- From: Yoav Nir <synp71@live.com>
- Date: Tue, 4 Feb 2014 09:25:17 +0200
- To: Martin Thomson <martin.thomson@gmail.com>
- CC: "Ludin, Stephen" <sludin@akamai.com>, Mike Belshe <mike@belshe.com>, HTTP Working Group <ietf-http-wg@w3.org>
- Message-ID: <BLU0-SMTP364EE2287F3CA4F97739D1CB1AA0@phx.gbl>
On 3/2/14 7:23 PM, Martin Thomson wrote:
> On 3 February 2014 04:20, Yoav Nir <synp71@live.com> wrote:
>> I don't think I can speak for all of those people, but I can speak for some.
>> Client certificates on the web usually involve some user interaction. Even
>> when not, they're rare. So I think we can live with needing another,
>> non-coalesced connection for the certificate authentication. This would
>> require some way for the server to know during the TLS handshake that this
>> handshake requires a TLS handshake. Special ALPN string? An extension? An
>> SCSV? Either way, the client would have to signal the server that it wants
>> to present a client certificate. It would also require server-to-client
>> signaling that client authentication is required at the HTTP (rather than
>> TLS) layer.
> I wasn't going to leap to solutions so soon.
And you call yourself an engineer? :-)
You did ask what restrictions would be acceptable.
> It's not a lack of possibilities that is the problem here. It's a
> lack of clarity around what the desired behaviour is. If, as you
> suggest, this is a problem that can be detected for a given request,
> how do we then extrapolate that to other interactions with the same
> origin? Why would we? This is, of course, always the issue with
> client certificates.
This is an issue with all forms of client or user authentication. Once
I've entered my password for GMail (where I need to be authenticated so
as to get my messages rather than yours), I seem to get personalized
service from other Google services. At least my name appears everywhere.
And there are those creepy content sites where the list of my Facebook
friends who have read or liked this article appears on the right.
The issue here is not the form of user authentication. It's the form of
session management that we use based on cookies. Once the user has
authenticated, her browser gets a cookie, and all future requests are
"blessed" as part of the same session.
I guess for websites with user authentication, regardless of whether
that authentication happens at the TLS layer with client certificates,
at the HTTP layer with Basic, Digest or MutualAuth, or at the
application layer with forms, the process is something like this:
* A user connects to the web site. For the moment I'll ignore
connection coalescing and assume that website=origin.
* Depending on the website, we either establish a non-authenticated
session (by planting a cookie) or not. Either way, to get at the
really interesting stuff, the user needs to log in.
* So they can fill in a form, or click something that causes the
authentication dialog box to pop up, or click something that causes
the certificate picker to pop up.
* Once they complete the authentication, they get to an authenticated
session. That means that authorization for future requests in the
same session are handled according to user permissions.
There are several issues with the current mechanism for session
management: Other browser windows shared the same cookie, so you can't
have two or more different sessions simultaneously with the same origin.
Also the user cannot terminate a session unless the application provides
this capability. But without going (again) into all of the reasons why
we should have a serious look at how HTTP sessions are managed, there is
nothing special about client certificates.
Yoav
Attachments
- application/pkcs7-signature attachment: S/MIME Cryptographic Signature
Received on Tuesday, 4 February 2014 07:25:49 UTC