Re: [Gen-art] Gen-ART Last Call review of draft-baeuerle-netnews-cancel-lock-05
Michael Bäuerle <michael.baeuerle@stz-e.de> Mon, 17 July 2017 18:00 UTC
Return-Path: <michael.baeuerle@stz-e.de>
X-Original-To: gen-art@ietfa.amsl.com
Delivered-To: gen-art@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A1A28131B23; Mon, 17 Jul 2017 11:00:32 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level:
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id wEYmgNr6wgux; Mon, 17 Jul 2017 11:00:30 -0700 (PDT)
Received: from hardbaer.com (mail.hardbaer.com [91.250.101.142]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 14F2812EC1D; Mon, 17 Jul 2017 11:00:29 -0700 (PDT)
X-No-Relay: not in my network
X-No-Relay: not in my network
X-No-Relay: not in my network
Received: from WStation4 (business-092-079-177-146.static.arcor-ip.net [92.79.177.146]) by hardbaer.com (Postfix) with ESMTPSA id 5F593280054; Mon, 17 Jul 2017 20:00:28 +0200 (CEST)
Date: Mon, 17 Jul 2017 20:00:17 +0200
From: Michael Bäuerle <michael.baeuerle@stz-e.de>
To: Paul Kyzivat <pkyzivat@alum.mit.edu>
Cc: draft-baeuerle-netnews-cancel-lock.all@ietf.org, General Area Review Team <gen-art@ietf.org>
Message-ID: <20170717200017.14971fcc@WStation4>
In-Reply-To: <37001dcd-6551-78b4-18e7-75fbebaff761@alum.mit.edu>
References: <9be2e7af-b99d-4f86-6552-bfada936600d@alum.mit.edu> <20170707174750.487009ed@WStation4> <7452e826-62e9-0d6e-32b5-dcdefcb4c2ea@alum.mit.edu> <20170711203934.458e3b62@WStation4> <37001dcd-6551-78b4-18e7-75fbebaff761@alum.mit.edu>
Organization: STZ Elektronik
User-Agent: Claws-Mail/3.13.1
MIME-Version: 1.0
Content-Type: multipart/signed; micalg="pgp-sha512"; boundary="Sig_/O7a1g_352jYrsr1=kfs+T6S"; protocol="application/pgp-signature"
Archived-At: <https://mailarchive.ietf.org/arch/msg/gen-art/mzfj089JkXw4UtNjSrboRGWJvPw>
Subject: Re: [Gen-art] Gen-ART Last Call review of draft-baeuerle-netnews-cancel-lock-05
X-BeenThere: gen-art@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "GEN-ART: General Area Review Team" <gen-art.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/gen-art>, <mailto:gen-art-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/gen-art/>
List-Post: <mailto:gen-art@ietf.org>
List-Help: <mailto:gen-art-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/gen-art>, <mailto:gen-art-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 17 Jul 2017 18:00:33 -0000
Paul Kyzivat wrote: > On 7/11/17 2:39 PM, Michael Bäuerle wrote: > > Paul Kyzivat wrote: > > > > > > [...] > > > But in that case, what is the point of passing the scheme around at all? > > > > The <scheme> part of <c-key> elements serve the following purposes: > > - Backward compatibility > > Existing implementations use it this way since many years > > - Define the hash algorithm to apply on <c-key-string> elements > > - Select corresponding <c-lock-string> elements to compare against > > > > > IIUC doing so doesn't add any additional security or privacy. You could > > > simply pass the hashed value in cancel-key. Then the verifying agent > > > wouldn't do any hashing. > > > > In this case the creator of the Cancel-Key header field would not prove > > that he really knows K. > > > > > This would mean that the cancel-key would be > > > checked against locks that used a different hash, but that shouldn't > > > hurt anything. > > > > Yes, it is unlikely that comparing against <c-lock-string> elements, > > that used a different hash algorithm, will hurt. > > > > But changing the general syntax of the header fields would break > > backward compatibility to existing implementations. This should be > > avoided with highest priority. > > I studied the draft further. I finally get that it is simpler than I was > expecting it to be. So really it is just that the lock contains > hash(password) while the key contains the password. (The key is just an > algorithmically generated password.) I couldn't believe you would really > be passing the password in the clear, since that would expose it to > on-path attack. But I guess your assumption is that this is really a > one-time password, and that if it is correct then it will immediately be > invalidated, and if it is wrong then it doesn't matter. Yes, it is one-time (only matching one target article). This is the reason why the recommended algorithm in Section 4 uses the unique Message-ID as base component to calculate K. Because the Message-ID is public, a second component (local secret) is used to calculate K. The HMAC algorithm must protect this local secret, so that it cannot be calculated from the resulting K (that is intended to be published inside the Cancel-Key header field). Even with on-path attacks the relevant properties should stay intact: 1) An attacker should not be able to generate valid K values for foreign articles himself 2) An attacker should not be able to use hijacked K values to cancel different articles (than intended by the legitimate creators of these K values) As a result, only legitimate persons/agents should be able to approve cancels for existing articles. Integrity protection for new articles is not a provided property. Supersedes are not more than cancels combined with new articles. > So I'll withdraw my concerns on this section, except that maybe it could > be clearer. Specifically, section 3 could be more explicit about what > each distinct actor (poster, posting agent, moderator or injecting > agent) does. The document is labeled to update RFC 5537. The general behaviour of agents is already documented there: <https://tools.ietf.org/html/rfc5537#section-3.4> ff. Specific agent behaviour regarding to this document is, in general, limited to the principle described in Section 3: A moderator or injecting agent that uses Cancel-Locks must be able to authenticate the author and act representitive for the author (if no Cancel-Lock/-Key header field is present). Maybe this is too strict and moderators and injecting agents should be allowed to add the Cancel-Lock header field only for themselves too. -- Michael Bäuerle
- [Gen-art] Gen-ART Last Call review of draft-baeue… Paul Kyzivat
- Re: [Gen-art] Gen-ART Last Call review of draft-b… Michael Bäuerle
- Re: [Gen-art] Gen-ART Last Call review of draft-b… Paul Kyzivat
- Re: [Gen-art] Gen-ART Last Call review of draft-b… Julien ÉLIE
- Re: [Gen-art] Gen-ART Last Call review of draft-b… Paul Kyzivat
- Re: [Gen-art] Gen-ART Last Call review of draft-b… Michael Bäuerle
- Re: [Gen-art] Gen-ART Last Call review of draft-b… Paul Kyzivat
- Re: [Gen-art] Gen-ART Last Call review of draft-b… Michael Bäuerle
- Re: [Gen-art] draft-baeuerle-netnews-cancel-lock-… Paul Kyzivat
- Re: [Gen-art] draft-baeuerle-netnews-cancel-lock-… Brian E Carpenter
- Re: [Gen-art] draft-baeuerle-netnews-cancel-lock-… Alexey Melnikov
- Re: [Gen-art] draft-baeuerle-netnews-cancel-lock-… Alexey Melnikov
- Re: [Gen-art] draft-baeuerle-netnews-cancel-lock-… Alexey Melnikov
- Re: [Gen-art] draft-baeuerle-netnews-cancel-lock-… Paul Kyzivat
- Re: [Gen-art] draft-baeuerle-netnews-cancel-lock-… Paul Kyzivat
- Re: [Gen-art] draft-baeuerle-netnews-cancel-lock-… Alexey Melnikov
- Re: [Gen-art] draft-baeuerle-netnews-cancel-lock-… Pete Resnick
- Re: [Gen-art] draft-baeuerle-netnews-cancel-lock-… Julien ÉLIE
- Re: [Gen-art] draft-baeuerle-netnews-cancel-lock-… Julien ÉLIE
- Re: [Gen-art] draft-baeuerle-netnews-cancel-lock-… Paul Kyzivat
- Re: [Gen-art] draft-baeuerle-netnews-cancel-lock-… Julien ÉLIE
- Re: [Gen-art] draft-baeuerle-netnews-cancel-lock-… Alexey Melnikov
- Re: [Gen-art] draft-baeuerle-netnews-cancel-lock-… Paul Kyzivat