[http-auth] Comment on "Signing HTTP Messages"

Richard Gibson <richard.j.gibson@oracle.com> Tue, 30 January 2018 02:55 UTC

To: draft-cavage-http-signatures@ietf.org, http-auth@ietf.org
From: Richard Gibson <richard.j.gibson@oracle.com>
Message-ID: <5d5d23b0-0947-ada6-a25e-5f521e6cace1@oracle.com>
Date: Mon, 29 Jan 2018 21:55:23 -0500
Archived-At: <https://mailarchive.ietf.org/arch/msg/http-auth/8YpaKPI6lCp-tkCmKWXSzr_oWzs>
Subject: [http-auth] Comment on "Signing HTTP Messages"

https://tools.ietf.org/html/draft-cavage-http-signatures-09#section-2.2 
specifies the following:

> If any of the parameters listed above are erroneously duplicated in the associated header field, then the last parameter defined MUST be used.

This may expose a client security vulnerability for attacks analogous to 
HTTP header injection. Is there a compelling reason not to reject 
requests that specify the same parameter more than once?

> Any parameter that is not recognized as a parameter, or is not well-formed, MUST be ignored.

This will almost certainly limit future changes, since legacy clients 
won't implement desired behavior changes from new parameters _and_ will 
fail to signal that inability. Is there a compelling reason not to 
reject requests that specify unknown parameters?
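The two behaviours the mail contrasts, as an added example that is not part of the original message or of the draft: a minimal parser for the Signature parameter list that implements the draft's last-wins / ignore-unknown rule beside a strict variant that rejects duplicated, unknown and malformed parameters. The parameter set (keyId, signature, algorithm, headers), the simplified quoted-string grammar (no escaped quotes inside values) and the sample headers are assumptions constructed for this example.

```python
import re
# Parameter names the draft defines (assumption: the draft-09 set).
KNOWN_PARAMS = {"keyId", "signature", "algorithm", "headers"}
# One parameter: name="value". Simplified grammar: no escaped quotes inside values.
_PARAM_RE = re.compile(r'\s*([A-Za-z][A-Za-z0-9_-]*)="([^"]*)"\s*')

class SignatureParseError(ValueError):
    pass

def parse_lenient(header):
    """What the draft mandates: last duplicate wins, unknown/malformed ignored."""
    params = {}
    for part in header.split(","):
        m = _PARAM_RE.fullmatch(part)
        if not m:
            continue  # "not well-formed, MUST be ignored"
        name, value = m.groups()
        if name in KNOWN_PARAMS:
            params[name] = value  # a later occurrence silently overwrites the earlier one
    return params

def parse_strict(header):
    """What the mail proposes: reject duplicate, unknown and malformed parameters."""
    params = {}
    for part in header.split(","):
        m = _PARAM_RE.fullmatch(part)
        if not m:
            raise SignatureParseError(f"malformed parameter: {part.strip()!r}")
        name, value = m.groups()
        if name not in KNOWN_PARAMS:
            raise SignatureParseError(f"unknown parameter: {name}")
        if name in params:
            raise SignatureParseError(f"duplicate parameter: {name}")
        params[name] = value
    return params

def strict_rejects(header):
    """Rejection reason from parse_strict, or None when the header is accepted."""
    try:
        parse_strict(header)
    except SignatureParseError as exc:
        return str(exc)
    return None

# Constructed sample headers (not taken from the draft or the mail).
VALID = 'keyId="rsa-key-1",algorithm="rsa-sha256",headers="(request-target) date digest",signature="c2lnbmF0dXJl"'
# A second "headers" appended after the signature: under last-wins the signed set shrinks
# to "date", so a verifier no longer requires the Digest header to be covered.
DUPLICATED = VALID + ',headers="date"'
# A hypothetical future parameter that a legacy verifier would drop without signalling it.
UNKNOWN = VALID + ',expires="1517280000"'
```

Running parse_lenient over DUPLICATED shows the coverage shrink the mail warns about; parse_strict refuses the same header with a named reason.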