applications that can't change identities involved with 
> active connection.

Why would that be unsupported here?  The server can still send CertificateRequest immediately after its Finished.  That looks exactly like it does today, only the order has changed.

> As then the application needs to ensure that the authentication occurs 
> between TLS handshake and actually starting up the protocol.

I'm not sure that is necessarily a problem.  If the claim is that the authentication attests to everything prior to its appearance, then you have no problem.  I think that claim is reasonable, but I'm happy to discuss it.

>> 2. The client can send Certificate and CertificateVerify at any time 
>> application data is permitted, regardless of whether the server had 
>> previously sent CertificateRequest.
> CertificateRequest contains the permitted signature algorithms for the 
> PoP signature, which TLS library needs to verify before dumping the 
> certificate chain on application (which can then figure out things 
> like trust anchors).
> Without CertificateRequest, one has little idea what algorithms are 
> acceptable there.

Arguably, signature_algorithms covers that adequately.  Though I'll grant that certificate chain validation often happens in a separate component to the TLS stuff.

> Basically, one must clear the pipeline before changing identities, and 
> with protocols like HTTP/2, this is extremely expensive (seemingly 
> even more expensive than establishing a new connecion).

There's been some confusion about this with HTTP/2.  I think that if you adopt the position that authentication applies to the entire session - even retroactively - then the only remaining concern is the correlation one.  If you have three tabs to the site open where all of them are making requests and you see a certificate request, which one do you pop the dialog on?

> Also, it should sign the certificate, to avoid possible weirdness due 
> to signatures not properly binding the key (some schemes do, most 
> don't).

I agree with this.