Hi Nikos,

The problems post-handshake authentication has with HTTP/2 are described in draft-ietf-httpbis-http2-secondary-certs-00 <https://tools.ietf.org/html/draft-ietf-httpbis-http2-secondary-certs-00#section-1.2.3> a.k.a. draft-Bishop. See Section 1.2.3 in particular.

In brief, the problem is that requests and responses are multiplexed in HTTP/2, and therefore there is not a tight coupling between TLS frames and HTTP/2 streams. With post-handshake authentication, the authentication happens in band, and so the HTTP/2 layer doesn't have visibility into whether or not specific data was sent before or after the authentication.

Regards,
Jonathan

On Fri, 4 May 2018 at 10:01 Nikos Mavrogiannopoulos <n...@redhat.com> wrote:
> On Thu, 2018-04-19 at 16:32 -0400, Sean Turner wrote:
> > All,
> >
> > This is the working group last call for the "Exported Authenticators
> > in TLS" draft available at https://datatracker.ietf.org/doc/draft-iet
> > f-tls-exported-authenticator/. Please review the document and send
> > your comments to the list by 2359 UTC on 4 April 2018.
>
> I have not checked the mechanism, but I have a few questions based on the
> description in the introduction.
> "Post-handshake authentication is defined in TLS 1.3, but it has the
> disadvantage of requiring additional state to be stored in the TLS
> state machine and it composes poorly with multiplexed connection
> protocols like HTTP/2. It is also only available for client
> authentication. This mechanism is intended to be used as part of a
> replacement for post-handshake authentication in applications."
>
> * Was this proposed to be included in TLS 1.3 as post-handshake
> authentication mechanism instead?
>
> * What are the actual problems that post-handshake authentication has
> with HTTP/2?
>
> regards,
> Nikos
>
> _______________________________________________
> TLS mailing list
> TLS@ietf.org
> https://www.ietf.org/mailman/listinfo/tls
>
_______________________________________________ TLS mailing list TLS@ietf.org https://www.ietf.org/mailman/listinfo/tls
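A toy model of the composition problem Jonathan describes above, added here as an illustration and not code from the thread or from the draft: TLS records carrying multiplexed HTTP/2 frames with an in-band post-handshake authentication, contrasted with an authenticator carried as application data on a specific stream. The authenticator is an HMAC stand-in for the draft's Certificate/CertificateVerify/Finished construction, and the frames, secret and certificate are constructed sample values.

```python
import hmac, hashlib
HANDSHAKE, APP_DATA = 22, 23  # TLS record content types

def post_handshake_auth_records(frames, auth_after):
    """Sender view: HTTP/2 frames (stream_id, payload) travel as
    application-data records; a post-handshake client Certificate flight
    is inserted at a record boundary after frame index `auth_after`."""
    records = []
    for i, frame in enumerate(frames):
        records.append((APP_DATA, frame))
        if i == auth_after:
            records.append((HANDSHAKE, "Certificate/CertificateVerify/Finished"))
    return records

def http2_layer_view(records):
    """Receiver view: the TLS stack consumes handshake records itself and
    hands HTTP/2 only application data, so the authentication boundary is
    gone by the time frames are demultiplexed into streams."""
    return [frame for ctype, frame in records if ctype == APP_DATA]

def streams_before_and_after_auth(records):
    """Only the record layer knows which frames preceded the authentication,
    and with multiplexing one stream can sit on both sides of it."""
    before, after, authed = set(), set(), False
    for ctype, frame in records:
        if ctype == HANDSHAKE:
            authed = True
        else:
            (after if authed else before).add(frame[0])
    return before, after

def exported_authenticator(exporter_secret, cert, request_context):
    """Application-layer alternative (HMAC stand-in, not the draft's real
    construction): a proof bound to the TLS exporter secret, the certificate
    and the request it answers, sent as an HTTP/2 frame on that stream."""
    proof = hmac.new(exporter_secret, request_context + cert, hashlib.sha256)
    return {"cert": cert, "ctx": request_context, "proof": proof.hexdigest()}

def authenticated_streams(exporter_secret, frames):
    """The HTTP/2 layer sees the authenticator on a known stream, so it can
    grant per stream instead of guessing from TLS record order."""
    ok = set()
    for stream, payload in frames:
        if isinstance(payload, dict):
            expect = exported_authenticator(exporter_secret, payload["cert"],
                                            payload["ctx"])["proof"]
            if hmac.compare_digest(payload["proof"], expect):
                ok.add(stream)
    return ok
```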