Re: TLS Renegotiation and HTTP/2 (#363) from Yoav Nir on 2014-04-01 (ietf-http-wg@w3.org from April to June 2014)

From: Yoav Nir <ynir.ietf@gmail.com>
Date: Tue, 1 Apr 2014 14:02:09 +0300
To: Martin Thomson <martin.thomson@gmail.com>
Cc: HTTP Working Group <ietf-http-wg@w3.org>
Message-Id: <3919F35B-7644-42B0-BFE6-B13B5D5BEFDF@gmail.com>
#1 is not a bad option. It�s not pretty, but just the fact that it�s written down puts it ahead (process-wise) of the others.

The TLS working group is considering getting rid of renegotiation for TLS 1.3, because few use it except for client authentication in HTTPS. Going with option #2 leaves us with all of the complexity. I�d rather we didn�t go there.

#3 is a sure-fire way of getting angry comments and DISCUSSes for HTTP/2. Arguably, those with client certificates are those with the highest security requirements, and to disenfranchise those in a new version is likely to get the document in trouble.

#4 is an interesting one. I�m too lazy to look back at older specifications to see whether it was possible for the server to request the client to send this frame, but it could be done.

#5: hard to comment on things *you* haven�t though of yet, but I can suggest one of my own. Make it an HTTP authentication method. Something along the lines of (apologies for the HTTP/1.1 syntax)

Server sends:
HTTP/1.1 401 Unauthorized
WWW-Authenticate: Certs
        realm = �example.com�
        challenge="EKgoC3wwy8KuJROo/gmG1we43c5av9OwOlWaYVPStsw=�

Client sends:
Authorization: Certs
        realm=�example.com�
        hash=�SHA-256�
        cert=�MIIGzTCC...gpECY="
                challenge="EKgoC3wwy8KuJROo/gmG1we43c5av9OwOlWaYVPStsw=�
        signature=�FIMe3WLvlgX3BgJKYN0DXj4UGuauq5fwXgZErnFgVR0=�

All you really need with client certificate authentication is to show the certificate and sign something of the server�s choosing. You can make it fancier by having the server list supported hashes and trusted CAs, but that�s not strictly necessary.


On Apr 1, 2014, at 3:11 AM, Martin Thomson <martin.thomson@gmail.com> wrote:

> In my other email today, I've listed the items that are outstanding,
> of which I identify 6 issues that could result in disruptive changes
> to the protocol if we decide to act on them [1].
> 
> Of those, I think that TLS renegotiation is only the issue that fixes
> something we've actually broken.  Broken, the sense that if we don't
> do something about this issue, we've broken a feature that some people
> rely on.  Importantly, this is broken in a way for which the only real
> recourse is to revert to HTTP/1.1.
> 
> (Transfer-Encoding #445 arguably introduces a feature regression too.
> But it's a regression that can be handled trivially by spending bytes.
> It might be reasonable to say that given the degree to which
> Transfer-Encoding is used today, the odds that we are creating
> incentive to stay on HTTP/1.1 is lower.)
> 
> Relying on renegotiation for re-keying (to avoid key exhaustion) seems
> like a non-problem.  We already require the creation of new
> connections when stream IDs run out.  It does mean that extremely
> large requests or responses (broadly, anything longer than 2^64-1 TLS
> records, though probably less if the cipher suite requires re-keying
> earlier) cannot be carried at all.
> 
> The main issue here is client authentication.  I see several ways out:
> 
> 1. Pursue http://tools.ietf.org/html/draft-thomson-httpbis-catch-00 or
> something like it to the bitter end.  I don't see a way that we can do
> this without creating a new normative reference, unfortunately, and
> that work is clearly half-baked.
> 
> 2. Allow for some very limited form of renegotiation for the client
> authentication use case.  This might mean requiring that
> MAX_CONCURRENT_STREAMS be wound back to 1 at the server before
> renegotiation is triggered.  This avoids the dependency issue, and
> might work for the use cases in question, but the cost in complexity
> and loss of concurrency is extreme to the point that option 3 starts
> looking good.
> 
> 3. Force those using client authentication to stay on HTTP/1.1.  We
> basically get this for free if we intend to pretend that this issue
> doesn't exist.  I tend to think that this would be a bad outcome
> though.
> 
> 4. Resurrect the CREDENTIAL frame from SPDY.  My understanding of this
> mechanism is that it would be non-trivial to add this to the protocol.
> It is quite a flexible mechanism, but one with significant costs.
> This relies on RFC 5705 (TLS extractor) support, which is not
> universally supported in the various TLS stacks that are commonly
> used.  It also requires a new setting and modifications to the HEADERS
> frame.
> 
> 5. Something else that I haven't thought of yet.
> 
> Does anyone have a way forward to recommend?  My primary motivation
> here is getting HTTP/2 done.
> 
> 
> [1] http://lists.w3.org/Archives/Public/ietf-http-wg/2014JanMar/1292.html
>
Received on Tuesday, 1 April 2014 11:02:42 UTC