IETF Logo Mail Archive

Re: Origin-signed responses

Ilari Liusvaara <ilariliusvaara@welho.com> Sat, 02 September 2017 15:37 UTC

Return-Path: <ietf-http-wg-request+bounce-httpbisa-archive-bis2juki=lists.ie@listhub.w3.org>
X-Original-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Delivered-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4E086132F1D for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Sat, 2 Sep 2017 08:37:18 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.899
X-Spam-Level:
X-Spam-Status: No, score=-6.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HEADER_FROM_DIFFERENT_DOMAINS=0.001, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id U5gQjVkss3LX for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Sat, 2 Sep 2017 08:37:16 -0700 (PDT)
Received: from frink.w3.org (frink.w3.org [128.30.52.56]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 29809132FCC for <httpbisa-archive-bis2Juki@lists.ietf.org>; Sat, 2 Sep 2017 08:37:15 -0700 (PDT)
Received: from lists by frink.w3.org with local (Exim 4.89) (envelope-from <ietf-http-wg-request@listhub.w3.org>) id 1doAQX-000304-1i for ietf-http-wg-dist@listhub.w3.org; Sat, 02 Sep 2017 15:33:41 +0000
Resent-Date: Sat, 02 Sep 2017 15:33:41 +0000
Resent-Message-Id: <E1doAQX-000304-1i@frink.w3.org>
Received: from mimas.w3.org ([128.30.52.79]) by frink.w3.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.89) (envelope-from <ilariliusvaara@welho.com>) id 1doAQH-0002zE-Jd for ietf-http-wg@listhub.w3.org; Sat, 02 Sep 2017 15:33:25 +0000
Received: from welho-filter4.welho.com ([83.102.41.26]) by mimas.w3.org with esmtp (Exim 4.89) (envelope-from <ilariliusvaara@welho.com>) id 1doAQC-0005f9-Cn for ietf-http-wg@w3.org; Sat, 02 Sep 2017 15:33:25 +0000
Received: from localhost (localhost [127.0.0.1]) by welho-filter4.welho.com (Postfix) with ESMTP id A42EF83733; Sat, 2 Sep 2017 18:32:57 +0300 (EEST)
X-Virus-Scanned: Debian amavisd-new at pp.htv.fi
Received: from welho-smtp3.welho.com ([IPv6:::ffff:83.102.41.86]) by localhost (welho-filter4.welho.com [::ffff:83.102.41.26]) (amavisd-new, port 10024) with ESMTP id Jrgo9XA-rXd8; Sat, 2 Sep 2017 18:32:56 +0300 (EEST)
Received: from LK-Perkele-VII (87-92-19-27.bb.dnainternet.fi [87.92.19.27]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by welho-smtp3.welho.com (Postfix) with ESMTPSA id 3AC7D2315; Sat, 2 Sep 2017 18:32:54 +0300 (EEST)
Date: Sat, 02 Sep 2017 18:32:53 +0300
From: Ilari Liusvaara <ilariliusvaara@welho.com>
To: Jeffrey Yasskin <jyasskin@google.com>
Cc: HTTP Working Group <ietf-http-wg@w3.org>
Message-ID: <20170902153253.ugxzbfdtz6pvs7za@LK-Perkele-VII>
References: <CANh-dXkbqBpGUrr-dXceQ5HzDjC6mSrrudTKjWwaBQcSO584ug@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
In-Reply-To: <CANh-dXkbqBpGUrr-dXceQ5HzDjC6mSrrudTKjWwaBQcSO584ug@mail.gmail.com>
User-Agent: NeoMutt/20170609 (1.8.3)
Sender: ilariliusvaara@welho.com
Received-SPF: none client-ip=83.102.41.26; envelope-from=ilariliusvaara@welho.com; helo=welho-filter4.welho.com
X-W3C-Hub-Spam-Status: No, score=-2.9
X-W3C-Hub-Spam-Report: AWL=1.000, BAYES_00=-1.9, RP_MATCHES_RCVD=-0.001, W3C_AA=-1, W3C_WL=-1
X-W3C-Scan-Sig: mimas.w3.org 1doAQC-0005f9-Cn eac3b48687a7069e2c0d8727116f444c
X-Original-To: ietf-http-wg@w3.org
Subject: Re: Origin-signed responses
Archived-At: <http://www.w3.org/mid/20170902153253.ugxzbfdtz6pvs7za@LK-Perkele-VII>
Resent-From: ietf-http-wg@w3.org
X-Mailing-List: <ietf-http-wg@w3.org> archive/latest/34427
X-Loop: ietf-http-wg@w3.org
Resent-Sender: ietf-http-wg-request@w3.org
Precedence: list
List-Id: <ietf-http-wg.w3.org>
List-Help: <http://www.w3.org/Mail/>
List-Post: <mailto:ietf-http-wg@w3.org>
List-Unsubscribe: <mailto:ietf-http-wg-request@w3.org?subject=unsubscribe>

On Fri, Sep 01, 2017 at 09:35:27AM -0700, Jeffrey Yasskin wrote:
> Hi all,
> 
> When I brought web packaging to IETF99 DISPATCH
> (https://datatracker.ietf.org/doc/minutes-99-dispatch/), several
> people said they wanted to see what it would look like split into
> layers. https://tools.ietf.org/id/draft-yasskin-http-origin-signed-responses-00.html
> discusses use cases and an outline of what the signing layer needs to
> look like, but doesn't include an actual proposal for signatures yet.
> 
> What do you think? Is splitting the packaging proposal still the right approach?

Some random comments (in no practicular order nor connection):

- The main problem seems to be freshness: How to ensure that the signed
  responses are not stale (this appears to be connected to the HTTP
  caching model).

- Regarding Extended Key Usage: I do not think EKU would be good for
  use-case like this even if it was decided that one needed to flag
  certificates for this kind of usage.

  The reason is that while by specification EKU only appiles to usage
  of the certificate itself, de-facto interpretation (which browsers
  actually rely on security!) is that EKU is inherited down the
  chain. Thus to add a new EKU to end-entity certificates, it may be
  necressary to re-issue intermediates, which is quite lengthy process
  for a reason.

  Having a certificate extension would be another possibility, however
  that also has its problems (will likely take quite long time to be
  available and is of questionable benefit, because either the
  certificate does not actually need it, or it can be used in dangerous
  ways anyway).

- The main risk in just using server PKI keys is server accidentially
  signing a valid response. Such accidential signatures can come from
  two sources:

  1) Confusion with some other type of key exchange.
  2) Confusion with some other type of signature.
  
  The first is mainly risk for OID 1.2.840.113549.1.1.1 generic RSA
  keys, as due to server misconfiguration, those can be used with
  various broken key exchanges that may be exploitable to create valid
  signatures. Other key algorithms, like 1.2.840.113549.1.1.10
  (RSA-PSS), 1.2.840.10045.2.1 (generic ECC), 1.3.101.112 (Ed25519)
  and 1.3.101.113 (Ed448) are not affected, or are affected much less.

  According to spec, the KeyUsage could be used to disable the
  problematic uses without affecting non-problematic ones.
  Unfortunately, in practice KeyUsage is not implemented correctly
  enough to serve in that role.

  The second is mitigated fairly well by using the TLS 1.3 signature
  construction with custom label/context, as pointed out in section
  4.1 (Proof of Origin).

- Be careful with passing URLs to certificates. There are at least two
  kinds of pitfalls here:

  1) One needs to hash or MAC the certificate to avoid attacks.
  2) The URL could point to some rather sensitive place (for probing or
     exploiting bad GET handling).

- On stapling things to certificates, there is presumably also stapling
  Certificate Transparency SCTs (and also STHs for interactive
  clients).

- If application/http2 type format is used, it obviously can not use
  the main header compression state. Less obviously, it does not seem
  like it can use any header compression state, and thus, each pair of
  sets of headers (request-response pair) needs to be compressed
  independently.


-Ilari

v2.23.0 | Report a Bug | By Email