idnits 2.17.1 draft-ietf-httpbis-client-cert-field-01.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- No issues found here. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the IETF Trust and authors Copyright Line does not match the current year -- The document date (25 January 2022) is 819 days in the past. Is this intentional? Checking references for intended status: Informational ---------------------------------------------------------------------------- -- Obsolete informational reference (is this intentional?): RFC 5246 (Obsoleted by RFC 8446) -- Obsolete informational reference (is this intentional?): RFC 7540 (Obsoleted by RFC 9113) -- Obsolete informational reference (is this intentional?): RFC 8740 (Obsoleted by RFC 9113) -- Obsolete informational reference (is this intentional?): RFC 7230 (Obsoleted by RFC 9110, RFC 9112) Summary: 0 errors (**), 0 flaws (~~), 1 warning (==), 5 comments (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 HTTP B. Campbell 3 Internet-Draft Ping Identity 4 Intended status: Informational M. Bishop, Ed. 5 Expires: 29 July 2022 Akamai 6 25 January 2022 8 Client-Cert HTTP Header Field 9 draft-ietf-httpbis-client-cert-field-01 11 Abstract 13 This document defines HTTP extension header fields that allow a TLS 14 terminating reverse proxy to convey the client certificate 15 information of a mutually-authenticated TLS connection to the origin 16 server in a common and predictable manner. 18 About This Document 20 This note is to be removed before publishing as an RFC. 22 Status information for this document may be found at 23 https://datatracker.ietf.org/doc/draft-ietf-httpbis-client-cert- 24 field/. 26 Discussion of this document takes place on the HTTP Working Group 27 mailing list (mailto:ietf-http-wg@w3.org), which is archived at 28 https://lists.w3.org/Archives/Public/ietf-http-wg/. Working Group 29 information can be found at https://httpwg.org/. 31 Source for this draft and an issue tracker can be found at 32 https://github.com/httpwg/http-extensions/labels/client-cert-field. 34 Status of This Memo 36 This Internet-Draft is submitted in full conformance with the 37 provisions of BCP 78 and BCP 79. 39 Internet-Drafts are working documents of the Internet Engineering 40 Task Force (IETF). Note that other groups may also distribute 41 working documents as Internet-Drafts. The list of current Internet- 42 Drafts is at https://datatracker.ietf.org/drafts/current/. 44 Internet-Drafts are draft documents valid for a maximum of six months 45 and may be updated, replaced, or obsoleted by other documents at any 46 time. It is inappropriate to use Internet-Drafts as reference 47 material or to cite them other than as "work in progress." 48 This Internet-Draft will expire on 29 July 2022. 50 Copyright Notice 52 Copyright (c) 2022 IETF Trust and the persons identified as the 53 document authors. All rights reserved. 55 This document is subject to BCP 78 and the IETF Trust's Legal 56 Provisions Relating to IETF Documents (https://trustee.ietf.org/ 57 license-info) in effect on the date of publication of this document. 58 Please review these documents carefully, as they describe your rights 59 and restrictions with respect to this document. Code Components 60 extracted from this document must include Revised BSD License text as 61 described in Section 4.e of the Trust Legal Provisions and are 62 provided without warranty as described in the Revised BSD License. 64 Table of Contents 66 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3 67 1.1. Requirements Notation and Conventions . . . . . . . . . . 4 68 1.2. Terminology . . . . . . . . . . . . . . . . . . . . . . . 4 69 2. HTTP Header Fields and Processing Rules . . . . . . . . . . . 4 70 2.1. Encoding . . . . . . . . . . . . . . . . . . . . . . . . 5 71 2.2. Client-Cert HTTP Header Field . . . . . . . . . . . . . . 5 72 2.3. Client-Cert-Chain HTTP Header Field . . . . . . . . . . . 6 73 2.4. Processing Rules . . . . . . . . . . . . . . . . . . . . 6 74 3. Deployment Considerations . . . . . . . . . . . . . . . . . . 7 75 3.1. Header Field Compression . . . . . . . . . . . . . . . . 8 76 3.2. Header Block Size . . . . . . . . . . . . . . . . . . . . 8 77 4. Security Considerations . . . . . . . . . . . . . . . . . . . 8 78 5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 9 79 5.1. HTTP Field Name Registrations . . . . . . . . . . . . . . 9 80 6. References . . . . . . . . . . . . . . . . . . . . . . . . . 9 81 6.1. Normative References . . . . . . . . . . . . . . . . . . 10 82 6.2. Informative References . . . . . . . . . . . . . . . . . 10 83 Appendix A. Example . . . . . . . . . . . . . . . . . . . . . . 12 84 Appendix B. Considerations Considered . . . . . . . . . . . . . 13 85 B.1. Field Injection . . . . . . . . . . . . . . . . . . . . . 14 86 B.2. The Forwarded HTTP Extension . . . . . . . . . . . . . . 14 87 B.3. The Whole Certificate and Certificate Chain . . . . . . . 14 88 Appendix C. Acknowledgements . . . . . . . . . . . . . . . . . . 15 89 Appendix D. Document History . . . . . . . . . . . . . . . . . . 16 90 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 17 92 1. Introduction 94 A fairly common deployment pattern for HTTPS applications is to have 95 the origin HTTP application servers sit behind a reverse proxy that 96 terminates TLS connections from clients. The proxy is accessible to 97 the internet and dispatches client requests to the appropriate origin 98 server within a private or protected network. The origin servers are 99 not directly accessible by clients and are only reachable through the 100 reverse proxy. The backend details of this type of deployment are 101 typically opaque to clients who make requests to the proxy server and 102 see responses as though they originated from the proxy server itself. 103 Although HTTPS is also usually employed between the proxy and the 104 origin server, the TLS connection that the client establishes for 105 HTTPS is only between itself and the reverse proxy server. 107 The deployment pattern is found in a number of varieties such as 108 n-tier architectures, content delivery networks, application load 109 balancing services, and ingress controllers. 111 Although not exceedingly prevalent, TLS client certificate 112 authentication is sometimes employed and in such cases the origin 113 server often requires information about the client certificate for 114 its application logic. Such logic might include access control 115 decisions, audit logging, and binding issued tokens or cookies to a 116 certificate, and the respective validation of such bindings. The 117 specific details from the certificate needed also vary with the 118 application requirements. In order for these types of application 119 deployments to work in practice, the reverse proxy needs to convey 120 information about the client certificate to the origin application 121 server. A common way this information is conveyed in practice today 122 is by using non-standard fields to carry the certificate (in some 123 encoding) or individual parts thereof in the HTTP request that is 124 dispatched to the origin server. This solution works but 125 interoperability between independently developed components can be 126 cumbersome or even impossible depending on the implementation choices 127 respectively made (like what field names are used or are 128 configurable, which parts of the certificate are exposed, or how the 129 certificate is encoded). A well-known predictable approach to this 130 commonly occurring functionality could improve and simplify 131 interoperability between independent implementations. 133 This document aspires to standardize two HTTP header fields, Client- 134 Cert and Client-Cert-Chain, which a TLS terminating reverse proxy 135 (TTRP) adds to requests sent to the backend origin servers. The 136 Client-Cert field value contains the end-entity client certificate 137 from the mutually-authenticated TLS connection between the 138 originating client and the TTRP. Optionally, the Client-Cert-Chain 139 field value contains the certificate chain used for validation of the 140 end-entity certificate. This enables the backend origin server to 141 utilize the client certificate information in its application logic. 142 While there may be additional proxies or hops between the TTRP and 143 the origin server (potentially even with mutually-authenticated TLS 144 connections between them), the scope of the Client-Cert header field 145 is intentionally limited to exposing to the origin server the 146 certificate that was presented by the originating client in its 147 connection to the TTRP. 149 1.1. Requirements Notation and Conventions 151 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", 152 "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and 153 "OPTIONAL" in this document are to be interpreted as described in 154 BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all 155 capitals, as shown here. 157 1.2. Terminology 159 Phrases like TLS client certificate authentication or mutually- 160 authenticated TLS are used throughout this document to refer to the 161 process whereby, in addition to the normal TLS server authentication 162 with a certificate, a client presents its X.509 certificate [RFC5280] 163 and proves possession of the corresponding private key to a server 164 when negotiating a TLS connection or the resumption of such a 165 connection. In contemporary versions of TLS [RFC8446] [RFC5246] this 166 requires that the client send the Certificate and CertificateVerify 167 messages during the handshake and for the server to verify the 168 CertificateVerify and Finished messages. 170 HTTP/2 restricts TLS 1.2 renegotiation (Section 9.2.1 of [RFC7540]) 171 and prohibits TLS 1.3 post-handshake authentication [RFC8740]. 172 However, they are sometimes used to implement reactive client 173 certificate authentication in HTTP/1.1 [RFC7230] where the server 174 decides whether to request a client certificate based on the HTTP 175 request. HTTP application data sent on such a connection after 176 receipt and verification of the client certificate is also mutually- 177 authenticated and thus suitable for the mechanisms described in this 178 document. 180 2. HTTP Header Fields and Processing Rules 182 This document designates the following headers, defined further in 183 Section 2.2 and Section 2.3 respectively, to carry the client 184 certificate information of a mutually-authenticated TLS connection 185 from a reverse proxy to origin server. 187 Client-Cert: Conveys the end-entity certificate used by the client 188 in the TLS handshake with the reverse proxy from the reverse proxy 189 to the origin server. 191 Client-Cert-Chain: Conveys the certificate chain used for validation 192 of the end-entity certificate used by the client in the TLS 193 handshake from the reverse proxy to the origin server. 195 2.1. Encoding 197 The headers in this document encode certificates as Structured Field 198 Byte Sequences (Section 3.3.5 of [RFC8941]) where the value of the 199 binary data is a DER encoded [ITU.X690.1994] X.509 certificate 200 [RFC5280]. In effect, this means that the binary DER certificate is 201 encoded using base64 (without line breaks, spaces, or other 202 characters outside the base64 alphabet) and delimited with colons on 203 either side. 205 Note that certificates are often stored encoded in a textual format, 206 such as the one described in Section 5.1 of [RFC7468], which is 207 already nearly compatible with a Structured Field Byte Sequence; if 208 so, it will be sufficient to replace ---(BEGIN|END) CERTIFICATE--- 209 with : and remove line breaks in order to generate an appropriate 210 item. 212 2.2. Client-Cert HTTP Header Field 214 In the context of a TLS terminating reverse proxy deployment, the 215 proxy makes the TLS client certificate available to the backend 216 application with the Client-Cert HTTP header field. This field 217 contains the end-entity certificate used by the client in the TLS 218 handshake. 220 Client-Cert is an Item Structured Header [RFC8941]. Its value MUST 221 be a Byte Sequence (Section 3.3.5 of [RFC8941]). Its ABNF is: 223 Client-Cert = sf-binary 225 The value of the header is encoded as described in Section 2.1. 227 The Client-Cert header field is only for use in HTTP requests and 228 MUST NOT be used in HTTP responses. It is a single HTTP header field 229 value as defined in Section 3.2 of [RFC7230], which MUST NOT have a 230 list of values or occur multiple times in a request. 232 2.3. Client-Cert-Chain HTTP Header Field 234 In the context of a TLS terminating reverse proxy deployment, the 235 proxy MAY make the certificate chain used for validation of the end- 236 entity certificate available to the backend application with the 237 Client-Cert-Chain HTTP header field. This field contains 238 certificates used by the proxy to validate the certificate used by 239 the client in the TLS handshake. These certificates might or might 240 not have been provided by the client during the TLS handshake. 242 Client-Cert-Chain is a List Structured Header [RFC8941]. Each item 243 in the list MUST be a Byte Sequence (Section 3.3.5 of [RFC8941]) 244 encoded as described in Section 2.1. 246 The header's ABNF is: 248 Client-Cert-Chain = sf-list 250 The Client-Cert-Chain header field is only for use in HTTP requests 251 and MUST NOT be used in HTTP responses. It MAY have a list of values 252 or occur multiple times in a request. For header compression 253 purposes, it might be advantageous to split lists into multiple 254 instances. 256 The first certificate in the list SHOULD directly certify the end- 257 entity certificate provided in the Client-Cert header; each following 258 certificate SHOULD directly certify the one immediately preceding it. 259 Because certificate validation requires that trust anchors be 260 distributed independently, a certificate that specifies a trust 261 anchor MAY be omitted from the chain, provided that the server is 262 known to possess any omitted certificates. 264 However, for maximum compatibility, servers SHOULD be prepared to 265 handle potentially extraneous certificates and arbitrary orderings. 267 2.4. Processing Rules 269 This section outlines the applicable processing rules for a TLS 270 terminating reverse proxy (TTRP) that has negotiated a mutually- 271 authenticated TLS connection to convey the client certificate from 272 that connection to the backend origin servers. Use of the technique 273 is to be a configuration or deployment option and the processing 274 rules described herein are for servers operating with that option 275 enabled. 277 A TTRP negotiates the use of a mutually-authenticated TLS connection 278 with the client, such as is described in [RFC8446] or [RFC5246], and 279 validates the client certificate per its policy and trusted 280 certificate authorities. Each HTTP request on the underlying TLS 281 connection are dispatched to the origin server with the following 282 modifications: 284 1. The client certificate is placed in the Client-Cert header field 285 of the dispatched request, as described in Section 2.2. 287 2. If so configured, the validation chain of the client certificate 288 is placed in the Client-Cert-Chain header field of the request, 289 as described in Section 2.3. 291 3. Any occurrence of the Client-Cert or Client-Cert-Chain header 292 fields in the original incoming request MUST be removed or 293 overwritten before forwarding the request. An incoming request 294 that has a Client-Cert or Client-Cert-Chain header field MAY be 295 rejected with an HTTP 400 response. 297 Requests made over a TLS connection where the use of client 298 certificate authentication was not negotiated MUST be sanitized by 299 removing any and all occurrences of the Client-Cert and Client-Cert- 300 Chain header fields prior to dispatching the request to the backend 301 server. 303 Backend origin servers may then use the Client-Cert header field of 304 the request to determine if the connection from the client to the 305 TTRP was mutually-authenticated and, if so, the certificate thereby 306 presented by the client. 308 Forward proxies and other intermediaries MUST NOT add the Client-Cert 309 or Client-Cert-Chain header fields to requests, or modify an existing 310 Client-Cert or Client-Cert-Chain header field. Similarly, clients 311 MUST NOT employ the Client-Cert or Client-Cert-Chain header field in 312 requests. 314 When the value of the Client-Cert request header field is used to 315 select a response (e.g., the response content is access-controlled), 316 the response MUST either be uncacheable (e.g., by sending Cache- 317 Control: no-store) or be designated for selective reuse only for 318 subsequent requests with the same Client-Cert header value by sending 319 a Vary: Client-Cert response header. If a TTRP encounters a response 320 with a client-cert field name in the Vary header field, it SHOULD 321 prevent the user agent from caching the response by transforming the 322 value of the Vary response header field to *. 324 3. Deployment Considerations 325 3.1. Header Field Compression 327 If the client certificate header field is generated by an 328 intermediary on a connection that compresses fields (e.g., using 329 HPACK [RFC7541] or QPACK [I-D.ietf-quic-qpack]) and more than one 330 client's requests are multiplexed into that connection, it can reduce 331 compression efficiency significantly, due to the typical size of the 332 field value and its variation between clients. Recipients that 333 anticipate connections with these characteristics can mitigate the 334 efficiency loss by increasing the size of the dynamic table. If a 335 recipient does not do so, senders may find it beneficial to always 336 send the field value as a literal, rather than entering it into the 337 dynamic table. 339 3.2. Header Block Size 341 A server in receipt of a larger header block than it is willing to 342 handle can send an HTTP 431 (Request Header Fields Too Large) status 343 code per Section 5 of [RFC6585]. Due to the typical size of the 344 field values containing certificate data, recipients may need to be 345 configured to allow for a larger maximum header block size. An 346 intermediary generating client certificate header fields on 347 connections that allow for advertising the maximum acceptable header 348 block size (e.g. HTTP/2 [RFC7540] or HTTP/3 [I-D.ietf-quic-http]) 349 should account for the additional size of header block of the 350 requests it sends vs. requests it receives by advertising a value to 351 its clients that is sufficiently smaller so as to allow for the 352 addition of certificate data. 354 4. Security Considerations 356 The header fields described herein enable a TTRP and backend or 357 origin server to function together as though, from the client's 358 perspective, they are a single logical server side deployment of 359 HTTPS over a mutually-authenticated TLS connection. Use of the 360 header fields outside that intended use case, however, may undermine 361 the protections afforded by TLS client certificate authentication. 362 Therefore, steps MUST be taken to prevent unintended use, both in 363 sending the header field and in relying on its value. 365 Producing and consuming the Client-Cert and Client-Cert-Chain header 366 fields SHOULD be configurable options, respectively, in a TTRP and 367 backend server (or individual application in that server). The 368 default configuration for both should be to not use the header fields 369 thus requiring an "opt-in" to the functionality. 371 In order to prevent field injection, backend servers MUST only accept 372 the Client-Cert and Client-Cert-Chain header fields from a trusted 373 TTRP (or other proxy in a trusted path from the TTRP). A TTRP MUST 374 sanitize the incoming request before forwarding it on by removing or 375 overwriting any existing instances of the fields. Otherwise, 376 arbitrary clients can control the field values as seen and used by 377 the backend server. It is important to note that neglecting to 378 prevent field injection does not "fail safe" in that the nominal 379 functionality will still work as expected even when malicious actions 380 are possible. As such, extra care is recommended in ensuring that 381 proper field sanitation is in place. 383 The communication between a TTRP and backend server needs to be 384 secured against eavesdropping and modification by unintended parties. 386 The configuration options and request sanitization are necessarily 387 functionally of the respective servers. The other requirements can 388 be met in a number of ways, which will vary based on specific 389 deployments. The communication between a TTRP and backend or origin 390 server, for example, might be authenticated in some way with the 391 insertion and consumption of the Client-Cert and Client-Cert-Chain 392 header fields occurring only on that connection. Alternatively the 393 network topology might dictate a private network such that the 394 backend application is only able to accept requests from the TTRP and 395 the proxy can only make requests to that server. Other deployments 396 that meet the requirements set forth herein are also possible. 398 5. IANA Considerations 400 5.1. HTTP Field Name Registrations 402 Please register the following entries in the "Hypertext Transfer 403 Protocol (HTTP) Field Name Registry" defined by 404 [I-D.ietf-httpbis-semantics]: 406 * Field name: Client-Cert 408 * Status: permanent 410 * Specification document: Section 2 of [this document] 412 * Field name: Client-Cert-Chain 414 * Status: permanent 416 * Specification document: Section 2 of [this document] 418 6. References 419 6.1. Normative References 421 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate 422 Requirement Levels", BCP 14, RFC 2119, 423 DOI 10.17487/RFC2119, March 1997, 424 . 426 [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC 427 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, 428 May 2017, . 430 [RFC5280] Cooper, D., Santesson, S., Farrell, S., Boeyen, S., 431 Housley, R., and W. Polk, "Internet X.509 Public Key 432 Infrastructure Certificate and Certificate Revocation List 433 (CRL) Profile", RFC 5280, DOI 10.17487/RFC5280, May 2008, 434 . 436 [ITU.X690.1994] 437 International Telecommunications Union, "Information 438 Technology - ASN.1 encoding rules: Specification of Basic 439 Encoding Rules (BER), Canonical Encoding Rules (CER) and 440 Distinguished Encoding Rules (DER)", ITU-T Recommendation 441 X.690, 1994. 443 [RFC8941] Nottingham, M. and P-H. Kamp, "Structured Field Values for 444 HTTP", RFC 8941, DOI 10.17487/RFC8941, February 2021, 445 . 447 6.2. Informative References 449 [RFC8446] Rescorla, E., "The Transport Layer Security (TLS) Protocol 450 Version 1.3", RFC 8446, DOI 10.17487/RFC8446, August 2018, 451 . 453 [RFC5246] Dierks, T. and E. Rescorla, "The Transport Layer Security 454 (TLS) Protocol Version 1.2", RFC 5246, 455 DOI 10.17487/RFC5246, August 2008, 456 . 458 [RFC7540] Belshe, M., Peon, R., and M. Thomson, Ed., "Hypertext 459 Transfer Protocol Version 2 (HTTP/2)", RFC 7540, 460 DOI 10.17487/RFC7540, May 2015, 461 . 463 [RFC8740] Benjamin, D., "Using TLS 1.3 with HTTP/2", RFC 8740, 464 DOI 10.17487/RFC8740, February 2020, 465 . 467 [RFC7230] Fielding, R., Ed. and J. Reschke, Ed., "Hypertext Transfer 468 Protocol (HTTP/1.1): Message Syntax and Routing", 469 RFC 7230, DOI 10.17487/RFC7230, June 2014, 470 . 472 [RFC7468] Josefsson, S. and S. Leonard, "Textual Encodings of PKIX, 473 PKCS, and CMS Structures", RFC 7468, DOI 10.17487/RFC7468, 474 April 2015, . 476 [RFC7541] Peon, R. and H. Ruellan, "HPACK: Header Compression for 477 HTTP/2", RFC 7541, DOI 10.17487/RFC7541, May 2015, 478 . 480 [I-D.ietf-quic-qpack] 481 Krasic, C. '., Bishop, M., and A. Frindell, "QPACK: Header 482 Compression for HTTP/3", Work in Progress, Internet-Draft, 483 draft-ietf-quic-qpack-21, 2 February 2021, 484 . 487 [RFC6585] Nottingham, M. and R. Fielding, "Additional HTTP Status 488 Codes", RFC 6585, DOI 10.17487/RFC6585, April 2012, 489 . 491 [I-D.ietf-quic-http] 492 Bishop, M., "Hypertext Transfer Protocol Version 3 493 (HTTP/3)", Work in Progress, Internet-Draft, draft-ietf- 494 quic-http-34, 2 February 2021, 495 . 498 [I-D.ietf-httpbis-semantics] 499 Fielding, R. T., Nottingham, M., and J. Reschke, "HTTP 500 Semantics", Work in Progress, Internet-Draft, draft-ietf- 501 httpbis-semantics-19, 12 September 2021, 502 . 505 [RFC7239] Petersson, A. and M. Nilsson, "Forwarded HTTP Extension", 506 RFC 7239, DOI 10.17487/RFC7239, June 2014, 507 . 509 [RFC8705] Campbell, B., Bradley, J., Sakimura, N., and T. 510 Lodderstedt, "OAuth 2.0 Mutual-TLS Client Authentication 511 and Certificate-Bound Access Tokens", RFC 8705, 512 DOI 10.17487/RFC8705, February 2020, 513 . 515 Appendix A. Example 517 In a hypothetical example where a TLS client presents the client and 518 intermediate certificate from Figure 1 when establishing a mutually- 519 authenticated TLS connection with the TTRP, the proxy would send the 520 Client-Cert field shown in {#example-header} to the backend. Note 521 that line breaks and whitespace have been added to the field value in 522 Figure 2 for display and formatting purposes only. 524 -----BEGIN CERTIFICATE----- 525 MIIBqDCCAU6gAwIBAgIBBzAKBggqhkjOPQQDAjA6MRswGQYDVQQKDBJMZXQncyBB 526 dXRoZW50aWNhdGUxGzAZBgNVBAMMEkxBIEludGVybWVkaWF0ZSBDQTAeFw0yMDAx 527 MTQyMjU1MzNaFw0yMTAxMjMyMjU1MzNaMA0xCzAJBgNVBAMMAkJDMFkwEwYHKoZI 528 zj0CAQYIKoZIzj0DAQcDQgAE8YnXXfaUgmnMtOXU/IncWalRhebrXmckC8vdgJ1p 529 5Be5F/3YC8OthxM4+k1M6aEAEFcGzkJiNy6J84y7uzo9M6NyMHAwCQYDVR0TBAIw 530 ADAfBgNVHSMEGDAWgBRm3WjLa38lbEYCuiCPct0ZaSED2DAOBgNVHQ8BAf8EBAMC 531 BsAwEwYDVR0lBAwwCgYIKwYBBQUHAwIwHQYDVR0RAQH/BBMwEYEPYmRjQGV4YW1w 532 bGUuY29tMAoGCCqGSM49BAMCA0gAMEUCIBHda/r1vaL6G3VliL4/Di6YK0Q6bMje 533 SkC3dFCOOB8TAiEAx/kHSB4urmiZ0NX5r5XarmPk0wmuydBVoU4hBVZ1yhk= 534 -----END CERTIFICATE----- 535 -----BEGIN CERTIFICATE----- 536 MIIB5jCCAYugAwIBAgIBFjAKBggqhkjOPQQDAjBWMQswCQYDVQQGEwJVUzEbMBkG 537 A1UECgwSTGV0J3MgQXV0aGVudGljYXRlMSowKAYDVQQDDCFMZXQncyBBdXRoZW50 538 aWNhdGUgUm9vdCBBdXRob3JpdHkwHhcNMjAwMTE0MjEzMjMwWhcNMzAwMTExMjEz 539 MjMwWjA6MRswGQYDVQQKDBJMZXQncyBBdXRoZW50aWNhdGUxGzAZBgNVBAMMEkxB 540 IEludGVybWVkaWF0ZSBDQTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABJf+aA54 541 RC5pyLAR5yfXVYmNpgd+CGUTDp2KOGhc0gK91zxhHesEYkdXkpS2UN8Kati+yHtW 542 CV3kkhCngGyv7RqjZjBkMB0GA1UdDgQWBBRm3WjLa38lbEYCuiCPct0ZaSED2DAf 543 BgNVHSMEGDAWgBTEA2Q6eecKu9g9yb5glbkhhVINGDASBgNVHRMBAf8ECDAGAQH/ 544 AgEAMA4GA1UdDwEB/wQEAwIBhjAKBggqhkjOPQQDAgNJADBGAiEA5pLvaFwRRkxo 545 mIAtDIwg9D7gC1xzxBl4r28EzmSO1pcCIQCJUShpSXO9HDIQMUgH69fNDEMHXD3R 546 RX5gP7kuu2KGMg== 547 -----END CERTIFICATE----- 548 -----BEGIN CERTIFICATE----- 549 MIICBjCCAaygAwIBAgIJAKS0yiqKtlhoMAoGCCqGSM49BAMCMFYxCzAJBgNVBAYT 550 AlVTMRswGQYDVQQKDBJMZXQncyBBdXRoZW50aWNhdGUxKjAoBgNVBAMMIUxldCdz 551 IEF1dGhlbnRpY2F0ZSBSb290IEF1dGhvcml0eTAeFw0yMDAxMTQyMTI1NDVaFw00 552 MDAxMDkyMTI1NDVaMFYxCzAJBgNVBAYTAlVTMRswGQYDVQQKDBJMZXQncyBBdXRo 553 ZW50aWNhdGUxKjAoBgNVBAMMIUxldCdzIEF1dGhlbnRpY2F0ZSBSb290IEF1dGhv 554 cml0eTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABFoaHU+Z5bPKmGzlYXtCf+E6 555 HYj62fORaHDOrt+yyh3H/rTcs7ynFfGn+gyFsrSP3Ez88rajv+U2NfD0o0uZ4Pmj 556 YzBhMB0GA1UdDgQWBBTEA2Q6eecKu9g9yb5glbkhhVINGDAfBgNVHSMEGDAWgBTE 557 A2Q6eecKu9g9yb5glbkhhVINGDAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQE 558 AwIBhjAKBggqhkjOPQQDAgNIADBFAiEAmAeg1ycKHriqHnaD4M/UDBpQRpkmdcRF 559 YGMg1Qyrkx4CIB4ivz3wQcQkGhcsUZ1SOImd/lq1Q0FLf09rGfLQPWDc 560 -----END CERTIFICATE----- 562 Figure 1: Certificate Chain (with client certificate first) 564 Client-Cert: :MIIBqDCCAU6gAwIBAgIBBzAKBggqhkjOPQQDAjA6MRswGQYDVQQKDBJ 565 MZXQncyBBdXRoZW50aWNhdGUxGzAZBgNVBAMMEkxBIEludGVybWVkaWF0ZSBDQTAeFw0 566 yMDAxMTQyMjU1MzNaFw0yMTAxMjMyMjU1MzNaMA0xCzAJBgNVBAMMAkJDMFkwEwYHKoZ 567 Izj0CAQYIKoZIzj0DAQcDQgAE8YnXXfaUgmnMtOXU/IncWalRhebrXmckC8vdgJ1p5Be 568 5F/3YC8OthxM4+k1M6aEAEFcGzkJiNy6J84y7uzo9M6NyMHAwCQYDVR0TBAIwADAfBgN 569 VHSMEGDAWgBRm3WjLa38lbEYCuiCPct0ZaSED2DAOBgNVHQ8BAf8EBAMCBsAwEwYDVR0 570 lBAwwCgYIKwYBBQUHAwIwHQYDVR0RAQH/BBMwEYEPYmRjQGV4YW1wbGUuY29tMAoGCCq 571 GSM49BAMCA0gAMEUCIBHda/r1vaL6G3VliL4/Di6YK0Q6bMjeSkC3dFCOOB8TAiEAx/k 572 HSB4urmiZ0NX5r5XarmPk0wmuydBVoU4hBVZ1yhk=: 574 Figure 2: Header Field in HTTP Request to Origin Server 576 If the proxy were configured to also include the certificate chain, 577 it would also include this header: 579 Client-Cert-Chain: :MIIB5jCCAYugAwIBAgIBFjAKBggqhkjOPQQDAjBWMQsw 580 CQYDVQQGEwJVUzEbMBkGA1UECgwSTGV0J3MgQXV0aGVudGljYXRlMSowKAYDVQQ 581 DDCFMZXQncyBBdXRoZW50aWNhdGUgUm9vdCBBdXRob3JpdHkwHhcNMjAwMTE0Mj 582 EzMjMwWhcNMzAwMTExMjEzMjMwWjA6MRswGQYDVQQKDBJMZXQncyBBdXRoZW50a 583 WNhdGUxGzAZBgNVBAMMEkxBIEludGVybWVkaWF0ZSBDQTBZMBMGByqGSM49AgEG 584 CCqGSM49AwEHA0IABJf+aA54RC5pyLAR5yfXVYmNpgd+CGUTDp2KOGhc0gK91zx 585 hHesEYkdXkpS2UN8Kati+yHtWCV3kkhCngGyv7RqjZjBkMB0GA1UdDgQWBBRm3W 586 jLa38lbEYCuiCPct0ZaSED2DAfBgNVHSMEGDAWgBTEA2Q6eecKu9g9yb5glbkhh 587 VINGDASBgNVHRMBAf8ECDAGAQH/AgEAMA4GA1UdDwEB/wQEAwIBhjAKBggqhkjO 588 PQQDAgNJADBGAiEA5pLvaFwRRkxomIAtDIwg9D7gC1xzxBl4r28EzmSO1pcCIQC 589 JUShpSXO9HDIQMUgH69fNDEMHXD3RRX5gP7kuu2KGMg==:, :MIICBjCCAaygAw 590 IBAgIJAKS0yiqKtlhoMAoGCCqGSM49BAMCMFYxCzAJBgNVBAYTAlVTMRswGQYDV 591 QQKDBJMZXQncyBBdXRoZW50aWNhdGUxKjAoBgNVBAMMIUxldCdzIEF1dGhlbnRp 592 Y2F0ZSBSb290IEF1dGhvcml0eTAeFw0yMDAxMTQyMTI1NDVaFw00MDAxMDkyMTI 593 1NDVaMFYxCzAJBgNVBAYTAlVTMRswGQYDVQQKDBJMZXQncyBBdXRoZW50aWNhdG 594 UxKjAoBgNVBAMMIUxldCdzIEF1dGhlbnRpY2F0ZSBSb290IEF1dGhvcml0eTBZM 595 BMGByqGSM49AgEGCCqGSM49AwEHA0IABFoaHU+Z5bPKmGzlYXtCf+E6HYj62fOR 596 aHDOrt+yyh3H/rTcs7ynFfGn+gyFsrSP3Ez88rajv+U2NfD0o0uZ4PmjYzBhMB0 597 GA1UdDgQWBBTEA2Q6eecKu9g9yb5glbkhhVINGDAfBgNVHSMEGDAWgBTEA2Q6ee 598 cKu9g9yb5glbkhhVINGDAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIBh 599 jAKBggqhkjOPQQDAgNIADBFAiEAmAeg1ycKHriqHnaD4M/UDBpQRpkmdcRFYGMg 600 1Qyrkx4CIB4ivz3wQcQkGhcsUZ1SOImd/lq1Q0FLf09rGfLQPWDc: 602 Figure 3: Certificate Chain in HTTP Request to Origin Server 604 Appendix B. Considerations Considered 605 B.1. Field Injection 607 This draft requires that the TTRP sanitize the fields of the incoming 608 request by removing or overwriting any existing instances of the 609 Client-Cert and Client-Cert-Chain header fields before dispatching 610 that request to the backend application. Otherwise, a client could 611 inject its own values that would appear to the backend to have come 612 from the TTRP. Although numerous other methods of detecting/ 613 preventing field injection are possible; such as the use of a unique 614 secret value as part of the field name or value or the application of 615 a signature, HMAC, or AEAD, there is no common general standardized 616 mechanism. The potential problem of client field injection is not at 617 all unique to the functionality of this draft, and it would therefore 618 be inappropriate for this draft to define a one-off solution. In the 619 absence of a generic standardized solution existing currently, 620 stripping/sanitizing the fields is the de facto means of protecting 621 against field injection in practice today. Sanitizing the fields is 622 sufficient when properly implemented and is a normative requirement 623 of Section 4. 625 B.2. The Forwarded HTTP Extension 627 The Forwarded HTTP header field defined in [RFC7239] allows proxy 628 components to disclose information lost in the proxying process. The 629 TLS client certificate information of concern to this draft could 630 have been communicated with an extension parameter to the Forwarded 631 field; however, doing so would have had some disadvantages that this 632 draft endeavored to avoid. The Forwarded field syntax allows for 633 information about a full chain of proxied HTTP requests, whereas the 634 Client-Cert and Client-Cert-Chain header fields of this document are 635 concerned only with conveying information about the certificate 636 presented by the originating client on the TLS connection to the TTRP 637 (which appears as the server from that client's perspective) to 638 backend applications. The multi-hop syntax of the Forwarded field is 639 expressive but also more complicated, which would make processing it 640 more cumbersome, and more importantly, make properly sanitizing its 641 content as required by Section 4 to prevent field injection 642 considerably more difficult and error-prone. Thus, this draft opted 643 for a flatter and more straightforward structure. 645 B.3. The Whole Certificate and Certificate Chain 647 Different applications will have varying requirements about what 648 information from the client certificate is needed, such as the 649 subject and/or issuer distinguished name, subject alternative 650 name(s), serial number, subject public key info, fingerprint, etc.. 651 Furthermore, some applications, such as [RFC8705], make use of the 652 entire certificate. In order to accommodate the latter and ensure 653 wide applicability by not trying to cherry-pick particular 654 certificate information, this draft opted to pass the full encoded 655 certificate as the value of the Client-Cert field. 657 The handshake and validation of the client certificate (chain) of the 658 mutually-authenticated TLS connection is performed by the TTRP. With 659 the responsibility of certificate validation falling on the TTRP, the 660 end-entity certificate is oftentimes sufficient for the needs of the 661 origin server. The separate Client-Cert-Chain field can convey the 662 certificate chain for deployments that require such information. 664 Appendix C. Acknowledgements 666 The authors would like to thank the following individuals who've 667 contributed in various ways ranging from just being generally 668 supportive of bringing forth the draft to providing specific feedback 669 or content: 671 * Evan Anderson 673 * Annabelle Backman 675 * Alan Frindell 677 * Rory Hewitt 679 * Fredrik Jeansson 681 * Benjamin Kaduk 683 * Torsten Lodderstedt 685 * Kathleen Moriarty 687 * Mark Nottingham 689 * Erik Nygren 691 * Mike Ounsworth 693 * Matt Peterson 695 * Eric Rescorla 697 * Justin Richer 699 * Michael Richardson 700 * Joe Salowey 702 * Rich Salz 704 * Mohit Sethi 706 * Rifaat Shekh-Yusef 708 * Travis Spencer 710 * Nick Sullivan 712 * Martin Thomson 714 * Peter Wu 716 * Hans Zandbelt 718 Appendix D. Document History 720 To be removed by the RFC Editor before publication as an RFC 722 draft-ietf-httpbis-client-cert-field-01 724 * Use RFC 8941 Structured Field Values for HTTP 726 * Introduce a separate header that can convey the certificate chain 728 * Add considerations on header compression and size 730 * Describe interaction with caching 732 * Fill out IANA Considerations with HTTP field name registrations 734 * Discuss renegotiation 736 draft-ietf-httpbis-client-cert-field-00 738 * Initial WG revision 740 * Mike Bishop added as co-editor 742 draft-bdc-something-something-certificate-05 744 * Change intended status of the draft to Informational 746 * Editorial updates and (hopefully) clarifications 747 * Update reference from draft-ietf-oauth-mtls to RFC8705 749 draft-bdc-something-something-certificate-03 751 * Expanded further discussion notes to capture some of the feedback 752 in and around the presentation of the draft in SECDISPATCH at IETF 753 107 and add those who've provided such feedback to the 754 acknowledgements 756 draft-bdc-something-something-certificate-02 758 * Editorial tweaks + further discussion notes 760 draft-bdc-something-something-certificate-01 762 * Use the RFC v3 Format or die trying 764 draft-bdc-something-something-certificate-00 766 * Initial draft after a time constrained and rushed secdispatch 767 presentation (https://datatracker.ietf.org/meeting/106/materials/ 768 slides-106-secdispatch-securing-protocols-between-proxies-and- 769 backend-http-servers-00) at IETF 106 in Singapore with the 770 recommendation to write up a draft (at the end of the minutes 771 (https://datatracker.ietf.org/meeting/106/materials/minutes- 772 106-secdispatch)) and some folks expressing interest despite the 773 rather poor presentation 775 Authors' Addresses 777 Brian Campbell 778 Ping Identity 780 Email: bcampbell@pingidentity.com 782 Mike Bishop (editor) 783 Akamai 785 Email: mbishop@evequefou.be