| draft-ietf-httpbis-client-cert-field-00.txt | draft-ietf-httpbis-client-cert-field-01.txt | |||
|---|---|---|---|---|
| HTTP B. Campbell | HTTP B. Campbell | |||
| Internet-Draft Ping Identity | Internet-Draft Ping Identity | |||
| Intended status: Informational M. Bishop, Ed. | Intended status: Informational M. Bishop, Ed. | |||
| Expires: 10 December 2021 Akamai | Expires: 29 July 2022 Akamai | |||
| 8 June 2021 | 25 January 2022 | |||
| Client-Cert HTTP Header Field: Conveying Client Certificate Information | Client-Cert HTTP Header Field | |||
| from TLS Terminating Reverse Proxies to Origin Server Applications | draft-ietf-httpbis-client-cert-field-01 | |||
| draft-ietf-httpbis-client-cert-field-00 | ||||
| Abstract | Abstract | |||
| This document defines the HTTP header field "Client-Cert" that allows | This document defines HTTP extension header fields that allow a TLS | |||
| a TLS terminating reverse proxy to convey the client certificate of a | terminating reverse proxy to convey the client certificate | |||
| mutually-authenticated TLS connection to the origin server in a | information of a mutually-authenticated TLS connection to the origin | |||
| common and predictable manner. | server in a common and predictable manner. | |||
| Note to Readers | About This Document | |||
| _RFC EDITOR: please remove this section before publication_ | This note is to be removed before publishing as an RFC. | |||
| Discussion of this draft takes place on the HTTP working group | Status information for this document may be found at | |||
| mailing list (ietf-http-wg@w3.org), which is archived at | https://datatracker.ietf.org/doc/draft-ietf-httpbis-client-cert- | |||
| https://lists.w3.org/Archives/Public/ietf-http-wg/ | field/. | |||
| (https://lists.w3.org/Archives/Public/ietf-http-wg/). | ||||
| Working Group information can be found at http://httpwg.github.io/ | Discussion of this document takes place on the HTTP Working Group | |||
| (http://httpwg.github.io/); source code and issues list for this | mailing list (mailto:ietf-http-wg@w3.org), which is archived at | |||
| draft can be found at https://github.com/httpwg/http- | https://lists.w3.org/Archives/Public/ietf-http-wg/. Working Group | |||
| extensions/labels/client-cert-header (https://github.com/httpwg/http- | information can be found at https://httpwg.org/. | |||
| extensions/labels/client-cert-header). | ||||
| Source for this draft and an issue tracker can be found at | ||||
| https://github.com/httpwg/http-extensions/labels/client-cert-field. | ||||
| Status of This Memo | Status of This Memo | |||
| This Internet-Draft is submitted in full conformance with the | This Internet-Draft is submitted in full conformance with the | |||
| provisions of BCP 78 and BCP 79. | provisions of BCP 78 and BCP 79. | |||
| Internet-Drafts are working documents of the Internet Engineering | Internet-Drafts are working documents of the Internet Engineering | |||
| Task Force (IETF). Note that other groups may also distribute | Task Force (IETF). Note that other groups may also distribute | |||
| working documents as Internet-Drafts. The list of current Internet- | working documents as Internet-Drafts. The list of current Internet- | |||
| Drafts is at https://datatracker.ietf.org/drafts/current/. | Drafts is at https://datatracker.ietf.org/drafts/current/. | |||
| Internet-Drafts are draft documents valid for a maximum of six months | Internet-Drafts are draft documents valid for a maximum of six months | |||
| and may be updated, replaced, or obsoleted by other documents at any | and may be updated, replaced, or obsoleted by other documents at any | |||
| time. It is inappropriate to use Internet-Drafts as reference | time. It is inappropriate to use Internet-Drafts as reference | |||
| material or to cite them other than as "work in progress." | material or to cite them other than as "work in progress." | |||
| This Internet-Draft will expire on 10 December 2021. | This Internet-Draft will expire on 29 July 2022. | |||
| Copyright Notice | Copyright Notice | |||
| Copyright (c) 2021 IETF Trust and the persons identified as the | Copyright (c) 2022 IETF Trust and the persons identified as the | |||
| document authors. All rights reserved. | document authors. All rights reserved. | |||
| This document is subject to BCP 78 and the IETF Trust's Legal | This document is subject to BCP 78 and the IETF Trust's Legal | |||
| Provisions Relating to IETF Documents (https://trustee.ietf.org/ | Provisions Relating to IETF Documents (https://trustee.ietf.org/ | |||
| license-info) in effect on the date of publication of this document. | license-info) in effect on the date of publication of this document. | |||
| Please review these documents carefully, as they describe your rights | Please review these documents carefully, as they describe your rights | |||
| and restrictions with respect to this document. Code Components | and restrictions with respect to this document. Code Components | |||
| extracted from this document must include Simplified BSD License text | extracted from this document must include Revised BSD License text as | |||
| as described in Section 4.e of the Trust Legal Provisions and are | described in Section 4.e of the Trust Legal Provisions and are | |||
| provided without warranty as described in the Simplified BSD License. | provided without warranty as described in the Revised BSD License. | |||
| Table of Contents | Table of Contents | |||
| 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 | 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3 | |||
| 1.1. Requirements Notation and Conventions . . . . . . . . . . 4 | 1.1. Requirements Notation and Conventions . . . . . . . . . . 4 | |||
| 1.2. Terminology . . . . . . . . . . . . . . . . . . . . . . . 4 | 1.2. Terminology . . . . . . . . . . . . . . . . . . . . . . . 4 | |||
| 2. HTTP Header Field and Processing Rules . . . . . . . . . . . 4 | 2. HTTP Header Fields and Processing Rules . . . . . . . . . . . 4 | |||
| 2.1. Encoding . . . . . . . . . . . . . . . . . . . . . . . . 4 | 2.1. Encoding . . . . . . . . . . . . . . . . . . . . . . . . 5 | |||
| 2.2. Client-Cert HTTP Header Field . . . . . . . . . . . . . . 5 | 2.2. Client-Cert HTTP Header Field . . . . . . . . . . . . . . 5 | |||
| 2.3. Processing Rules . . . . . . . . . . . . . . . . . . . . 5 | 2.3. Client-Cert-Chain HTTP Header Field . . . . . . . . . . . 6 | |||
| 3. Security Considerations . . . . . . . . . . . . . . . . . . . 6 | 2.4. Processing Rules . . . . . . . . . . . . . . . . . . . . 6 | |||
| 4. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 7 | 3. Deployment Considerations . . . . . . . . . . . . . . . . . . 7 | |||
| 5. References . . . . . . . . . . . . . . . . . . . . . . . . . 7 | 3.1. Header Field Compression . . . . . . . . . . . . . . . . 8 | |||
| 5.1. Normative References . . . . . . . . . . . . . . . . . . 7 | 3.2. Header Block Size . . . . . . . . . . . . . . . . . . . . 8 | |||
| 5.2. Informative References . . . . . . . . . . . . . . . . . 7 | 4. Security Considerations . . . . . . . . . . . . . . . . . . . 8 | |||
| Appendix A. Example . . . . . . . . . . . . . . . . . . . . . . 9 | 5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 9 | |||
| Appendix B. Considerations Considered . . . . . . . . . . . . . 10 | 5.1. HTTP Field Name Registrations . . . . . . . . . . . . . . 9 | |||
| B.1. Header Injection . . . . . . . . . . . . . . . . . . . . 10 | 6. References . . . . . . . . . . . . . . . . . . . . . . . . . 9 | |||
| B.2. The Forwarded HTTP Extension . . . . . . . . . . . . . . 10 | 6.1. Normative References . . . . . . . . . . . . . . . . . . 10 | |||
| B.3. The Whole Certificate and Only the Whole Certificate . . 11 | 6.2. Informative References . . . . . . . . . . . . . . . . . 10 | |||
| Appendix C. Acknowledgements . . . . . . . . . . . . . . . . . . 12 | Appendix A. Example . . . . . . . . . . . . . . . . . . . . . . 12 | |||
| Appendix D. Document History . . . . . . . . . . . . . . . . . . 13 | Appendix B. Considerations Considered . . . . . . . . . . . . . 13 | |||
| Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 14 | B.1. Field Injection . . . . . . . . . . . . . . . . . . . . . 14 | |||
| B.2. The Forwarded HTTP Extension . . . . . . . . . . . . . . 14 | ||||
| B.3. The Whole Certificate and Certificate Chain . . . . . . . 14 | ||||
| Appendix C. Acknowledgements . . . . . . . . . . . . . . . . . . 15 | ||||
| Appendix D. Document History . . . . . . . . . . . . . . . . . . 16 | ||||
| Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 17 | ||||
| 1. Introduction | 1. Introduction | |||
| A fairly common deployment pattern for HTTPS applications is to have | A fairly common deployment pattern for HTTPS applications is to have | |||
| the origin HTTP application servers sit behind a reverse proxy that | the origin HTTP application servers sit behind a reverse proxy that | |||
| terminates TLS connections from clients. The proxy is accessible to | terminates TLS connections from clients. The proxy is accessible to | |||
| the internet and dispatches client requests to the appropriate origin | the internet and dispatches client requests to the appropriate origin | |||
| server within a private or protected network. The origin servers are | server within a private or protected network. The origin servers are | |||
| not directly accessible by clients and are only reachable through the | not directly accessible by clients and are only reachable through the | |||
| reverse proxy. The backend details of this type of deployment are | reverse proxy. The backend details of this type of deployment are | |||
| skipping to change at page 3, line 25 ¶ | skipping to change at page 3, line 35 ¶ | |||
| authentication is sometimes employed and in such cases the origin | authentication is sometimes employed and in such cases the origin | |||
| server often requires information about the client certificate for | server often requires information about the client certificate for | |||
| its application logic. Such logic might include access control | its application logic. Such logic might include access control | |||
| decisions, audit logging, and binding issued tokens or cookies to a | decisions, audit logging, and binding issued tokens or cookies to a | |||
| certificate, and the respective validation of such bindings. The | certificate, and the respective validation of such bindings. The | |||
| specific details from the certificate needed also vary with the | specific details from the certificate needed also vary with the | |||
| application requirements. In order for these types of application | application requirements. In order for these types of application | |||
| deployments to work in practice, the reverse proxy needs to convey | deployments to work in practice, the reverse proxy needs to convey | |||
| information about the client certificate to the origin application | information about the client certificate to the origin application | |||
| server. A common way this information is conveyed in practice today | server. A common way this information is conveyed in practice today | |||
| is by using non-standard headers to carry the certificate (in some | is by using non-standard fields to carry the certificate (in some | |||
| encoding) or individual parts thereof in the HTTP request that is | encoding) or individual parts thereof in the HTTP request that is | |||
| dispatched to the origin server. This solution works but | dispatched to the origin server. This solution works but | |||
| interoperability between independently developed components can be | interoperability between independently developed components can be | |||
| cumbersome or even impossible depending on the implementation choices | cumbersome or even impossible depending on the implementation choices | |||
| respectively made (like what header names are used or are | respectively made (like what field names are used or are | |||
| configurable, which parts of the certificate are exposed, or how the | configurable, which parts of the certificate are exposed, or how the | |||
| certificate is encoded). A well-known predictable approach to this | certificate is encoded). A well-known predictable approach to this | |||
| commonly occurring functionality could improve and simplify | commonly occurring functionality could improve and simplify | |||
| interoperability between independent implementations. | interoperability between independent implementations. | |||
| This document aspires to standardize an HTTP header field named | This document aspires to standardize two HTTP header fields, Client- | |||
| "Client-Cert" that a TLS terminating reverse proxy (TTRP) adds to | Cert and Client-Cert-Chain, which a TLS terminating reverse proxy | |||
| requests that it sends to the backend origin servers. The header | (TTRP) adds to requests sent to the backend origin servers. The | |||
| value contains the client certificate from the mutually-authenticated | Client-Cert field value contains the end-entity client certificate | |||
| TLS connection between the originating client and the TTRP. This | from the mutually-authenticated TLS connection between the | |||
| enables the backend origin server to utilize the client certificate | originating client and the TTRP. Optionally, the Client-Cert-Chain | |||
| information in its application logic. While there may be additional | field value contains the certificate chain used for validation of the | |||
| proxies or hops between the TTRP and the origin server (potentially | end-entity certificate. This enables the backend origin server to | |||
| even with mutually-authenticated TLS connections between them), the | utilize the client certificate information in its application logic. | |||
| scope of the "Client-Cert" header is intentionally limited to | While there may be additional proxies or hops between the TTRP and | |||
| exposing to the origin server the certificate that was presented by | the origin server (potentially even with mutually-authenticated TLS | |||
| the originating client in its connection to the TTRP. | connections between them), the scope of the Client-Cert header field | |||
| is intentionally limited to exposing to the origin server the | ||||
| certificate that was presented by the originating client in its | ||||
| connection to the TTRP. | ||||
| 1.1. Requirements Notation and Conventions | 1.1. Requirements Notation and Conventions | |||
| The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", | The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", | |||
| "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and | "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and | |||
| "OPTIONAL" in this document are to be interpreted as described in BCP | "OPTIONAL" in this document are to be interpreted as described in | |||
| 14 [RFC2119] [RFC8174] when, and only when, they appear in all | BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all | |||
| capitals, as shown here. | capitals, as shown here. | |||
| 1.2. Terminology | 1.2. Terminology | |||
| Phrases like TLS client certificate authentication or mutually- | Phrases like TLS client certificate authentication or mutually- | |||
| authenticated TLS are used throughout this document to refer to the | authenticated TLS are used throughout this document to refer to the | |||
| process whereby, in addition to the normal TLS server authentication | process whereby, in addition to the normal TLS server authentication | |||
| with a certificate, a client presents its X.509 certificate [RFC5280] | with a certificate, a client presents its X.509 certificate [RFC5280] | |||
| and proves possession of the corresponding private key to a server | and proves possession of the corresponding private key to a server | |||
| when negotiating a TLS connection or the resumption of such a | when negotiating a TLS connection or the resumption of such a | |||
| connection. In contemporary versions of TLS [RFC8446] [RFC5246] this | connection. In contemporary versions of TLS [RFC8446] [RFC5246] this | |||
| requires that the client send the Certificate and CertificateVerify | requires that the client send the Certificate and CertificateVerify | |||
| messages during the handshake and for the server to verify the | messages during the handshake and for the server to verify the | |||
| CertificateVerify and Finished messages. | CertificateVerify and Finished messages. | |||
| TODO: HTTP2 forbids TLS renegotiation and post-handshake | HTTP/2 restricts TLS 1.2 renegotiation (Section 9.2.1 of [RFC7540]) | |||
| authentication but it's possible with HTTP1.1 and maybe needs to | and prohibits TLS 1.3 post-handshake authentication [RFC8740]. | |||
| be discussed explicitly here or somewhere in this document? | However, they are sometimes used to implement reactive client | |||
| Naively I'd say that the "Client-Cert" header will be sent with | certificate authentication in HTTP/1.1 [RFC7230] where the server | |||
| the data of the most recent client cert anytime after | decides whether to request a client certificate based on the HTTP | |||
| renegotiation or post-handshake auth. And only for requests that | request. HTTP application data sent on such a connection after | |||
| are fully covered by the cert but that in practice making the | receipt and verification of the client certificate is also mutually- | |||
| determination of where exactly in the application data the cert | authenticated and thus suitable for the mechanisms described in this | |||
| messages arrived is hard to impossible so it'll be a best effort | document. | |||
| kind of thing. | ||||
| 2. HTTP Header Field and Processing Rules | 2. HTTP Header Fields and Processing Rules | |||
| 2.1. Encoding | This document designates the following headers, defined further in | |||
| Section 2.2 and Section 2.3 respectively, to carry the client | ||||
| certificate information of a mutually-authenticated TLS connection | ||||
| from a reverse proxy to origin server. | ||||
| The field-values of the HTTP header defined herein utilize the | Client-Cert: Conveys the end-entity certificate used by the client | |||
| following encoded form. | in the TLS handshake with the reverse proxy from the reverse proxy | |||
| to the origin server. | ||||
| A certificate is represented in text as an "EncodedCertificate", | Client-Cert-Chain: Conveys the certificate chain used for validation | |||
| which is the base64-encoded (Section 4 of [RFC4648]) DER | of the end-entity certificate used by the client in the TLS | |||
| [ITU.X690.1994] PKIX certificate. The encoded value MUST NOT include | handshake from the reverse proxy to the origin server. | |||
| any line breaks, whitespace, or other additional characters. ABNF | ||||
| [RFC5234] syntax for "EncodedCertificate" is shown in the figure | ||||
| below. | ||||
| EncodedCertificate = 1*( DIGIT / ALPHA / "+" / "/" ) 0*2"=" | 2.1. Encoding | |||
| DIGIT = <Defined in Section B.1 of [RFC5234]> ; A-Z / a-z | The headers in this document encode certificates as Structured Field | |||
| ALPHA = <Defined in Section B.1 of [RFC5234]> ; 0-9 | Byte Sequences (Section 3.3.5 of [RFC8941]) where the value of the | |||
| binary data is a DER encoded [ITU.X690.1994] X.509 certificate | ||||
| [RFC5280]. In effect, this means that the binary DER certificate is | ||||
| encoded using base64 (without line breaks, spaces, or other | ||||
| characters outside the base64 alphabet) and delimited with colons on | ||||
| either side. | ||||
| Note that certificates are often stored encoded in a textual format, | ||||
| such as the one described in Section 5.1 of [RFC7468], which is | ||||
| already nearly compatible with a Structured Field Byte Sequence; if | ||||
| so, it will be sufficient to replace ---(BEGIN|END) CERTIFICATE--- | ||||
| with : and remove line breaks in order to generate an appropriate | ||||
| item. | ||||
| 2.2. Client-Cert HTTP Header Field | 2.2. Client-Cert HTTP Header Field | |||
| In the context of a TLS terminating reverse proxy (TTRP) deployment, | In the context of a TLS terminating reverse proxy deployment, the | |||
| the TTRP makes the TLS client certificate available to the backend | proxy makes the TLS client certificate available to the backend | |||
| application with the following header field. | application with the Client-Cert HTTP header field. This field | |||
| contains the end-entity certificate used by the client in the TLS | ||||
| handshake. | ||||
| Client-Cert: The end-entity client certificate as an | Client-Cert is an Item Structured Header [RFC8941]. Its value MUST | |||
| "EncodedCertificate" value. | be a Byte Sequence (Section 3.3.5 of [RFC8941]). Its ABNF is: | |||
| The "Client-Cert" header field defined herein is only for use in HTTP | Client-Cert = sf-binary | |||
| requests and MUST NOT be used in HTTP responses. It is a single HTTP | ||||
| header field-value as defined in Section 3.2 of [RFC7230], which MUST | ||||
| NOT have a list of values or occur multiple times in a request. | ||||
| 2.3. Processing Rules | The value of the header is encoded as described in Section 2.1. | |||
| The Client-Cert header field is only for use in HTTP requests and | ||||
| MUST NOT be used in HTTP responses. It is a single HTTP header field | ||||
| value as defined in Section 3.2 of [RFC7230], which MUST NOT have a | ||||
| list of values or occur multiple times in a request. | ||||
| 2.3. Client-Cert-Chain HTTP Header Field | ||||
| In the context of a TLS terminating reverse proxy deployment, the | ||||
| proxy MAY make the certificate chain used for validation of the end- | ||||
| entity certificate available to the backend application with the | ||||
| Client-Cert-Chain HTTP header field. This field contains | ||||
| certificates used by the proxy to validate the certificate used by | ||||
| the client in the TLS handshake. These certificates might or might | ||||
| not have been provided by the client during the TLS handshake. | ||||
| Client-Cert-Chain is a List Structured Header [RFC8941]. Each item | ||||
| in the list MUST be a Byte Sequence (Section 3.3.5 of [RFC8941]) | ||||
| encoded as described in Section 2.1. | ||||
| The header's ABNF is: | ||||
| Client-Cert-Chain = sf-list | ||||
| The Client-Cert-Chain header field is only for use in HTTP requests | ||||
| and MUST NOT be used in HTTP responses. It MAY have a list of values | ||||
| or occur multiple times in a request. For header compression | ||||
| purposes, it might be advantageous to split lists into multiple | ||||
| instances. | ||||
| The first certificate in the list SHOULD directly certify the end- | ||||
| entity certificate provided in the Client-Cert header; each following | ||||
| certificate SHOULD directly certify the one immediately preceding it. | ||||
| Because certificate validation requires that trust anchors be | ||||
| distributed independently, a certificate that specifies a trust | ||||
| anchor MAY be omitted from the chain, provided that the server is | ||||
| known to possess any omitted certificates. | ||||
| However, for maximum compatibility, servers SHOULD be prepared to | ||||
| handle potentially extraneous certificates and arbitrary orderings. | ||||
| 2.4. Processing Rules | ||||
| This section outlines the applicable processing rules for a TLS | This section outlines the applicable processing rules for a TLS | |||
| terminating reverse proxy (TTRP) that has negotiated a mutually- | terminating reverse proxy (TTRP) that has negotiated a mutually- | |||
| authenticated TLS connection to convey the client certificate from | authenticated TLS connection to convey the client certificate from | |||
| that connection to the backend origin servers. Use of the technique | that connection to the backend origin servers. Use of the technique | |||
| is to be a configuration or deployment option and the processing | is to be a configuration or deployment option and the processing | |||
| rules described herein are for servers operating with that option | rules described herein are for servers operating with that option | |||
| enabled. | enabled. | |||
| A TTRP negotiates the use of a mutually-authenticated TLS connection | A TTRP negotiates the use of a mutually-authenticated TLS connection | |||
| with the client, such as is described in [RFC8446] or [RFC5246], and | with the client, such as is described in [RFC8446] or [RFC5246], and | |||
| validates the client certificate per its policy and trusted | validates the client certificate per its policy and trusted | |||
| certificate authorities. Each HTTP request on the underlying TLS | certificate authorities. Each HTTP request on the underlying TLS | |||
| connection are dispatched to the origin server with the following | connection are dispatched to the origin server with the following | |||
| modifications: | modifications: | |||
| 1. The client certificate is be placed in the "Client-Cert" header | 1. The client certificate is placed in the Client-Cert header field | |||
| field of the dispatched request as defined in Section 2.2. | of the dispatched request, as described in Section 2.2. | |||
| 2. Any occurrence of the "Client-Cert" header in the original | 2. If so configured, the validation chain of the client certificate | |||
| incoming request MUST be removed or overwritten before forwarding | is placed in the Client-Cert-Chain header field of the request, | |||
| the request. An incoming request that has a "Client-Cert" header | as described in Section 2.3. | |||
| MAY be rejected with an HTTP 400 response. | ||||
| 3. Any occurrence of the Client-Cert or Client-Cert-Chain header | ||||
| fields in the original incoming request MUST be removed or | ||||
| overwritten before forwarding the request. An incoming request | ||||
| that has a Client-Cert or Client-Cert-Chain header field MAY be | ||||
| rejected with an HTTP 400 response. | ||||
| Requests made over a TLS connection where the use of client | Requests made over a TLS connection where the use of client | |||
| certificate authentication was not negotiated MUST be sanitized by | certificate authentication was not negotiated MUST be sanitized by | |||
| removing any and all occurrences "Client-Cert" header field prior to | removing any and all occurrences of the Client-Cert and Client-Cert- | |||
| dispatching the request to the backend server. | Chain header fields prior to dispatching the request to the backend | |||
| server. | ||||
| Backend origin servers may then use the "Client-Cert" header of the | Backend origin servers may then use the Client-Cert header field of | |||
| request to determine if the connection from the client to the TTRP | the request to determine if the connection from the client to the | |||
| was mutually-authenticated and, if so, the certificate thereby | TTRP was mutually-authenticated and, if so, the certificate thereby | |||
| presented by the client. | presented by the client. | |||
| Forward proxies and other intermediaries MUST NOT add the "Client- | Forward proxies and other intermediaries MUST NOT add the Client-Cert | |||
| Cert" header to requests, or modify an existing "Client-Cert" header. | or Client-Cert-Chain header fields to requests, or modify an existing | |||
| Similarly, clients MUST NOT employ the "Client-Cert" header in | Client-Cert or Client-Cert-Chain header field. Similarly, clients | |||
| MUST NOT employ the Client-Cert or Client-Cert-Chain header field in | ||||
| requests. | requests. | |||
| A server that receives a request with a "Client-Cert" header value | When the value of the Client-Cert request header field is used to | |||
| that it considers to be too large can respond with an HTTP 431 status | select a response (e.g., the response content is access-controlled), | |||
| code per Section 5 of [RFC6585]. | the response MUST either be uncacheable (e.g., by sending Cache- | |||
| Control: no-store) or be designated for selective reuse only for | ||||
| subsequent requests with the same Client-Cert header value by sending | ||||
| a Vary: Client-Cert response header. If a TTRP encounters a response | ||||
| with a client-cert field name in the Vary header field, it SHOULD | ||||
| prevent the user agent from caching the response by transforming the | ||||
| value of the Vary response header field to *. | ||||
| 3. Security Considerations | 3. Deployment Considerations | |||
| 3.1. Header Field Compression | ||||
| The header described herein enable a TTRP and backend or origin | If the client certificate header field is generated by an | |||
| server to function together as though, from the client's perspective, | intermediary on a connection that compresses fields (e.g., using | |||
| they are a single logical server side deployment of HTTPS over a | HPACK [RFC7541] or QPACK [I-D.ietf-quic-qpack]) and more than one | |||
| mutually-authenticated TLS connection. Use of the "Client-Cert" | client's requests are multiplexed into that connection, it can reduce | |||
| header outside that intended use case, however, may undermine the | compression efficiency significantly, due to the typical size of the | |||
| protections afforded by TLS client certificate authentication. | field value and its variation between clients. Recipients that | |||
| Therefore steps MUST be taken to prevent unintended use, both in | anticipate connections with these characteristics can mitigate the | |||
| sending the header and in relying on its value. | efficiency loss by increasing the size of the dynamic table. If a | |||
| recipient does not do so, senders may find it beneficial to always | ||||
| send the field value as a literal, rather than entering it into the | ||||
| dynamic table. | ||||
| Producing and consuming the "Client-Cert" header SHOULD be a | 3.2. Header Block Size | |||
| configurable option, respectively, in a TTRP and backend server (or | ||||
| individual application in that server). The default configuration | ||||
| for both should be to not use the "Client-Cert" header thus requiring | ||||
| an "opt-in" to the functionality. | ||||
| In order to prevent header injection, backend servers MUST only | A server in receipt of a larger header block than it is willing to | |||
| accept the "Client-Cert" header from a trusted TTRP (or other proxy | handle can send an HTTP 431 (Request Header Fields Too Large) status | |||
| in a trusted path from the TTRP). A TTRP MUST sanitize the incoming | code per Section 5 of [RFC6585]. Due to the typical size of the | |||
| request before forwarding it on by removing or overwriting any | field values containing certificate data, recipients may need to be | |||
| existing instances of the header. Otherwise arbitrary clients can | configured to allow for a larger maximum header block size. An | |||
| control the header value as seen and used by the backend server. It | intermediary generating client certificate header fields on | |||
| is important to note that neglecting to prevent header injection does | connections that allow for advertising the maximum acceptable header | |||
| not "fail safe" in that the nominal functionality will still work as | block size (e.g. HTTP/2 [RFC7540] or HTTP/3 [I-D.ietf-quic-http]) | |||
| expected even when malicious actions are possible. As such, extra | should account for the additional size of header block of the | |||
| care is recommended in ensuring that proper header sanitation is in | requests it sends vs. requests it receives by advertising a value to | |||
| place. | its clients that is sufficiently smaller so as to allow for the | |||
| addition of certificate data. | ||||
| 4. Security Considerations | ||||
| The header fields described herein enable a TTRP and backend or | ||||
| origin server to function together as though, from the client's | ||||
| perspective, they are a single logical server side deployment of | ||||
| HTTPS over a mutually-authenticated TLS connection. Use of the | ||||
| header fields outside that intended use case, however, may undermine | ||||
| the protections afforded by TLS client certificate authentication. | ||||
| Therefore, steps MUST be taken to prevent unintended use, both in | ||||
| sending the header field and in relying on its value. | ||||
| Producing and consuming the Client-Cert and Client-Cert-Chain header | ||||
| fields SHOULD be configurable options, respectively, in a TTRP and | ||||
| backend server (or individual application in that server). The | ||||
| default configuration for both should be to not use the header fields | ||||
| thus requiring an "opt-in" to the functionality. | ||||
| In order to prevent field injection, backend servers MUST only accept | ||||
| the Client-Cert and Client-Cert-Chain header fields from a trusted | ||||
| TTRP (or other proxy in a trusted path from the TTRP). A TTRP MUST | ||||
| sanitize the incoming request before forwarding it on by removing or | ||||
| overwriting any existing instances of the fields. Otherwise, | ||||
| arbitrary clients can control the field values as seen and used by | ||||
| the backend server. It is important to note that neglecting to | ||||
| prevent field injection does not "fail safe" in that the nominal | ||||
| functionality will still work as expected even when malicious actions | ||||
| are possible. As such, extra care is recommended in ensuring that | ||||
| proper field sanitation is in place. | ||||
| The communication between a TTRP and backend server needs to be | The communication between a TTRP and backend server needs to be | |||
| secured against eavesdropping and modification by unintended parties. | secured against eavesdropping and modification by unintended parties. | |||
| The configuration options and request sanitization are necessarily | The configuration options and request sanitization are necessarily | |||
| functionally of the respective servers. The other requirements can | functionally of the respective servers. The other requirements can | |||
| be met in a number of ways, which will vary based on specific | be met in a number of ways, which will vary based on specific | |||
| deployments. The communication between a TTRP and backend or origin | deployments. The communication between a TTRP and backend or origin | |||
| server, for example, might be authenticated in some way with the | server, for example, might be authenticated in some way with the | |||
| insertion and consumption of the "Client-Cert" header occurring only | insertion and consumption of the Client-Cert and Client-Cert-Chain | |||
| on that connection. Alternatively the network topology might dictate | header fields occurring only on that connection. Alternatively the | |||
| a private network such that the backend application is only able to | network topology might dictate a private network such that the | |||
| accept requests from the TTRP and the proxy can only make requests to | backend application is only able to accept requests from the TTRP and | |||
| that server. Other deployments that meet the requirements set forth | the proxy can only make requests to that server. Other deployments | |||
| herein are also possible. | that meet the requirements set forth herein are also possible. | |||
| 4. IANA Considerations | 5. IANA Considerations | |||
| TODO: register the "Client-Cert" HTTP header field in the registry | 5.1. HTTP Field Name Registrations | |||
| defined by http-core. | ||||
| 5. References | Please register the following entries in the "Hypertext Transfer | |||
| Protocol (HTTP) Field Name Registry" defined by | ||||
| [I-D.ietf-httpbis-semantics]: | ||||
| 5.1. Normative References | * Field name: Client-Cert | |||
| * Status: permanent | ||||
| * Specification document: Section 2 of [this document] | ||||
| * Field name: Client-Cert-Chain | ||||
| * Status: permanent | ||||
| * Specification document: Section 2 of [this document] | ||||
| 6. References | ||||
| 6.1. Normative References | ||||
| [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate | [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate | |||
| Requirement Levels", BCP 14, RFC 2119, | Requirement Levels", BCP 14, RFC 2119, | |||
| DOI 10.17487/RFC2119, March 1997, | DOI 10.17487/RFC2119, March 1997, | |||
| <https://www.rfc-editor.org/rfc/rfc2119>. | <https://www.rfc-editor.org/rfc/rfc2119>. | |||
| [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC | [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC | |||
| 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, | 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, | |||
| May 2017, <https://www.rfc-editor.org/rfc/rfc8174>. | May 2017, <https://www.rfc-editor.org/rfc/rfc8174>. | |||
| [RFC5280] Cooper, D., Santesson, S., Farrell, S., Boeyen, S., | [RFC5280] Cooper, D., Santesson, S., Farrell, S., Boeyen, S., | |||
| Housley, R., and W. Polk, "Internet X.509 Public Key | Housley, R., and W. Polk, "Internet X.509 Public Key | |||
| Infrastructure Certificate and Certificate Revocation List | Infrastructure Certificate and Certificate Revocation List | |||
| (CRL) Profile", RFC 5280, DOI 10.17487/RFC5280, May 2008, | (CRL) Profile", RFC 5280, DOI 10.17487/RFC5280, May 2008, | |||
| <https://www.rfc-editor.org/rfc/rfc5280>. | <https://www.rfc-editor.org/rfc/rfc5280>. | |||
| [RFC4648] Josefsson, S., "The Base16, Base32, and Base64 Data | ||||
| Encodings", RFC 4648, DOI 10.17487/RFC4648, October 2006, | ||||
| <https://www.rfc-editor.org/rfc/rfc4648>. | ||||
| [ITU.X690.1994] | [ITU.X690.1994] | |||
| International Telecommunications Union, "Information | International Telecommunications Union, "Information | |||
| Technology - ASN.1 encoding rules: Specification of Basic | Technology - ASN.1 encoding rules: Specification of Basic | |||
| Encoding Rules (BER), Canonical Encoding Rules (CER) and | Encoding Rules (BER), Canonical Encoding Rules (CER) and | |||
| Distinguished Encoding Rules (DER)", ITU-T Recommendation | Distinguished Encoding Rules (DER)", ITU-T Recommendation | |||
| X.690, 1994. | X.690, 1994. | |||
| 5.2. Informative References | [RFC8941] Nottingham, M. and P-H. Kamp, "Structured Field Values for | |||
| HTTP", RFC 8941, DOI 10.17487/RFC8941, February 2021, | ||||
| <https://www.rfc-editor.org/rfc/rfc8941>. | ||||
| 6.2. Informative References | ||||
| [RFC8446] Rescorla, E., "The Transport Layer Security (TLS) Protocol | [RFC8446] Rescorla, E., "The Transport Layer Security (TLS) Protocol | |||
| Version 1.3", RFC 8446, DOI 10.17487/RFC8446, August 2018, | Version 1.3", RFC 8446, DOI 10.17487/RFC8446, August 2018, | |||
| <https://www.rfc-editor.org/rfc/rfc8446>. | <https://www.rfc-editor.org/rfc/rfc8446>. | |||
| [RFC5246] Dierks, T. and E. Rescorla, "The Transport Layer Security | [RFC5246] Dierks, T. and E. Rescorla, "The Transport Layer Security | |||
| (TLS) Protocol Version 1.2", RFC 5246, | (TLS) Protocol Version 1.2", RFC 5246, | |||
| DOI 10.17487/RFC5246, August 2008, | DOI 10.17487/RFC5246, August 2008, | |||
| <https://www.rfc-editor.org/rfc/rfc5246>. | <https://www.rfc-editor.org/rfc/rfc5246>. | |||
| [RFC5234] Crocker, D., Ed. and P. Overell, "Augmented BNF for Syntax | [RFC7540] Belshe, M., Peon, R., and M. Thomson, Ed., "Hypertext | |||
| Specifications: ABNF", STD 68, RFC 5234, | Transfer Protocol Version 2 (HTTP/2)", RFC 7540, | |||
| DOI 10.17487/RFC5234, January 2008, | DOI 10.17487/RFC7540, May 2015, | |||
| <https://www.rfc-editor.org/rfc/rfc5234>. | <https://www.rfc-editor.org/rfc/rfc7540>. | |||
| [RFC8740] Benjamin, D., "Using TLS 1.3 with HTTP/2", RFC 8740, | ||||
| DOI 10.17487/RFC8740, February 2020, | ||||
| <https://www.rfc-editor.org/rfc/rfc8740>. | ||||
| [RFC7230] Fielding, R., Ed. and J. Reschke, Ed., "Hypertext Transfer | [RFC7230] Fielding, R., Ed. and J. Reschke, Ed., "Hypertext Transfer | |||
| Protocol (HTTP/1.1): Message Syntax and Routing", | Protocol (HTTP/1.1): Message Syntax and Routing", | |||
| RFC 7230, DOI 10.17487/RFC7230, June 2014, | RFC 7230, DOI 10.17487/RFC7230, June 2014, | |||
| <https://www.rfc-editor.org/rfc/rfc7230>. | <https://www.rfc-editor.org/rfc/rfc7230>. | |||
| [RFC7468] Josefsson, S. and S. Leonard, "Textual Encodings of PKIX, | ||||
| PKCS, and CMS Structures", RFC 7468, DOI 10.17487/RFC7468, | ||||
| April 2015, <https://www.rfc-editor.org/rfc/rfc7468>. | ||||
| [RFC7541] Peon, R. and H. Ruellan, "HPACK: Header Compression for | ||||
| HTTP/2", RFC 7541, DOI 10.17487/RFC7541, May 2015, | ||||
| <https://www.rfc-editor.org/rfc/rfc7541>. | ||||
| [I-D.ietf-quic-qpack] | ||||
| Krasic, C. '., Bishop, M., and A. Frindell, "QPACK: Header | ||||
| Compression for HTTP/3", Work in Progress, Internet-Draft, | ||||
| draft-ietf-quic-qpack-21, 2 February 2021, | ||||
| <https://datatracker.ietf.org/doc/html/draft-ietf-quic- | ||||
| qpack-21>. | ||||
| [RFC6585] Nottingham, M. and R. Fielding, "Additional HTTP Status | [RFC6585] Nottingham, M. and R. Fielding, "Additional HTTP Status | |||
| Codes", RFC 6585, DOI 10.17487/RFC6585, April 2012, | Codes", RFC 6585, DOI 10.17487/RFC6585, April 2012, | |||
| <https://www.rfc-editor.org/rfc/rfc6585>. | <https://www.rfc-editor.org/rfc/rfc6585>. | |||
| [I-D.ietf-quic-http] | ||||
| Bishop, M., "Hypertext Transfer Protocol Version 3 | ||||
| (HTTP/3)", Work in Progress, Internet-Draft, draft-ietf- | ||||
| quic-http-34, 2 February 2021, | ||||
| <https://datatracker.ietf.org/doc/html/draft-ietf-quic- | ||||
| http-34>. | ||||
| [I-D.ietf-httpbis-semantics] | ||||
| Fielding, R. T., Nottingham, M., and J. Reschke, "HTTP | ||||
| Semantics", Work in Progress, Internet-Draft, draft-ietf- | ||||
| httpbis-semantics-19, 12 September 2021, | ||||
| <https://datatracker.ietf.org/doc/html/draft-ietf-httpbis- | ||||
| semantics-19>. | ||||
| [RFC7239] Petersson, A. and M. Nilsson, "Forwarded HTTP Extension", | [RFC7239] Petersson, A. and M. Nilsson, "Forwarded HTTP Extension", | |||
| RFC 7239, DOI 10.17487/RFC7239, June 2014, | RFC 7239, DOI 10.17487/RFC7239, June 2014, | |||
| <https://www.rfc-editor.org/rfc/rfc7239>. | <https://www.rfc-editor.org/rfc/rfc7239>. | |||
| [RFC8705] Campbell, B., Bradley, J., Sakimura, N., and T. | [RFC8705] Campbell, B., Bradley, J., Sakimura, N., and T. | |||
| Lodderstedt, "OAuth 2.0 Mutual-TLS Client Authentication | Lodderstedt, "OAuth 2.0 Mutual-TLS Client Authentication | |||
| and Certificate-Bound Access Tokens", RFC 8705, | and Certificate-Bound Access Tokens", RFC 8705, | |||
| DOI 10.17487/RFC8705, February 2020, | DOI 10.17487/RFC8705, February 2020, | |||
| <https://www.rfc-editor.org/rfc/rfc8705>. | <https://www.rfc-editor.org/rfc/rfc8705>. | |||
| [RFC8941] Nottingham, M. and P-H. Kamp, "Structured Field Values for | ||||
| HTTP", RFC 8941, DOI 10.17487/RFC8941, February 2021, | ||||
| <https://www.rfc-editor.org/rfc/rfc8941>. | ||||
| [RFC7250] Wouters, P., Ed., Tschofenig, H., Ed., Gilmore, J., | ||||
| Weiler, S., and T. Kivinen, "Using Raw Public Keys in | ||||
| Transport Layer Security (TLS) and Datagram Transport | ||||
| Layer Security (DTLS)", RFC 7250, DOI 10.17487/RFC7250, | ||||
| June 2014, <https://www.rfc-editor.org/rfc/rfc7250>. | ||||
| Appendix A. Example | Appendix A. Example | |||
| In a hypothetical example where a TLS client presents the client and | In a hypothetical example where a TLS client presents the client and | |||
| intermediate certificate from Figure 1 when establishing a mutually- | intermediate certificate from Figure 1 when establishing a mutually- | |||
| authenticated TLS connection with the TTRP, the proxy would send the | authenticated TLS connection with the TTRP, the proxy would send the | |||
| "Client-Cert" header shown in {#example-header} to the backend. Note | Client-Cert field shown in {#example-header} to the backend. Note | |||
| that line breaks and whitespace have been added to the value of the | that line breaks and whitespace have been added to the field value in | |||
| header field in Figure 2 for display and formatting purposes only. | Figure 2 for display and formatting purposes only. | |||
| -----BEGIN CERTIFICATE----- | -----BEGIN CERTIFICATE----- | |||
| MIIBqDCCAU6gAwIBAgIBBzAKBggqhkjOPQQDAjA6MRswGQYDVQQKDBJMZXQncyBB | MIIBqDCCAU6gAwIBAgIBBzAKBggqhkjOPQQDAjA6MRswGQYDVQQKDBJMZXQncyBB | |||
| dXRoZW50aWNhdGUxGzAZBgNVBAMMEkxBIEludGVybWVkaWF0ZSBDQTAeFw0yMDAx | dXRoZW50aWNhdGUxGzAZBgNVBAMMEkxBIEludGVybWVkaWF0ZSBDQTAeFw0yMDAx | |||
| MTQyMjU1MzNaFw0yMTAxMjMyMjU1MzNaMA0xCzAJBgNVBAMMAkJDMFkwEwYHKoZI | MTQyMjU1MzNaFw0yMTAxMjMyMjU1MzNaMA0xCzAJBgNVBAMMAkJDMFkwEwYHKoZI | |||
| zj0CAQYIKoZIzj0DAQcDQgAE8YnXXfaUgmnMtOXU/IncWalRhebrXmckC8vdgJ1p | zj0CAQYIKoZIzj0DAQcDQgAE8YnXXfaUgmnMtOXU/IncWalRhebrXmckC8vdgJ1p | |||
| 5Be5F/3YC8OthxM4+k1M6aEAEFcGzkJiNy6J84y7uzo9M6NyMHAwCQYDVR0TBAIw | 5Be5F/3YC8OthxM4+k1M6aEAEFcGzkJiNy6J84y7uzo9M6NyMHAwCQYDVR0TBAIw | |||
| ADAfBgNVHSMEGDAWgBRm3WjLa38lbEYCuiCPct0ZaSED2DAOBgNVHQ8BAf8EBAMC | ADAfBgNVHSMEGDAWgBRm3WjLa38lbEYCuiCPct0ZaSED2DAOBgNVHQ8BAf8EBAMC | |||
| BsAwEwYDVR0lBAwwCgYIKwYBBQUHAwIwHQYDVR0RAQH/BBMwEYEPYmRjQGV4YW1w | BsAwEwYDVR0lBAwwCgYIKwYBBQUHAwIwHQYDVR0RAQH/BBMwEYEPYmRjQGV4YW1w | |||
| bGUuY29tMAoGCCqGSM49BAMCA0gAMEUCIBHda/r1vaL6G3VliL4/Di6YK0Q6bMje | bGUuY29tMAoGCCqGSM49BAMCA0gAMEUCIBHda/r1vaL6G3VliL4/Di6YK0Q6bMje | |||
| skipping to change at page 10, line 5 ¶ | skipping to change at page 13, line 5 ¶ | |||
| cml0eTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABFoaHU+Z5bPKmGzlYXtCf+E6 | cml0eTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABFoaHU+Z5bPKmGzlYXtCf+E6 | |||
| HYj62fORaHDOrt+yyh3H/rTcs7ynFfGn+gyFsrSP3Ez88rajv+U2NfD0o0uZ4Pmj | HYj62fORaHDOrt+yyh3H/rTcs7ynFfGn+gyFsrSP3Ez88rajv+U2NfD0o0uZ4Pmj | |||
| YzBhMB0GA1UdDgQWBBTEA2Q6eecKu9g9yb5glbkhhVINGDAfBgNVHSMEGDAWgBTE | YzBhMB0GA1UdDgQWBBTEA2Q6eecKu9g9yb5glbkhhVINGDAfBgNVHSMEGDAWgBTE | |||
| A2Q6eecKu9g9yb5glbkhhVINGDAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQE | A2Q6eecKu9g9yb5glbkhhVINGDAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQE | |||
| AwIBhjAKBggqhkjOPQQDAgNIADBFAiEAmAeg1ycKHriqHnaD4M/UDBpQRpkmdcRF | AwIBhjAKBggqhkjOPQQDAgNIADBFAiEAmAeg1ycKHriqHnaD4M/UDBpQRpkmdcRF | |||
| YGMg1Qyrkx4CIB4ivz3wQcQkGhcsUZ1SOImd/lq1Q0FLf09rGfLQPWDc | YGMg1Qyrkx4CIB4ivz3wQcQkGhcsUZ1SOImd/lq1Q0FLf09rGfLQPWDc | |||
| -----END CERTIFICATE----- | -----END CERTIFICATE----- | |||
| Figure 1: Certificate Chain (with client certificate first) | Figure 1: Certificate Chain (with client certificate first) | |||
| Client-Cert: MIIBqDCCAU6gAwIBAgIBBzAKBggqhkjOPQQDAjA6MRswGQYDVQQKDBJM | Client-Cert: :MIIBqDCCAU6gAwIBAgIBBzAKBggqhkjOPQQDAjA6MRswGQYDVQQKDBJ | |||
| ZXQncyBBdXRoZW50aWNhdGUxGzAZBgNVBAMMEkxBIEludGVybWVkaWF0ZSBDQTAeFw0y | MZXQncyBBdXRoZW50aWNhdGUxGzAZBgNVBAMMEkxBIEludGVybWVkaWF0ZSBDQTAeFw0 | |||
| MDAxMTQyMjU1MzNaFw0yMTAxMjMyMjU1MzNaMA0xCzAJBgNVBAMMAkJDMFkwEwYHKoZI | yMDAxMTQyMjU1MzNaFw0yMTAxMjMyMjU1MzNaMA0xCzAJBgNVBAMMAkJDMFkwEwYHKoZ | |||
| zj0CAQYIKoZIzj0DAQcDQgAE8YnXXfaUgmnMtOXU/IncWalRhebrXmckC8vdgJ1p5Be5 | Izj0CAQYIKoZIzj0DAQcDQgAE8YnXXfaUgmnMtOXU/IncWalRhebrXmckC8vdgJ1p5Be | |||
| F/3YC8OthxM4+k1M6aEAEFcGzkJiNy6J84y7uzo9M6NyMHAwCQYDVR0TBAIwADAfBgNV | 5F/3YC8OthxM4+k1M6aEAEFcGzkJiNy6J84y7uzo9M6NyMHAwCQYDVR0TBAIwADAfBgN | |||
| HSMEGDAWgBRm3WjLa38lbEYCuiCPct0ZaSED2DAOBgNVHQ8BAf8EBAMCBsAwEwYDVR0l | VHSMEGDAWgBRm3WjLa38lbEYCuiCPct0ZaSED2DAOBgNVHQ8BAf8EBAMCBsAwEwYDVR0 | |||
| BAwwCgYIKwYBBQUHAwIwHQYDVR0RAQH/BBMwEYEPYmRjQGV4YW1wbGUuY29tMAoGCCqG | lBAwwCgYIKwYBBQUHAwIwHQYDVR0RAQH/BBMwEYEPYmRjQGV4YW1wbGUuY29tMAoGCCq | |||
| SM49BAMCA0gAMEUCIBHda/r1vaL6G3VliL4/Di6YK0Q6bMjeSkC3dFCOOB8TAiEAx/kH | GSM49BAMCA0gAMEUCIBHda/r1vaL6G3VliL4/Di6YK0Q6bMjeSkC3dFCOOB8TAiEAx/k | |||
| SB4urmiZ0NX5r5XarmPk0wmuydBVoU4hBVZ1yhk= | HSB4urmiZ0NX5r5XarmPk0wmuydBVoU4hBVZ1yhk=: | |||
| Figure 2: Header in HTTP Request to Origin Server | Figure 2: Header Field in HTTP Request to Origin Server | |||
| Appendix B. Considerations Considered | If the proxy were configured to also include the certificate chain, | |||
| it would also include this header: | ||||
| B.1. Header Injection | Client-Cert-Chain: :MIIB5jCCAYugAwIBAgIBFjAKBggqhkjOPQQDAjBWMQsw | |||
| CQYDVQQGEwJVUzEbMBkGA1UECgwSTGV0J3MgQXV0aGVudGljYXRlMSowKAYDVQQ | ||||
| DDCFMZXQncyBBdXRoZW50aWNhdGUgUm9vdCBBdXRob3JpdHkwHhcNMjAwMTE0Mj | ||||
| EzMjMwWhcNMzAwMTExMjEzMjMwWjA6MRswGQYDVQQKDBJMZXQncyBBdXRoZW50a | ||||
| WNhdGUxGzAZBgNVBAMMEkxBIEludGVybWVkaWF0ZSBDQTBZMBMGByqGSM49AgEG | ||||
| CCqGSM49AwEHA0IABJf+aA54RC5pyLAR5yfXVYmNpgd+CGUTDp2KOGhc0gK91zx | ||||
| hHesEYkdXkpS2UN8Kati+yHtWCV3kkhCngGyv7RqjZjBkMB0GA1UdDgQWBBRm3W | ||||
| jLa38lbEYCuiCPct0ZaSED2DAfBgNVHSMEGDAWgBTEA2Q6eecKu9g9yb5glbkhh | ||||
| VINGDASBgNVHRMBAf8ECDAGAQH/AgEAMA4GA1UdDwEB/wQEAwIBhjAKBggqhkjO | ||||
| PQQDAgNJADBGAiEA5pLvaFwRRkxomIAtDIwg9D7gC1xzxBl4r28EzmSO1pcCIQC | ||||
| JUShpSXO9HDIQMUgH69fNDEMHXD3RRX5gP7kuu2KGMg==:, :MIICBjCCAaygAw | ||||
| IBAgIJAKS0yiqKtlhoMAoGCCqGSM49BAMCMFYxCzAJBgNVBAYTAlVTMRswGQYDV | ||||
| QQKDBJMZXQncyBBdXRoZW50aWNhdGUxKjAoBgNVBAMMIUxldCdzIEF1dGhlbnRp | ||||
| Y2F0ZSBSb290IEF1dGhvcml0eTAeFw0yMDAxMTQyMTI1NDVaFw00MDAxMDkyMTI | ||||
| 1NDVaMFYxCzAJBgNVBAYTAlVTMRswGQYDVQQKDBJMZXQncyBBdXRoZW50aWNhdG | ||||
| UxKjAoBgNVBAMMIUxldCdzIEF1dGhlbnRpY2F0ZSBSb290IEF1dGhvcml0eTBZM | ||||
| BMGByqGSM49AgEGCCqGSM49AwEHA0IABFoaHU+Z5bPKmGzlYXtCf+E6HYj62fOR | ||||
| aHDOrt+yyh3H/rTcs7ynFfGn+gyFsrSP3Ez88rajv+U2NfD0o0uZ4PmjYzBhMB0 | ||||
| GA1UdDgQWBBTEA2Q6eecKu9g9yb5glbkhhVINGDAfBgNVHSMEGDAWgBTEA2Q6ee | ||||
| cKu9g9yb5glbkhhVINGDAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIBh | ||||
| jAKBggqhkjOPQQDAgNIADBFAiEAmAeg1ycKHriqHnaD4M/UDBpQRpkmdcRFYGMg | ||||
| 1Qyrkx4CIB4ivz3wQcQkGhcsUZ1SOImd/lq1Q0FLf09rGfLQPWDc: | ||||
| This draft requires that the TTRP sanitize the headers of the | Figure 3: Certificate Chain in HTTP Request to Origin Server | |||
| incoming request by removing or overwriting any existing instances of | ||||
| the "Client-Cert" header before dispatching that request to the | Appendix B. Considerations Considered | |||
| backend application. Otherwise, a client could inject its own | B.1. Field Injection | |||
| "Client-Cert" header that would appear to the backend to have come | ||||
| This draft requires that the TTRP sanitize the fields of the incoming | ||||
| request by removing or overwriting any existing instances of the | ||||
| Client-Cert and Client-Cert-Chain header fields before dispatching | ||||
| that request to the backend application. Otherwise, a client could | ||||
| inject its own values that would appear to the backend to have come | ||||
| from the TTRP. Although numerous other methods of detecting/ | from the TTRP. Although numerous other methods of detecting/ | |||
| preventing header injection are possible; such as the use of a unique | preventing field injection are possible; such as the use of a unique | |||
| secret value as part of the header name or value or the application | secret value as part of the field name or value or the application of | |||
| of a signature, HMAC, or AEAD, there is no common general | a signature, HMAC, or AEAD, there is no common general standardized | |||
| standardized mechanism. The potential problem of client header | mechanism. The potential problem of client field injection is not at | |||
| injection is not at all unique to the functionality of this draft and | all unique to the functionality of this draft, and it would therefore | |||
| it would therefor be inappropriate for this draft to define a one-off | be inappropriate for this draft to define a one-off solution. In the | |||
| solution. In the absence of a generic standardized solution existing | absence of a generic standardized solution existing currently, | |||
| currently, stripping/sanitizing the headers is the de facto means of | stripping/sanitizing the fields is the de facto means of protecting | |||
| protecting against header injection in practice today. Sanitizing | against field injection in practice today. Sanitizing the fields is | |||
| the headers is sufficient when properly implemented and is normative | sufficient when properly implemented and is a normative requirement | |||
| requirement of Section 3. | of Section 4. | |||
| B.2. The Forwarded HTTP Extension | B.2. The Forwarded HTTP Extension | |||
| The "Forwarded" HTTP header field defined in [RFC7239] allows proxy | The Forwarded HTTP header field defined in [RFC7239] allows proxy | |||
| components to disclose information lost in the proxying process. The | components to disclose information lost in the proxying process. The | |||
| TLS client certificate information of concern to this draft could | TLS client certificate information of concern to this draft could | |||
| have been communicated with an extension parameter to the "Forwarded" | have been communicated with an extension parameter to the Forwarded | |||
| header field, however, doing so would have had some disadvantages | field; however, doing so would have had some disadvantages that this | |||
| that this draft endeavored to avoid. The "Forwarded" header syntax | draft endeavored to avoid. The Forwarded field syntax allows for | |||
| allows for information about a full chain of proxied HTTP requests, | information about a full chain of proxied HTTP requests, whereas the | |||
| whereas the "Client-Cert" header of this document is concerned only | Client-Cert and Client-Cert-Chain header fields of this document are | |||
| with conveying information about the certificate presented by the | concerned only with conveying information about the certificate | |||
| originating client on the TLS connection to the TTRP (which appears | presented by the originating client on the TLS connection to the TTRP | |||
| as the server from that client's perspective) to backend | (which appears as the server from that client's perspective) to | |||
| applications. The multi-hop syntax of the "Forwarded" header is | backend applications. The multi-hop syntax of the Forwarded field is | |||
| expressive but also more complicated, which would make processing it | expressive but also more complicated, which would make processing it | |||
| more cumbersome, and more importantly, make properly sanitizing its | more cumbersome, and more importantly, make properly sanitizing its | |||
| content as required by Section 3 to prevent header injection | content as required by Section 4 to prevent field injection | |||
| considerably more difficult and error prone. Thus, this draft opted | considerably more difficult and error-prone. Thus, this draft opted | |||
| for the flatter and more straightforward structure of a single | for a flatter and more straightforward structure. | |||
| "Client-Cert" header. | ||||
| B.3. The Whole Certificate and Only the Whole Certificate | B.3. The Whole Certificate and Certificate Chain | |||
| Different applications will have varying requirements about what | Different applications will have varying requirements about what | |||
| information from the client certificate is needed, such as the | information from the client certificate is needed, such as the | |||
| subject and/or issuer distinguished name, subject alternative | subject and/or issuer distinguished name, subject alternative | |||
| name(s), serial number, subject public key info, fingerprint, etc.. | name(s), serial number, subject public key info, fingerprint, etc.. | |||
| Furthermore some applications, such as "OAuth 2.0 Mutual-TLS Client | Furthermore, some applications, such as [RFC8705], make use of the | |||
| Authentication and Certificate-Bound Access Tokens" [RFC8705], make | entire certificate. In order to accommodate the latter and ensure | |||
| use of the entire certificate. In order to accommodate the latter | wide applicability by not trying to cherry-pick particular | |||
| and ensure wide applicability by not trying to cherry-pick particular | ||||
| certificate information, this draft opted to pass the full encoded | certificate information, this draft opted to pass the full encoded | |||
| certificate as the value of the "Client-Cert" header. | certificate as the value of the Client-Cert field. | |||
| The handshake and validation of the client certificate (chain) of the | The handshake and validation of the client certificate (chain) of the | |||
| mutually-authenticated TLS connection is performed by the TTRP. With | mutually-authenticated TLS connection is performed by the TTRP. With | |||
| the responsibility of certificate validation falling on the TTRP, | the responsibility of certificate validation falling on the TTRP, the | |||
| only the end-entity certificate is passed to the backend - the root | end-entity certificate is oftentimes sufficient for the needs of the | |||
| Certificate Authority is not included nor are any intermediates. | origin server. The separate Client-Cert-Chain field can convey the | |||
| certificate chain for deployments that require such information. | ||||
| TODO: It has been suggested that more information about the | ||||
| certificate chain might be needed/wanted by the backend | ||||
| application (to independently evaluate the cert chain, for | ||||
| example, although that seems like it would be terribly | ||||
| inefficient) and that any intermediates as well as the root should | ||||
| also be somehow conveyed, which is an area for further discussion | ||||
| should this draft progress. One potential approach suggested by a | ||||
| few folks is to allow some configurability in what is sent along | ||||
| with maybe a prefix token to indicate what's being sent - | ||||
| something like "Client-Cert: FULL \<cert> \<intermediate> | ||||
| \<anchor>" or "Client-Cert: EE \<cert>" as the strawman. Or a | ||||
| perhaps a parameter or other construct of [RFC8941] to indicate | ||||
| what's being sent. It's also been suggested that the end-entity | ||||
| certificate by itself might sometimes be too big (esp. e.g., with | ||||
| some post-quantum signature schemes). Hard to account for it both | ||||
| being too much data and not enough data at the same time. But | ||||
| potentially opening up configuration options to send only specific | ||||
| attribute(s) from the client certificate is a possibility for | ||||
| that. In the author's humble opinion the end-entity certificate | ||||
| by itself strikes a good balance for the vast majority of needs | ||||
| and avoids optionality. But, again, this is an area for further | ||||
| discussion should this draft progress. | ||||
| TODO: It has also been suggested that maybe considerations for | ||||
| [RFC7250] Raw Public Keys is maybe worth considering. This too is | ||||
| this is an area for further discussion and consideration should | ||||
| this draft progress. | ||||
| Appendix C. Acknowledgements | Appendix C. Acknowledgements | |||
| The author would like to thank the following individuals who've | The authors would like to thank the following individuals who've | |||
| contributed in various ways ranging from just being generally | contributed in various ways ranging from just being generally | |||
| supportive of bringing forth the draft to providing specific feedback | supportive of bringing forth the draft to providing specific feedback | |||
| or content: | or content: | |||
| * Evan Anderson | * Evan Anderson | |||
| * Annabelle Backman | * Annabelle Backman | |||
| * Mike Bishop | * Alan Frindell | |||
| * Rory Hewitt | * Rory Hewitt | |||
| * Fredrik Jeansson | * Fredrik Jeansson | |||
| * Benjamin Kaduk | * Benjamin Kaduk | |||
| * Torsten Lodderstedt | * Torsten Lodderstedt | |||
| * Kathleen Moriarty | * Kathleen Moriarty | |||
| * Mark Nottingham | * Mark Nottingham | |||
| * Erik Nygren | ||||
| * Mike Ounsworth | * Mike Ounsworth | |||
| * Matt Peterson | * Matt Peterson | |||
| * Eric Rescorla | * Eric Rescorla | |||
| * Justin Richer | * Justin Richer | |||
| * Michael Richardson | * Michael Richardson | |||
| * Joe Salowey | * Joe Salowey | |||
| * Rich Salz | * Rich Salz | |||
| * Mohit Sethi | * Mohit Sethi | |||
| * Rifaat Shekh-Yusef | * Rifaat Shekh-Yusef | |||
| * Travis Spencer | * Travis Spencer | |||
| * Nick Sullivan | * Nick Sullivan | |||
| * Martin Thomson | ||||
| * Peter Wu | * Peter Wu | |||
| * Hans Zandbelt | * Hans Zandbelt | |||
| Appendix D. Document History | Appendix D. Document History | |||
| To be removed by the RFC Editor before publication as an RFC | To be removed by the RFC Editor before publication as an RFC | |||
| draft-ietf-httpbis-client-cert-field-01 | ||||
| * Use RFC 8941 Structured Field Values for HTTP | ||||
| * Introduce a separate header that can convey the certificate chain | ||||
| * Add considerations on header compression and size | ||||
| * Describe interaction with caching | ||||
| * Fill out IANA Considerations with HTTP field name registrations | ||||
| * Discuss renegotiation | ||||
| draft-ietf-httpbis-client-cert-field-00 | draft-ietf-httpbis-client-cert-field-00 | |||
| * Initial WG revision | * Initial WG revision | |||
| * Mike Bishop added as co-editor | * Mike Bishop added as co-editor | |||
| draft-bdc-something-something-certificate-05 | draft-bdc-something-something-certificate-05 | |||
| * Change intended status of the draft to Informational | * Change intended status of the draft to Informational | |||
| * Editorial updates and (hopefully) clarifications | * Editorial updates and (hopefully) clarifications | |||
| draft-bdc-something-something-certificate-04 | ||||
| * Update reference from draft-ietf-oauth-mtls to RFC8705 | * Update reference from draft-ietf-oauth-mtls to RFC8705 | |||
| draft-bdc-something-something-certificate-03 | draft-bdc-something-something-certificate-03 | |||
| * Expanded further discussion notes to capture some of the feedback | * Expanded further discussion notes to capture some of the feedback | |||
| in and around the presentation of the draft in SECDISPATCH at IETF | in and around the presentation of the draft in SECDISPATCH at IETF | |||
| 107 and add those who've provided such feedback to the | 107 and add those who've provided such feedback to the | |||
| acknowledgements | acknowledgements | |||
| draft-bdc-something-something-certificate-02 | draft-bdc-something-something-certificate-02 | |||
| End of changes. 71 change blocks. | ||||
| 251 lines changed or deleted | 405 lines changed or added | |||
This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/ | ||||