Re: [core] Trusting links in .well-known/core
Carsten Bormann <cabo@tzi.org> Tue, 05 March 2019 15:09 UTC
Return-Path: <cabo@tzi.org>
X-Original-To: core@ietfa.amsl.com
Delivered-To: core@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C83621311B9 for <core@ietfa.amsl.com>; Tue, 5 Mar 2019 07:09:28 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.199
X-Spam-Level:
X-Spam-Status: No, score=-4.199 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id kkjjPU2Shv8Q for <core@ietfa.amsl.com>; Tue, 5 Mar 2019 07:09:24 -0800 (PST)
Received: from mailhost.informatik.uni-bremen.de (mailhost.informatik.uni-bremen.de [IPv6:2001:638:708:30c9::12]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 353751295D8 for <core@ietf.org>; Tue, 5 Mar 2019 07:09:23 -0800 (PST)
X-Virus-Scanned: amavisd-new at informatik.uni-bremen.de
Received: from submithost.informatik.uni-bremen.de (submithost2.informatik.uni-bremen.de [134.102.200.7]) by mailhost.informatik.uni-bremen.de (8.14.5/8.14.5) with ESMTP id x25F9EVA008818; Tue, 5 Mar 2019 16:09:19 +0100 (CET)
Received: from [192.168.217.106] (p54A6C2FE.dip0.t-ipconnect.de [84.166.194.254]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by submithost.informatik.uni-bremen.de (Postfix) with ESMTPSA id 44DKzt3Bspz1Bp8; Tue, 5 Mar 2019 16:09:14 +0100 (CET)
Content-Type: text/plain; charset="utf-8"
Mime-Version: 1.0 (Mac OS X Mail 11.5 \(3445.9.1\))
From: Carsten Bormann <cabo@tzi.org>
In-Reply-To: <CAAzbHvZ+6mj6GwywyAxzUf05B9+ArRSDn4XDumR+AF66ATGWzg@mail.gmail.com>
Date: Tue, 05 Mar 2019 16:09:13 +0100
Cc: "core@ietf.org WG" <core@ietf.org>
X-Mao-Original-Outgoing-Id: 573491352.048673-3d2a9ad7c6ad00fbf3e8b3a0321f8bf6
Content-Transfer-Encoding: quoted-printable
Message-Id: <76EA5546-A02C-41B6-81D9-A31B4EE1F630@tzi.org>
References: <CAAzbHvZ+6mj6GwywyAxzUf05B9+ArRSDn4XDumR+AF66ATGWzg@mail.gmail.com>
To: Klaus Hartke <hartke@projectcool.de>
X-Mailer: Apple Mail (2.3445.9.1)
Archived-At: <https://mailarchive.ietf.org/arch/msg/core/g4XIXSNL1Rkb3PZP729ZurPlI9E>
Subject: Re: [core] Trusting links in .well-known/core
X-BeenThere: core@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Constrained RESTful Environments \(CoRE\) Working Group list" <core.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/core>, <mailto:core-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/core/>
List-Post: <mailto:core@ietf.org>
List-Help: <mailto:core-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/core>, <mailto:core-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 05 Mar 2019 15:09:33 -0000
On Mar 5, 2019, at 13:47, Klaus Hartke <hartke@projectcool.de> wrote: > > RFC 6690 defines "CoRE Resource Discovery" as "discovery of resources > hosted by a constrained web server" [1]. The RFC then proceeds to > specify that "resource discovery in CoRE is accomplished through the > use of a well-known resource URI that returns a list of links about > resources hosted by that server" [2]. > > Let's say a client requests a representation of .well-known/core from > server 'kadse.example' and gets a link to a resource on > 'kefer.example': > > => > GET coap://kadse.example/.well-known/core > > <= > 2.05 Content > Content-Format: application/link-format > > <coap://kefer.example/42/> > > Because of Section 2.1 of RFC 6690 [3], the context of this link is > <coap://kefer.example/>. So it's a link from <coap://kefer.example/> > to <coap://kefer.example/42/> with link relation type “hosts". Right. > In other words, the client says it wants to discover the resources > hosted by (coap, kadse.example, 5683) and (coap, kadse.example, 5683) > says that there is a resource hosted by (coap, kefer.example, 5683) > named <coap://kefer.example/42/>. That doesn't seen to make a lot of > sense. Sense-making is a complex function. In most environment, we can’t forbid everything that doesn’t make sense. > Are such links currently allowed? If yes, should they be forbidden? Well, there is a statement in there: “If you want to discover information about kadse, it may be of interest that kefer hosts that resource over there.” Without additional context, that may be nonsensical, but with an RT, it might point to any kind of resource that is of interest in conjunction with knowing about the current server. E.g., a CoAP server could point to a data backup server (and, probably, hope that that one over there indeed backs up this server, but it doesn’t know!). > Furthermore: RFC 8288, on which RFC 6690 is based, notes that there > are "attack vectors opened by automatically following, trusting, or > otherwise using links” [4] Then don’t do that. > that need to be mitigated. In particular, > links that “associate a link’s context with another resource cannot be > trusted This is a nice example of a misuse of the word “trust”. How do you “trust a link”? It is obvious that the device exhibiting this link wants you to know it, and (assuming some form of integrity, which is missing in the example), you can “trust that”, but that’s all you can trust. Whether that has influence on what you do next depends on your authorization policies. > since they are effectively assertions by a third party that > could be incorrect or malicious.” Right. In CoAP we have much less of “automatically following” (we don’t even have redirects!). > Because of Section 2.1 of RFC 6690 [3], essentially *every* link in a > Link Format representation associates the link's context with another > resource. I can’t parse this sentence. Links associate “contexts” (bad name for the source of a link) to target resources. Section 2.1 only helps you find out what the “context” is (and I agree, it exhibits some weirdness). > What’s the security model of Link Format? 6690 pretty much punts to 5988 here. And that already has above’s “then don’t do it”. (And reminds people that you need integrity protection/authentication if you want to do something grave based on the information.) > That is, what are the rules > that client should follow for trusting links Don’t “trust”, except in the sense of “this device wanted to give you that information”. We don’t treat discovery information as signed claims, right? But claims they are. > in .well-known/core > representations in Link Format? > > Klaus > > [1] https://tools.ietf.org/html/rfc6690#section-1 > [2] https://tools.ietf.org/html/rfc6690#section-4 > [3] https://tools.ietf.org/html/rfc6690#section-2.1 > [4] https://tools.ietf.org/html/rfc8288#section-5 I think an even more interesting problem is that a link-format can contain coaps:// links without any indication on the kind of security that goes with that. That is a discovery problem we haven’t solved very well yet. Grüße, Carsten
- [core] Trusting links in .well-known/core Klaus Hartke
- Re: [core] Trusting links in .well-known/core Carsten Bormann
- Re: [core] Trusting links in .well-known/core Klaus Hartke