IETF Logo Mail Archive

Re: combined field value, Re: Working Group Last Call: draft-ietf-httpbis-message-signatures-13

Justin Richer <jricher@mit.edu> Mon, 31 October 2022 16:05 UTC

Return-Path: <ietf-http-wg-request+bounce-httpbisa-archive-bis2juki=lists.ie@listhub.w3.org>
X-Original-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Delivered-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id ABB8FC152599 for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Mon, 31 Oct 2022 09:05:23 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.761
X-Spam-Level:
X-Spam-Status: No, score=-7.761 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HEADER_FROM_DIFFERENT_DOMAINS=0.249, HTML_MESSAGE=0.001, MAILING_LIST_MULTI=-1, RCVD_IN_DNSWL_HI=-5, RCVD_IN_MSPIKE_H2=-0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=mit.edu
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id mpnbMEUoJ0pH for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Mon, 31 Oct 2022 09:05:21 -0700 (PDT)
Received: from lyra.w3.org (lyra.w3.org [128.30.52.18]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange ECDHE (P-256) server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 91E0AC1522B4 for <httpbisa-archive-bis2Juki@lists.ietf.org>; Mon, 31 Oct 2022 09:05:21 -0700 (PDT)
Received: from lists by lyra.w3.org with local (Exim 4.94.2) (envelope-from <ietf-http-wg-request@listhub.w3.org>) id 1opXF6-002yOd-5d for ietf-http-wg-dist@listhub.w3.org; Mon, 31 Oct 2022 16:02:28 +0000
Resent-Date: Mon, 31 Oct 2022 16:02:28 +0000
Resent-Message-Id: <E1opXF6-002yOd-5d@lyra.w3.org>
Received: from mimas.w3.org ([128.30.52.79]) by lyra.w3.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.94.2) (envelope-from <jricher@mit.edu>) id 1opXF4-002yNg-JL for ietf-http-wg@listhub.w3.org; Mon, 31 Oct 2022 16:02:26 +0000
Received: from outgoing-exchange-1.mit.edu ([18.9.28.15]) by mimas.w3.org with esmtps (TLS1.2) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.94.2) (envelope-from <jricher@mit.edu>) id 1opXF3-004tI5-03 for ietf-http-wg@w3.org; Mon, 31 Oct 2022 16:02:26 +0000
Received: from oc11exedge1.exchange.mit.edu (OC11EXEDGE1.EXCHANGE.MIT.EDU [18.9.3.17]) by outgoing-exchange-1.mit.edu (8.14.7/8.12.4) with ESMTP id 29VG26rO025349; Mon, 31 Oct 2022 12:02:12 -0400
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=mit.edu; s=outgoing; t=1667232132; bh=2RvfpHTyOknT8Ktp3AfZf1VNBhtPjY6IkRmIxN5L2ew=; h=From:To:CC:Subject:Date:References:In-Reply-To; b=SZsAr5QFWquLsmnABzNJWQVkmop9q2NmMFbNZbmFoLHzj9twFhCCVZedj8RqzBmc/ ZW3Zw+t7ZZxxwxKBbJe3CZ+PcOKTAvUeyplh03v8uJsu3OgICGMDGkmYXz/ofjm38x SZfZq300Sc3HPz8klX6Za+hFSyGTK69OBJ9mB9I+f8zFivnaWeTN1OssTJRZeSyrax 6kZuZwFdzf/xHIZ7MPS6u6eZr0ZTZYIRx6Rz8GCPNdI9BXLUSomgwKTA/tJTDVoeUt OJFD4/TjoMngjhEoK8E0htfSIZeKpSYZ/3LZzMRdjD0zXW96+LmeHDaUBwvASzJDDC wITgqUBpnQMTw==
Received: from w92exhyb4.exchange.mit.edu (18.7.71.74) by oc11exedge1.exchange.mit.edu (18.9.3.17) with Microsoft SMTP Server (TLS) id 15.0.1497.38; Mon, 31 Oct 2022 12:00:57 -0400
Received: from oc11exhyb3.exchange.mit.edu (18.9.1.99) by w92exhyb4.exchange.mit.edu (18.7.71.74) with Microsoft SMTP Server (TLS) id 15.0.1497.42; Mon, 31 Oct 2022 12:01:29 -0400
Received: from NAM12-BN8-obe.outbound.protection.outlook.com (104.47.55.177) by oc11exhyb3.exchange.mit.edu (18.9.1.99) with Microsoft SMTP Server (TLS) id 15.0.1497.42 via Frontend Transport; Mon, 31 Oct 2022 12:01:29 -0400
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=JW2fcwYUYo0Sa1r9p9L9NgbU6NQbLWTLzYzGFjXLVGYrys2bxJUnMKoyXlGQj+nEfq7qrYYquMlq4dfp0hZJR2pL2jKEjvTWqmBDzUh7P6hT3PHw2OoBlSJ0MQ8UVUa3BgOZ7PxcZdEbH5iBkF8rWqINKBJ0YsA7oaQT/oRSPR2L3gMNt+6Mznb/0umAJ0fHEv54lLfubXE9QWTvsVC665vb01UdnMYJnRKsnzuUtX211a0sSjOJNBYzL31SWzUWkUCeOh6qJkkNJq3g8kNJap6qJ/6EzngOUKpPyCD3OV3FAzuKuAdFKTW4wN/hJCXVGIOii/iLdvBUhK7lhRn1Dg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=2RvfpHTyOknT8Ktp3AfZf1VNBhtPjY6IkRmIxN5L2ew=; b=UzyZb5s9uWaFq1/cfn/IUh2oXoE6cfmILwAplqFICc+Zlp/23oZIRA06GGolkBZvyhc5DkLdLihmHKPWLiXuRCHyL5AZFSJ36L07XsgqcP9+U5d8mGEUX4gIUPtfdao8AauCA7m6AUIcpSLeBbdr2OuCtlyprXH/kQ/g2Zldr7u74PPPO47+uNFJ+B9B6wX0oMIo0yvje4u7iHGmqUXb0u5eAqGq1RyefVUwa+uqrMqqvHw4WvcBWeQdfMtcN+TJUz4uC8x5+6sJyc6rGqKqU/4ci00IWk3CJiTMjVrBhsaMwh7vRGwXCfCn28lnUSbeUOf3wOo7yEQYHAmQ33hcMw==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=mit.edu; dmarc=pass action=none header.from=mit.edu; dkim=pass header.d=mit.edu; arc=none
Received: from DM6PR01MB4444.prod.exchangelabs.com (2603:10b6:5:78::15) by DM6PR01MB5961.prod.exchangelabs.com (2603:10b6:5:1db::21) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.5769.15; Mon, 31 Oct 2022 16:01:27 +0000
Received: from DM6PR01MB4444.prod.exchangelabs.com ([fe80::23fb:26a6:7340:e857]) by DM6PR01MB4444.prod.exchangelabs.com ([fe80::23fb:26a6:7340:e857%7]) with mapi id 15.20.5769.019; Mon, 31 Oct 2022 16:01:27 +0000
From: Justin Richer <jricher@mit.edu>
To: Julian Reschke <julian.reschke@gmx.de>
CC: HTTP Working Group <ietf-http-wg@w3.org>
Thread-Topic: combined field value, Re: Working Group Last Call: draft-ietf-httpbis-message-signatures-13
Thread-Index: AQHY7TbPdbrPP79kzkK4Z+QZxcsttK4oqaEA
Date: Mon, 31 Oct 2022 16:01:27 +0000
Message-ID: <01671934-E6C5-4B82-82AF-EA49022EEA4D@mit.edu>
References: <7A490A89-3B27-4278-9AFA-A5339FF11500@mnot.net> <9feaab79-4da9-cd83-b53e-297fc199624b@gmx.de> <7BE7AA9D-2EFB-44AA-AB56-9C23E0F55AFF@mit.edu> <111cf860-bbda-1c02-a5b7-81c76af7d263@gmx.de>
In-Reply-To: <111cf860-bbda-1c02-a5b7-81c76af7d263@gmx.de>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=mit.edu;
x-ms-publictraffictype: Email
x-ms-traffictypediagnostic: DM6PR01MB4444:EE_|DM6PR01MB5961:EE_
x-ms-office365-filtering-correlation-id: a43f16fb-543e-4d13-64b9-08dabb592b09
x-ms-exchange-senderadcheck: 1
x-ms-exchange-antispam-relay: 0
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: kobGO/wBqSITdIhVRaV416bxKDGbkD/XdwLODZzC5zy+rrbOgBzicmJA0c9eXVq+lrewQ9vBrO1qpnESNWgV/uPr0u8h04iqZgNu9JT6LJL1calVlfXBwFnX/McihlQrn/nj0LKoQKio5bHV9byGlkAdQZumhQn8Wk21ezxf6LExGk+EgBXDq6WEO/TrOnHfJaEiJMbbVXfndfkAJMxtqWSFsqf8jxS5q6TAm3pJ5wG62NiMYZ3uh+t9Fpuv2Cc38f1QQNmemHJo3/rFechTA6AgSIeaEAYSDGs7JFlCB+jGTdfnHWuz/1psM+CRkp9y962amJj+Y+S4OJWdNNrMRTaYN8obPfBxzm9R22yNjKbL/lOFDmMeiCFNDMMBeqVUOVsfDqaqmpv74XtzSuATwwcDoCJ/WiaB9UT54OuqyBTJ5GBWGbCtuPIZei5I+lcy7Tnzg/GLXxmuIYl4OQ5YGZ/jCCwTb6Zrf5qj5qNvT3KsLRhTINkhZ8WrT1JvqoHO6GJH0QnBfsKO3akMc8SU/KityNjaz9pJJwCQl1Lu8cba1wkrqxnvgK1d9a5hivP9r0RlHaqixNxSf95rEJKyNvuuskOwfAyrWPy+DAo0k9ymcKX9lFZaezdOwng21vZKtiioHR1y0hUT7QYR01JF679tP1pLcLcrl8vR40qaB6jE2WbsrCZAEUl+368cO/JaTPny/F3PwSLw3ujRQjwX21XZrZWg8qgm7RfyH+cS5dPWH4/R5huNk6dLt7nPxVK1kBHrdGCZlWRlZV1LAI9s0Q==
x-forefront-antispam-report: CIP:255.255.255.255;CTRY:;LANG:en;SCL:1;SRV:;IPV:NLI;SFV:NSPM;H:DM6PR01MB4444.prod.exchangelabs.com;PTR:;CAT:NONE;SFS:(13230022)(4636009)(396003)(366004)(376002)(346002)(39860400002)(136003)(451199015)(26005)(8936002)(5660300002)(86362001)(478600001)(66899015)(71200400001)(6486002)(6916009)(36756003)(91956017)(786003)(6506007)(316002)(41300700001)(122000001)(6512007)(8676002)(75432002)(33656002)(66556008)(66476007)(66446008)(64756008)(4326008)(53546011)(66946007)(76116006)(38100700002)(2616005)(186003)(15650500001)(2906002)(83380400001)(38070700005);DIR:OUT;SFP:1102;
x-ms-exchange-antispam-messagedata-chunkcount: 1
x-ms-exchange-antispam-messagedata-0: xfnoCgv7xhz5ysqGunYYbuTS8wMhNvse0a+fB5+C8KzFmZzh0gZypcf5Oug3v9yIHSZDLR/Kzkeyt9L0AzQz4MPfUhaEePYsHLx5xv2ncxmDH108r7sFpU2kG+ChhxV3W8Hi89f/p5RKn1lzkWgHqnA+OM69T55MNvddvkYxNWNo/ExbpX6ZgWorpKAwPu340+G1b6C86J1mSe5qAUqTr7/P0plgJgvSNFxSBvEhCgo/rnYerm9aRKnw2s2n4jSbSNaWqtbT+xOAkf4ROD2OtDK21Kf8hNWNqdiFDR5xmmfsDnJDo8+KrFKdjR8t6CeeeohxlHPAXy7LxXl28FBF9PMRWicJORwP4/wc0/UtBVNHf6oriMrHPlbRx5W0/LuBPlzSR32mwfoLFO0JB/o7r2I8y/3BZywg3jOJBQufJoeBzwl4dkN+wyQl2VWILKs8kxtDl5vOBPxD0eJQlVnh5UBeROo+jHeEm0RtqjUF5ksbDZYHLbrM83Op6MOn3H+fn1K649td/mpwxg63wtRs44fejDXHdLxch3p6FlcPC4m8Msu4DhqS6DmN49Lpux4NDT4dB5CbtFSGIzrKDGkj6bjUPf+EaMzxYnbYc8CTvL3GY0jH9X33bz4AcjvB4JSRhH77m3nSMnchXfSJsbbQ11lQ05+T6wGs+MnQOFhZuVEd+OwEz3sZLH7yOlJLwawuksFAL5/Du7kVOtTIT0Z37ZppXFKcX5g9658hISwaeTMbxrdyQwMioQannymX39aC1iynwmtvQP5YR7ehzoloSDHdrubhSoWYdwOoobyDW8JsCMXS533/ARqtoGQL3Ys0T0flgZrP0GWx6cE8JttPCBZ8iIfGcKaGeYN5ntGbUdMJ6nKFqXR6I4xj8zLpXv3XYTvfyTRBVsrm9LSm5kzUTUIP+ch0UQED+Op6aUyLI9DTKUfPmLhsIeYnQXhUzJo2bt+UFBPy31GQThVsP0Boj847kNhUfJCvaXgJp2YLJgtrt4HCaibqFQNA5jJ42nlJdqqRx8k0JiW0mCwx2J2Q5u1qLjVmTEWLFWMEf69wy/gNWxF9oRc1Ixy7RZw1iQXjCbQyUbPgG12XnAT3tNmaYekSLqug++YqJXDxDL5ZFsM3b9G1+JygBJRCCIEpn+r6b2N2Cbc7aL5Nijw4Wi23cspw82u/jPy+HDjG/lW/KHtOyX/hZAotsEEZVM9nx+BKq+t/2glsCOIznr9oo2FWJISVDVVr9PyGaZo3V8SSxUfwIcYCNt6dY7MhnGJfKC+W4htNDKgFkI0Z36JYK81LZvsh6CksiSEJXHKAEWBKOIwDbzmu9gHqJgXuSvegMjnZv9DTFMesMDo338rLHzPRa/q5v9vcF11AFewMT5QiQ1cDBz5GarA4D1fAJBRPU1iitBs4B2KswLF3poxcYuAJLVXkQdhtmNMUIMTog7A+1m9yAwP71TkY348Zc4SsMwZa1OBdusoIH/FUQMn1L6jaLQSl/8PX/E/fv2dq25V+hM4It0gOjdYTc5q8CHE2azrKm+ofvBEStTfzKqxih89Tj6MV5lz4bCiaDm3NXS3roZ07t3ZnxV6EiLbFqjeGDzRw
Content-Type: multipart/alternative; boundary="_000_01671934E6C54B8282AFEA49022EEA4Dmitedu_"
MIME-Version: 1.0
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: DM6PR01MB4444.prod.exchangelabs.com
X-MS-Exchange-CrossTenant-Network-Message-Id: a43f16fb-543e-4d13-64b9-08dabb592b09
X-MS-Exchange-CrossTenant-originalarrivaltime: 31 Oct 2022 16:01:27.4397 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 64afd9ba-0ecf-4acf-bc36-935f6235ba8b
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: EflnipKRzK8Lr8ARMlOwpI8hk32+J0PcZOWFwj34YF4JA45OOudBAj1YDCChU4mh
X-MS-Exchange-Transport-CrossTenantHeadersStamped: DM6PR01MB5961
X-OriginatorOrg: mit.edu
X-W3C-Hub-DKIM-Status: validation passed: (address=jricher@mit.edu domain=mit.edu), signature is good
X-W3C-Hub-Spam-Status: No, score=-7.4
X-W3C-Hub-Spam-Report: BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-2.3, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, W3C_AA=-1, W3C_IRA=-1, W3C_WL=-1
X-W3C-Scan-Sig: mimas.w3.org 1opXF3-004tI5-03 e0357b76385cbb57b44f2ab96cb06a07
X-Original-To: ietf-http-wg@w3.org
Subject: Re: combined field value, Re: Working Group Last Call: draft-ietf-httpbis-message-signatures-13
Archived-At: <https://www.w3.org/mid/01671934-E6C5-4B82-82AF-EA49022EEA4D@mit.edu>
Resent-From: ietf-http-wg@w3.org
X-Mailing-List: <ietf-http-wg@w3.org> archive/latest/40514
X-Loop: ietf-http-wg@w3.org
Resent-Sender: ietf-http-wg-request@w3.org
Precedence: list
List-Id: <ietf-http-wg.w3.org>
List-Help: <https://www.w3.org/Mail/>
List-Post: <mailto:ietf-http-wg@w3.org>
List-Unsubscribe: <mailto:ietf-http-wg-request@w3.org?subject=unsubscribe>

On Oct 31, 2022, at 10:40 AM, Julian Reschke <julian.reschke@gmx.de<mailto:julian.reschke@gmx.de>> wrote:

Am 31.10.2022 um 15:33 schrieb Justin Richer:
Hi Julian, thanks for this writeup of this issue. Multiple-valued fields have been potentially trouble from the start of this work many years ago.

After re-reading the text in RFC9110 section 5, but especially 5.3, the normalization rules are consistent with the advice of " For consistency, use comma SP”, but an intermediary could in fact combine field values without spaces on the way through. I think what we want to do is something like:


HTTP fields that are known to be  "list-based fields” by the signer or verifier which have multiple values MUST have all values combined using the delimiter of “comma <SP>” as suggested by RFC9110. <warning about set-cookie goes here>

So it’s still the “combined value” but it’s got very specific rails around it. What do you think of this approach?

I agree that we might want to revisit this text in the HTTP semantics document, too. In my own limited practical experience, whenever the libraries I’ve used offer a pre-combined value, it always does the combination with “comma <SP>”, as shown in both examples and in the non-normative recommendations. I think that the fact that the examples do the same, in spite of the normative text technically allowing other options, is a practical consideration for implementors.

 — Justin

Well, there's nothing in the spec that guarantees that this (adding the
OPTIONAL SP) will happen. I'm not sure it's a good idea to rely on it.

A sender can always make things robust by making sure that there's only
a single instance of the field...

Best regards, Julian


I agree exactly with this — sorry if what I was saying before was unclear. I think it’s in fact MORE important to call out because things will “just work” in the wild for so many developers that having imprecise behavior is a huge problem. It would perhaps be worth adding implementation considerations for this issue in Signatures, and eventually revisiting the requirements in HTTP.

Making a completely robust solution here is not out of the question — you’d just need to take every list-based field, parse it to pull out the comma-separated values, and re-combine it. I don’t think we want to require that by all Signatures implementations though: you could get your list of list-based fields wrong, you could have a problem with your parser that grabs quoted commas, etc. But calling it out for implementations that want to cover all corner cases, that makes sense to me. We do something similar for obs-fold already.

The good news, from a security perspective, is that this problem does at least fail closed — what would otherwise be a valid message will have a failing signature. Not great, but at least not causing the opposite problem of having a manipulated message pass with what should be a failing signature.

 — Justin

v2.23.0 | Report a Bug | By Email