IETF Logo Mail Archive

Re: Call for Adoption: Secondary Certificate Authentication in HTTP/2

Eric Rescorla <ekr@rtfm.com> Mon, 04 July 2016 22:53 UTC

Return-Path: <ietf-http-wg-request+bounce-httpbisa-archive-bis2juki=lists.ie@listhub.w3.org>
X-Original-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Delivered-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id F070612B028 for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Mon, 4 Jul 2016 15:53:47 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -8.346
X-Spam-Level:
X-Spam-Status: No, score=-8.346 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HEADER_FROM_DIFFERENT_DOMAINS=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, RP_MATCHES_RCVD=-1.426, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=rtfm-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id s8CX0FdA9bY0 for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Mon, 4 Jul 2016 15:53:45 -0700 (PDT)
Received: from frink.w3.org (frink.w3.org [128.30.52.56]) (using TLSv1.2 with cipher DHE-RSA-AES128-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5C4FA12B01F for <httpbisa-archive-bis2Juki@lists.ietf.org>; Mon, 4 Jul 2016 15:53:44 -0700 (PDT)
Received: from lists by frink.w3.org with local (Exim 4.80) (envelope-from <ietf-http-wg-request@listhub.w3.org>) id 1bKCgM-0002cF-B0 for ietf-http-wg-dist@listhub.w3.org; Mon, 04 Jul 2016 22:49:38 +0000
Resent-Date: Mon, 04 Jul 2016 22:49:38 +0000
Resent-Message-Id: <E1bKCgM-0002cF-B0@frink.w3.org>
Received: from lisa.w3.org ([128.30.52.41]) by frink.w3.org with esmtps (TLS1.2:DHE_RSA_AES_128_CBC_SHA1:128) (Exim 4.80) (envelope-from <ekr@rtfm.com>) id 1bKCgI-0002bL-Jk for ietf-http-wg@listhub.w3.org; Mon, 04 Jul 2016 22:49:34 +0000
Received: from mail-yw0-f179.google.com ([209.85.161.179]) by lisa.w3.org with esmtps (TLS1.2:RSA_AES_128_CBC_SHA1:128) (Exim 4.80) (envelope-from <ekr@rtfm.com>) id 1bKCgE-0006Vo-WB for ietf-http-wg@w3.org; Mon, 04 Jul 2016 22:49:33 +0000
Received: by mail-yw0-f179.google.com with SMTP id i12so48450292ywa.1 for <ietf-http-wg@w3.org>; Mon, 04 Jul 2016 15:49:10 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rtfm-com.20150623.gappssmtp.com; s=20150623; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=mlRboiqNZs40RWwDtcAQ1zTIJ8xbS2pAStDvB5R12Dg=; b=OW1JhkfyppGr2uqEMIVfFE+XzpizTxqNfuFsyMiUIlUwGmmxntJsRNa8IU3OTW48Og RE8PhU/4DdlAUdDMjvSeH7KJWJVOLX4RPq1naClU5DjRDewYgE6N8WAOXHEFBGDsFvpV dK7CGrCAmfZWHCQqQueNe89lrQKma0SYcC6Mz/jfVuvaVsumIijXGaMD87WapqZdygpx JkEu/c5zfOL7jrPP4qOsyYJLDbIoxc+JJoHkaY2dRpBBc27+APgzQUk7gEqYYEZF6e7L Va2KQ3LDdl3NZj+ljDU+aFFPEpXuRhT/9VeOdTAXLGbSILZamq6rh18kQOUWqdQjZyit udxg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=mlRboiqNZs40RWwDtcAQ1zTIJ8xbS2pAStDvB5R12Dg=; b=ab4l5ifFzXAI93c/j5hHDyhZevc9qPzfLx5qOu8AwMuqAc7jhT+x3elkJhkhpm80+d nptaqtjsHcLowIEqoext6U9kTmGulGZwHjCPWO02Hih8Qy1tE9XPZIw8nuM/T8pcoYkW pHw3bfZdJWeHNgKBlm9cA/2Zy2WvVzLr341G83+POK0J93ujP5TCppCPfi1MXda9X7Ra Ff+wPROSkaoHbIDa0lYUEVniW9lNlfStnwOK8hGn48NhS9Bt1a0aPuA8bt5GvdLMMEDw E7a8KFjn4X+1m4HLNfHDBpa47yIDD0aSipNKeTuaoAKiq/FHIGAco46FO3Mb3pLw0Tai E6Tg==
X-Gm-Message-State: ALyK8tKqTqpjdmjtvq+GKCfaB47I7ehZtaN2zmC14tLwa1AZpVE9i3qwfCnN2so42U/eSxcUfD0jvIjMtDwJnA==
X-Received: by 10.37.209.140 with SMTP id i134mr4554269ybg.146.1467672544281; Mon, 04 Jul 2016 15:49:04 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.129.132.211 with HTTP; Mon, 4 Jul 2016 15:48:24 -0700 (PDT)
In-Reply-To: <F9D2CFF3-57C2-41BD-ACB1-FA6C991458D7@mnot.net>
References: <F9D2CFF3-57C2-41BD-ACB1-FA6C991458D7@mnot.net>
From: Eric Rescorla <ekr@rtfm.com>
Date: Mon, 04 Jul 2016 15:48:24 -0700
Message-ID: <CABcZeBPTYgcfecKErhacR=jfXkoRPESgUQ=1pzPEWg092fqZvw@mail.gmail.com>
To: Mark Nottingham <mnot@mnot.net>
Cc: HTTP Working Group <ietf-http-wg@w3.org>
Content-Type: multipart/alternative; boundary="94eb2c0628b4a642430536d72453"
Received-SPF: none client-ip=209.85.161.179; envelope-from=ekr@rtfm.com; helo=mail-yw0-f179.google.com
X-W3C-Hub-Spam-Status: No, score=-7.9
X-W3C-Hub-Spam-Report: AWL=1.040, BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, W3C_AA=-1, W3C_DB=-1, W3C_IRA=-1, W3C_IRR=-3, W3C_WL=-1
X-W3C-Scan-Sig: lisa.w3.org 1bKCgE-0006Vo-WB 40809217948784e6f77e12a54ded51b3
X-Original-To: ietf-http-wg@w3.org
Subject: Re: Call for Adoption: Secondary Certificate Authentication in HTTP/2
Archived-At: <http://www.w3.org/mid/CABcZeBPTYgcfecKErhacR=jfXkoRPESgUQ=1pzPEWg092fqZvw@mail.gmail.com>
Resent-From: ietf-http-wg@w3.org
X-Mailing-List: <ietf-http-wg@w3.org> archive/latest/31825
X-Loop: ietf-http-wg@w3.org
Resent-Sender: ietf-http-wg-request@w3.org
Precedence: list
List-Id: <ietf-http-wg.w3.org>
List-Help: <http://www.w3.org/Mail/>
List-Post: <mailto:ietf-http-wg@w3.org>
List-Unsubscribe: <mailto:ietf-http-wg-request@w3.org?subject=unsubscribe>

Document: draft-bishop-httpbis-http2-additional-certs-01

OVERALL
I don't have a strong position on the level of demand for the
functionality in this draft (though the fact that Nick, Martin, and
MikeB all think it's useful counts for a lot with me). My comments
below are restricted to the technical functionality.

This document is targeted at two primary use cases:

- Servers which have multiple certificates corresponding to
  >1 origins and want to mux them over the same connections.
- On-the-fly client authentication conditioned on access to
  protected resources.

In each of these cases, it seems like there are two phases:

1. The relying party indicates the identity it would like the
   peer to authenticate for.
2. The authenticating party supplies a certificate and proves
   possession of the private key corresponding to the certificate.

The second of these seems pretty similar for both use cases, but the
first actually is rather different and seems rather shoe-horned in in
an attempt to make it symmetrical. I would suggest instead that we
provide different mechanisms for the "certificate request" phase that
more closely track the TLS 1.3 mechanisms. Specifically:

- When requesting that the server authenticate for a new origin,
  the client should supply a new domain name.
- When requesting that the client authenticate for a new certificate
  the server should supply a CertificateRequest which indicates
  detailed certificate properties (this is more or less what the
  draft does).

I think that this would be clearer and provide a better match for the
use case.

I'd also like to understand the relationship of this mechanism
with TOKBIND, as it seems that it has extremely similar properties,
albeit being restricted to H2.

I think it would be OK to adopt this document, but IMO it will need
a fair bit of work before it's ready for publication.


DETAILED COMMENTS
S 1.1.
I'm a bit skeptical of this encrypted SNI use case, though I suppose
it might work in some settings. As DKG has suggested, there are applications
of encrypted SNI where you want the gateway not to be able to see the
plaintext.


S 2.
This AUTOMATIC_USE thing seems very dangerous, as indicated in S 5.  I
would suggest instead that servers always have this semantic (you
require this anyway in S 3.5) and that clients never have this
semantic. In addition, I would forbid ambient authentication with
any certificate (including one established at the TLS layer) once
the client has authenticated with a certificate at the HTTP layer,
and reserve some indicator for the certificates established in TLS.


S 2.3.
It would be nice to be clear that the client MUST NOT send a request
to an unauthenticated domain prior to completion of the CERT_REQUIRED.

I see that you are retroactively authenticating pushed resources.
I guess we've decided to live with this, but...


S 3.1.
This Request-ID seems very short. Surely it's easily possible to
do >1 requests. What is the benefit in making it so short?

Same thing for Cert-ID.


S 3.3.
It's pretty odd that you allow servers to take a position on which
extensions should be in certs but not on what signature algorithms
should be used to sign them. Also, as noted above, all the fields here
are useless in the server->client authentication case (it's not like
you're going to provide the whole trust anchor list). You should
use a different format here for server and client, because most of
the signaling here in client->server is cruft.

What is a peer supposed to do if it receies a request that it
thinks it has already satisfied (e.g., a duplicate SAN?).


S 3.5.
Signing the same value with every CERTIFICATE_PROOF seems like it's
really living on the edge. Minimally, it seems like you have a
reflection attack where the client is able to replay the server's
CERTIFICATE_PROOF back to it. I would recommend that:

- You sign over the certificate and the RequestID (I don't have a
  concrete attack but it just seems like an abundance of caution).
  You could just stuff it in the context parameter.
- Have the client and server exporters be different to avoid reflection.
- Also, nothing wrong with 64 bytes, but it seems a bit long, no?


S 6.1.
A two byte bitfield indicating which algorithms you support seems
like premature optimization. It's easy to see how this gets to be
half-full, just with algorithms that we know of today (4Q, digest
signatures, some sort of lattice-based post-quantum thing). I would
think at least 32-bit field would be wise.


On Thu, Jun 23, 2016 at 5:41 PM, Mark Nottingham <mnot@mnot.net> wrote:

> <https://tools.ietf.org/html/draft-bishop-httpbis-http2-additional-certs>
>
> We've discussed carrying certificates and related artefacts in HTTP for a
> long time. This draft from Mike and Martin is an evolution of several
> previous approaches.
>
> Please state whether you support adoption, and ideally why. Expressions of
> interest in implementation would also be very helpful.
>
> We'll wait at least one week before making a decision.
>
> Cheers,
>
>
> --
> Mark Nottingham   https://www.mnot.net/
>
>
>

v2.23.0 | Report a Bug | By Email