Re: Client-Cert Header draft from Eric Rescorla on 2020-04-17 (ietf-http-wg@w3.org from April to June 2020)

From: Eric Rescorla <ekr@rtfm.com>
Date: Fri, 17 Apr 2020 15:30:24 -0700
To: Mike Bishop <mbishop@evequefou.be>
Cc: Brian Campbell <bcampbell@pingidentity.com>, HTTP Working Group <ietf-http-wg@w3.org>
Message-ID: <CABcZeBNTgB9PiTn8nnGyQcZOG6W19aaZnwJh09VEJcceS=8-7w@mail.gmail.com>

On Fri, Apr 17, 2020 at 12:23 PM Mike Bishop <mbishop@evequefou.be> wrote:

> Despite the distaste for client certificates from some quarters, they are
> still both used and useful.  I’m certainly interested in seeing this
> progress.
>
>
>
> In today’s situation, the intermediary checks that the cert matches the
> rules it has been given to authenticate clients, and only forwards the
> requests from valid clients.  Arguably, the origin is offloading less trust
> in this draft’s model – the intermediary is responsible for validating that
> the client possesses the claimed certificate, but might leave the origin to
> decide what scope of access the certificate actually grants.  That allows
> finer-grained access control, but also allows greater ability to send
> requests back to the origin.  It also opens the door for intermediaries
> which don’t support this header to accidentally forward requests containing
> it.  Requiring intermediaries to drop it doesn’t get you much, since only
> those intermediaries aware of the spec will comply by dropping the header.
> To help address these, I’d like to see this mix in something that the
> intermediary holds and the client doesn’t, such as an exporter from its TLS
> connection to the server.
>

I'm sure unsurprisingly to nobody, I second Mike's comments here.

-Ekr


>
> But all that is refinement – the core concept here is beneficial, and I’d
> like to see more engagement here.
>
>
>
> *From:* Brian Campbell <bcampbell@pingidentity.com>
> *Sent:* Wednesday, April 15, 2020 5:01 PM
> *To:* HTTP Working Group <ietf-http-wg@w3.org>
> *Subject:* Client-Cert Header draft
>
>
>
> Hello HTTP Working Group,
>
>
>
> I've somewhat inadvertently found myself working on this draft
> https://datatracker.ietf.org/doc/draft-bdc-something-something-certificate/,
> which aspires to define a "Client-Cert" HTTP header field that allows a TLS
> terminating reverse proxy to convey information about the client
> certificate of a mutually-authenticated TLS connection to an origin server
> in a common and predictable manner.
>
>
>
> I presented the concept
> <https://datatracker.ietf.org/meeting/107/materials/slides-107-secdispatch-client-cert-http-header-00>
> at the recent virtual IETF 107 secdispatch meeting
> <https://datatracker.ietf.org/meeting/107/materials/minutes-107-secdispatch-00>
> and the outcome from that was basically that there seems to be some
> interest in pursuing the work and the suggestion that the conversation be
> taken to the HTTPbis WG (and also keep TLS WG involved - presumably if the
> work progresses). And that's what brings me here. I also hope to get a
> little bit of time at one of the upcoming virtual interims to
> present/discuss the draft.
>
>
>
> Thanks,
>
> Brian
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
> *CONFIDENTIALITY NOTICE: This email may contain confidential and
> privileged material for the sole use of the intended recipient(s). Any
> review, use, distribution or disclosure by others is strictly prohibited..
> If you have received this communication in error, please notify the sender
> immediately by e-mail and delete the message and any file attachments from
> your computer. Thank you.*
>

Received on Friday, 17 April 2020 22:31:17 UTC