Re: Alt-Svc WGLC
Erik Nygren <erik@nygren.org> Wed, 13 January 2016 22:46 UTC
Return-Path: <ietf-http-wg-request+bounce-httpbisa-archive-bis2juki=lists.ie@listhub.w3.org>
X-Original-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Delivered-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 76F4C1A87D9 for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Wed, 13 Jan 2016 14:46:51 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.28
X-Spam-Level:
X-Spam-Status: No, score=-6.28 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, RP_MATCHES_RCVD=-0.001, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id C1moCx3OoNqv for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Wed, 13 Jan 2016 14:46:48 -0800 (PST)
Received: from frink.w3.org (frink.w3.org [128.30.52.56]) (using TLSv1.2 with cipher DHE-RSA-AES128-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C4D941A87A8 for <httpbisa-archive-bis2Juki@lists.ietf.org>; Wed, 13 Jan 2016 14:46:48 -0800 (PST)
Received: from lists by frink.w3.org with local (Exim 4.80) (envelope-from <ietf-http-wg-request@listhub.w3.org>) id 1aJU7v-0006xt-In for ietf-http-wg-dist@listhub.w3.org; Wed, 13 Jan 2016 22:42:51 +0000
Resent-Date: Wed, 13 Jan 2016 22:42:51 +0000
Resent-Message-Id: <E1aJU7v-0006xt-In@frink.w3.org>
Received: from lisa.w3.org ([128.30.52.41]) by frink.w3.org with esmtps (TLS1.2:DHE_RSA_AES_128_CBC_SHA1:128) (Exim 4.80) (envelope-from <nygren@gmail.com>) id 1aJU7q-0006xC-HY for ietf-http-wg@listhub.w3.org; Wed, 13 Jan 2016 22:42:46 +0000
Received: from mail-oi0-f42.google.com ([209.85.218.42]) by lisa.w3.org with esmtps (TLS1.2:RSA_ARCFOUR_SHA1:128) (Exim 4.80) (envelope-from <nygren@gmail.com>) id 1aJU7m-0005eE-Hq for ietf-http-wg@w3.org; Wed, 13 Jan 2016 22:42:45 +0000
Received: by mail-oi0-f42.google.com with SMTP id o124so94790333oia.3 for <ietf-http-wg@w3.org>; Wed, 13 Jan 2016 14:42:22 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:sender:in-reply-to:references:date:message-id:subject :from:to:cc:content-type; bh=3vdCvJ3CzUHt1VahUhAg6ZvuwaO4Eryr4fnlMmKr6aQ=; b=qoP/H++oWC+yiRa/7VxVYcvAnaFMBFKEE/9Vfqkalf8JA8SZOhfUl7k0coiSGjuwzl bSU+aDH2KBDyT0H/oMu6I7sle4jCs9ZFi61ak/XKPhVpvYNrfwrT2f20WCk2f5eoq+XD SEazV1TDggPdGvL+etVt//rvW2m+P4ETTZvc+P8bM6DqidT1tlhq0oLd+neZqyb5v9sg uFV9rGSYDjPi11EIMpDnTLITmbBKQbCcIKOuCGX2OqZmX6rPdEld4Gi6LBcTKN4dJiq4 IQpWTB2v0ftJg4xQ8Za84DALYpioctJuto2tHAgyRLLlH7Xc5Ld8oz+RNO5h7L7OY75x KlRA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:sender:in-reply-to:references:date :message-id:subject:from:to:cc:content-type; bh=3vdCvJ3CzUHt1VahUhAg6ZvuwaO4Eryr4fnlMmKr6aQ=; b=IhWxwSSm5Smz5k2Siu4UNKBe160XSQEkp9s9QjgZcf70QUDBdc3GX+yJfdzZsBxgI5 ToJ1frwxgHhEUupfTpU/fLT6TIyEC1riUFrzROXNxuILHQnQkbP02VUXLx/gQAaub393 j7NQwhcrfs77xNuM7JtgV0Z0Ih0CzWQiNO9uOPwpP0hPlf7vh0V6j0U/zThycD5Kf0Gr WJpuOwo36gvY2J2rIo829bndewWWNzN4bnUqdjeB91zcAxKhGVT0N3O2TzxRsO3RPj0W xn7Dh9NZqP9GyPrpLdmZ9iErR63HP3z1zPt8acDo/hEX6VS5ucVrDiLV0NPHLI1CPoMV WqMQ==
X-Gm-Message-State: ALoCoQkjnZIWSr5lwaY4f4HgpLX3HhNPoQ+KOX22d6d7gCLnjgpt/nzn3KrJf84Q7g9z8dn7it6495A6lX775pR/ySViIvxfTg==
MIME-Version: 1.0
X-Received: by 10.202.221.65 with SMTP id u62mr610410oig.30.1452724936540; Wed, 13 Jan 2016 14:42:16 -0800 (PST)
Sender: nygren@gmail.com
Received: by 10.76.74.100 with HTTP; Wed, 13 Jan 2016 14:42:16 -0800 (PST)
In-Reply-To: <CABkgnnXDi2TyvX+7XkvxJprxck7nku_XaoSOS2KpeQEBzwnweQ@mail.gmail.com>
References: <566EA6AF.60100@gmx.de> <56703332.1000006@crf.canon.fr> <56928545.7010804@gmx.de> <CAJU8_nVkibr4DsUOWjpEYOVTPbTdoWyBsgSFiRr7Rp4=qFKjPA@mail.gmail.com> <CABkgnnWu-oy9Ax1A=E+4GJ47YGKZa3SLHi0a5kendxNX=q5zaQ@mail.gmail.com> <CAJU8_nVyfxjiM1Q-W_CSv=B1auPXbKsDdPNibOR-GHTRjor1GA@mail.gmail.com> <CABkgnnXXGFurjCEb00KAyhyih6F=nww42MKBmYCcz4dS06r38w@mail.gmail.com> <CAJU8_nVQiaGEBtxXtHapOu0eigv=ovQSpT0DuEpkfo6tLQEEkw@mail.gmail.com> <CABkgnnWj=Xqte-XT1yVUAvLfdKT6HojMDr0SHBe9h_XbA6UAMg@mail.gmail.com> <CAJU8_nXUoOEoXjrCcXYr65XoysYOfp3T2J7N2zoyBSMdAf9dnQ@mail.gmail.com> <CABkgnnXDi2TyvX+7XkvxJprxck7nku_XaoSOS2KpeQEBzwnweQ@mail.gmail.com>
Date: Wed, 13 Jan 2016 17:42:16 -0500
X-Google-Sender-Auth: lxOM7m2o9SyD701-jHOnLFs1MBo
Message-ID: <CAKC-DJjRv6oFoLZzT264WFc1+3xOVr_oU-w2PbaCo+8tsask3Q@mail.gmail.com>
From: Erik Nygren <erik@nygren.org>
To: Martin Thomson <martin.thomson@gmail.com>
Cc: Kyle Rose <krose@krose.org>, Julian Reschke <julian.reschke@gmx.de>, Hervé Ruellan <herve.ruellan@crf.canon.fr>, HTTP Working Group <ietf-http-wg@w3.org>
Content-Type: multipart/alternative; boundary="001a113cf2f8ccab9705293ee12e"
Received-SPF: pass client-ip=209.85.218.42; envelope-from=nygren@gmail.com; helo=mail-oi0-f42.google.com
X-W3C-Hub-Spam-Status: No, score=-5.3
X-W3C-Hub-Spam-Report: AWL=-0.676, BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001, W3C_AA=-1, W3C_WL=-1
X-W3C-Scan-Sig: lisa.w3.org 1aJU7m-0005eE-Hq b9088efaa9a253cd625ea578815a4414
X-Original-To: ietf-http-wg@w3.org
Subject: Re: Alt-Svc WGLC
Archived-At: <http://www.w3.org/mid/CAKC-DJjRv6oFoLZzT264WFc1+3xOVr_oU-w2PbaCo+8tsask3Q@mail.gmail.com>
Resent-From: ietf-http-wg@w3.org
X-Mailing-List: <ietf-http-wg@w3.org> archive/latest/30923
X-Loop: ietf-http-wg@w3.org
Resent-Sender: ietf-http-wg-request@w3.org
Precedence: list
List-Id: <ietf-http-wg.w3.org>
List-Help: <http://www.w3.org/Mail/>
List-Post: <mailto:ietf-http-wg@w3.org>
List-Unsubscribe: <mailto:ietf-http-wg-request@w3.org?subject=unsubscribe>
On Tue, Jan 12, 2016 at 10:22 PM, Martin Thomson <martin.thomson@gmail.com> wrote: > On 13 January 2016 at 14:03, Kyle Rose <krose@krose.org> wrote: > >> 1. the alternative service must be authenticated as the origin host > > > > If this is the case, then we should simply state that "Clients MUST > > NOT use an alternative service that does not strongly authenticate > > with the origin's identity." > The draft does state that in Section 2.1 but with a caveat: "2.1. Host Authentication Clients MUST NOT use alternative services with a host that is different than the origin's without strong server authentication; this mitigates the attack described in Section 9.2. One way to achieve this is for the alternative to use TLS with a certificate that is valid for that origin." That caveat ("host that is different than the origin's") is also the root of the "AD review" thread. If we were to give up on supporting Alt-Svc for unauthenticated use-cases (ie, if the OppSec draft then required strong server authentication for the "HTTP scheme over TLS" use-case) then a number of these concerns go away and we end up with less ambiguity both here and in the OppSec draft. That would also mostly address Mike Bishop's concerns around port switching since the destination port would need to authenticate as the host. For example, if 2.1 switched its first sentence to: Clients MUST NOT use alternative services without strong server authentication; this mitigates the attack described in Section 9.2 <https://tools.ietf.org/html/draft-ietf-httpbis-alt-svc-10#section-9.2>. which might also allow various things to be cleaned out of Security Considerations. What are the unauthenticated same-host use-cases of Alt-Svc that we both really want to preserve and which are reasonably safe? Erik
- Alt-Svc WGLC Julian Reschke
- Re: Alt-Svc WGLC Mark Nottingham
- Re: Alt-Svc WGLC Julian Reschke
- Re: Alt-Svc WGLC Hervé Ruellan
- Re: Alt-Svc WGLC Julian Reschke
- Re: Alt-Svc WGLC Julian Reschke
- Re: Alt-Svc WGLC Kyle Rose
- Re: Alt-Svc WGLC Martin Thomson
- Re: Alt-Svc WGLC Kyle Rose
- Re: Alt-Svc WGLC Martin Thomson
- Re: Alt-Svc WGLC Kyle Rose
- Re: Alt-Svc WGLC Martin Thomson
- Re: Alt-Svc WGLC Kyle Rose
- Re: Alt-Svc WGLC Martin Thomson
- Re: Alt-Svc WGLC Julian Reschke
- Re: Alt-Svc WGLC Erik Nygren
- Re: Alt-Svc WGLC Martin Thomson
- Re: Alt-Svc WGLC Erik Nygren
- Re: Alt-Svc WGLC Kyle Rose