I agree with David: a different client auth mechanism is in the works for HTTP/2.
Cheers, Andrei From: David Benjamin [mailto:david...@chromium.org] Sent: Wednesday, February 15, 2017 11:52 AM To: David Wong <davidwong.cry...@gmail.com>; Andrei Popov <andrei.po...@microsoft.com> Cc: Cas Cremers <cas.crem...@cs.ox.ac.uk>; tls@ietf.org Subject: Re: [TLS] Awkward Handshake: Possible mismatch of client/server view on client authentication in post-handshake mode in Revision 18 On Wed, Feb 15, 2017 at 2:49 PM David Wong <davidwong.cry...@gmail.com<mailto:davidwong.cry...@gmail.com>> wrote: On Feb 15 2017, at 7:27 pm, Andrei Popov <andrei.po...@microsoft.com<mailto:andrei.po...@microsoft.com>> wrote: Yes, I agree that it is useful to mention this in the spec. It would be nice is to have two different PRs solving this issue. One mentioning this as a potential issue that the application must be aware of. I've seen things like that for example in rfc 5746: https://tools.ietf.org/html/rfc5746#section-5 > While this extension mitigates the man-in-the-middle attack described in the > overview, it does not resolve all possible problems an application may face > if it is unaware of renegotiation. For example, during renegotiation, either > the client or the server can present a different certificate than was used > earlier. This may come as a surprise to application developers (who might > have expected, for example, that a "getPeerCertificates()" API call returns > the same value if called twice), and might be handled in an insecure way. A second PR could try to tackle this by adding a new message, for example an "AcknowledgeClientAuthentication" message that the server would send to confirm (or not) the validation of the client certificate. I think this would add a bit of complexity for less "surprise". I'm not too keen on this, and I think this could be added as an extension instead, but I think it would be nice to have to see if it integrates nicely in the current draft. Post-handshake auth exists basically entirely to service HTTP/1.1 reactive client certificate which was previously hacked on via renegotiation. I think we should not make this feature any more complicated than absolutely necessary to support this mode, and we should not add more bells and whistles to it to encourage further use. For the HTTP/1.1 use case, this is not necessary because it's reasonable for client/server to agree that the server will not send any more data for that request until it has processed the client's authentication messages. David
_______________________________________________ TLS mailing list TLS@ietf.org https://www.ietf.org/mailman/listinfo/tls
