Re: MACs and Signatures (was Re: draft-ietf-httpbis-message-signatures-05)
Justin Richer <jricher@mit.edu> Wed, 14 July 2021 19:31 UTC
Return-Path: <ietf-http-wg-request+bounce-httpbisa-archive-bis2juki=lists.ie@listhub.w3.org>
X-Original-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Delivered-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E4B563A160A for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Wed, 14 Jul 2021 12:31:27 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.897
X-Spam-Level:
X-Spam-Status: No, score=-2.897 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HEADER_FROM_DIFFERENT_DOMAINS=0.001, MAILING_LIST_MULTI=-1, RCVD_IN_DNSWL_BLOCKED=0.001, RCVD_IN_MSPIKE_H4=0.001, RCVD_IN_MSPIKE_WL=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 5yK2_PSM-p7j for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Wed, 14 Jul 2021 12:31:25 -0700 (PDT)
Received: from lyra.w3.org (lyra.w3.org [128.30.52.18]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 541713A160B for <httpbisa-archive-bis2Juki@lists.ietf.org>; Wed, 14 Jul 2021 12:31:24 -0700 (PDT)
Received: from lists by lyra.w3.org with local (Exim 4.92) (envelope-from <ietf-http-wg-request@listhub.w3.org>) id 1m3kZD-00013f-CO for ietf-http-wg-dist@listhub.w3.org; Wed, 14 Jul 2021 19:29:11 +0000
Resent-Date: Wed, 14 Jul 2021 19:29:11 +0000
Resent-Message-Id: <E1m3kZD-00013f-CO@lyra.w3.org>
Received: from mimas.w3.org ([128.30.52.79]) by lyra.w3.org with esmtps (TLS1.3:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.92) (envelope-from <jricher@mit.edu>) id 1m3kZ9-000124-Ga; Wed, 14 Jul 2021 19:29:07 +0000
Received: from outgoing-auth-1.mit.edu ([18.9.28.11] helo=outgoing.mit.edu) by mimas.w3.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.92) (envelope-from <jricher@mit.edu>) id 1m3kZ7-0004Zc-VW; Wed, 14 Jul 2021 19:29:07 +0000
Received: from [192.168.1.49] (static-71-174-62-56.bstnma.fios.verizon.net [71.174.62.56]) (authenticated bits=0) (User authenticated as jricher@ATHENA.MIT.EDU) by outgoing.mit.edu (8.14.7/8.12.4) with ESMTP id 16EJSpiY006443 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Wed, 14 Jul 2021 15:28:51 -0400
Content-Type: text/plain; charset="utf-8"
Mime-Version: 1.0 (Mac OS X Mail 13.4 \(3608.120.23.2.7\))
From: Justin Richer <jricher@mit.edu>
In-Reply-To: <CACsn0cnPNDPDsYOAkAe3-V5G3=-xkt51WnUSiYt4=Huh=oPaHw@mail.gmail.com>
Date: Wed, 14 Jul 2021 15:28:51 -0400
Cc: Christopher Langton <chris@langton.cloud>, "public-credentials@w3.org" <public-credentials@w3.org>, HTTP Working Group <ietf-http-wg@w3.org>
Content-Transfer-Encoding: quoted-printable
Message-Id: <F72E9A2B-9EC8-4AB4-8865-F61BE198A5E5@mit.edu>
References: <h5V7Vq6ndpToeXGlL8PqMMKHEc-Zy5jxXWea2XIrIWkSLruAJMNxjJIyOHeeopKrQKOeXpAhay8pe7p69M3VyDsu_Hs_d9Nwfpjz8oT_s7Q=@langton.cloud> <edf0660aad2e4a9bbac11aed17e78ff7@oc11expo18.exchange.mit.edu> <CACsn0cnPNDPDsYOAkAe3-V5G3=-xkt51WnUSiYt4=Huh=oPaHw@mail.gmail.com>
To: Watson Ladd <watsonbladd@gmail.com>
X-Mailer: Apple Mail (2.3608.120.23.2.7)
X-W3C-Hub-Spam-Status: No, score=-7.2
X-W3C-Hub-Spam-Report: BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, W3C_AA=-1, W3C_IRA=-1, W3C_WL=-1
X-W3C-Scan-Sig: mimas.w3.org 1m3kZ7-0004Zc-VW 1a1a4b328e2b4db511826c076dd39846
X-Original-To: ietf-http-wg@w3.org
Subject: Re: MACs and Signatures (was Re: draft-ietf-httpbis-message-signatures-05)
Archived-At: <https://www.w3.org/mid/F72E9A2B-9EC8-4AB4-8865-F61BE198A5E5@mit.edu>
Resent-From: ietf-http-wg@w3.org
X-Mailing-List: <ietf-http-wg@w3.org> archive/latest/39016
X-Loop: ietf-http-wg@w3.org
Resent-Sender: ietf-http-wg-request@w3.org
Precedence: list
List-Id: <ietf-http-wg.w3.org>
List-Help: <https://www.w3.org/Mail/>
List-Post: <mailto:ietf-http-wg@w3.org>
List-Unsubscribe: <mailto:ietf-http-wg-request@w3.org?subject=unsubscribe>
> On Jul 14, 2021, at 12:55 AM, Watson Ladd <watsonbladd@gmail.com> wrote: > > On Tue, Jul 13, 2021 at 5:03 AM Justin Richer <jricher@mit.edu> wrote: >> <snip> Not only that, but it's supposed to be lower priority than other sources for this info, so if you're doing things right an attacker won't be able to substitute at all. > > Why have it at all? We have been down this road with JWT, and hack > after hack later, finally sort of maybe learned how to do it right. > Having this algorithm field invites mischief either through bug or > doing things wrong, and signing it doesn't help. We should strive for > specs that cannot be used unsafely, not ones that can be used safely. > > MACs and signatures are not the same. Using them interchangeably is a > mistake. Letting the signer specify which one to use is a mistake. > There's really no excuse here: store the signature algorithm with the > verification key, not in the incoming data to be verified, even if you > must call HMAC a signature. > I’d argue that both keyed MACs and digital signatures serve the same purpose from an application perspectives, even if the underlying portions are very different from each other, as is the nature of the key material. In this spec, they aren’t interchangeable, they’re usable at the same level. The difference is in the key: If you have an EC key and someone signals an HMAC on a message, that’s an error condition right there and it’s easily detectable. We can — and will — call out known issues like this in the security considerations discussion. We aren’t starting from a vacuum, after all. Runtime switching is desirable in some applications and can be handled safely if done well. It’s our goal to have the spec text push people towards defining things either statically at the application level or within the key material’s metadata, and only falling to runtime signals when needed. This is a far cry from the Cavage I-D which said that you always had to have the algorithm field but could ignore it in certain circumstances, during which you’d just “figure it out” from the key, with zero guidance from the spec as to how that was actually supposed to work. The system that we have effectively takes all the best practices from JOSE and other systems and codifies them. The lack of clear primacy was the core cause for bugs in the JOSE world around this field. Additionally, having named algorithms defined in the spec text also serves to model what is required for application of a signature method to this model: the precision required in these definitions is usually lost on new implementors. Whether or not people use the runtime labels to switch, we want implementors to see what it takes to tie a signature method to an HTTP message. And besides, I fully believe if we don’t do enable a well-defined way to signal this, someone’s going to just slap an “alg” parameter in there anyway and then start re-making all the mistakes from JOSE from scratch, probably even including “alg: none” again. — Justin
- RE: draft-ietf-httpbis-message-signatures-05 Justin Richer
- MACs and Signatures (was Re: draft-ietf-httpbis-m… Watson Ladd
- Re: MACs and Signatures (was Re: draft-ietf-httpb… Justin Richer
- Re: MACs and Signatures (was Re: draft-ietf-httpb… Watson Ladd
- Re: MACs and Signatures (was Re: draft-ietf-httpb… Nikos Fotiou