Authentication concerns for the client authentication requests #16

Open
thomwiggers opened this issue Jul 28, 2021 · 2 comments
Comments

@thomwiggers
Member

Came up during the IETF meeting:

David Benjamin:

I'm concerned about authenticating the server's request to the client. Client certificate decisions can result in interesting side effects, like unlocking smartcards or prompting the user. Having something so visible not be authenticated is pretty scary.

@thomwiggers
Member Author

I don't think there's any way to solve this problem due to the nature of implicit authentication. As a consequence, we might need to allow clients to drop such a request and then have servers try again using post-handshake authentication.

We might use e.g. the TLS flags extension to allow the client to indicate to the server that it won't accept certificate requests during the handshake. This flag could then be set by default in e.g. browsers, where the interactive pop-up is especially problematic.

@thomwiggers
Member Author

thomwiggers commented Jan 12, 2022

Another problem with client authentication requests: an attacker that impersonates a server to a client might submit the request, and learn if the client owns a certificate through the number of messages sent (it can't read it). Should clients be allowed/required to send dummy messages if they don't have a cert to hide this?
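The probe described in the comment above, modelled as an added example (not code from this issue or from the draft it discusses): an impersonating server that cannot decrypt the client's records can still count them and measure them, and a "dummy message" mitigation only works if every client is shaped to the same record count and sizes. Flight contents, message names, the template sizes and the record-layer overheads below are all assumptions made for illustration.

```python
from typing import List, Tuple

# Assumed record-layer overheads: a 16-byte AEAD tag and the TLS 1.3 inner
# content-type byte. Exact values do not matter for the argument.
AEAD_TAG_LEN = 16
INNER_TYPE_LEN = 1

Message = Tuple[str, int]  # (handshake message name, plaintext length in bytes)

# Constructed client flights sent in reply to a CertificateRequest. The shapes
# are illustrative, not taken from any spec: the point holds as long as owning
# a certificate changes how many records the client sends or how large they are.
WITH_CERT: List[Message] = [("Certificate", 1213), ("auth_dependent", 70), ("Finished", 36)]
NO_CERT: List[Message] = [("Certificate", 8), ("Finished", 36)]  # empty Certificate


def wire_view(flight: List[Message]) -> List[int]:
    """What an impersonating server observes: one ciphertext length per record.
    It holds no key for these records, so names and contents stay hidden, but
    the number of records and each record's length do not."""
    return [plain_len + INNER_TYPE_LEN + AEAD_TAG_LEN for _, plain_len in flight]


def attacker_distinguishes(observed: List[int], baseline: List[int]) -> bool:
    """The probe: compare the observed flight against the flight a cert-less
    client would send, which the attacker can derive from the protocol itself."""
    return observed != baseline


def shaped_wire_view(flight: List[Message], template: List[int]) -> List[int]:
    """Mitigation under discussion: every client emits the same number of
    records at the same sizes. Real messages are padded up to their slot
    (TLS 1.3 record padding); slots with no real message carry a dummy record.
    A message larger than its slot cannot be hidden, so that is an error."""
    if len(flight) > len(template):
        raise ValueError("flight has more messages than the template has slots")
    view = []
    for i, slot_len in enumerate(template):
        if i < len(flight):
            name, plain_len = flight[i]
            if plain_len > slot_len:
                raise ValueError(f"{name} ({plain_len} B) exceeds its slot ({slot_len} B)")
        view.append(slot_len + INNER_TYPE_LEN + AEAD_TAG_LEN)
    return view


# Assumed fixed template: one slot per message position, sized to cover the
# largest certificate the client is willing to present.
TEMPLATE = [1600, 128, 64]


if __name__ == "__main__":
    print("unshaped:", wire_view(WITH_CERT), wire_view(NO_CERT))
    print("distinguishable:", attacker_distinguishes(wire_view(WITH_CERT), wire_view(NO_CERT)))
    print("shaped:  ", shaped_wire_view(WITH_CERT, TEMPLATE), shaped_wire_view(NO_CERT, TEMPLATE))
```

The shaping only closes the count-and-length channel; a certificate larger than the template still stands out, and the side effects mentioned earlier in the thread (a smartcard unlock or a user prompt before the client can answer) are a timing channel that no amount of padding hides.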
