IETF Logo Mail Archive

Re: [TLS] TLS-OBC proposal

Dirk Balfanz <balfanz@google.com> Thu, 25 August 2011 06:30 UTC

Return-Path: <balfanz@google.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5E50921F8AF4 for <tls@ietfa.amsl.com>; Wed, 24 Aug 2011 23:30:15 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -105.976
X-Spam-Level:
X-Spam-Status: No, score=-105.976 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-4, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id uf2gevS552c3 for <tls@ietfa.amsl.com>; Wed, 24 Aug 2011 23:30:14 -0700 (PDT)
Received: from smtp-out.google.com (smtp-out.google.com [216.239.44.51]) by ietfa.amsl.com (Postfix) with ESMTP id 573DD21F8AF2 for <tls@ietf.org>; Wed, 24 Aug 2011 23:30:14 -0700 (PDT)
Received: from hpaq6.eem.corp.google.com (hpaq6.eem.corp.google.com [172.25.149.6]) by smtp-out.google.com with ESMTP id p7P6VOsd028799 for <tls@ietf.org>; Wed, 24 Aug 2011 23:31:24 -0700
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; d=google.com; s=beta; t=1314253884; bh=VFiOOswkuK45IYI1RuVeogQL0l0=; h=MIME-Version:In-Reply-To:References:Date:Message-ID:Subject:From: To:Cc:Content-Type; b=XonMBsvYDBAhOdE5uBna4TdKM3Jsii4kWRiUmlOWaPSaexOWuUpQyvlgeXoY3GH9j vKBEoGhEzJ2o41kfmtpDw==
DomainKey-Signature: a=rsa-sha1; s=beta; d=google.com; c=nofws; q=dns; h=dkim-signature:mime-version:in-reply-to:references:date: message-id:subject:from:to:cc:content-type:x-system-of-record; b=nFC2XpjFr1kgkFdIG00tf+kiKYod8C55KAIKL5dwlM6TFAb6HazxWFDvzNUkGrghY RVBDk3fdiiqEtjDXpXPMQ==
Received: from gyc15 (gyc15.prod.google.com [10.243.49.143]) by hpaq6.eem.corp.google.com with ESMTP id p7P6VL0Z009548 (version=TLSv1/SSLv3 cipher=RC4-SHA bits=128 verify=NOT) for <tls@ietf.org>; Wed, 24 Aug 2011 23:31:22 -0700
Received: by gyc15 with SMTP id 15so2960161gyc.25 for <tls@ietf.org>; Wed, 24 Aug 2011 23:31:21 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=beta; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=tIkOpka2XLt2oBzOYc+u5PCoTjAYkRgk1AaKpfSzAaw=; b=Io0L5wDGwaAaK1sWjBdDR7QUBkSFjpK2r7Z+j7aFZa0Rdrl+Y8DadcKzvEMTKJBQy4 7ON037QSRWVtGIJOyp2Q==
Received: by 10.91.47.27 with SMTP id z27mr1600606agj.98.1314253881244; Wed, 24 Aug 2011 23:31:21 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.91.47.27 with SMTP id z27mr1600602agj.98.1314253881015; Wed, 24 Aug 2011 23:31:21 -0700 (PDT)
Received: by 10.90.56.4 with HTTP; Wed, 24 Aug 2011 23:31:20 -0700 (PDT)
In-Reply-To: <7BAD42FE4F789E2903A528D5@nifty-silver.local>
References: <CADHfa2AMOeShxH_k5ZEB3DUVJAnOqvZmLMg5Yz8smtBDGkQsNg@mail.gmail.com> <7BAD42FE4F789E2903A528D5@nifty-silver.local>
Date: Wed, 24 Aug 2011 23:31:20 -0700
Message-ID: <CADHfa2CaLaY3QaRHheiWkvQgT1ovtFj4rnhXk0F5sFiYi1x7Vw@mail.gmail.com>
From: Dirk Balfanz <balfanz@google.com>
To: Chris Newman <chris.newman@oracle.com>
Content-Type: multipart/alternative; boundary="001485f91e0eb8fdac04ab4e93b1"
X-System-Of-Record: true
Cc: tls@ietf.org
Subject: Re: [TLS] TLS-OBC proposal
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 25 Aug 2011 06:30:15 -0000

On Tue, Aug 23, 2011 at 9:58 PM, Chris Newman <chris.newman@oracle.com>wrote:

> TLS client certificate authentication is used sometimes with email. Indeed
> it's a significant reason this draft is needed:
> draft-melnikov-pop3-over-tls-**01.txt.
>
> Some mail clients associate a single TLS client certificate with a "mail
> account" and would not benefit from OBC. Some mail clients store TLS client
> certificates in a pool and one has to be selected for a given account when
> the server requests a client certificate. Such mail clients would benefit
> from OBC. However, the two most widely deployed open source TLS stacks
> (OpenSSL & NSS) are changing very slowly. I'm skeptical that OBC provides
> enough benefit to actually get implemented and deployed in such TLS stacks.
> Do you know of implementers sufficiently interested in the feature that they
> would be willing to contribute code to OpenSSL and NSS?
>

As a proof-of-concept, we're putting support for TLS-OBC both into OpenSSL
and NSS. Whether that will ever land in the main branches depends on whether
our proof-of-concept is successful (demonstrates acceptable utility and
performance), and I guess also to a degree on whether groups like this one
find the proposal worthwhile. As you point out, there is a bit of a
chicken-and-egg problem going on here, but we _are_ writing the code for
this as we speak both for OpenSSL and NSS.

Dirk.



>
>                - Chris
>
>
> --On August 22, 2011 10:53:05 -0700 Dirk Balfanz <balfanz@google.com>
> wrote:
>
>  Dear TLS-WG,
>>
>> I few weeks ago I presented a proposal for an "origin-bound certificates"
>> TLS extension at IETF 81. It's much easier to understand what this
>> extension is trying to accomplish when presented in a broader context of
>> web authentication (which I tried to give in Quebec), so I put together a
>> little web site that is supposed to do just that for those who couldn't
>> be at the IETF meeting: http://browserauth.net (This took me a little
>> while, hence the delay in sending out the I-D).
>>
>> Anyway, here is the I-D: http://tools.ietf.org/html/**
>> draft-balfanz-tls-obc <http://tools.ietf.org/html/draft-balfanz-tls-obc>,
>> which I submit for your comments/feedback. (Again, remember to read
>> http://browserauth.net for some context.)
>>
>> All feedback is welcome, of course, but if you can't think of anything to
>> comment on, I have a couple particular questions:
>>
>> - in Section 2.1.1 we currently stipulate that the client include the
>> origin of the origin-bound cert as part of the OBC X.509 extension. When
>> we implemented this, we didn't really know what to do with that data on
>> the server side. If the client also uses TLS-SNI, then we could imagine
>> comparing the SNI and OBC origins in some manner on the server side, but
>> there isn't really a vehicle to signal an error back to the client saying
>> "your SNI and OBC origins don't match". Similarly, we could perhaps at
>> some higher layer compare the HTTP "Host" header with the OBC origin, but
>> then again - what do you do when they don't match? Respond with a 400 at
>> the HTTP layer? An alternative to the current language in the I-D would
>> be to simply mark the cert as origin-bound, but without putting the
>> origin itself into the cert. Any thoughts?
>>
>> - What do you think of the privacy-enhancing power of using per-origin
>> certs? The idea there is that different domains see different "identities"
>> (public keys) for the same client. Of course, if two domains choose to
>> collaborate, they can probably find a way to correlate the two identities
>> they see for the same client. This is similar to cookies, where normally
>> "identities" (cookies) for one domain are not revealed to another domain
>> unless, of course, they choose to collaborate. How much privacy would we
>> really lose if we just used one certificate for all origins? It would
>> certainly make the design and implementation simpler. (I tend to favor
>> per-origin certs, but I'm curious as to what other people think.)
>>
>> Thanks for your consideration!
>>
>> Dirk.
>>
>>
>
>
>
>

v2.23.0 | Report a Bug | By Email