IETF Logo Mail Archive

Re: [Gen-art] draft-baeuerle-netnews-cancel-lock-06 and RFCs 5536 & 5322

Alexey Melnikov <aamelnikov@fastmail.fm> Tue, 19 September 2017 09:06 UTC

Return-Path: <aamelnikov@fastmail.fm>
X-Original-To: gen-art@ietfa.amsl.com
Delivered-To: gen-art@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 08CE0126DFE; Tue, 19 Sep 2017 02:06:23 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.719
X-Spam-Level:
X-Spam-Status: No, score=-2.719 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=fastmail.fm header.b=sm7n5Mol; dkim=pass (2048-bit key) header.d=messagingengine.com header.b=etXlWKFj
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Gj6Le7mZWJHn; Tue, 19 Sep 2017 02:06:16 -0700 (PDT)
Received: from out1-smtp.messagingengine.com (out1-smtp.messagingengine.com [66.111.4.25]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 38774126B7E; Tue, 19 Sep 2017 02:06:16 -0700 (PDT)
Received: from compute7.internal (compute7.nyi.internal [10.202.2.47]) by mailout.nyi.internal (Postfix) with ESMTP id 3655D20A52; Tue, 19 Sep 2017 05:06:15 -0400 (EDT)
Received: from web5 ([10.202.2.215]) by compute7.internal (MEProxy); Tue, 19 Sep 2017 05:06:15 -0400
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=fastmail.fm; h= cc:content-transfer-encoding:content-type:date:from:in-reply-to :message-id:mime-version:references:subject:to:x-me-sender :x-me-sender:x-sasl-enc; s=fm1; bh=fs1c0EjdaXP8R4wrLDv93CHJ86RhG Yi5bgr9D2JODwM=; b=sm7n5MolVVnYTcHN5wW0PX65FVfX/CExUEzWP9+7uUVgC z5rBWvBagr8rWpMDcN6Y5VVvSEaYUbtjbvn+HqsloeZeIf19daz8ozi1l74iatbW 43u1Vp6h7XPI/0bp8h4vNSduINl1kMGwrKlanE2SaKfrqF6wEJs5aVnIRgmEJy9b 0S3ZZQcVK06Glw89i9TmldF9g/tkYcPtSe8rn3PA/vjO0skmAX7I+FWQrRyhfN3W zqZ9b6ylIwhGnMf4mLOKKHd1cyxOoWSxjIyK0g5fOqEH5P0JvbKC/FHlQFgbzDAn J3YPV7X+E6npxzuJH7NdL8ytQHQUhTDBIq7LGBmuA==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= messagingengine.com; h=cc:content-transfer-encoding:content-type :date:from:in-reply-to:message-id:mime-version:references :subject:to:x-me-sender:x-me-sender:x-sasl-enc; s=fm1; bh=fs1c0E jdaXP8R4wrLDv93CHJ86RhGYi5bgr9D2JODwM=; b=etXlWKFj8lTS0+MC+QbAqJ lNbVB978X6+0RMj+Eq2I7XUM/MZ09+T/b5CIto/vrbVF7XeCkY1gVWNitoXkROeR mq2ScXR8CJeyUf/VLji4ncOFqEqJbNTGzxIzdbg2DLAAPRstZqDla2cmHDL7x6/Q fib7JrYSaRx0jSNuca5JGfUfksP5dYDhlwow/4/dQOdKfDa/AMvUGNShLD84nJOD h1/xxsF7ZjsPatN2Gq1STdeThNmZFPS5o+UcVO3ltlQGDxrk6Ks6N4tD1kggc8Fq HvO+fkq+Ae7eKrnRDunqzv0o1k44XOFITSJRo1lYgkybWcLYlgftgbi9tUEee/EQ ==
X-ME-Sender: <xms:B97AWaNNs_s7wwA9Jk9GyVV1jsv-xu_B3OCkVFfYjTr0hisH6MXlDA>
Received: by mailuser.nyi.internal (Postfix, from userid 99) id 028E69E2E0; Tue, 19 Sep 2017 05:06:14 -0400 (EDT)
Message-Id: <1505811974.1510044.1110862800.6711A3E0@webmail.messagingengine.com>
From: Alexey Melnikov <aamelnikov@fastmail.fm>
To: Paul Kyzivat <pkyzivat@alum.mit.edu>, draft-baeuerle-netnews-cancel-lock.all@ietf.org
Cc: General Area Review Team <gen-art@ietf.org>
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset="utf-8"
X-Mailer: MessagingEngine.com Webmail Interface - ajax-64b08692
In-Reply-To: <0147f247-2763-8017-f123-5cdd6ceb06b3@alum.mit.edu>
References: <9be2e7af-b99d-4f86-6552-bfada936600d@alum.mit.edu> <20170707174750.487009ed@WStation4> <7452e826-62e9-0d6e-32b5-dcdefcb4c2ea@alum.mit.edu> <20170711203934.458e3b62@WStation4> <37001dcd-6551-78b4-18e7-75fbebaff761@alum.mit.edu> <0147f247-2763-8017-f123-5cdd6ceb06b3@alum.mit.edu>
Date: Tue, 19 Sep 2017 10:06:14 +0100
Archived-At: <https://mailarchive.ietf.org/arch/msg/gen-art/7nPf6NA-LL7ULDlhu72mKoU_8F8>
Subject: Re: [Gen-art] draft-baeuerle-netnews-cancel-lock-06 and RFCs 5536 & 5322
X-BeenThere: gen-art@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "GEN-ART: General Area Review Team" <gen-art.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/gen-art>, <mailto:gen-art-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/gen-art/>
List-Post: <mailto:gen-art@ietf.org>
List-Help: <mailto:gen-art-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/gen-art>, <mailto:gen-art-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 19 Sep 2017 09:06:23 -0000

Paul,

On Mon, Sep 18, 2017, at 10:14 PM, Paul Kyzivat wrote:
> I'm on tap to do the genart telechat review on 
> draft-baeuerle-netnews-cancel-lock-06. I see that nothing has been done 
> about the ABNF that was my primary concern in my prior wglc review of
> -05:
> 
> https://mailarchive.ietf.org/arch/msg/gen-art/wXKa5tadbo_xQbbUUCk9RZyB0w8
> 
> I'm told by the authors that Alexey asked that it be submitted this way, 
> but the ABNF *is* wrong, and I can't see how a new draft can be allowed 
> to be published with knowingly wrong ABNF. OTOH, the problem didn't 
> originate with this draft. Rather the problem originated with RFC5536, 
> and this draft has simply built on that mistake. Unfortunately the root 
> of the problem is with RFC5322, since its ABNF is structured in a way 
> that makes it really hard to define extensions such as those in RFC5536 
> and this draft. So the cleanest solution I can see is to revise both 
> 5322 and 5536, and then this draft can build on those changes. That is a 
> rather involved fix but I don't see any other reasonable way.
> 
> This prompted me to submit an erratum (#5116) on RFC5536 regarding this 
> issue. But errata aren't often acted on quickly when they require 
> revising RFCs.
> 
> The question is: in the meantime, what to do about this draft? By 
> default I guess I will simply restate the issue in my genart telechat 
> review and leave it for the IESG discuss it.
> 
> Anybody have a better idea?

It is on my to do list *before* the telechat. I contacted Pete Resnick
and he suggested a slightly better fix to your erratum. This is just
taking time on my part.

Best Regards,
Alexey

> 	Thanks,
> 	Paul
> 
> On 7/14/17 12:58 PM, Paul Kyzivat wrote:
> > Michael,
> > 
> > Please see further comments inline.
> > 
> > (Sorry - the indenting is getting deep, but I think we are pretty much 
> > done.)
> > 
> > On 7/11/17 2:39 PM, Michael Bäuerle wrote:
> >> Paul Kyzivat wrote:
> >>> On 7/7/17 11:47 AM, Michael Bäuerle wrote:
> >>>> Paul Kyzivat wrote:
> >>>>>
> >>>>> [...]
> >>>>> General Comments:
> >>>>>
> >>>>> I have not attempted to validate the security properties of this
> >>>>> document - leaving that to a security review.
> >>>>>
> >>>>> I have also not attempted to verify the operational suitability of 
> >>>>> this
> >>>>> mechanism because I don't have the experience needed to do so.
> >>>>>
> >>>>> Issues:
> >>>>>
> >>>>> Major: 1
> >>>>> Minor: 3
> >>>>> Nits:  0
> >>>>>
> >>>>> (1) MAJOR:
> >>>>>
> >>>>> [Problem with ABNF syntax of header fields]
> >>>>
> >>>> Hi Paul,
> >>>>
> >>>> Julien Élie has proposed a new syntax definition.
> >>>
> >>> I was copied on his mail proposing a change to RFC5536, and that is
> >>> tentative. *This* document would of course require a similar change. Or
> >>> else it could extend that change, via something like
> >>>
> >>>     news-fields =/ cancel-lock / cancel-key
> >>>
> >>> But that can only be done if there is actually a draft that revises 5536
> >>> that can then be referenced. Bottom line is that it seems there needs to
> >>> be some coordination of that fix with this draft.
> >>
> >> It's clear that the Cancel-Lock draft needs to be changed. My comment
> >> was about the potential erratum for RFC 5536 and the question:
> >> Is it (in general) possible to reference a modified ABNF definition in
> >> an erratum?
> > 
> > I don't know of any way to do so. Perhaps somebody else can provide a 
> > more definitive answer. You might try asking on rfc-interest.
> > 
> >> If this is possible, then the current:
> >>
> >>     fields =/ *( cancel-lock / cancel-key )
> >>
> >> can be changed to:
> >>
> >>     news-fields =/ cancel-lock / cancel-key
> >>
> >> and should then reference the new ABNF from the erratum.
> >> If not, what about a less formal definition like this:
> >>
> >>     The Cancel-Lock and Cancel-Key header fields MUST be treated as
> >>     though it were news header fields as defined in Section 3 of
> >>     [RFC5536].
> > 
> > I'm not sure about that. It might fly, or not. Again, I think you need 
> > to ask somebody more authoritative.
> > 
> >> Rewriting RFC 5322 and RFC 5536 should be avoided if possible.
> > 
> > I understand why you might not want to take on responsibility for that. 
> > But it is the right thing to do. Question is whether it needs to be done 
> > now.
> > 
> >>>>> (2) Minor:
> >>>>>
> >>>>> In Section 3.5, step 1 says to hash the key using the algorithm 
> >>>>> from its
> >>>>> scheme. But IIUC the scheme describes the algorithm that has already
> >>>>> been used when constructing the Cancel-Key header.
> >>>>
> >>>> No. There are two different operations that use a hash function.
> >>>>
> >>>> The recommended algorithm described in Section 4 calculates:
> >>>> |
> >>>> | K = HMAC(uid+mid, sec)
> >>>>
> >>>> K is then used for <c-key-string> in the Cancel-Key header field only
> >>>> with Base64 as transfer encoding (no further hash operation is used):
> >>>>
> >>>>      c-key-string = Base64(K)
> >>>>
> >>>> HMAC can be based on a different hash function than the one in <scheme>
> >>>> (because a serving agent doesn't need to know how K was calculated for
> >>>> the check algorithm defined in Section 3.5).
> >>>>
> >>>> A value of e.g. "sha256" for <scheme> in a Cancel-Key header field
> >>>> doesn't mean that SHA256 was used to generate this field, but that the
> >>>> corresponding Cancel-Lock header field (in the original article) 
> >>>> contains
> >>>> the value of <c-key-string> hashed with SHA256 (and finally Base64
> >>>> encoded).
> >>>>
> >>>> The hash function defined by <scheme> is used to generate 
> >>>> <c-lock-string>
> >>>> elements for the Cancel-Lock header field:
> >>>>
> >>>>      c-lock-string = Base64(hash(c-key-string))
> >>>>                             ^^^^
> >>>> This hash function is the one specified with <scheme> (in both matching
> >>>> elements <c-lock> and <c-key> in the Cancel-Lock and Cancel-Key header
> >>>> fields of the two articles involved).
> >>>>> IIUC the serving
> >>>>> agent need not hash the provided key. Rather it only uses the 
> >>>>> scheme to
> >>>>> select the locks to compare the hash against.
> >>>>
> >>>> <scheme> is used for both purposes.
> >>>>
> >>>> Step 1 is defined in Section 3.5 as:
> >>>> |
> >>>> | 1. The <c-key-string> part of the <c-key> element is hashed using
> >>>> |    the algorithm defined by its <scheme> part.
> >>>>
> >>>> This is the operation for <c-lock-string> listed above.
> >>>> The hash operation is required here because if the elements from the
> >>>> Cancel-Key header field would be directly comparable, everybody could
> >>>> forge them (copy from the public original article).
> >>>> The hijack/abuse attack against <c-key-string> elements on their way
> >>>> through the network (as discussed for the review from David Mandelberg)
> >>>> is not the same. The relevant difference is who can *create* valid
> >>>> <c-key-string> elements.
> >>>>
> >>>> In Step 2 <scheme> is used again to skip <c-lock-string> elements that
> >>>> were created using different hash functions. The compare operation from
> >>>> Step 2 (with first operand from Step 1) is:
> >>>>
> >>>>      Base64(hash(c-key-string)) == c-lock-string
> >>>>
> >>>> The Base64 encode part is not explicitly noted in Step 1.
> >>>> Base64 decoding the second operand instead would work too:
> >>>>
> >>>>      hash(c-key-string) == Base64_decode(c-lock-string)
> >>>>
> >>>> To be unambiguous and consistent with the definition of <c-lock-string>
> >>>> from Section 2.1, the words for Step 1 in Section 3.5 maybe should
> >>>> explicitly cover the Base64 encode operation. Suggestion:
> >>>>
> >>>>      1. The <c-key-string> part of the <c-key> element is hashed using
> >>>>         the algorithm defined by its <scheme> part and then Base64
> >>>>         encoded.
> >>>
> >>> Hmm. That wasn't so clear to me, though on rereading I can understand it
> >>> that way.
> >>>
> >>> But in that case, what is the point of passing the scheme around at all?
> >>
> >> The <scheme> part of <c-key> elements serve the following purposes:
> >> - Backward compatibility
> >>    Existing implementations use it this way since many years
> >> - Define the hash algorithm to apply on <c-key-string> elements
> >> - Select corresponding <c-lock-string> elements to compare against
> >>
> >>> IIUC doing so doesn't add any additional security or privacy. You could
> >>> simply pass the hashed value in cancel-key. Then the verifying agent
> >>> wouldn't do any hashing.
> >>
> >> In this case the creator of the Cancel-Key header field would not prove
> >> that he really knows K.
> >>
> >>> This would mean that the cancel-key would be
> >>> checked against locks that used a different hash, but that shouldn't
> >>> hurt anything.
> >>
> >> Yes, it is unlikely that comparing against <c-lock-string> elements,
> >> that used a different hash algorithm, will hurt.
> >>
> >> But changing the general syntax of the header fields would break
> >> backward compatibility to existing implementations. This should be
> >> avoided with highest priority.
> > 
> > I studied the draft further. I finally get that it is simpler than I was 
> > expecting it to be. So really it is just that the lock contains 
> > hash(password) while the key contains the password. (The key is just an 
> > algorithmically generated password.) I couldn't believe you would really 
> > be passing the password in the clear, since that would expose it to 
> > on-path attack. But I guess your assumption is that this is really a 
> > one-time password, and that if it is correct then it will immediately be 
> > invalidated, and if it is wrong then it doesn't matter.
> > 
> > So I'll withdraw my concerns on this section, except that maybe it could 
> > be clearer. Specifically, section 3 could be more explicit about what 
> > each distinct actor (poster, posting agent, moderator or injecting 
> > agent) does.
> > 
> >>> [...]
> >>> I didn't see a response from you on (4).
> >>
> >> Sorry for the delay, I was busy.
> >>
> >> | (4) Minor:
> >> |
> >> | In Section 8.1/8.2 the syntax/semantics of the Owner/Change
> >> | controller is unspecified. But IANA is charged with 
> >> allowing/rejecting change
> >> | requests only from the "same" owner. How is IANA expected to verify
> >> | this?
> >>
> >> If it is an experimental algorithm, I see no need for strong 
> >> authentication
> >> of external contributors.
> >>
> >> For the algorithms on the standards track, the IESG is defined as owner
> >> (may authenticate itself to IANA with a signature).
> >>
> >> | What if a change is required but the original owner is no longer
> >> | available?
> >> | E.g., the owner might be specified by email address. Later the mail
> >> | server for that email address may no longer exist.
> >>
> >> In this case the part "[...] where the owner of the registration [...]
> >> has moved out of contact [...]" can be applied.
> > 
> > I won't belabor this point because it will clearly be an infrequent event.
> > 
> >      Thanks,
> >      Paul
> > 
> > _______________________________________________
> > Gen-art mailing list
> > Gen-art@ietf.org
> > https://www.ietf.org/mailman/listinfo/gen-art
> > 
> 
>

v2.23.0 | Report a Bug | By Email