[TLS] Register port for https+client cert (was Re: draft-rescorla-tls-renegotiate.txt)

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[TLS] Register port for https+client cert (was Re: draft-rescorla-tls-renegotiate.txt)

To: mrex at sap.com
Subject: [TLS] Register port for https+client cert (was Re: draft-rescorla-tls-renegotiate.txt)
From: Chris Newman <Chris.Newman at Sun.COM>
Date: Wed, 11 Nov 2009 15:59:26 -0800
Cc: tls at ietf.org
Delivered-to: tls at core3.amsl.com
In-reply-to: <200911070100.nA710jJO018486 at fs4113.wdf.sap.corp>
List-archive: <http://www.ietf.org/mail-archive/web/tls>
List-help: <mailto:tls-request@ietf.org?subject=help>
List-id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-post: <mailto:tls@ietf.org>
List-subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
List-unsubscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
References: <200911070100.nA710jJO018486 at fs4113.wdf.sap.corp>
Sender: Chris.Newman at Sun.COM

--On November 7, 2009 2:00:45 +0100 Martin Rex <mrex at sap.com> wrote:

Should we ask for an additional port to be officially allocated
to http-over-ssl-with-client-cert


This is a good idea.

HTTP authentication is particularly badly designed, but we can't really fixit so we have to live with it. Having a separate port forHTTP-with-client-cert-mandatory where the server can "just know" thatclient certs will be present in the initial handshake and will never berenegotiated, and the client can "just know" it has to prompt the user forclient cert selection removes some of the need for all the security"fudging" HTTP does and thus is an overall security improvement, IMHO.

I would not want other protocols to copy this mess, however -- applicationprotocols should have a clean and simple state transition between "notauthenticated" and "authenticated" state. POP, IMAP, XMPP, LDAP, BEEP andeven Telnet did this better than HTTP.


		- Chris

References:
- Re: [TLS] draft-rescorla-tls-renegotiate.txt
  - From: Martin Rex

Prev by Date: Re: [TLS] TLS or HTTP issue? (was: TLS renegotiation issue)
Next by Date: Re: [TLS] Implementing https://svn.resiprocate.org/rep/ietf-drafts/ekr/draft-rescorla-tls-renegotiate.txt
Previous by thread: Re: [TLS] draft-rescorla-tls-renegotiate.txt
Next by thread: [TLS] Comments on draft-rescorla-tls-renegotiate.txt
Index(es):
- Date
- Thread

[TLS] Register port for https+client cert (was Re: draft-rescorla-tls-renegotiate.txt)

Note: Messages sent to this list are the opinions of the senders and do not imply endorsement by the IETF.