Re: Eric Rescorla's Discuss on draft-ietf-httpbis-encryption-encoding-08: (with DISCUSS and COMMENT)
Martin Thomson <martin.thomson@gmail.com> Tue, 18 April 2017 07:20 UTC
Return-Path: <ietf-http-wg-request+bounce-httpbisa-archive-bis2juki=lists.ie@listhub.w3.org>
X-Original-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Delivered-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 292A61315F5 for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Tue, 18 Apr 2017 00:20:48 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.502
X-Spam-Level:
X-Spam-Status: No, score=-6.502 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HEADER_FROM_DIFFERENT_DOMAINS=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_SORBS_SPAM=0.5, RP_MATCHES_RCVD=-0.001, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 1aDCpoBuO5OW for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Tue, 18 Apr 2017 00:20:46 -0700 (PDT)
Received: from frink.w3.org (frink.w3.org [128.30.52.56]) (using TLSv1.2 with cipher DHE-RSA-AES128-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5952A1315F4 for <httpbisa-archive-bis2Juki@lists.ietf.org>; Tue, 18 Apr 2017 00:20:45 -0700 (PDT)
Received: from lists by frink.w3.org with local (Exim 4.80) (envelope-from <ietf-http-wg-request@listhub.w3.org>) id 1d0NOB-0007wV-KB for ietf-http-wg-dist@listhub.w3.org; Tue, 18 Apr 2017 07:17:27 +0000
Resent-Date: Tue, 18 Apr 2017 07:17:27 +0000
Resent-Message-Id: <E1d0NOB-0007wV-KB@frink.w3.org>
Received: from mimas.w3.org ([128.30.52.79]) by frink.w3.org with esmtps (TLS1.2:RSA_AES_128_CBC_SHA1:128) (Exim 4.80) (envelope-from <martin.thomson@gmail.com>) id 1d0NO8-0007vf-Md for ietf-http-wg@listhub.w3.org; Tue, 18 Apr 2017 07:17:24 +0000
Received: from mail-lf0-f54.google.com ([209.85.215.54]) by mimas.w3.org with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.84_2) (envelope-from <martin.thomson@gmail.com>) id 1d0NO2-0005gh-5a for ietf-http-wg@w3.org; Tue, 18 Apr 2017 07:17:19 +0000
Received: by mail-lf0-f54.google.com with SMTP id 75so75904054lfs.2 for <ietf-http-wg@w3.org>; Tue, 18 Apr 2017 00:16:57 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=OLuhlJ6YE+1qhKZyukbcbz45pib+J5SUSyHosohvAvc=; b=c78CZavIqHIYgfE3HOdw44dAI3rtKjPZxsXkEbSyJ0z6DSKmAnv5V9MJE5AYtyOJkI A2rTYPj8oZdJCOJicHxxoNAn8iBHXI6BnK5F7aDPGT/uUeRboKd620+AoO5pYxARin7f kAOWFgmpHvGthCUp2Mh7ytxkebNGNAt8QLviOr793Wq9YcFbahNgfgLcnZrTgGU+s+g5 5YjV2cIkk3M5XZYDMUxgDeWTCzUtoVxC3QqGjTLlPDMzB3MBDMyJgNGgbaFhNG5KEAuH SIVEBxjYmQdiRyQm6m19/+5WwNbKjQzU5b5pPLwcAjW7PXlm3bO2/6JBhLyEjkBUFxHv F71A==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=OLuhlJ6YE+1qhKZyukbcbz45pib+J5SUSyHosohvAvc=; b=ITJo38WaXSc/cfOQbmAF/Qp1dn5V7LA9YA17zOAUxavEG0+GEcyI4u2Rg516894xI2 eKBn6zfOvz3zyvX/L5yrSgLyaykjIRDBOA+nnckOeMpQtUZGtqnXdzMe3MX13D7Acet5 KZ6nY2Nl8QM5z4N2/uGnwLRgEKlJpNaBGYxDGZF4D+ek4kZdGnzvuBlJqis35mUn9z7B xlyLcq9284vkjdWidEb7V/T4KsGQXz9spdN4LmndZ/FUyOg9iI5imF/w7Z2+YgsVJO0z 1/rbCgRAS0rWBDTTDnzdfZiwh0kJ4XP0CFlcdGzP3kQBxioqz3I7zmjA2K5elBDQSCF+ /pKw==
X-Gm-Message-State: AN3rC/6RzvSynb+sWpU05Ie51GEsbb5BkGtOdc/u/i0Ukx36YS8qaa1U LCO5J9zc8nmZqlGZ/uoK5cwIzMn2tw==
X-Received: by 10.25.160.147 with SMTP id j141mr3942919lfe.19.1492499811041; Tue, 18 Apr 2017 00:16:51 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.46.83.5 with HTTP; Tue, 18 Apr 2017 00:16:49 -0700 (PDT)
In-Reply-To: <149217430101.22471.8833296005911898611.idtracker@ietfa.amsl.com>
References: <149217430101.22471.8833296005911898611.idtracker@ietfa.amsl.com>
From: Martin Thomson <martin.thomson@gmail.com>
Date: Tue, 18 Apr 2017 17:16:49 +1000
Message-ID: <CABkgnnXia0YvPK2dOu-TcoptVnwcJHoNR3cMogvW9fTG7+1mxQ@mail.gmail.com>
To: Eric Rescorla <ekr@rtfm.com>
Cc: The IESG <iesg@ietf.org>, draft-ietf-httpbis-encryption-encoding@ietf.org, Mark Nottingham <mnot@mnot.net>, httpbis-chairs@ietf.org, HTTP Working Group <ietf-http-wg@w3.org>
Content-Type: text/plain; charset="UTF-8"
Received-SPF: pass client-ip=209.85.215.54; envelope-from=martin.thomson@gmail.com; helo=mail-lf0-f54.google.com
X-W3C-Hub-Spam-Status: No, score=-5.7
X-W3C-Hub-Spam-Report: AWL=-0.212, BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, RCVD_IN_SORBS_SPAM=0.5, SPF_PASS=-0.001, W3C_AA=-1, W3C_DB=-1, W3C_IRA=-1, W3C_WL=-1
X-W3C-Scan-Sig: mimas.w3.org 1d0NO2-0005gh-5a f48848c46ad33e3ab0f82b1762885ce1
X-Original-To: ietf-http-wg@w3.org
Subject: Re: Eric Rescorla's Discuss on draft-ietf-httpbis-encryption-encoding-08: (with DISCUSS and COMMENT)
Archived-At: <http://www.w3.org/mid/CABkgnnXia0YvPK2dOu-TcoptVnwcJHoNR3cMogvW9fTG7+1mxQ@mail.gmail.com>
Resent-From: ietf-http-wg@w3.org
X-Mailing-List: <ietf-http-wg@w3.org> archive/latest/33818
X-Loop: ietf-http-wg@w3.org
Resent-Sender: ietf-http-wg-request@w3.org
Precedence: list
List-Id: <ietf-http-wg.w3.org>
List-Help: <http://www.w3.org/Mail/>
List-Post: <mailto:ietf-http-wg@w3.org>
List-Unsubscribe: <mailto:ietf-http-wg-request@w3.org?subject=unsubscribe>
On 14 April 2017 at 22:51, Eric Rescorla <ekr@rtfm.com> wrote: > The "aes128gcm" content coding uses a fixed record size. The final > encoding consists of a header (see Section 2.1) and zero or more > fixed size encrypted records; the final record can be smaller than > the record size. > > This restriction seems to be an artifact of your previous design which > used short records as an end marker. With the new padding delimeter > structure (which I note is isomorphic to the TLS 1.3 structure), I'm > not seeing any reason to require that the records be fixed length (as > they are not in TLS). I didn't see any discussion of this point in the > thread where this structure was designed, so I'd like to get > confirmation that the WG considered this point and decided to continue > with the above restriction. I'll clear this discuss upon either such > confirmation > or removal of the restriction. > > > UPDATE: James Manger points out that you need fixed record sizes > for random access and header-freeness, though not for security. I will > clear this. I think that James covered this. > S 2.1. > You should say what idlen is. The QUIC notation here isn't defined :) Oops, thanks for picking that up (the QUIC notation doesn't really support this idea either. > S 2.2/2.3. > Can you make clearer that the strings don't have their own null > termination. I.e, that what is fed into the CEK generation function > is .... 32 38 67 63 6d 00 01 > not .... 32 38 67 63 6d 00 00 01 Done. > S 4.6. > > This mechanism only offers encryption of content; it does not > perform > authentication or authorization, which still needs to be performed > (e.g., by HTTP authentication [RFC7235]). > > This text is kind of confusing, because the mechanism does provide > data origin authentication. I think you mean that if the server is > just going to process this as an opaque and stuff it somewhere, then > it needs extra authentication? This seems like a layering issue. The example is a little strange. I've made what I think is the minimal change: ``` This mechanism only offers data origin authentication; it does not perform authentication or authorization of the message creator, which could still need to be performed (e.g., by HTTP authentication {{?RFC7235}}). This is especially relevant when a HTTP PUT request is accepted by a server without decrypting the payload; if the request is unauthenticated, it becomes possible for a third party to deny service and/or poison the store. ``` Does that seem better? The layering issue exists already, but it's arguably beneficial. An HTTP endpoint might retain or remove content codings as they see fit (or, in this case, are able). For example, static JS or HTML files are routinely stored on disk or in cache with gzip (or brotli) encoding applied at servers and intermediaries, because that suits the usage model best and per-request compression can be too slow. > S 4.7. > Some citations to some of the various padding traffic analysis papers > might be useful. I added a couple. > Distributing non-padding data is recommended to avoid > leaking size information. > > I think you mean "distributing this across the records". Thanks. I've updated the editor's copy, which should show at http://httpwg.org/http-extensions/draft-ietf-httpbis-encryption-encoding.html in a little while. I will await instruction before I submit a -09 version.
- Eric Rescorla's Discuss on draft-ietf-httpbis-enc… Eric Rescorla
- Re: Eric Rescorla's Discuss on draft-ietf-httpbis… Martin Thomson
- Re: Eric Rescorla's Discuss on draft-ietf-httpbis… Eric Rescorla
- Re: Eric Rescorla's Discuss on draft-ietf-httpbis… Martin Thomson