From bff9efd674968a0ebf5815e0f0291e875147827e Mon Sep 17 00:00:00 2001 From: Mike Bishop Date: Fri, 13 Apr 2018 10:59:53 -0700 Subject: [PATCH 1/5] Reference stream 0 --- draft-ietf-httpbis-http2-secondary-certs.md | 27 +++++++++++++-------- 1 file changed, 17 insertions(+), 10 deletions(-) diff --git a/draft-ietf-httpbis-http2-secondary-certs.md b/draft-ietf-httpbis-http2-secondary-certs.md index 56234b682..27081a70a 100644 --- a/draft-ietf-httpbis-http2-secondary-certs.md +++ b/draft-ietf-httpbis-http2-secondary-certs.md @@ -350,9 +350,10 @@ Client Server Likewise, either party can supply a `CERTIFICATE_REQUEST` that outlines parameters of a certificate they might request in the future. Upon receipt of a -`CERTIFICATE_REQUEST`, servers SHOULD provide a corresponding certificate. -Clients MAY wait for a `CERTIFICATE_NEEDED` frame to assist in associating the -certificate request with a particular HTTP transition. +`CERTIFICATE_REQUEST`, endpoints SHOULD provide a corresponding certificate in +anticipation of a request shortly being blocked. Clients MAY wait for a +`CERTIFICATE_NEEDED` frame to assist in associating the certificate request with +a particular HTTP transition. ## Requiring certificate authentication {#cert-challenge} 
@@ -367,19 +368,23 @@ the connection. If the TLS certificate does not contain the new origin, but the server has claimed support for that origin (with an ORIGIN frame, see {{?RFC8336}}) and advertised support for HTTP-layer certificates (see {{setting}}), the client MAY -send a `CERTIFICATE_REQUEST` frame describing the desired origin. Servers -SHOULD provide a corresponding certificate if one is available. +send a `CERTIFICATE_REQUEST` frame describing the desired origin. The client +then sends a `CERTIFICATE_NEEDED` frame for stream zero referencing the request, +indicating that the connection cannot be used for that origin until the +certificate is provided. -If the server does not have the desired certificate, it MUST \[see issue #564]. -In this case, or if the server has not advertised support for HTTP-layer -certificates, the client MUST NOT send any requests for resources in that origin -on the current connection. +If the server does not have the desired certificate, it MUST send an empty +`USE_CERTIFICATE` frame for stream zero. In this case, or if the server has not +advertised support for HTTP-layer certificates, the client MUST NOT send any +requests for resources in that origin on the current connection. ~~~ Client Server <----------------------- (stream 0) ORIGIN -- -- (stream 0) CERTIFICATE_REQUEST ----------> + -- (stream 0) CERTIFICATE_NEEDED (S=0) -----> <------------------ (stream 0) CERTIFICATE -- + <-------- (stream 0) USE_CERTIFICATE (S=0) -- -- (stream N) GET /from-new-origin ---------> <----------------------- (stream N) 200 OK -- ~~~ 
@@ -482,7 +487,9 @@ required certificate). To reduce the risk of client confusion, servers SHOULD NOT have multiple outstanding `CERTIFICATE_NEEDED` frames for the same stream at any given time. -Clients MUST NOT send multiple `CERTIFICATE_NEEDED` frames for the same stream. +Clients MUST only send multiple `CERTIFICATE_NEEDED` frames for stream zero. +Multiple `CERTIFICATE_NEEDED` frames on any other stream MUST be considered +a stream error of type `PROTOCOL_ERROR`. The `CERTIFICATE_NEEDED` frame MUST NOT be sent to a peer which has not advertised support for HTTP-layer certificate authentication. From 3067409864dcd5c719b99393c70c1d4e1cdf56ed Mon Sep 17 00:00:00 2001 From: Mike Bishop Date: Fri, 13 Apr 2018 11:05:02 -0700 Subject: [PATCH 2/5] Changelog --- draft-ietf-httpbis-http2-secondary-certs.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/draft-ietf-httpbis-http2-secondary-certs.md b/draft-ietf-httpbis-http2-secondary-certs.md index 27081a70a..dcc57f476 100644 --- a/draft-ietf-httpbis-http2-secondary-certs.md +++ b/draft-ietf-httpbis-http2-secondary-certs.md @@ -854,6 +854,8 @@ this document. - All frames sent on stream zero; replaced `AUTOMATIC_USE` on `CERTIFICATE` with `UNSOLICITED` on `USE_CERTIFICATE`. (#482,#566) +- `CERTIFICATE_NEEDED` and `USE_CERTIFICATE` can reference stream zero. + (#564,#586) ## Since draft-bishop-httpbis-http2-additional-certs-05: From 07cf01b8cb9146447805f6e5d36d7d1415783585 Mon Sep 17 00:00:00 2001 From: Mike Bishop Date: Thu, 24 May 2018 11:44:26 -0700 Subject: [PATCH 3/5] transaction, not transition --- draft-ietf-httpbis-http2-secondary-certs.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/draft-ietf-httpbis-http2-secondary-certs.md b/draft-ietf-httpbis-http2-secondary-certs.md index dcc57f476..4211a2bdb 100644 --- a/draft-ietf-httpbis-http2-secondary-certs.md +++ b/draft-ietf-httpbis-http2-secondary-certs.md 
@@ -353,7 +353,7 @@ parameters of a certificate they might request in the future. Upon receipt of a `CERTIFICATE_REQUEST`, endpoints SHOULD provide a corresponding certificate in anticipation of a request shortly being blocked. Clients MAY wait for a `CERTIFICATE_NEEDED` frame to assist in associating the certificate request with -a particular HTTP transition. +a particular HTTP transaction. ## Requiring certificate authentication {#cert-challenge} From 104de94385fe2e9d1cff43ef87f242467e1cdfe3 Mon Sep 17 00:00:00 2001 From: Mike Bishop Date: Tue, 12 Jun 2018 11:51:15 -0700 Subject: [PATCH 4/5] Change log --- draft-ietf-httpbis-http2-secondary-certs.md | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/draft-ietf-httpbis-http2-secondary-certs.md b/draft-ietf-httpbis-http2-secondary-certs.md index 4211a2bdb..ce3afe819 100644 --- a/draft-ietf-httpbis-http2-secondary-certs.md +++ b/draft-ietf-httpbis-http2-secondary-certs.md @@ -850,6 +850,11 @@ this document. > **RFC Editor's Note:** Please remove this section prior to publication of a > final version of this document. +## Since draft-ietf-httpbis-http2-secondary-certs-01: + +- Clients can send `CERTIFICATE_NEEDED` for stream 0 rather than speculatively + reserving a stream for an origin. + ## Since draft-ietf-httpbis-http2-secondary-certs-00: - All frames sent on stream zero; replaced `AUTOMATIC_USE` on `CERTIFICATE` with From 4d8a71bff0410bf9145fdafd5b0e0ea8e96fc345 Mon Sep 17 00:00:00 2001 From: Mike Bishop Date: Tue, 12 Jun 2018 12:00:50 -0700 Subject: [PATCH 5/5] Reference Empty Authenticator --- draft-ietf-httpbis-http2-secondary-certs.md | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/draft-ietf-httpbis-http2-secondary-certs.md b/draft-ietf-httpbis-http2-secondary-certs.md index ce3afe819..0fe4dd71d 100644 --- a/draft-ietf-httpbis-http2-secondary-certs.md +++ b/draft-ietf-httpbis-http2-secondary-certs.md 
@@ -373,8 +373,11 @@ then sends a `CERTIFICATE_NEEDED` frame for stream zero referencing the request, indicating that the connection cannot be used for that origin until the certificate is provided. -If the server does not have the desired certificate, it MUST send an empty -`USE_CERTIFICATE` frame for stream zero. In this case, or if the server has not +If the server does not have the desired certificate, it MUST send an Empty +Authenticator, as described in Section 5 of +[I-D.ietf-tls-exported-authenticator], in a `CERTIFICATE` frame in response to +the request, followed by a `USE_CERTIFICATE` frame for stream zero which +references the Empty Authenticator. In this case, or if the server has not advertised support for HTTP-layer certificates, the client MUST NOT send any requests for resources in that origin on the current connection.
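Review bot: in the first hunk of PATCH 1/5 (the paragraph at line 350), widening `servers SHOULD provide a corresponding certificate` to `endpoints SHOULD provide` conflicts with the sentence that immediately follows it, `Clients MAY wait for a CERTIFICATE_NEEDED frame`; a client that waits is, by definition, not providing the certificate on receipt of the `CERTIFICATE_REQUEST`. Either keep the SHOULD scoped to servers, or make the client case an explicit exception, e.g. `Servers SHOULD provide a corresponding certificate ...; clients MAY instead wait for a CERTIFICATE_NEEDED frame ...`. The added phrase `in anticipation of a request shortly being blocked` also reads awkwardly; `so that a subsequent request is not blocked` states the intent more plainly.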
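Review bot: in the second hunk of PATCH 1/5 (the `Requiring certificate authentication` section), the prose describes only the failure case of the new stream-zero exchange, while the updated diagram shows `USE_CERTIFICATE (S=0)` on the success path too (`CERTIFICATE` followed by `USE_CERTIFICATE (S=0)` before `GET /from-new-origin`). Add a sentence saying that when the server does have the certificate it answers the stream-zero `CERTIFICATE_NEEDED` with a `USE_CERTIFICATE` frame referencing the `CERTIFICATE` it supplied, after which the client may send requests for that origin; otherwise the normative text and the figure disagree. As written in this patch, `an empty USE_CERTIFICATE frame for stream zero` is also not defined anywhere, so the MUST is not testable (PATCH 5/5 in this series replaces that wording).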
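Review bot: in the third hunk of PATCH 1/5 (line 482), `Clients MUST only send multiple CERTIFICATE_NEEDED frames for stream zero.` is ambiguous: it can be read as restricting all client `CERTIFICATE_NEEDED` frames to stream zero rather than only permitting repeats there. Since the next sentence already makes repeats on any other stream a `PROTOCOL_ERROR`, state the rule directly, e.g. `Clients MUST NOT send multiple CERTIFICATE_NEEDED frames for the same stream, except for stream zero.` It would also help to say which endpoint detects and raises the stream error, given that the preceding server-side rule is only a SHOULD NOT with no error handling attached.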
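Review bot: in PATCH 4/5, the new `Since draft-ietf-httpbis-http2-secondary-certs-01` entry (`Clients can send CERTIFICATE_NEEDED for stream 0 ...`) records the same change that PATCH 2/5 logged under `Since draft-ietf-httpbis-http2-secondary-certs-00` (`CERTIFICATE_NEEDED and USE_CERTIFICATE can reference stream zero. (#564,#586)`), so the change log now lists one change in two sections. Move the `-00` entry under the new `-01` heading, or drop one of the two, and keep the `(#564,#586)` issue references on whichever survives.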
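Review bot: in PATCH 5/5, `[I-D.ietf-tls-exported-authenticator]` is written as a literal bracketed string, whereas the rest of the draft uses kramdown-rfc citation syntax (`{{?RFC8336}}` and `{{setting}}` appear in the hunk at line 367); as written it will neither resolve to a references entry nor render as a link. Use the document's citation form for the Exported Authenticator draft and confirm that `Section 5` is the correct section in the cited draft version. The text also says the Empty Authenticator is sent `in a CERTIFICATE frame in response to the request` but never says how the client ties that `CERTIFICATE` frame back to its outstanding `CERTIFICATE_REQUEST`; stating the linkage explicitly would avoid an implementation guessing.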