Authentication in Alternative Services (draft-ietf-httpbis-alt-svc-06)
John Mattsson <john.mattsson@ericsson.com> Fri, 06 February 2015 19:00 UTC
Return-Path: <ietf-http-wg-request+bounce-httpbisa-archive-bis2juki=lists.ietf.org@listhub.w3.org>
X-Original-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Delivered-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id EDEBD1A19F2 for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Fri, 6 Feb 2015 11:00:55 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.911
X-Spam-Level:
X-Spam-Status: No, score=-6.911 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 5gzA0GxBdoWN for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Fri, 6 Feb 2015 11:00:54 -0800 (PST)
Received: from frink.w3.org (frink.w3.org [128.30.52.56]) (using TLSv1.2 with cipher DHE-RSA-AES128-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id EB9CB1A876E for <httpbisa-archive-bis2Juki@lists.ietf.org>; Fri, 6 Feb 2015 11:00:33 -0800 (PST)
Received: from lists by frink.w3.org with local (Exim 4.80) (envelope-from <ietf-http-wg-request@listhub.w3.org>) id 1YJo58-0006JJ-D7 for ietf-http-wg-dist@listhub.w3.org; Fri, 06 Feb 2015 18:56:46 +0000
Resent-Date: Fri, 06 Feb 2015 18:56:46 +0000
Resent-Message-Id: <E1YJo58-0006JJ-D7@frink.w3.org>
Received: from lisa.w3.org ([128.30.52.41]) by frink.w3.org with esmtp (Exim 4.80) (envelope-from <john.mattsson@ericsson.com>) id 1YJo4x-0006I4-RB for ietf-http-wg@listhub.w3.org; Fri, 06 Feb 2015 18:56:35 +0000
Received: from sesbmg22.ericsson.net ([193.180.251.48]) by lisa.w3.org with esmtps (TLS1.0:DHE_RSA_AES_256_CBC_SHA1:32) (Exim 4.72) (envelope-from <john.mattsson@ericsson.com>) id 1YJo4v-000768-Ms for ietf-http-wg@w3.org; Fri, 06 Feb 2015 18:56:35 +0000
X-AuditID: c1b4fb30-f79106d000001184-32-54d50e48c47d
Received: from ESESSHC009.ericsson.se (Unknown_Domain [153.88.253.124]) by sesbmg22.ericsson.net (Symantec Mail Security) with SMTP id 2A.5D.04484.84E05D45; Fri, 6 Feb 2015 19:56:09 +0100 (CET)
Received: from ESESSMB307.ericsson.se ([169.254.7.199]) by ESESSHC009.ericsson.se ([153.88.183.45]) with mapi id 14.03.0210.002; Fri, 6 Feb 2015 19:56:08 +0100
From: John Mattsson <john.mattsson@ericsson.com>
To: "ietf-http-wg@w3.org" <ietf-http-wg@w3.org>
Thread-Topic: Authentication in Alternative Services (draft-ietf-httpbis-alt-svc-06)
Thread-Index: AQHQQj6Qt91gA9qqhEyCwjMkc7yC6Q==
Date: Fri, 06 Feb 2015 18:56:07 +0000
Message-ID: <41002472-19A9-4A50-9885-08842303D4D6@ericsson.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
x-originating-ip: [153.88.183.20]
Content-Type: multipart/related; boundary="_004_4100247219A94A50988508842303D4D6ericssoncom_"; type="multipart/alternative"
MIME-Version: 1.0
X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFlrNIsWRmVeSWpSXmKPExsUyM+Jvja4n39UQg/3neSwOt8xicmD0ODpv P2sAYxSXTUpqTmZZapG+XQJXxt19C5gLXh5mqvi+dCJLA2PLbqYuRk4OCQETicl7/7FB2GIS F+6tB7OFBI4wSvy969rFyAVkL2aUWDxxIjtIgk3AQGLungawIhEBfYlHZ46ydjFycAgLBErs +GQLEQ6TWLilgQnC1pPY2t3ICGKzCKhI7D+8EyzOK2AvsW7dOhYQmxFo7/dTa8DizALiEree zIe6TUTi4cXTULeJSrx8/I8VwlaUuDp9OVR9vcSB99dZIWYKSpyc+YRlAqPQLCSjZiEpm4Wk DCKeLLHj2HYgmwPI1pRYv0sfIqwoMaX7ITuErSHROmculG0tce7zUVZMNdoSJzZOgYorSLxa f49tFjDkmAWWMEpcmLCMHWK+i8T8J2HIehcw8q1iFC1OLU7KTTcy0kstykwuLs7P08tLLdnE CIzdg1t+G+xgfPnc8RCjAAejEg+vgd6VECHWxLLiytxDjNIcLErivHbGh0KEBNITS1KzU1ML Uovii0pzUosPMTJxcEo1MObq9d65btosHSv6fHtx9MZZi548XbJgT+mXzabmN0/Peld9vjw8 KSfuu8p0TztP0cPWQdd5RPhYItTTv01PFmix+vmvl3lrSHVBj3pY1Yn/ol9c5BmuCutZSr69 nTJzLc8EzzyGutz4anVGpciryWc3Mvq6rem5K7GtdNMJJc4pFsmKr1MilFiKMxINtZiLihMB qC2h9r4CAAA=
Received-SPF: pass client-ip=193.180.251.48; envelope-from=john.mattsson@ericsson.com; helo=sesbmg22.ericsson.net
X-W3C-Hub-Spam-Status: No, score=-4.1
X-W3C-Hub-Spam-Report: AWL=-1.769, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, URIBL_BLOCKED=0.001
X-W3C-Scan-Sig: lisa.w3.org 1YJo4v-000768-Ms bacad50194e017063918a1643f75e3ac
X-Original-To: ietf-http-wg@w3.org
Subject: Authentication in Alternative Services (draft-ietf-httpbis-alt-svc-06)
Archived-At: <http://www.w3.org/mid/41002472-19A9-4A50-9885-08842303D4D6@ericsson.com>
Resent-From: ietf-http-wg@w3.org
X-Mailing-List: <ietf-http-wg@w3.org> archive/latest/28771
X-Loop: ietf-http-wg@w3.org
Resent-Sender: ietf-http-wg-request@w3.org
Precedence: list
List-Id: <ietf-http-wg.w3.org>
List-Help: <http://www.w3.org/Mail/>
List-Post: <mailto:ietf-http-wg@w3.org>
List-Unsubscribe: <mailto:ietf-http-wg-request@w3.org?subject=unsubscribe>
Hi, Hi, - It feels like the normative text about authentication is in the wrong place. I think the authentication text in the beginning of Section 2 “Importantly, … being used)” belongs in Section 2.1. (Section 9.2 even states that this requirement is in Section 2.1, which it currently isn’t). - As the draft forces alternative services to be strongly authenticated with the origin’s identity, the draft should also discuss the security issues of having private keys for the origin spread out in several different locations. - Can an “alternative service” advertise alternative services (using Alt-Svc or ALTSVC)? There is no discussion in the draft. An alternative service is clearly authoritative for an origin (sometime more than the origin server), but allowing an alternative service to send Alt-Svc or ALTSVC means that an alternative service can keep a client away from the origin server forever. - There is a short mention on using DoS as a downgrade attack but there is no discussion on a man-in-the-middle simply removing an Alt-Svc header with higher security. Maybe a security consideration section on downgrade attacks makes sense. Cheers, John JOHN MATTSSON MSc Engineering Physics, MSc Business Administration and Economics Ericsson IETF Security Coordinator Senior Researcher, Security Ericsson AB Ericsson Research Färögatan 6 SE-164 80 Stockholm, Sweden Phone +46 10 71 43 501 SMS/MMS +46 76 11 53 501 john.mattsson@ericsson.com<mailto:john.mattsson@ericsson.com> www.ericsson.com<http://www.ericsson.com/>
- Authentication in Alternative Services (draft-iet… John Mattsson