Re: [TLS] Making TLS-Client-Certificate-Authentication Useful

Yoav Nir <ynir@checkpoint.com> Tue, 09 October 2012 05:38 UTC

From: Yoav Nir <ynir@checkpoint.com>
To: Henry Story <henry.story@bblfish.net>
Date: Tue, 09 Oct 2012 07:38:37 +0200
Cc: "tls@ietf.org list" <tls@ietf.org>

On Oct 8, 2012, at 8:05 PM, Eric Rescorla wrote:

> On Mon, Oct 8, 2012 at 11:03 AM, Henry Story <henry.story@bblfish.net> wrote:
>>> Again, I'd encourage you to describe a set of use cases that demand a change
>>> to TLS and show that there is real interest in them from site operators and the
>>> like.
>> 
>> I don't think there is anything actually needing change at the TLS layer.
> 
> Oh, good. In that case this is off-topic for this mailing list.

<plug type="shameless">

There may be another mailing list where this may be on-topic: the http-auth mailing list [1]. That one is concerned with authentication at the HTTP layer. There's also a BoF planned for Atlanta.

Note that the kind of auth discussed there is not in HTML or JS either, so plugging WebID is not really appropriate there either. However, well-supported arguments why HTTP is the wrong layer for authentication *are* appropriate for that list. Also, discussion of the UI requirements for authentication is very appropriate both on that list and at the BoF, because modifying browsers to allow customization of the authentication dialog is possible in HTTP (and HTML), but would be very strange in TLS.

If you believe you have UI expertise, and would like to discuss it in the Atlanta BoF, please contact Derek Atkins or me directly. 

</plug>

Apologies for hijacking this thread for plugging our BoF. I promise to do this only this once (at least on this mailing list).

Yoav

[1] https://www.ietf.org/mailman/listinfo/http-auth