| draft-ietf-httpbis-client-cert-field-06.txt | draft-ietf-httpbis-client-cert-field-latest.txt | |||
|---|---|---|---|---|
| HTTP Working Group B. Campbell | Internet Engineering Task Force (IETF) B. Campbell | |||
| Internet-Draft Ping Identity | Request for Comments: 9440 Ping Identity | |||
| Intended status: Informational M. Bishop, Ed. | Category: Informational M. Bishop, Ed. | |||
| Expires: September 18, 2023 Akamai | ISSN: 2070-1721 Akamai | |||
| March 17, 2023 | July 2023 | |||
| Client-Cert HTTP Header Field | Client-Cert HTTP Header Field | |||
| draft-ietf-httpbis-client-cert-field-06 | ||||
| Abstract | Abstract | |||
| This document describes HTTP extension header fields that allow a TLS | This document describes HTTP extension header fields that allow a TLS | |||
| terminating reverse proxy to convey the client certificate | terminating reverse proxy (TTRP) to convey the client certificate | |||
| information of a mutually authenticated TLS connection to the origin | information of a mutually authenticated TLS connection to the origin | |||
| server in a common and predictable manner. | server in a common and | |||
| predictable manner. | ||||
| About This Document | About This Document | |||
| This note is to be removed before publishing as an RFC. | This note is to be removed before publishing as an RFC. | |||
| Status information for this document may be found at | Status information for this document may be found at | |||
| <https://datatracker.ietf.org/doc/draft-ietf-httpbis-client-cert- | <https://datatracker.ietf.org/doc/draft-ietf-httpbis-client-cert- | |||
| field/>. | field/>. | |||
| Discussion of this document takes place on the HTTP Working Group | Discussion of this document takes place on the HTTP Working Group | |||
| mailing list (<mailto:ietf-http-wg@w3.org>), which is archived at | mailing list (<mailto:ietf-http-wg@w3.org>), which is archived at | |||
| <https://lists.w3.org/Archives/Public/ietf-http-wg/>. Working Group | <https://lists.w3.org/Archives/Public/ietf-http-wg/>. Working Group | |||
| information can be found at <https://httpwg.org/>. | information can be found at <https://httpwg.org/>. | |||
| Source for this draft and an issue tracker can be found at | Source for this draft and an issue tracker can be found at | |||
| <https://github.com/httpwg/http-extensions/labels/client-cert-field>. | <https://github.com/httpwg/http-extensions/labels/client-cert-field>. | |||
| Status of This Memo | Status of This Memo | |||
| This Internet-Draft is submitted in full conformance with the | This document is not an Internet Standards Track specification; it is | |||
| provisions of BCP 78 and BCP 79. | published for informational purposes. | |||
| Internet-Drafts are working documents of the Internet Engineering | This document is a product of the Internet Engineering Task Force | |||
| Task Force (IETF). Note that other groups may also distribute | (IETF). It has been approved for publication by the Internet | |||
| working documents as Internet-Drafts. The list of current Internet- | Engineering Steering Group (IESG). Not all documents approved by the | |||
| Drafts is at https://datatracker.ietf.org/drafts/current/. | IESG are candidates for any level of Internet Standard; see Section 2 | |||
| of RFC 7841. | ||||
| Internet-Drafts are draft documents valid for a maximum of six months | Information about the current status of this document, any errata, | |||
| and may be updated, replaced, or obsoleted by other documents at any | and how to provide feedback on it may be obtained at | |||
| time. It is inappropriate to use Internet-Drafts as reference | https://www.rfc-editor.org/info/rfc9440. | |||
| material or to cite them other than as "work in progress." | ||||
| This Internet-Draft will expire on September 18, 2023. | ||||
| Copyright Notice | Copyright Notice | |||
| Copyright (c) 2023 IETF Trust and the persons identified as the | Copyright (c) 2023 IETF Trust and the persons identified as the | |||
| document authors. All rights reserved. | document authors. All rights reserved. | |||
| This document is subject to BCP 78 and the IETF Trust's Legal | This document is subject to BCP 78 and the IETF Trust's Legal | |||
| Provisions Relating to IETF Documents | Provisions Relating to IETF Documents | |||
| (https://trustee.ietf.org/license-info) in effect on the date of | (https://trustee.ietf.org/license-info) in effect on the date of | |||
| publication of this document. Please review these documents | publication of this document. Please review these documents | |||
| skipping to change at page 2, line 26 ¶ | skipping to change at page 2, line 25 ¶ | |||
| to this document. Code Components extracted from this document must | to this document. Code Components extracted from this document must | |||
| include Simplified BSD License text as described in Section 4.e of | include Simplified BSD License text as described in Section 4.e of | |||
| the Trust Legal Provisions and are provided without warranty as | the Trust Legal Provisions and are provided without warranty as | |||
| described in the Simplified BSD License. | described in the Simplified BSD License. | |||
| 1. Introduction | 1. Introduction | |||
| A fairly common deployment pattern for HTTPS applications is to have | A fairly common deployment pattern for HTTPS applications is to have | |||
| the origin HTTP application servers sit behind a reverse proxy that | the origin HTTP application servers sit behind a reverse proxy that | |||
| terminates TLS connections from clients. The proxy is accessible to | terminates TLS connections from clients. The proxy is accessible to | |||
| the internet and dispatches client requests to the appropriate origin | the Internet and dispatches client requests to the appropriate origin | |||
| server within a private or protected network. The origin servers are | server within a private or protected network. The origin servers are | |||
| not directly accessible by clients and are only reachable through the | not directly accessible by clients and are only reachable through the | |||
| reverse proxy. The backend details of this type of deployment are | reverse proxy. The backend details of this type of deployment are | |||
| typically opaque to clients who make requests to the proxy server and | typically opaque to clients who make requests to the proxy server and | |||
| see responses as though they originated from the proxy server itself. | see responses as though they originated from the proxy server itself. | |||
| Although HTTPS is also usually employed between the proxy and the | Although HTTPS is also usually employed between the proxy and the | |||
| origin server, the TLS connection that the client establishes for | origin server, the TLS connection that the client establishes for | |||
| HTTPS is only between itself and the reverse proxy server. | HTTPS is only between itself and the reverse proxy server. | |||
| The deployment pattern is found in a number of varieties such as | The deployment pattern is found in a number of varieties such as | |||
| n-tier architectures, content delivery networks, application load | n-tier architectures, content delivery networks, application load- | |||
| balancing services, and ingress controllers. | balancing services, and ingress controllers. | |||
| Although not exceedingly prevalent, TLS client certificate | Although not exceedingly prevalent, TLS client certificate | |||
| authentication is sometimes employed and in such cases the origin | authentication is sometimes employed, and in such cases the origin | |||
| server often requires information about the client certificate for | server often requires information about the client certificate for | |||
| its application logic. Such logic might include access control | its application logic. Such logic might include access control | |||
| decisions, audit logging, and binding issued tokens or cookies to a | decisions, audit logging, and binding issued tokens or cookies to a | |||
| certificate, and the respective validation of such bindings. The | certificate, including the respective validation of such bindings. | |||
| specific details from the certificate needed also vary with the | The specific details needed from the certificate also vary with the | |||
| application requirements. In order for these types of application | application requirements. In order for these types of application | |||
| deployments to work in practice, the reverse proxy needs to convey | deployments to work in practice, the reverse proxy needs to convey | |||
| information about the client certificate to the origin application | information about the client certificate to the origin application | |||
| server. At the time of writing, a common way this information is | server. At the time of writing, a common way this information is | |||
| conveyed is by using non-standard fields to carry the certificate (in | conveyed is by using non-standard fields to carry the certificate (in | |||
| some encoding) or individual parts thereof in the HTTP request that | some encoding) or individual parts thereof in the HTTP request that | |||
| is dispatched to the origin server. This solution works but | is dispatched to the origin server. This solution works, but | |||
| interoperability between independently developed components can be | interoperability between independently developed components can be | |||
| cumbersome or even impossible depending on the implementation choices | cumbersome or even impossible depending on the implementation choices | |||
| respectively made (like what field names are used or are | respectively made (like what field names are used or are | |||
| configurable, which parts of the certificate are exposed, or how the | configurable, which parts of the certificate are exposed, or how the | |||
| certificate is encoded). A well-known predictable approach to this | certificate is encoded). A well-known predictable approach to this | |||
| commonly occurring functionality could improve and simplify | commonly occurring functionality could improve and simplify | |||
| interoperability between independent implementations. | interoperability between independent implementations. | |||
| The scope of this document is to describe existing practice while | The scope of this document is to describe existing practice while | |||
| codifying specific details sufficient to facilitate improved and | codifying specific details sufficient to facilitate improved and | |||
| lower-touch interoperability. As such, this document describes two | lower-touch interoperability. As such, this document describes two | |||
| HTTP header fields, "Client-Cert" and "Client-Cert-Chain", which a | HTTP header fields, "Client-Cert" and "Client-Cert-Chain", which a | |||
| TLS terminating reverse proxy (TTRP) adds to requests sent to the | TLS terminating reverse proxy (TTRP) adds to requests sent to the | |||
| backend origin servers. The "Client-Cert" field value contains the | backend origin servers. The Client-Cert field value contains the | |||
| end-entity client certificate from the mutually authenticated TLS | end-entity client certificate from the mutually authenticated TLS | |||
| connection between the originating client and the TTRP. Optionally, | connection between the originating client and the TTRP. Optionally, | |||
| the "Client-Cert-Chain" field value contains the certificate chain | the Client-Cert-Chain field value contains the certificate chain used | |||
| used for validation of the end-entity certificate. This enables the | for validation of the end-entity certificate. This enables the | |||
| backend origin server to utilize the client certificate information | backend origin server to utilize the client certificate information | |||
| in its application logic. While there may be additional proxies or | in its application logic. While there may be additional proxies or | |||
| hops between the TTRP and the origin server (potentially even with | hops between the TTRP and the origin server (potentially even with | |||
| mutually authenticated TLS connections between them), the scope of | mutually authenticated TLS connections between them), the scope of | |||
| the "Client-Cert" header field is intentionally limited to exposing | the Client-Cert header field is intentionally limited to exposing to | |||
| to the origin server the certificate that was presented by the | the origin server the certificate that was presented by the | |||
| originating client in its connection to the TTRP. | originating client in its connection to the TTRP. | |||
| 1.1. Requirements Notation and Conventions | 1.1. Requirements Notation and Conventions | |||
| The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", | The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", | |||
| "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and | "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and | |||
| "OPTIONAL" in this document are to be interpreted as described in | "OPTIONAL" in this document are to be interpreted as described in | |||
| BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all | BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all | |||
| capitals, as shown here. | capitals, as shown here. | |||
| 1.2. Terminology and Applicability | 1.2. Terminology and Applicability | |||
| This document uses the following terminology from Section 3 of | This document uses the following terminology from Section 3 of | |||
| [STRUCTURED-FIELDS] to specify syntax and parsing: List and Byte | [STRUCTURED-FIELDS] to specify syntax and parsing: List and Byte | |||
| Sequence. | Sequence. | |||
| Phrases like TLS client certificate authentication or mutually | Phrases like "TLS client certificate authentication" or "mutually | |||
| authenticated TLS are used throughout this document to refer to the | authenticated TLS" are used throughout this document to refer to the | |||
| process whereby, in addition to the normal TLS server authentication | process whereby, in addition to the normal TLS server authentication | |||
| with a certificate, a client presents its X.509 certificate [RFC5280] | with a certificate, a client presents its X.509 certificate [RFC5280] | |||
| and proves possession of the corresponding private key to a server | and proves possession of the corresponding private key to a server | |||
| when negotiating a TLS connection or the resumption of such a | when negotiating a TLS connection or the resumption of such a | |||
| connection. In contemporary versions of TLS [TLS] [TLS1.2] this | connection. In contemporary versions of TLS [TLS] [TLS1.2], mutual | |||
| requires that the client send the Certificate and CertificateVerify | authentication requires the client to send the Certificate and | |||
| messages during the handshake and for the server to verify the | CertificateVerify messages during the handshake and the server to | |||
| CertificateVerify and Finished messages. | verify the CertificateVerify and Finished messages. | |||
| HTTP/2 restricts TLS 1.2 renegotiation (Section 9.2.1 of [RFC9113]) | HTTP/2 restricts TLS 1.2 renegotiation (Section 9.2.1 of [RFC9113]) | |||
| and prohibits TLS 1.3 post-handshake authentication (Section 9.2.3 of | and prohibits TLS 1.3 post-handshake authentication (Section 9.2.3 of | |||
| [RFC9113]). However, they are sometimes used to implement reactive | [RFC9113]). However, they are sometimes used to implement reactive | |||
| client certificate authentication in HTTP/1.1 [RFC9112] where the | client certificate authentication in HTTP/1.1 [RFC9112] where the | |||
| server decides whether to request a client certificate based on the | server decides whether to request a client certificate based on the | |||
| HTTP request. HTTP application data sent on such a connection after | HTTP request. HTTP application data sent on such a connection after | |||
| receipt and verification of the client certificate is also mutually | receipt and verification of the client certificate is also mutually | |||
| authenticated and thus suitable for the mechanisms described in this | authenticated and thus suitable for the mechanisms described in this | |||
| document. With post-handshake authentication there is also the | document. With post-handshake authentication, there is also the | |||
| possibility, though unlikely in practice, of multiple certificates | possibility, though unlikely in practice, of multiple certificates | |||
| and certificate chains from the client on a connection, in which case | and certificate chains from the client on a connection. In this | |||
| only the certificate and chain of the last post-handshake | case, only the certificate and chain of the last post-handshake | |||
| authentication are to be utilized for the header fields described | authentication are to be utilized for the header fields described | |||
| herein. | herein. | |||
| 2. HTTP Header Fields and Processing Rules | 2. HTTP Header Fields and Processing Rules | |||
| This document designates the following headers, defined further in | This document designates the following headers, defined further in | |||
| Section 2.2 and Section 2.3 respectively, to carry the client | Sections 2.2 and 2.3, respectively, to carry the client certificate | |||
| certificate information of a mutually authenticated TLS connection. | information of a mutually authenticated TLS connection. The headers | |||
| The headers convey the information from the reverse proxy to the | convey the information from the reverse proxy to the origin server. | |||
| origin server. | ||||
| Client-Cert: The end-entity certificate used by the client in the | Client-Cert: The end-entity certificate used by the client in the | |||
| TLS handshake with the reverse proxy. | TLS handshake with the reverse proxy. | |||
| Client-Cert-Chain: The certificate chain used for validation of the | Client-Cert-Chain: The certificate chain used for validation of the | |||
| end-entity certificate provided by the client in the TLS handshake | end-entity certificate provided by the client in the TLS handshake | |||
| with the reverse proxy. | with the reverse proxy. | |||
| 2.1. Encoding | 2.1. Encoding | |||
| The headers in this document encode certificates as Byte Sequences | The headers in this document encode certificates as Byte Sequences | |||
| (Section 3.3.5 of [STRUCTURED-FIELDS]) where the value of the binary | (Section 3.3.5 of [STRUCTURED-FIELDS]) where the value of the binary | |||
| data is a DER encoded [ITU.X690.1994] X.509 certificate [RFC5280]. | data is a DER-encoded [ITU.X690.1994] X.509 certificate [RFC5280]. | |||
| In effect, this means that the binary DER certificate is encoded | In effect, this means that the binary DER certificate is encoded | |||
| using base64 (without line breaks, spaces, or other characters | using base64 (without line breaks, spaces, or other characters | |||
| outside the base64 alphabet) and delimited with colons on either | outside the base64 alphabet) and delimited with colons on either | |||
| side. | side. | |||
| Note that certificates are often stored encoded in a textual format, | Note that certificates are often stored in an encoded textual format, | |||
| such as the one described in Section 5.1 of [RFC7468], which is | such as the one described in Section 5.1 of [RFC7468], which is | |||
| already nearly compatible with a Byte Sequence; if so, it will be | already nearly compatible with a Byte Sequence. If certificates are | |||
| sufficient to replace "---(BEGIN|END) CERTIFICATE---" with ":" and | encoded as such, it will be sufficient to replace "---(BEGIN|END) | |||
| remove line breaks in order to generate an appropriate item. | CERTIFICATE---" with ":" and remove line breaks in order to generate | |||
| an appropriate item. | ||||
| 2.2. Client-Cert HTTP Header Field | 2.2. Client-Cert HTTP Header Field | |||
| In the context of a TLS terminating reverse proxy deployment, the | In the context of a TLS terminating reverse proxy deployment, the | |||
| proxy makes the TLS client certificate available to the backend | proxy makes the TLS client certificate available to the backend | |||
| application with the Client-Cert HTTP header field. This field | application with the Client-Cert HTTP header field. This field | |||
| contains the end-entity certificate used by the client in the TLS | contains the end-entity certificate used by the client in the TLS | |||
| handshake. | handshake. | |||
| Client-Cert is a Byte Sequence with the value of the header encoded | Client-Cert is a Byte Sequence with the value of the header encoded | |||
| as described in Section 2.1. | as described in Section 2.1. | |||
| The "Client-Cert" header field is only for use in HTTP requests and | The Client-Cert header field is only for use in HTTP requests and | |||
| MUST NOT be used in HTTP responses. It is a singleton header field | MUST NOT be used in HTTP responses. It is a singleton header field | |||
| value as defined in Section 5.5 of [HTTP], which MUST NOT have a list | value as defined in Section 5.5 of [HTTP], which MUST NOT have a list | |||
| of values or occur multiple times in a request. | of values or occur multiple times in a request. | |||
| Figure 2 in Appendix A has an example of the "Client-Cert" header | Figure 2 in Appendix A has an example of the Client-Cert header | |||
| field. | field. | |||
| 2.3. Client-Cert-Chain HTTP Header Field | 2.3. Client-Cert-Chain HTTP Header Field | |||
| In the context of a TLS terminating reverse proxy deployment, the | In the context of a TLS terminating reverse proxy deployment, the | |||
| proxy MAY make the certificate chain available to the backend | proxy MAY make the certificate chain available to the backend | |||
| application with the Client-Cert-Chain HTTP header field. | application with the Client-Cert-Chain HTTP header field. | |||
| Client-Cert-Chain is a List (Section 3.1 of [STRUCTURED-FIELDS]). | Client-Cert-Chain is a List (Section 3.1 of [STRUCTURED-FIELDS]). | |||
| Each item in the list MUST be a Byte Sequence encoded as described in | Each item in the List MUST be a Byte Sequence encoded as described in | |||
| Section 2.1. The order is the same as the ordering in TLS (such as | Section 2.1. The order is the same as the ordering in TLS (as | |||
| described in Section 4.4.2 of [TLS]). | described in Section 4.4.2 of [TLS]). | |||
| Client-Cert-Chain MUST NOT appear unless Client-Cert is also present, | Client-Cert-Chain MUST NOT appear unless Client-Cert is also present, | |||
| and it does not itself include the end-entity certificate that is | and it does not itself include the end-entity certificate that is | |||
| already present in Client-Cert. The root certificate MAY be omitted | already present in Client-Cert. The root certificate MAY be omitted | |||
| from Client-Cert-Chain, provided that the target origin server is | from Client-Cert-Chain, provided that the target origin server is | |||
| known to possess the omitted trust anchor. | known to possess the omitted trust anchor. | |||
| The "Client-Cert-Chain" header field is only for use in HTTP requests | The Client-Cert-Chain header field is only for use in HTTP requests | |||
| and MUST NOT be used in HTTP responses. It MAY have a list of values | and MUST NOT be used in HTTP responses. It MAY have a list of values | |||
| or occur multiple times in a request. For header compression | or occur multiple times in a request. For header compression | |||
| purposes, it might be advantageous to split lists into multiple | purposes, it might be advantageous to split lists into multiple | |||
| instances. | instances. | |||
| Figure 3 in Appendix A has an example of the "Client-Cert-Chain" | Figure 3 in Appendix A has an example of the Client-Cert-Chain header | |||
| header field. | field. | |||
| 2.4. Processing Rules | 2.4. Processing Rules | |||
| This section outlines the applicable processing rules for a TLS | This section outlines the applicable processing rules for a TTRP that | |||
| terminating reverse proxy (TTRP) that has negotiated a mutually | has negotiated a mutually authenticated TLS connection to convey the | |||
| authenticated TLS connection to convey the client certificate from | client certificate from that connection to the backend origin | |||
| that connection to the backend origin servers. Use of the technique | servers. This technique is to be used as a configuration or | |||
| is to be a configuration or deployment option and the processing | deployment option, and the processing rules described herein are for | |||
| rules described herein are for servers operating with that option | servers operating with that option enabled. | |||
| enabled. | ||||
| A TTRP negotiates the use of a mutually authenticated TLS connection | A TTRP negotiates the use of a mutually authenticated TLS connection | |||
| with the client, such as is described in [TLS] or [TLS1.2], and | with the client, such as is described in [TLS] or [TLS1.2], and | |||
| validates the client certificate per its policy and trusted | validates the client certificate per its policy and trusted | |||
| certificate authorities. Each HTTP request on the underlying TLS | certificate authorities. Each HTTP request on the underlying TLS | |||
| connection is dispatched to the origin server with the following | connection is dispatched to the origin server with the following | |||
| modifications: | modifications: | |||
| 1. The client certificate is placed in the "Client-Cert" header | 1. The client certificate is placed in the Client-Cert header field | |||
| field of the dispatched request, as described in Section 2.2. | of the dispatched request, as described in Section 2.2. | |||
| 2. If so configured, the validation chain of the client certificate | 2. If so configured, the validation chain of the client certificate | |||
| is placed in the "Client-Cert-Chain" header field of the request, | is placed in the Client-Cert-Chain header field of the request, | |||
| as described in Section 2.3. | as described in Section 2.3. | |||
| 3. Any occurrence of the "Client-Cert" or "Client-Cert-Chain" header | 3. Any occurrence of the Client-Cert or Client-Cert-Chain header | |||
| fields in the original incoming request MUST be removed or | fields in the original incoming request MUST be removed or | |||
| overwritten before forwarding the request. An incoming request | overwritten before forwarding the request. An incoming request | |||
| that has a "Client-Cert" or "Client-Cert-Chain" header field MAY | that has a Client-Cert or Client-Cert-Chain header field MAY be | |||
| be rejected with an HTTP 400 response. | rejected with an HTTP 400 response. | |||
| Requests to the TTRP made over a TLS connection where the use of | Requests to the TTRP made over a TLS connection where the use of | |||
| client certificate authentication was not negotiated MUST be | client certificate authentication was not negotiated MUST be | |||
| sanitized by removing any and all occurrences of the "Client-Cert" | sanitized by removing any and all occurrences of the Client-Cert and | |||
| and "Client-Cert-Chain" header fields prior to dispatching the | Client-Cert-Chain header fields prior to dispatching the request to | |||
| request to the backend server. | the backend server. | |||
| Backend origin servers may then use the "Client-Cert" header field of | Backend origin servers may then use the Client-Cert header field of | |||
| the request to determine if the connection from the client to the | the request to determine if the connection from the client to the | |||
| TTRP was mutually authenticated and, if so, the certificate thereby | TTRP was mutually authenticated and, if so, the certificate thereby | |||
| presented by the client. Access control decisions based on the | presented by the client. Access control decisions based on the | |||
| client certificate (or lack thereof) can be conveyed by selecting | client certificate (or lack thereof) can be conveyed by selecting | |||
| response content as appropriate or with an HTTP 403 response, if the | response content as appropriate or with an HTTP 403 response, if the | |||
| certificate is deemed unacceptable for the given context. Note that | certificate is deemed unacceptable for the given context. Note that | |||
| TLS clients that rely on error indications at the TLS layer for an | TLS clients that rely on error indications at the TLS layer for an | |||
| unacceptable certificate will not receive those signals. | unacceptable certificate will not receive those signals. | |||
| When the value of the "Client-Cert" request header field is used to | When the value of the Client-Cert request header field is used to | |||
| select a response (e.g., the response content is access-controlled), | select a response (e.g., the response content is access-controlled), | |||
| the response MUST either be uncacheable (e.g., by sending "Cache- | the response MUST either be uncacheable (e.g., by sending "Cache- | |||
| Control: no-store") or be designated for selective reuse only for | Control: no-store") or be designated for selective reuse only for | |||
| subsequent requests with the same "Client-Cert" header value by | subsequent requests with the same Client-Cert header field value by | |||
| sending a "Vary: Client-Cert" response header. If a TTRP encounters | sending a "Vary: Client-Cert" response header. If a TTRP encounters | |||
| a response with a "client-cert" field name in the "Vary" header | a response with Client-Cert or Client-Cert-Chain in the Vary header | |||
| field, it SHOULD prevent the user agent from caching the response by | field (Section 12.5.5 of [HTTP]), it SHOULD prevent the user agent | |||
| transforming the value of the "Vary" response header field to "*". | from caching the response by transforming the value of the Vary | |||
| response header field to "*". | ||||
| Forward proxies and other intermediaries MUST NOT add the "Client- | Forward proxies and other intermediaries MUST NOT add the Client-Cert | |||
| Cert" or "Client-Cert-Chain" header fields to requests, or modify an | or Client-Cert-Chain header fields to requests or modify an existing | |||
| existing "Client-Cert" or "Client-Cert-Chain" header field. | Client-Cert or Client-Cert-Chain header field. Similarly, clients | |||
| Similarly, clients MUST NOT employ the "Client-Cert" or "Client-Cert- | MUST NOT employ the Client-Cert or Client-Cert-Chain header field in | |||
| Chain" header field in requests. | requests. | |||
| 3. Deployment Considerations | 3. Deployment Considerations | |||
| 3.1. Header Field Compression | 3.1. Header Field Compression | |||
| If the connection between the TTRP and origin is capable of field | If the connection between the TTRP and origin is capable of field | |||
| compression (e.g., HPACK [HPACK] or QPACK [QPACK]), and the TTRP | compression (e.g., HPACK [HPACK] or QPACK [QPACK]), and the TTRP | |||
| multiplexes more than one client's requests into that connection, the | multiplexes more than one client's requests into that connection, the | |||
| size and variation of "Client-Cert" and "Client-Cert-Chain" field | size and variation of Client-Cert and Client-Cert-Chain field values | |||
| values can reduce compression efficiency significantly. An origin | can reduce compression efficiency significantly. An origin could | |||
| could mitigate the efficiency loss by increasing the size of the | mitigate the efficiency loss by increasing the size of the dynamic | |||
| dynamic table. If the TTRP determines that the origin dynamic table | table. If the TTRP determines that the origin dynamic table is not | |||
| is not sufficiently large, it may find it beneficial to always send | sufficiently large, it may find it beneficial to always send the | |||
| the field value as a literal, rather than entering it into the table. | field value as a literal rather than entering it into the table. | |||
| 3.2. Message Header Size | 3.2. Message Header Size | |||
| A server in receipt of a larger message header than it is willing to | A server in receipt of a larger message header than it is willing to | |||
| handle can send an HTTP 431 (Request Header Fields Too Large) status | handle can send an HTTP 431 (Request Header Fields Too Large) status | |||
| code per Section 5 of [RFC6585]. Due to the typical size of the | code per Section 5 of [RFC6585]. Due to the typical size of the | |||
| field values containing certificate data, recipients may need to be | field values containing certificate data, recipients may need to be | |||
| configured to allow for a larger maximum header size. An | configured to allow for a larger maximum header size. An | |||
| intermediary generating client certificate header fields on | intermediary generating client certificate header fields on | |||
| connections that allow for advertising the maximum acceptable header | connections that allow for advertising the maximum acceptable header | |||
| size (e.g., HTTP/2 [RFC9113] or HTTP/3 [RFC9114]) should account for | size (e.g., HTTP/2 [RFC9113] or HTTP/3 [RFC9114]) should account for | |||
| the additional size of the header of the requests it sends vs. | the additional size of the header of the requests it sends, versus | |||
| requests it receives by advertising a value to its clients that is | the requests it receives, by advertising a value to its clients that | |||
| sufficiently smaller so as to allow for the addition of certificate | is sufficiently smaller so as to allow for the addition of | |||
| data. | certificate data. | |||
| 3.3. TLS Session Resumption | 3.3. TLS Session Resumption | |||
| Some TLS implementations do not retain client certificate information | Some TLS implementations do not retain client certificate information | |||
| when resuming. Providing inconsistent values of Client-Cert and | when resuming. Providing inconsistent values of Client-Cert and | |||
| Client-Cert-Chain when resuming might lead to errors, so | Client-Cert-Chain when resuming might lead to errors, so | |||
| implementations that are unable to provide these values SHOULD either | implementations that are unable to provide these values SHOULD either | |||
| disable resumption for connections with client certificates or | disable resumption for connections with client certificates or | |||
| initially omit a "Client-Cert" or "Client-Cert-Chain" field if it | initially omit a Client-Cert or Client-Cert-Chain field if it might | |||
| might not be available after resuming. | not be available after resuming. | |||
| 4. Security Considerations | 4. Security Considerations | |||
| The header fields described herein enable a TTRP and backend or | The header fields described herein enable a TTRP and backend or | |||
| origin server to function together as though, from the client's | origin server to function together as though, from the client's | |||
| perspective, they are a single logical server-side deployment of | perspective, they are a single logical server-side deployment of | |||
| HTTPS over a mutually authenticated TLS connection. Use of the | HTTPS over a mutually authenticated TLS connection. However, use of | |||
| header fields outside that intended use case, however, may undermine | the header fields outside that intended use case may undermine the | |||
| the protections afforded by TLS client certificate authentication. | protections afforded by TLS client certificate authentication. | |||
| Therefore, steps such as those described below need to be taken to | Therefore, steps such as those described below need to be taken to | |||
| prevent unintended use, both in sending the header field and in | prevent unintended use, both in sending the header field and in | |||
| relying on its value. | relying on its value. | |||
| Producing and consuming the "Client-Cert" and "Client-Cert-Chain" | Producing and consuming the Client-Cert and Client-Cert-Chain header | |||
| header fields SHOULD be configurable options, respectively, in a TTRP | fields SHOULD be configurable options, respectively, in a TTRP and | |||
| and backend server (or individual application in that server). The | backend server (or in an individual application in that server). The | |||
| default configuration for both should be to not use the header | default configuration for both should be to not use the header | |||
| fields, thus requiring an "opt-in" to the functionality. | fields, thus requiring an "opt-in" to the functionality. | |||
| In order to prevent field injection, backend servers MUST only accept | In order to prevent field injection, backend servers MUST only accept | |||
| the "Client-Cert" and "Client-Cert-Chain" header fields from a | the Client-Cert and Client-Cert-Chain header fields from a trusted | |||
| trusted TTRP (or other proxy in a trusted path from the TTRP). A | TTRP (or other proxy in a trusted path from the TTRP). A TTRP MUST | |||
| TTRP MUST sanitize the incoming request before forwarding it on by | sanitize the incoming request before forwarding it on by removing or | |||
| removing or overwriting any existing instances of the fields. | overwriting any existing instances of the fields. Otherwise, | |||
| Otherwise, arbitrary clients can control the field values as seen and | arbitrary clients can control the field values as seen and used by | |||
| used by the backend server. It is important to note that neglecting | the backend server. It is important to note that neglecting to | |||
| to prevent field injection does not "fail safe" in that the nominal | prevent field injection does not "fail safe" in that the nominal | |||
| functionality will still work as expected even when malicious actions | functionality will still work as expected even when malicious actions | |||
| are possible. As such, extra care is recommended in ensuring that | are possible. As such, extra care is recommended in ensuring that | |||
| proper field sanitation is in place. | proper field sanitation is in place. | |||
| The communication between a TTRP and backend server needs to be | The communication between a TTRP and backend server needs to be | |||
| secured against eavesdropping and modification by unintended parties. | secured against eavesdropping and modification by unintended parties. | |||
| The configuration options and request sanitization are necessary | The configuration options and request sanitization are necessary | |||
| functionality of the respective servers. The other requirements can | functionalities of the respective servers. The other requirements | |||
| be met in a number of ways, which will vary based on specific | can be met in a number of ways, which will vary based on specific | |||
| deployments. The communication between a TTRP and backend or origin | deployments. The communication between a TTRP and backend or origin | |||
| server, for example, might be authenticated in some way with the | server, for example, might be authenticated in some way with the | |||
| insertion and consumption of the "Client-Cert" and "Client-Cert- | insertion and consumption of the Client-Cert and Client-Cert-Chain | |||
| Chain" header fields occurring only on that connection. Appendix B.3 | header fields occurring only on that connection. Appendix B.3 of | |||
| of [HTTPSIG] gives one example of this with an application of HTTP | [HTTPSIG] gives one example of this with an application of HTTP | |||
| Message Signatures. Alternatively, the network topology might | Message Signatures. Alternatively, the network topology might | |||
| dictate a private network such that the backend application is only | dictate a private network such that the backend application is only | |||
| able to accept requests from the TTRP and the proxy can only make | able to accept requests from the TTRP and the proxy can only make | |||
| requests to that server. Other deployments that meet the | requests to that server. Other deployments that meet the | |||
| requirements set forth herein are also possible. | requirements set forth herein are also possible. | |||
| 5. IANA Considerations | 5. IANA Considerations | |||
| 5.1. HTTP Field Name Registrations | 5.1. HTTP Field Name Registrations | |||
| Please register the following entries in the "Hypertext Transfer | IANA has registered the following entries in the "Hypertext Transfer | |||
| Protocol (HTTP) Field Name Registry" defined by HTTP Semantics | Protocol (HTTP) Field Name Registry" defined by "HTTP Semantics" | |||
| [HTTP]: | [HTTP]: | |||
| o Field name: Client-Cert | +-------------------+-----------+----------------------+ | |||
| | Field Name | Status | Reference | | ||||
| o Status: permanent | +-------------------+-----------+----------------------+ | |||
| | Client-Cert | permanent | RFC 9440, Section 2 | | ||||
| o Specification document: Section 2 of [this document] | | | | | | |||
| | Client-Cert-Chain | permanent | RFC 9440, Section 2 | | ||||
| o Field name: Client-Cert-Chain | +-------------------+-----------+----------------------+ | |||
| o Status: permanent | ||||
| o Specification document: Section 2 of [this document] | Hypertext Transfer Protocol (HTTP) Field Name Registry | |||
| 6. References | 6. References | |||
| 6.1. Normative References | 6.1. Normative References | |||
| [HTTP] Fielding, R., Ed., Nottingham, M., Ed., and J. Reschke, | [HTTP] Fielding, R., Ed., Nottingham, M., Ed., and J. Reschke, | |||
| Ed., "HTTP Semantics", STD 97, RFC 9110, | Ed., "HTTP Semantics", STD 97, RFC 9110, | |||
| DOI 10.17487/RFC9110, June 2022, | DOI 10.17487/RFC9110, June 2022, | |||
| <https://www.rfc-editor.org/info/rfc9110>. | <https://www.rfc-editor.org/info/rfc9110>. | |||
| skipping to change at page 10, line 16 ¶ | skipping to change at page 10, line 10 ¶ | |||
| Housley, R., and W. Polk, "Internet X.509 Public Key | Housley, R., and W. Polk, "Internet X.509 Public Key | |||
| Infrastructure Certificate and Certificate Revocation List | Infrastructure Certificate and Certificate Revocation List | |||
| (CRL) Profile", RFC 5280, DOI 10.17487/RFC5280, May 2008, | (CRL) Profile", RFC 5280, DOI 10.17487/RFC5280, May 2008, | |||
| <https://www.rfc-editor.org/info/rfc5280>. | <https://www.rfc-editor.org/info/rfc5280>. | |||
| [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC | [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC | |||
| 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, | 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, | |||
| May 2017, <https://www.rfc-editor.org/info/rfc8174>. | May 2017, <https://www.rfc-editor.org/info/rfc8174>. | |||
| [STRUCTURED-FIELDS] | [STRUCTURED-FIELDS] | |||
| Nottingham, M. and P-H. Kamp, "Structured Field Values for | Nottingham, M. and P. Kamp, "Structured Field Values for | |||
| HTTP", RFC 8941, DOI 10.17487/RFC8941, February 2021, | HTTP", RFC 8941, DOI 10.17487/RFC8941, February 2021, | |||
| <https://www.rfc-editor.org/info/rfc8941>. | <https://www.rfc-editor.org/info/rfc8941>. | |||
| 6.2. Informative References | 6.2. Informative References | |||
| [HPACK] Peon, R. and H. Ruellan, "HPACK: Header Compression for | [HPACK] Peon, R. and H. Ruellan, "HPACK: Header Compression for | |||
| HTTP/2", RFC 7541, DOI 10.17487/RFC7541, May 2015, | HTTP/2", RFC 7541, DOI 10.17487/RFC7541, May 2015, | |||
| <https://www.rfc-editor.org/info/rfc7541>. | <https://www.rfc-editor.org/info/rfc7541>. | |||
| [HTTPSIG] Backman, A., Richer, J., and M. Sporny, "HTTP Message | [HTTPSIG] Backman, A., Richer, J., and M. Sporny, "HTTP Message | |||
| Signatures", draft-ietf-httpbis-message-signatures-16 | Signatures", draft-ietf-httpbis-message-signatures-19 | |||
| (work in progress), February 2023. | (work in progress), July 2023. | |||
| [QPACK] Krasic, C., Bishop, M., and A. Frindell, Ed., "QPACK: | [QPACK] Krasic, C., Bishop, M., and A. Frindell, Ed., "QPACK: | |||
| Field Compression for HTTP/3", RFC 9204, | Field Compression for HTTP/3", RFC 9204, | |||
| DOI 10.17487/RFC9204, June 2022, | DOI 10.17487/RFC9204, June 2022, | |||
| <https://www.rfc-editor.org/info/rfc9204>. | <https://www.rfc-editor.org/info/rfc9204>. | |||
| [RFC6585] Nottingham, M. and R. Fielding, "Additional HTTP Status | [RFC6585] Nottingham, M. and R. Fielding, "Additional HTTP Status | |||
| Codes", RFC 6585, DOI 10.17487/RFC6585, April 2012, | Codes", RFC 6585, DOI 10.17487/RFC6585, April 2012, | |||
| <https://www.rfc-editor.org/info/rfc6585>. | <https://www.rfc-editor.org/info/rfc6585>. | |||
| skipping to change at page 11, line 25 ¶ | skipping to change at page 11, line 21 ¶ | |||
| [TLS] Rescorla, E., "The Transport Layer Security (TLS) Protocol | [TLS] Rescorla, E., "The Transport Layer Security (TLS) Protocol | |||
| Version 1.3", RFC 8446, DOI 10.17487/RFC8446, August 2018, | Version 1.3", RFC 8446, DOI 10.17487/RFC8446, August 2018, | |||
| <https://www.rfc-editor.org/info/rfc8446>. | <https://www.rfc-editor.org/info/rfc8446>. | |||
| [TLS1.2] Dierks, T. and E. Rescorla, "The Transport Layer Security | [TLS1.2] Dierks, T. and E. Rescorla, "The Transport Layer Security | |||
| (TLS) Protocol Version 1.2", RFC 5246, | (TLS) Protocol Version 1.2", RFC 5246, | |||
| DOI 10.17487/RFC5246, August 2008, | DOI 10.17487/RFC5246, August 2008, | |||
| <https://www.rfc-editor.org/info/rfc5246>. | <https://www.rfc-editor.org/info/rfc5246>. | |||
| 6.3. URIs | ||||
| [1] https://datatracker.ietf.org/meeting/106/materials/slides-106- | ||||
| secdispatch-securing-protocols-between-proxies-and-backend-http- | ||||
| servers-00 | ||||
| [2] https://datatracker.ietf.org/meeting/106/materials/minutes- | ||||
| 106-secdispatch | ||||
| Appendix A. Example | Appendix A. Example | |||
| In a hypothetical example where a TLS client presents the client and | In a hypothetical example where a TLS client would present the client | |||
| intermediate certificate from Figure 1 when establishing a mutually | and intermediate certificate from Figure 1 when establishing a | |||
| authenticated TLS connection with the TTRP, the proxy would send the | mutually authenticated TLS connection with the TTRP, the proxy would | |||
| "Client-Cert" field shown in Figure 2 to the backend. Note that line | send the Client-Cert field shown in Figure 2 to the backend. Note | |||
| breaks and extra spaces have been added to the field value in | that line breaks and extra spaces have been added to the field value | |||
| Figure 2 and Figure 3 for display and formatting purposes only. | in Figures 2 and 3 for display and formatting purposes only. | |||
| -----BEGIN CERTIFICATE----- | -----BEGIN CERTIFICATE----- | |||
| MIIBqDCCAU6gAwIBAgIBBzAKBggqhkjOPQQDAjA6MRswGQYDVQQKDBJMZXQncyBB | MIIBqDCCAU6gAwIBAgIBBzAKBggqhkjOPQQDAjA6MRswGQYDVQQKDBJMZXQncyBB | |||
| dXRoZW50aWNhdGUxGzAZBgNVBAMMEkxBIEludGVybWVkaWF0ZSBDQTAeFw0yMDAx | dXRoZW50aWNhdGUxGzAZBgNVBAMMEkxBIEludGVybWVkaWF0ZSBDQTAeFw0yMDAx | |||
| MTQyMjU1MzNaFw0yMTAxMjMyMjU1MzNaMA0xCzAJBgNVBAMMAkJDMFkwEwYHKoZI | MTQyMjU1MzNaFw0yMTAxMjMyMjU1MzNaMA0xCzAJBgNVBAMMAkJDMFkwEwYHKoZI | |||
| zj0CAQYIKoZIzj0DAQcDQgAE8YnXXfaUgmnMtOXU/IncWalRhebrXmckC8vdgJ1p | zj0CAQYIKoZIzj0DAQcDQgAE8YnXXfaUgmnMtOXU/IncWalRhebrXmckC8vdgJ1p | |||
| 5Be5F/3YC8OthxM4+k1M6aEAEFcGzkJiNy6J84y7uzo9M6NyMHAwCQYDVR0TBAIw | 5Be5F/3YC8OthxM4+k1M6aEAEFcGzkJiNy6J84y7uzo9M6NyMHAwCQYDVR0TBAIw | |||
| ADAfBgNVHSMEGDAWgBRm3WjLa38lbEYCuiCPct0ZaSED2DAOBgNVHQ8BAf8EBAMC | ADAfBgNVHSMEGDAWgBRm3WjLa38lbEYCuiCPct0ZaSED2DAOBgNVHQ8BAf8EBAMC | |||
| BsAwEwYDVR0lBAwwCgYIKwYBBQUHAwIwHQYDVR0RAQH/BBMwEYEPYmRjQGV4YW1w | BsAwEwYDVR0lBAwwCgYIKwYBBQUHAwIwHQYDVR0RAQH/BBMwEYEPYmRjQGV4YW1w | |||
| bGUuY29tMAoGCCqGSM49BAMCA0gAMEUCIBHda/r1vaL6G3VliL4/Di6YK0Q6bMje | bGUuY29tMAoGCCqGSM49BAMCA0gAMEUCIBHda/r1vaL6G3VliL4/Di6YK0Q6bMje | |||
| skipping to change at page 12, line 43 ¶ | skipping to change at page 12, line 43 ¶ | |||
| MDAxMDkyMTI1NDVaMFYxCzAJBgNVBAYTAlVTMRswGQYDVQQKDBJMZXQncyBBdXRo | MDAxMDkyMTI1NDVaMFYxCzAJBgNVBAYTAlVTMRswGQYDVQQKDBJMZXQncyBBdXRo | |||
| ZW50aWNhdGUxKjAoBgNVBAMMIUxldCdzIEF1dGhlbnRpY2F0ZSBSb290IEF1dGhv | ZW50aWNhdGUxKjAoBgNVBAMMIUxldCdzIEF1dGhlbnRpY2F0ZSBSb290IEF1dGhv | |||
| cml0eTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABFoaHU+Z5bPKmGzlYXtCf+E6 | cml0eTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABFoaHU+Z5bPKmGzlYXtCf+E6 | |||
| HYj62fORaHDOrt+yyh3H/rTcs7ynFfGn+gyFsrSP3Ez88rajv+U2NfD0o0uZ4Pmj | HYj62fORaHDOrt+yyh3H/rTcs7ynFfGn+gyFsrSP3Ez88rajv+U2NfD0o0uZ4Pmj | |||
| YzBhMB0GA1UdDgQWBBTEA2Q6eecKu9g9yb5glbkhhVINGDAfBgNVHSMEGDAWgBTE | YzBhMB0GA1UdDgQWBBTEA2Q6eecKu9g9yb5glbkhhVINGDAfBgNVHSMEGDAWgBTE | |||
| A2Q6eecKu9g9yb5glbkhhVINGDAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQE | A2Q6eecKu9g9yb5glbkhhVINGDAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQE | |||
| AwIBhjAKBggqhkjOPQQDAgNIADBFAiEAmAeg1ycKHriqHnaD4M/UDBpQRpkmdcRF | AwIBhjAKBggqhkjOPQQDAgNIADBFAiEAmAeg1ycKHriqHnaD4M/UDBpQRpkmdcRF | |||
| YGMg1Qyrkx4CIB4ivz3wQcQkGhcsUZ1SOImd/lq1Q0FLf09rGfLQPWDc | YGMg1Qyrkx4CIB4ivz3wQcQkGhcsUZ1SOImd/lq1Q0FLf09rGfLQPWDc | |||
| -----END CERTIFICATE----- | -----END CERTIFICATE----- | |||
| Figure 1: Certificate Chain (with client certificate first) | Figure 1: Certificate Chain (with Client Certificate First) | |||
| Client-Cert: :MIIBqDCCAU6gAwIBAgIBBzAKBggqhkjOPQQDAjA6MRswGQYDVQQKDBJ | Client-Cert: :MIIBqDCCAU6gAwIBAgIBBzAKBggqhkjOPQQDAjA6MRswGQYDVQQKDBJ | |||
| MZXQncyBBdXRoZW50aWNhdGUxGzAZBgNVBAMMEkxBIEludGVybWVkaWF0ZSBDQTAeFw0 | MZXQncyBBdXRoZW50aWNhdGUxGzAZBgNVBAMMEkxBIEludGVybWVkaWF0ZSBDQTAeFw0 | |||
| yMDAxMTQyMjU1MzNaFw0yMTAxMjMyMjU1MzNaMA0xCzAJBgNVBAMMAkJDMFkwEwYHKoZ | yMDAxMTQyMjU1MzNaFw0yMTAxMjMyMjU1MzNaMA0xCzAJBgNVBAMMAkJDMFkwEwYHKoZ | |||
| Izj0CAQYIKoZIzj0DAQcDQgAE8YnXXfaUgmnMtOXU/IncWalRhebrXmckC8vdgJ1p5Be | Izj0CAQYIKoZIzj0DAQcDQgAE8YnXXfaUgmnMtOXU/IncWalRhebrXmckC8vdgJ1p5Be | |||
| 5F/3YC8OthxM4+k1M6aEAEFcGzkJiNy6J84y7uzo9M6NyMHAwCQYDVR0TBAIwADAfBgN | 5F/3YC8OthxM4+k1M6aEAEFcGzkJiNy6J84y7uzo9M6NyMHAwCQYDVR0TBAIwADAfBgN | |||
| VHSMEGDAWgBRm3WjLa38lbEYCuiCPct0ZaSED2DAOBgNVHQ8BAf8EBAMCBsAwEwYDVR0 | VHSMEGDAWgBRm3WjLa38lbEYCuiCPct0ZaSED2DAOBgNVHQ8BAf8EBAMCBsAwEwYDVR0 | |||
| lBAwwCgYIKwYBBQUHAwIwHQYDVR0RAQH/BBMwEYEPYmRjQGV4YW1wbGUuY29tMAoGCCq | lBAwwCgYIKwYBBQUHAwIwHQYDVR0RAQH/BBMwEYEPYmRjQGV4YW1wbGUuY29tMAoGCCq | |||
| GSM49BAMCA0gAMEUCIBHda/r1vaL6G3VliL4/Di6YK0Q6bMjeSkC3dFCOOB8TAiEAx/k | GSM49BAMCA0gAMEUCIBHda/r1vaL6G3VliL4/Di6YK0Q6bMjeSkC3dFCOOB8TAiEAx/k | |||
| HSB4urmiZ0NX5r5XarmPk0wmuydBVoU4hBVZ1yhk=: | HSB4urmiZ0NX5r5XarmPk0wmuydBVoU4hBVZ1yhk=: | |||
| Figure 2: Header Field in HTTP Request to Origin Server | Figure 2: Header Field in HTTP Request to Origin Server | |||
| If the proxy were configured to also include the certificate chain, | If the proxy were configured to also include the certificate chain, | |||
| it would also include the "Client-Cert-Chain" header field. Note | it would also include the Client-Cert-Chain header field. Note that | |||
| that while the following example does illustrate the TTRP inserting | while the following example does illustrate the TTRP inserting the | |||
| the root certificate, many deployments will opt to omit the trust | root certificate, many deployments will opt to omit the trust anchor. | |||
| anchor. | ||||
| Client-Cert-Chain: :MIIB5jCCAYugAwIBAgIBFjAKBggqhkjOPQQDAjBWMQsw | Client-Cert-Chain: :MIIB5jCCAYugAwIBAgIBFjAKBggqhkjOPQQDAjBWMQsw | |||
| CQYDVQQGEwJVUzEbMBkGA1UECgwSTGV0J3MgQXV0aGVudGljYXRlMSowKAYDVQQ | CQYDVQQGEwJVUzEbMBkGA1UECgwSTGV0J3MgQXV0aGVudGljYXRlMSowKAYDVQQ | |||
| DDCFMZXQncyBBdXRoZW50aWNhdGUgUm9vdCBBdXRob3JpdHkwHhcNMjAwMTE0Mj | DDCFMZXQncyBBdXRoZW50aWNhdGUgUm9vdCBBdXRob3JpdHkwHhcNMjAwMTE0Mj | |||
| EzMjMwWhcNMzAwMTExMjEzMjMwWjA6MRswGQYDVQQKDBJMZXQncyBBdXRoZW50a | EzMjMwWhcNMzAwMTExMjEzMjMwWjA6MRswGQYDVQQKDBJMZXQncyBBdXRoZW50a | |||
| WNhdGUxGzAZBgNVBAMMEkxBIEludGVybWVkaWF0ZSBDQTBZMBMGByqGSM49AgEG | WNhdGUxGzAZBgNVBAMMEkxBIEludGVybWVkaWF0ZSBDQTBZMBMGByqGSM49AgEG | |||
| CCqGSM49AwEHA0IABJf+aA54RC5pyLAR5yfXVYmNpgd+CGUTDp2KOGhc0gK91zx | CCqGSM49AwEHA0IABJf+aA54RC5pyLAR5yfXVYmNpgd+CGUTDp2KOGhc0gK91zx | |||
| hHesEYkdXkpS2UN8Kati+yHtWCV3kkhCngGyv7RqjZjBkMB0GA1UdDgQWBBRm3W | hHesEYkdXkpS2UN8Kati+yHtWCV3kkhCngGyv7RqjZjBkMB0GA1UdDgQWBBRm3W | |||
| jLa38lbEYCuiCPct0ZaSED2DAfBgNVHSMEGDAWgBTEA2Q6eecKu9g9yb5glbkhh | jLa38lbEYCuiCPct0ZaSED2DAfBgNVHSMEGDAWgBTEA2Q6eecKu9g9yb5glbkhh | |||
| VINGDASBgNVHRMBAf8ECDAGAQH/AgEAMA4GA1UdDwEB/wQEAwIBhjAKBggqhkjO | VINGDASBgNVHRMBAf8ECDAGAQH/AgEAMA4GA1UdDwEB/wQEAwIBhjAKBggqhkjO | |||
| skipping to change at page 14, line 8 ¶ | skipping to change at page 14, line 8 ¶ | |||
| jAKBggqhkjOPQQDAgNIADBFAiEAmAeg1ycKHriqHnaD4M/UDBpQRpkmdcRFYGMg | jAKBggqhkjOPQQDAgNIADBFAiEAmAeg1ycKHriqHnaD4M/UDBpQRpkmdcRFYGMg | |||
| 1Qyrkx4CIB4ivz3wQcQkGhcsUZ1SOImd/lq1Q0FLf09rGfLQPWDc: | 1Qyrkx4CIB4ivz3wQcQkGhcsUZ1SOImd/lq1Q0FLf09rGfLQPWDc: | |||
| Figure 3: Certificate Chain in HTTP Request to Origin Server | Figure 3: Certificate Chain in HTTP Request to Origin Server | |||
| Appendix B. Select Design Considerations | Appendix B. Select Design Considerations | |||
| B.1. Field Injection | B.1. Field Injection | |||
| This document requires that the TTRP sanitize the fields of the | This document requires that the TTRP sanitize the fields of the | |||
| incoming request by removing or overwriting any existing instances of | incoming request by removing or overwriting any existing instances of | |||
| the "Client-Cert" and "Client-Cert-Chain" header fields before | the Client-Cert and Client-Cert-Chain header fields before | |||
| dispatching that request to the backend application. Otherwise, a | dispatching that request to the backend application. Otherwise, a | |||
| client could inject its own values that would appear to the backend | client could inject its own values that would appear to the backend | |||
| to have come from the TTRP. Although numerous other methods of | to have come from the TTRP. Although numerous other methods of | |||
| detecting/preventing field injection are possible, such as the use of | detecting and preventing field injection are possible, such as the | |||
| a unique secret value as part of the field name or value or the | use of a unique secret value as part of the field name or value or | |||
| application of a signature, HMAC, or AEAD, there is no common general | the application of a signature, HMAC, or AEAD, there is no common | |||
| mechanism. The potential problem of client field injection is not at | general mechanism. The potential problem of client field injection | |||
| all unique to the functionality of this document, and it would | is not at all unique to the functionality of this document; | |||
| therefore be inappropriate for this document to define a one-off | therefore, it would be inappropriate for this document to define a | |||
| solution. In the absence of a generic common solution existing | one-off solution. Since a generic common solution does not currently | |||
| currently, stripping/sanitizing the fields is the de facto means of | exist, stripping and sanitizing the fields is the de facto means of | |||
| protecting against field injection in practice. Sanitizing the | protecting against field injection in practice. Sanitizing the | |||
| fields is sufficient when properly implemented and is a normative | fields is sufficient when properly implemented and is a normative | |||
| requirement of Section 4. | requirement of Section 4. | |||
| B.2. The Forwarded HTTP Extension | B.2. The Forwarded HTTP Extension | |||
| The "Forwarded" HTTP header field defined in [RFC7239] allows proxy | The Forwarded HTTP header field defined in [RFC7239] allows proxy | |||
| components to disclose information lost in the proxying process. The | components to disclose information lost in the proxying process. The | |||
| TLS client certificate information of concern to this document could | TLS client certificate information of concern to this document could | |||
| have been communicated with an extension parameter to the "Forwarded" | have been communicated with an extension parameter to the Forwarded | |||
| field; however, doing so would have had some disadvantages that this | field; however, doing so would have had some disadvantages that this | |||
| document endeavored to avoid. The "Forwarded" field syntax allows | document endeavored to avoid. The Forwarded field syntax allows for | |||
| for information about a full chain of proxied HTTP requests, whereas | information about a full chain of proxied HTTP requests, whereas the | |||
| the "Client-Cert" and "Client-Cert-Chain" header fields of this | Client-Cert and Client-Cert-Chain header fields of this document are | |||
| document are concerned only with conveying information about the | concerned only with conveying information about the certificate | |||
| certificate presented by the originating client on the TLS connection | presented by the originating client on the TLS connection to the TTRP | |||
| to the TTRP (which appears as the server from that client's | (which appears as the server from that client's perspective) to | |||
| perspective) to backend applications. The multi-hop syntax of the | backend applications. The multi-hop syntax of the Forwarded field is | |||
| "Forwarded" field is expressive but also more complicated, which | expressive but also more complicated, which would make processing it | |||
| would make processing it more cumbersome, and more importantly, make | more cumbersome and, more importantly, would make properly sanitizing | |||
| properly sanitizing its content as required by Section 4 to prevent | its content, as required by Section 4 to prevent field injection, | |||
| field injection considerably more difficult and error-prone. Thus, | considerably more difficult and error-prone. Thus, this document | |||
| this document opted for a flatter and more straightforward structure. | opted for a flatter and more straightforward structure. | |||
| B.3. The Whole Certificate and Certificate Chain | B.3. The Whole Certificate and Certificate Chain | |||
| Different applications will have varying requirements about what | Different applications will have varying requirements about what | |||
| information from the client certificate is needed, such as the | information from the client certificate is needed, such as the | |||
| subject and/or issuer distinguished name, subject alternative | subject and/or issuer distinguished name, subject alternative | |||
| name(s), serial number, subject public key info, fingerprint, etc. | name(s), serial number, subject public key info, fingerprint, etc. | |||
| Furthermore, some applications, such as [RFC8705], make use of the | Furthermore, some applications, such as that described in [RFC8705], | |||
| entire certificate. In order to accommodate the latter and ensure | make use of the entire certificate. In order to accommodate the | |||
| wide applicability by not trying to cherry-pick particular | latter and ensure wide applicability by not trying to cherry-pick | |||
| certificate information, this document opted to pass the full, | particular certificate information, this document opted to pass the | |||
| encoded certificate as the value of the "Client-Cert" field. | full, encoded certificate as the value of the Client-Cert field. | |||
| The validation of the client certificate and chain of the mutually | The validation of the client certificate and chain of the mutually | |||
| authenticated TLS connection is typically performed by the TTRP | authenticated TLS connection is typically performed by the TTRP | |||
| during the handshake. With the responsibility of certificate | during the handshake. With the responsibility of certificate | |||
| validation falling on the TTRP, the end-entity certificate is | validation falling on the TTRP, the end-entity certificate is | |||
| oftentimes sufficient for the needs of the origin server. The | oftentimes sufficient for the needs of the origin server. The | |||
| separate "Client-Cert-Chain" field can convey the certificate chain | separate Client-Cert-Chain field can convey the certificate chain for | |||
| for origin server deployments that require this additional | origin server deployments that require this additional information. | |||
| information. | ||||
| Appendix C. Acknowledgements | Acknowledgements | |||
| The authors would like to thank the following individuals who've | The authors would like to thank the following individuals who have | |||
| contributed in various ways ranging from just being generally | contributed to this document in various ways, ranging from just being | |||
| supportive of bringing forth the document to providing specific | generally supportive of bringing forth the document to providing | |||
| feedback or content: | specific feedback or content: | |||
| o Evan Anderson | o Evan Anderson | |||
| o Annabelle Backman | o Annabelle Backman | |||
| o Alan Frindell | o Alan Frindell | |||
| o Rory Hewitt | o Rory Hewitt | |||
| o Fredrik Jeansson | o Fredrik Jeansson | |||
| skipping to change at page 16, line 4 ¶ | skipping to change at page 15, line 50 ¶ | |||
| o Erik Nygren | o Erik Nygren | |||
| o Mike Ounsworth | o Mike Ounsworth | |||
| o Lucas Pardue | o Lucas Pardue | |||
| o Matt Peterson | o Matt Peterson | |||
| o Eric Rescorla | o Eric Rescorla | |||
| o Justin Richer | ||||
| o Justin Richer | ||||
| o Michael Richardson | o Michael Richardson | |||
| o Joe Salowey | o Joe Salowey | |||
| o Rich Salz | o Rich Salz | |||
| o Mohit Sethi | o Mohit Sethi | |||
| o Rifaat Shekh-Yusef | o Rifaat Shekh-Yusef | |||
| skipping to change at page 16, line 28 ¶ | skipping to change at page 16, line 26 ¶ | |||
| o Nick Sullivan | o Nick Sullivan | |||
| o Willy Tarreau | o Willy Tarreau | |||
| o Martin Thomson | o Martin Thomson | |||
| o Peter Wu | o Peter Wu | |||
| o Hans Zandbelt | o Hans Zandbelt | |||
| Appendix D. Document History | ||||
| To be removed by the RFC Editor before publication as an RFC | ||||
| draft-ietf-httpbis-client-cert-field-06 | ||||
| o Updates from IESG review | ||||
| draft-ietf-httpbis-client-cert-field-05 | ||||
| o Correct a couple references | ||||
| o Updates from Genart Last Call review | ||||
| o Incorporate AD review feedback | ||||
| o Editorial updates | ||||
| draft-ietf-httpbis-client-cert-field-04 | ||||
| o Updates, fixes, and clarifications from WGLC feedback | ||||
| o State that the certificate chain is in the same order as it | ||||
| appears in TLS rather than copying the language from TLS | ||||
| o Update references for HTTP Semantics, HTTP/3, and QPACK to point | ||||
| to the now RFCs 9110/9114/9204 | ||||
| o HTTP Semantics now a normative ref | ||||
| o Mention that origin server access control decisions can be | ||||
| conveyed by selecting response content or with a 403 | ||||
| draft-ietf-httpbis-client-cert-field-02 | ||||
| o Add a note about cert retention on TLS session resumption | ||||
| o Say to use only the last one in the case of multiple post- | ||||
| handshake client cert authentications | ||||
| draft-ietf-httpbis-client-cert-field-01 | ||||
| o Use RFC 8941 Structured Field Values for HTTP | ||||
| o Introduce a separate header that can convey the certificate chain | ||||
| o Add considerations on header compression and size | ||||
| o Describe interaction with caching | ||||
| o Fill out IANA Considerations with HTTP field name registrations | ||||
| o Discuss renegotiation | ||||
| draft-ietf-httpbis-client-cert-field-00 | ||||
| o Initial WG revision | ||||
| o Mike Bishop added as co-editor | ||||
| draft-bdc-something-something-certificate-05 | ||||
| o Change intended status of the draft to Informational | ||||
| o Editorial updates and (hopefully) clarifications | ||||
| draft-bdc-something-something-certificate-04 | ||||
| o Update reference from draft-ietf-oauth-mtls to RFC8705 | ||||
| draft-bdc-something-something-certificate-03 | ||||
| o Expanded further discussion notes to capture some of the feedback | ||||
| in and around the presentation of the draft in SECDISPATCH at IETF | ||||
| 107 and add those who've provided such feedback to the | ||||
| acknowledgements | ||||
| draft-bdc-something-something-certificate-02 | ||||
| o Editorial tweaks + further discussion notes | ||||
| draft-bdc-something-something-certificate-01 | ||||
| o Use the RFC v3 Format or die trying | ||||
| draft-bdc-something-something-certificate-00 | ||||
| o Initial draft after a time constrained and rushed secdispatch | ||||
| presentation [1] at IETF 106 in Singapore with the recommendation | ||||
| to write up a draft (at the end of the minutes [2]) and some folks | ||||
| expressing interest despite the rather poor presentation | ||||
| Authors' Addresses | Authors' Addresses | |||
| Brian Campbell | Brian Campbell | |||
| Ping Identity | Ping Identity | |||
| Email: bcampbell@pingidentity.com | Email: bcampbell@pingidentity.com | |||
| Mike Bishop (editor) | Mike Bishop (editor) | |||
| Akamai | Akamai | |||
| End of changes. 68 change blocks. | ||||
| 274 lines changed or deleted | 171 lines changed or added | |||
This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/ | ||||