Re: [http-auth] Comment on "Signing HTTP Messages"

Yoav Nir <ynir.ietf@gmail.com> Tue, 30 January 2018 16:54 UTC

From: Yoav Nir <ynir.ietf@gmail.com>
Message-Id: <980968C7-E802-4196-B363-BC288A520DCB@gmail.com>
Date: Tue, 30 Jan 2018 18:54:08 +0200
In-Reply-To: <5d5d23b0-0947-ada6-a25e-5f521e6cace1@oracle.com>
Cc: draft-cavage-http-signatures@ietf.org, http-auth@ietf.org
To: Richard Gibson <richard.j.gibson@oracle.com>
References: <5d5d23b0-0947-ada6-a25e-5f521e6cace1@oracle.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/http-auth/8KTMCD57YCn8C5E7pgi5k8n8WMg>

Hi, Richard

The http-auth mailing list is for the now-defunct working group HTTP-Auth.

The proper list for draft-cavage is the HTTP-bis WG mailing list: ietf-http-wg@w3.org

Yoav

> On 30 Jan 2018, at 4:55, Richard Gibson <richard.j.gibson@oracle.com> wrote:
> 
> https://tools.ietf.org/html/draft-cavage-http-signatures-09#section-2.2 specifies the following:
> 
> > If any of the parameters listed above are erroneously duplicated in the associated header field, then the last parameter defined MUST be used.
> 
> This may expose a client security vulnerability for attacks analogous to HTTP header injection. Is there a compelling reason not to reject requests that specify the same parameter more than once?
> 
> > Any parameter that is not recognized as a parameter, or is not well-formed, MUST be ignored.
> 
> This will almost certainly limit future changes, since legacy clients won't implement desired behavior changes from new parameters _and_ will fail to signal that inability. Is there a compelling reason not to reject requests that specify unknown parameters?
> 
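
The two parameter-handling rules quoted in the message above, contrasted with the rejecting behaviour it asks about, as an added example that is not part of the thread or the draft. The parameter names come from the draft's Signature header; the function names and the sample values are constructed for illustration, and both parsers reject malformed syntax, which is stricter than the draft's "ignore" rule.

```python
import re

# Parameter names from the draft's Signature header (not listed in this thread).
KNOWN = {"keyId", "algorithm", "headers", "signature"}
# name="value" pairs; quoted values may contain backslash-escaped characters.
PARAM = re.compile(r'\s*([A-Za-z][A-Za-z0-9_-]*)="((?:[^"\\]|\\.)*)"\s*(?:,|$)')


class SignatureParamError(ValueError):
    """Raised for input the parser refuses to interpret."""


def _pairs(value):
    """Yield (name, value) in order; raise on anything that is not name="value"."""
    pos = 0
    while pos < len(value):
        m = PARAM.match(value, pos)
        if not m:
            raise SignatureParamError(f"malformed parameter at offset {pos}")
        yield m.group(1), m.group(2)
        pos = m.end()


def parse_lenient(value):
    """Rules quoted from section 2.2: last duplicate wins, unknown names ignored."""
    out = {}
    for name, val in _pairs(value):
        if name in KNOWN:
            out[name] = val  # a later duplicate silently overwrites the earlier one
    return out


def parse_strict(value):
    """Behaviour asked about in the thread: reject duplicates and unknown names."""
    out = {}
    for name, val in _pairs(value):
        if name not in KNOWN:
            raise SignatureParamError(f"unknown parameter: {name}")
        if name in out:
            raise SignatureParamError(f"duplicate parameter: {name}")
        out[name] = val
    return out


# Constructed samples: a repeated keyId, and a parameter name this parser does not know.
DUPLICATE = 'keyId="svc-a",algorithm="rsa-sha256",signature="AAAA",keyId="svc-b"'
UNKNOWN = 'keyId="svc-a",signature="AAAA",futureParam="1"'
```

With the lenient rules, any component that reads the first keyId and any component that reads the last one will disagree about who signed DUPLICATE, and UNKNOWN is accepted with futureParam dropped without any signal to the sender.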