[TLS] Authenticating the client-facing server with an IP-based certificate

Christopher Wood <caw@heapingbits.net> Wed, 21 April 2021 00:34 UTC

Message-Id: <38f4c969-90d8-478e-9c3d-0bdf538dabed@www.fastmail.com>
Date: Tue, 20 Apr 2021 17:33:47 -0700
From: Christopher Wood <caw@heapingbits.net>
To: "TLS@ietf.org" <TLS@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/wxsh_QykUiSY6jkkDE34SuPEcvA>
Subject: [TLS] Authenticating the client-facing server with an IP-based certificate

Issue #424 tracks whether or not we want to allow clients to authenticate client-facing servers with an IP-based certificate:

   https://github.com/tlswg/draft-ietf-tls-esni/issues/424

There are a number of different proposals for _how_ we might enable this, varying in how the name and addresses are encoded in ECHConfig structures, how these interact with atypical client connection setups (through a proxy, for example), and so on. Complexity abounds. 

Taking a step back, it would be great if we could reach consensus on whether or not this is a use case we actually want to solve. If it's not, then the design space seems quite a bit smaller and more manageable in comparison. To that end, it would be great if folks could chime in here on whether or not they support this particular use case (with rationale as needed).

Thanks!
Chris (no hat)
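For readers less familiar with what "authenticating with an IP-based certificate" means at the X.509 layer, here is an added example (not part of the post above, and not code from the ECH draft or any implementation) using only Go's standard crypto/x509 package. It mints two throwaway self-signed certificates, one carrying an iPAddress subject alternative name and one carrying a dNSName SAN, and shows how a client's name check behaves when the identity it expects is an IP literal versus a DNS name. The addresses 192.0.2.10/.11 and the name public.example are constructed placeholders.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// MakeCert builds a self-signed end-entity certificate carrying the given
// dNSName and iPAddress subject alternative names. Constructed for this
// example only; nothing here is a real client-facing server's certificate.
func MakeCert(dnsNames []string, ips []string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	var ipSANs []net.IP
	for _, s := range ips {
		ip := net.ParseIP(s)
		if ip == nil {
			return nil, fmt.Errorf("not an IP literal: %q", s)
		}
		ipSANs = append(ipSANs, ip)
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "client-facing"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		DNSNames:     dnsNames,
		IPAddresses:  ipSANs,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// MatchesPeer reports whether cert is valid for the identity the client has
// decided to authenticate: either a DNS name or an IP literal (the kind of
// value an ECHConfig public_name would carry if the use case in issue #424
// were adopted; that encoding is an assumption, not draft text). Go's
// VerifyHostname matches an IP literal only against iPAddress SANs and a DNS
// name only against dNSName SANs; the Subject CN is ignored in both cases.
func MatchesPeer(cert *x509.Certificate, expected string) bool {
	return cert.VerifyHostname(expected) == nil
}

func main() {
	ipCert, err := MakeCert(nil, []string{"192.0.2.10"})
	if err != nil {
		panic(err)
	}
	dnsCert, err := MakeCert([]string{"public.example"}, nil)
	if err != nil {
		panic(err)
	}
	fmt.Println(MatchesPeer(ipCert, "192.0.2.10"))      // iPAddress SAN matches the connection address
	fmt.Println(MatchesPeer(ipCert, "192.0.2.11"))      // a different address does not match
	fmt.Println(MatchesPeer(ipCert, "client-facing"))   // the Subject CN is not used for matching
	fmt.Println(MatchesPeer(dnsCert, "public.example")) // dNSName SAN matches the expected name
	fmt.Println(MatchesPeer(dnsCert, "192.0.2.10"))     // a DNS-name cert does not authenticate an IP, even if the name resolves there
}
```

The last line is the crux of the issue: a client that only knows the client-facing server's address cannot be satisfied by a certificate whose SANs are all dNSName entries, so supporting the use case means both putting an iPAddress SAN in the server's certificate and giving the client some encoding of that address to check against.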