<div dir="ltr"><div class="gmail_extra"><div class="gmail_quote">On Mon, Apr 10, 2017 at 6:30 PM, Christian Huitema <span dir="ltr"><<a href="mailto:huitema@huitema.net" target="_blank">huitema@huitema.net</a>></span> wrote:<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div bgcolor="#FFFFFF"><span class="gmail-">
<div class="gmail-m_6736637589726480830moz-cite-prefix">On 4/10/2017 1:38 PM, Shumon Huque
wrote:<br>
</div>
</span><blockquote type="cite">
<div dir="ltr">
<div class="gmail_extra">
<div class="gmail_quote"><span class="gmail-">On Mon, Apr 10, 2017 at 4:06 PM,
Daniel Kahn Gillmor <span dir="ltr"><<a href="mailto:dkg@fifthhorseman.net" target="_blank">dkg@fifthhorseman.net</a>></span>
wrote:<br>
</span><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><span class="gmail-m_6736637589726480830gmail-">...</span></blockquote><span class="gmail-">
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<br>
For TLS 1.2 and earlier (i.e. all formalized versions of
TLS today) the<br>
client certificate is visible in the clear over the
network during the<br>
handshake. This exposes your client's individual location
information<br>
to any passive network monitor, which is not a good thing
for a protocol<br>
that is intended to enhance user privacy.<br>
</blockquote>
</span></div>
</div>
</div>
</blockquote>
<br>
Yes. That's why TLS client authentication is probably a bad idea.
The identity leak is kinda fixed in TLS 1.3, but only if the client
refuses to negotiate down to 1.2, and that's not practical.<br></div></blockquote><div><br></div><div>Although DNS over TLS might be enough of a green field application that perhaps TLS 1.3 only out of the gate might be plausible if there were new requirements.</div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div bgcolor="#FFFFFF">
<blockquote type="cite">
<div dir="ltr">
<div class="gmail_extra">
<div class="gmail_quote">...
<span class="gmail-"><div>Does TLS 1.3 protect the client certificate? To
Christian's question about </div>
<div>alternatives to per-client certificate authentication
in TLS, there are a few, but </div>
<div>they are unfortunately seldom used today (Pre-shared
key; SRP; Kerberos - </div>
<div>spec deprecated; OpenPGP keys, etc). At the DNS layer,
per-client authentication </div>
<div>is possible with GSS-TSIG, but it's very complex to set
up.<br>
</div>
</span></div>
</div>
</div>
</blockquote>
<br>
Pretty much all the TLS client authentication schemes share the
"identity leak in clear text" issue that DKG is mentioning. If we
really need client auth, we need to look at a DNS level solution, or
maybe DNS over TLS specific solution. If GSS-TSIG works, that may be
it. If it doesn't, maybe use something else, like some TBD EDNS
transaction.</div></blockquote><div><br></div><div>Yeah, it's a bit challenging. One problem with the DNS level solution is that the server is paying the full price of a TLS handshake before deciding whether or not to allow access, which doesn't seem very desirable.</div><div><br></div><div>> <span style="font-size:12.8px">But first, we have to be really convinced that we do need client auth!</span></div><div><span style="font-size:12.8px"><br></span></div><div><span style="font-size:12.8px">Right!</span></div><div><span style="font-size:12.8px"><br></span></div><div><span style="font-size:12.8px">-- </span></div><div><span style="font-size:12.8px">Shumon Huque</span></div></div></div><div class="gmail_extra"><br></div></div>