W3C home > Mailing lists > Public > ietf-http-wg@w3.org > July to September 2015

Re: Client Certificates - re-opening discussion

From: Eric Rescorla <ekr@rtfm.com>
Date: Sat, 19 Sep 2015 11:17:36 -0700
Message-ID: <CABcZeBPNxEA6O324tnF3dbUCLD-a7uUvWYYjO1pnYwAm9cN2eA@mail.gmail.com>
To: Stefan Eissing <stefan.eissing@greenbytes.de>
Cc: Ilari Liusvaara <ilari.liusvaara@elisanet.fi>, Mark Nottingham <mnot@mnot.net>, Henry Story <henry.story@co-operating.systems>, HTTP Working Group <ietf-http-wg@w3.org>
On Sat, Sep 19, 2015 at 12:18 AM, Stefan Eissing <
stefan.eissing@greenbytes.de> wrote:

>
> > Am 18.09.2015 um 22:57 schrieb Ilari Liusvaara <
> ilari.liusvaara@elisanet.fi>:
> >
> >> On Fri, Sep 18, 2015 at 01:48:50PM -0700, Eric Rescorla wrote:
> >>> On Fri, Sep 18, 2015 at 10:05 AM, Mark Nottingham <mnot@mnot.net>
> wrote:
> >>>
> >>> Hi Henry,
> >>>
> >>> Thanks, but this is a much more narrowly-scoped discussion -- how to
> make
> >>> client certs as they currently operate work in HTTP/2.
> >>
> >>
> >> Is this a question about HTTP/2's limitations versus HTTP/1.1 or about
> >> deficiencies
> >> in HTTP/1.1 that HTTP/2 has not fixed?
> >
> > I think this is about the extra limitations of HTTP/2 regarding client
> > authentication caused by major design differences between HTTP/1.1 and
> > HTTP/2.
> >
> > Client certs in HTTP/1.1 aren't too great, but at least those don't
> > seem to even remotely have the same problems as client certs in HTTP/2
> > (especially when in web environment).
>
> Just to have everyone on the same page. The problems - as we see them in
> httpd - are
>
> 1. http/1.1 requests may trigger client certs which may require
> renegotiation. Processing is no longer  sequential with http/2, causing
> conflicts.


Well, presently renegotiation is illegal in HTTP/2, so this is a
non-problem.

However, I suppose if we land TLS 1.3 PR#209 it will come back.

-Ekr


> Even if mutexed what does connection state and h2 stream have to say to
> each other and for how long?
>
> 2. connection reuse for different hosts is much more likely as a lot of
> sites have a long list of subjectAltNames. That raises the likelihood of
> conflicts as described above.
>
> Any advice on how to address this in an interoperable way is appreciated.
>
> //Stefan
Received on Saturday, 19 September 2015 18:18:44 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 17:14:46 UTC