Re: [apps-discuss] draft-farrell-decade-ni-02 - we think this is done...

Stephen Farrell <stephen.farrell@cs.tcd.ie> Fri, 06 April 2012 15:45 UTC

Hiya,

On 04/06/2012 01:08 PM, Carsten Bormann wrote:
> On Apr 6, 2012, at 12:28, Stephen Farrell wrote:
>
>>> I believe for this to be the replacement of "unsecure links out of HTTPS", the secure media type issue must be solved in the base spec.
>>> (Oh, and is there ever a need to discuss content-coding in this context???)
>>
>> Not sure what you mean by "solved" can you elaborate?
>
> The problem is that the ni: hash only secures the bytes of the payload.
> (At least that's my assumption -- it might be worth saying explicitly what is hashed here, BTW.)
>
> The entity I would have been retrieving over a secure HTTPS channel also has metadata.
> Many of these are not critical, as they only pertain to the retrieval process (say, the Etag).
> However, the media type is critical for correctly interpreting the returned result.
> While I'm not aware of the proverbial contract text that means something different when interpreted as SJIS instead of UTF-8, attacks on the basis of swapping the media type are conceivable.  (Also, there is lots of potential for misconfiguration, damaging the reliability.)
>
> I'm naming content-coding as another example that it is not quite clear what is the input to the hash function.
> So maybe it is worth having another (normative) document that spells out how exactly ni:// is used in the Browser Web (among others, to solve the "unsecure links" problem)?

Ah now I see. Yes, I think other documents should define the
hash input bytes, each in their own contexts.

I'd be happy to help out with making a start on the web/ajax
thing, but would need help from someone who knows more about
the input bytes.

Cheers,
S.

> Grüße, Carsten
>
>
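
The two hash-input questions raised in this exchange (a swapped media type, and content-coding), shown as an added example that is not part of the original message or of the draft. It assumes names of the form ni:///sha-256;<base64url digest without padding>; the payload, the function names and the choice of gzip as the content-coding are constructed for illustration.

```python
import base64
import gzip
import hashlib
import hmac


def ni_name(data: bytes) -> str:
    """Name the given bytes; assumed form ni:///sha-256;<base64url digest, no padding>."""
    digest = hashlib.sha256(data).digest()
    b64 = base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")
    return "ni:///sha-256;" + b64


def verify(name: str, received: bytes) -> bool:
    """True when the received bytes hash to the value carried in the name."""
    return hmac.compare_digest(name, ni_name(received))


# Constructed sample payload: UTF-8 text whose bytes also decode under Shift_JIS.
PAYLOAD = "Café terms: pay on delivery".encode("utf-8")
NAME = ni_name(PAYLOAD)


def media_type_swap() -> dict:
    """Same bytes, two declared charsets: the hash check cannot tell them apart."""
    results = {}
    for charset in ("utf-8", "shift_jis"):
        results[charset] = (verify(NAME, PAYLOAD), PAYLOAD.decode(charset))
    return results


def content_coding() -> dict:
    """The wire bytes under a gzip content-coding differ from the identity bytes."""
    wire = gzip.compress(PAYLOAD, mtime=0)
    return {
        "hash_of_wire_bytes": verify(NAME, wire),
        "hash_after_decoding": verify(NAME, gzip.decompress(wire)),
    }


if __name__ == "__main__":
    print(NAME)
    for charset, (ok, text) in media_type_swap().items():
        print(f"{charset:10} verified={ok} text={text!r}")
    print(content_coding())
```

The name verifies under both declared charsets while the decoded text differs, and it verifies only against the bytes before the content-coding was applied, so a verifier has to be told which bytes are the hash input.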