IETF Logo Mail Archive

Re: [TLS] Renegotiation and client authentication

"henry.story@bblfish.net" <henry.story@bblfish.net> Sun, 09 March 2014 17:14 UTC

Return-Path: <henry.story@bblfish.net>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7C65B1A02AD for <tls@ietfa.amsl.com>; Sun, 9 Mar 2014 10:14:01 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.6
X-Spam-Level:
X-Spam-Status: No, score=-2.6 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 5dx4holyqv0k for <tls@ietfa.amsl.com>; Sun, 9 Mar 2014 10:13:59 -0700 (PDT)
Received: from mail-wg0-f41.google.com (mail-wg0-f41.google.com [74.125.82.41]) by ietfa.amsl.com (Postfix) with ESMTP id D7BAD1A02A7 for <tls@ietf.org>; Sun, 9 Mar 2014 10:13:58 -0700 (PDT)
Received: by mail-wg0-f41.google.com with SMTP id n12so7558445wgh.12 for <tls@ietf.org>; Sun, 09 Mar 2014 10:13:53 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:subject:mime-version:content-type:from :in-reply-to:date:cc:content-transfer-encoding:message-id:references :to; bh=OIc6wXkPgqxl8XHPx1V19a2MAgmDTbAYkzHyn1gfnFo=; b=nFU2XQdv2T7jEfl9AEcHIQ+xn8LoiKVE/ttm6KL6DzJnz0aX19deW3iNdQoANBU1iW DSlBE4wW3OryuCjHGGntEYkqpehX3J6odVt48McLnn7vV+Ex2jt/oqa76eppTtN6gngR Zz1J9e+uNBqPGvS7FJEgoAkNneOfd5PzfnLCmEX1ReholpGcVyeST8fC8j7nLO3I+tWv c4lUR7t+TCUnbooZzjT9R/I45trNRiUZNuGai2VbSKI+vftqr/b8YbGYsnHPLW/76WPI DWo12NM8Knv5g1aQPLUnaEr8HK0yVkB6NpG+nwq/JhqM6en7f+QphjyTv76nR1UnXyW7 7eTQ==
X-Gm-Message-State: ALoCoQmdBgqcprDL8R5XVpY4GMoFvnlvE3krlbFRoahLHSnkDURtPbDm3baeJVH2K7X1HEtj4ikq
X-Received: by 10.180.185.197 with SMTP id fe5mr6007138wic.56.1394385233173; Sun, 09 Mar 2014 10:13:53 -0700 (PDT)
Received: from bblfish.home (AAubervilliers-651-1-65-22.w86-218.abo.wanadoo.fr. [86.218.56.22]) by mx.google.com with ESMTPSA id fo6sm4291848wib.7.2014.03.09.10.13.51 for <multiple recipients> (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Sun, 09 Mar 2014 10:13:51 -0700 (PDT)
Mime-Version: 1.0 (Mac OS X Mail 7.2 \(1874\))
Content-Type: text/plain; charset="us-ascii"
From: "henry.story@bblfish.net" <henry.story@bblfish.net>
In-Reply-To: <CABkgnnXmOyTH3=R0DkGuOUFCOv2a92ZK_7uG4tx9nALTd2pF=g@mail.gmail.com>
Date: Sun, 09 Mar 2014 18:13:14 +0100
Content-Transfer-Encoding: quoted-printable
Message-Id: <7561FE8E-B27D-4EB6-9E57-0D9A4F4236CC@bblfish.net>
References: <CABkgnnV6idrFx_=HugBvGifC-+QLdf8ao-EhsuyCG_atNe7Kkg@mail.gmail.com> <004a01cf3aea$2505d050$6f1170f0$@augustcellars.com> <CABkgnnXmOyTH3=R0DkGuOUFCOv2a92ZK_7uG4tx9nALTd2pF=g@mail.gmail.com>
To: Martin Thomson <martin.thomson@gmail.com>
X-Mailer: Apple Mail (2.1874)
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/Q1ruOxurw_ya4NKMGUgGWb1tqEM
Cc: Jim Schaad <ietf@augustcellars.com>, "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] Renegotiation and client authentication
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 09 Mar 2014 17:14:01 -0000

On 8 Mar 2014, at 17:25, Martin Thomson <martin.thomson@gmail.com> wrote:

> On 8 March 2014 16:19, Jim Schaad <ietf@augustcellars.com> wrote:
>> There is a major requirement for renegotiation for protection of the client
>> credentials that is being used in various EAP methods as well.  HTTP is not
>> the only use of this.
> 
> I'd be interested in learning whether a similar mechanism would suffice for you.
> 
> Nonetheless, this is a decision that is being made for HTTP.
> Presumably EAP could continue to use renegotiation.
> 
> I recommend you explain your use case for renegotiation, since it's at
> risk in TLS 1.3.

Btw, I have a use case for renegotiation that I would like to check here.
The WebID over TLS spec needs it as things stand at present:

http://www.w3.org/2005/Incubator/webid/spec/tls/#authentication-sequence

It's all a question of politeness: of when one should ask a client for its identity.
We need to be able to allow a well behaved site to respect people's desire for anonymity
as long as possible.
	On many sites most pages may not need client authentication at all, and only a few 
pages (which may only be accessible after a longer browse through the site) may require it. Not
having client authentication renegotiation would require the client to authenticate to the 
site before even having seen the first page. This would be akin to not allowing someone 
into a shop before they showed their ID. It may be fine in a war/military situation, but not in a 
commercial  environment. In all shops I know of one allows people to browse what is available
without bothering them for their identity. Allowing a client to browser information is what
is going to allow the client to make a decision as to the value of revealing her identity.

Also some pages MUST NOT have client authentication. For the WebID protocol this would
be the WebID profile page. Having client authentication on that page could result in an
infinite loop, since servers can be clients too in that spec. Consider what would happen
in step 6 of the spec without renegotiation:
  If Alice's server was required to authenticate to get Bob's profile, and used the WebID
enabled certificate of Alice, then Bob's server would need to authenticate Alice. This would
require it to get Alice's profile. But if that also required authentication we'd be back at 
step 6 of the diagram mentioned above, and there would be deadlock.
 

----

But perhaps with "Client Authentication Request Extension for (D)TLS" [1] mentioned earlier in this
thread the HTTP2.0 spec could be updated to allow the server in a 401 to express it's capacity
to accept TLS authentication too - perhaps even WebID certificate authentication. 
In which case browsers would be able to offer that option to their end users.

-----

Perhaps this would also solve the current problem with the need for servers to be set up in WANT or NEED 
mode (which is also a problem of politeness) and which I think is tied to 
section 7.4.6 of RFC5246 [2]. If a server is in WANT mode and asks the client for a certificate,
but the client does not wish to authenticate, then the server can continue - by for example politely
returning an HTTP 401 and a human readable error message, or by redirecting to another page 
( a login page with username-password for example ). In NEED mode the server breaks down the connection
in an ugly way - since the error handling of TLS is much less advanced than that of HTTP.
I have not yet worked out why some clients - such as curl or Opera ) only send a certificate when 
the server is in NEED mode, and not in WANT mode. ( please let me know ).

But again with "Client Authentication Request Extension for DTLS" that could be left to the HTTP
layer to ask the client for authentication, and so perhaps that problem would go away too...

Henry


[1] http://datatracker.ietf.org/doc/draft-thomson-tls-care/
[2] http://tools.ietf.org/html/rfc5246#page-55

7.4.6.  Client Certificate

   When this message will be sent:

      This is the first message the client can send after receiving a
      ServerHelloDone message.  This message is only sent if the server
      requests a certificate.  If no suitable certificate is available,
      the client MUST send a certificate message containing no
      certificates.  That is, the certificate_list structure has a
      length of zero.  If the client does not send any certificates, the
      server MAY at its discretion either continue the handshake without
      client authentication, or respond with a fatal handshake_failure
      alert.  Also, if some aspect of the certificate chain was
      unacceptable (e.g., it was not signed by a known, trusted CA), the
      server MAY at its discretion either continue the handshake
      (considering the client unauthenticated) or send a fatal alert.


> 
> _______________________________________________
> TLS mailing list
> TLS@ietf.org
> https://www.ietf.org/mailman/listinfo/tls

Social Web Architect
http://bblfish.net/

v2.23.0 | Report a Bug | By Email