Re: Roman Danyliw's No Objection on draft-ietf-httpbis-digest-headers-12: (with COMMENT)
Lucas Pardue <lucaspardue.24.7@gmail.com> Tue, 23 May 2023 19:52 UTC
Return-Path: <ietf-http-wg-request+bounce-httpbisa-archive-bis2juki=lists.ie@listhub.w3.org>
X-Original-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Delivered-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 86AB2C1519B2 for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Tue, 23 May 2023 12:52:35 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.747
X-Spam-Level:
X-Spam-Status: No, score=-2.747 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HEADER_FROM_DIFFERENT_DOMAINS=0.25, HTML_MESSAGE=0.001, MAILING_LIST_MULTI=-1, RCVD_IN_MSPIKE_H2=-0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id CAmALhTElTy0 for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Tue, 23 May 2023 12:52:32 -0700 (PDT)
Received: from lyra.w3.org (lyra.w3.org [128.30.52.18]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange ECDHE (P-256) server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D265DC14F6EC for <httpbisa-archive-bis2Juki@lists.ietf.org>; Tue, 23 May 2023 12:52:31 -0700 (PDT)
Received: from lists by lyra.w3.org with local (Exim 4.94.2) (envelope-from <ietf-http-wg-request@listhub.w3.org>) id 1q1Y1b-00HYKT-KS for ietf-http-wg-dist@listhub.w3.org; Tue, 23 May 2023 19:50:27 +0000
Resent-Date: Tue, 23 May 2023 19:50:27 +0000
Resent-Message-Id: <E1q1Y1b-00HYKT-KS@lyra.w3.org>
Received: from mimas.w3.org ([128.30.52.79]) by lyra.w3.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.94.2) (envelope-from <lucaspardue.24.7@gmail.com>) id 1q1Y1a-00HYJa-Bw for ietf-http-wg@listhub.w3.org; Tue, 23 May 2023 19:50:26 +0000
Received: from mail-oa1-x31.google.com ([2001:4860:4864:20::31]) by mimas.w3.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (Exim 4.94.2) (envelope-from <lucaspardue.24.7@gmail.com>) id 1q1Y1Z-001OQw-NJ for ietf-http-wg@w3.org; Tue, 23 May 2023 19:50:26 +0000
Received: by mail-oa1-x31.google.com with SMTP id 586e51a60fabf-19c7e1acf9eso76451fac.1 for <ietf-http-wg@w3.org>; Tue, 23 May 2023 12:50:24 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20221208; t=1684871420; x=1687463420; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=f9hT2WDTuoNkWKWP8vOH2fKfAxr7l146jiLQMqb/KYk=; b=cTomHEMlz/iNSI9E7c6IOvjkj8KB0/dYEElNNyaKbcg/Mgi3/3o7Y2iPmTAIqEaotR dzEyyiiqIYr+VVM5DvrPldLUSXrix+5DZmBBP0oiAMLt0JEsOoTXA1HrIjew5xHEHfkX cIGJgQwm2vPP/aL33/FeRiUw9Oei9ZX/MngTPnRA0JXdyCpsfjNANnb/y4TCW3qkeT/f ewApkdcLspkzQ69Lm/d3ThZwfxtNDMTVVvtAS+PboiXXMpdrTW1UUz7SK7p8ksxER6kZ YGIYXk4vVvLUpUROw0o4pR8LxHp5kT+D5HTzyB/TSkQ7gt/aAsNTFodlsM7MWIg7KbUU QXGg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20221208; t=1684871420; x=1687463420; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=f9hT2WDTuoNkWKWP8vOH2fKfAxr7l146jiLQMqb/KYk=; b=bBAJlMSj5jtqgreqcIVQMN8eDMrXYgbqhx0ziALmQ+q8BYbCyuCHYgI/tGTay2Gadq uGAQ7IIfcTWXzCaBDj9cfHldbyaT+vIe5tGeiAWc8XRh58LrFrEIB35iMPb3IzV1c4wP /+Q6OeCTzjicHYqe7QJRVPCMgnmPxY9uf++n2g9eovb5CPTHMRn7HG1ULy493UTKxOpX abb1Ir1U5yv+YG3qR/bxPvQdzdpR5SyYVtliyLwVoINLctRqk2OdcEREsW0Ds/0Rtgyi +c7poSwOZQbUJCVuVIUZciccE8dztJt8g8z6SKw2iSzATvUQ5jVNL5ZexLtg9FBoKHMR Jbqg==
X-Gm-Message-State: AC+VfDz2YgyNC5VdFF3OBR9ga24QnmRg+SQ1GLbcNtH9RRQ4YDZGHou7 CWniKJ5B+BsDtotzninbHSXcQIatB2WNQKtZive4jrGapik=
X-Google-Smtp-Source: ACHHUZ6vWKOKLbFVT5UmUXzisbACZ6if3D+NiEZjit9kRMDS4ZAIASUVVyS+XcR/0k7aNMQM3KOXqeVqUQkeBFmSBWM=
X-Received: by 2002:a05:6870:8c26:b0:196:5f5f:7c7a with SMTP id ec38-20020a0568708c2600b001965f5f7c7amr8697931oab.33.1684871420372; Tue, 23 May 2023 12:50:20 -0700 (PDT)
MIME-Version: 1.0
References: <168486410440.60374.9215584822726745937@ietfa.amsl.com>
In-Reply-To: <168486410440.60374.9215584822726745937@ietfa.amsl.com>
From: Lucas Pardue <lucaspardue.24.7@gmail.com>
Date: Tue, 23 May 2023 20:50:09 +0100
Message-ID: <CALGR9oYrS_H9Qtn6ZvvBCUkK+CVsYMT1AUWM+LOiMbCNibA52g@mail.gmail.com>
To: Roman Danyliw <rdd@cert.org>
Cc: The IESG <iesg@ietf.org>, draft-ietf-httpbis-digest-headers@ietf.org, httpbis-chairs@ietf.org, ietf-http-wg@w3.org, mnot@mnot.net
Content-Type: multipart/alternative; boundary="00000000000080ea0c05fc61b2c0"
Received-SPF: pass client-ip=2001:4860:4864:20::31; envelope-from=lucaspardue.24.7@gmail.com; helo=mail-oa1-x31.google.com
X-W3C-Hub-DKIM-Status: validation passed: (address=lucaspardue.24.7@gmail.com domain=gmail.com), signature is good
X-W3C-Hub-Spam-Status: No, score=-4.9
X-W3C-Hub-Spam-Report: BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_ENVFROM_END_DIGIT=0.25, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, W3C_AA=-1, W3C_IRA=-1, W3C_WL=-1
X-W3C-Scan-Sig: mimas.w3.org 1q1Y1Z-001OQw-NJ 572fe68ca5fe5c59bc22680cf5dbf3c2
X-Original-To: ietf-http-wg@w3.org
Subject: Re: Roman Danyliw's No Objection on draft-ietf-httpbis-digest-headers-12: (with COMMENT)
Archived-At: <https://www.w3.org/mid/CALGR9oYrS_H9Qtn6ZvvBCUkK+CVsYMT1AUWM+LOiMbCNibA52g@mail.gmail.com>
Resent-From: ietf-http-wg@w3.org
X-Mailing-List: <ietf-http-wg@w3.org> archive/latest/51068
X-Loop: ietf-http-wg@w3.org
Resent-Sender: ietf-http-wg-request@w3.org
Precedence: list
List-Id: <ietf-http-wg.w3.org>
List-Help: <https://www.w3.org/Mail/>
List-Post: <mailto:ietf-http-wg@w3.org>
List-Unsubscribe: <mailto:ietf-http-wg-request@w3.org?subject=unsubscribe>
Hi Roman, Thanks for the review. Responses in line: On Tue, May 23, 2023 at 6:48 PM Roman Danyliw via Datatracker < noreply@ietf.org> wrote: > Roman Danyliw has entered the following ballot position for > draft-ietf-httpbis-digest-headers-12: No Objection > > When responding, please keep the subject line intact and reply to all > email addresses included in the To and CC lines. (Feel free to cut this > introductory paragraph, however.) > > > Please refer to > https://www.ietf.org/about/groups/iesg/statements/handling-ballot-positions/ > for more information about how to handle DISCUSS and COMMENT positions. > > > The document, along with other ballot positions, can be found here: > https://datatracker.ietf.org/doc/draft-ietf-httpbis-digest-headers/ > > > > ---------------------------------------------------------------------- > COMMENT: > ---------------------------------------------------------------------- > > Thank you to Peter Yee for the SECDIR review. > > ** Section 2. Using multiple digests in a single Content-Digest is > supported. > There is also guidance that “a recipient MAY ignore any or all of the > digests”. > I read that text as “if presented multiple digests, a recipient can > choose to > look at only one or some subset of the digests.” Is that accurate? Is > there > standardized behavior for when a recipient validates/checks both digests > and > only one is valid? > Background caveats: we are building on top of the way that RFC3230 did things, which was quite relaxed about stating what the receiver requirements are. In this draft, validation failures are primarily an implementation concern. In other words, the decision about what to do with a validation failure are the concern of the application using this HTTP capability. There's an interplay with general-purpose HTTP feature discovery too, which is not really great and we can't solve. In the case you highlight, I interpret that as a receiver that does want to check digest, and it receives more than one value that it supports the algoithm of. Since we don't really standardise what to do when even a single digest validation fails, I'm not sure what we can really say, from a standards perspective, if one succeeds or one fails. Spamming the receiver with digest values is a possible attack that we give some consideration in Section 6.7. So I'm cautious about making anything appear as if a receiver has to cross verify the integrity digests. > ** Section 4. > * key conveys the hashing algorithm (see Section 5); > > Shouldn’t this read as “hashing algorithm(s)” as it is possible to send > more > than one in the field? > The full text is > Want-Content-Digest and Want-Repr-Digest are of type Dictionary where each: - > * key conveys the hashing algorithm (see Section 5 <https://httpwg.org/http-extensions/draft-ietf-httpbis-digest-headers.html#algorithms> ); Just to establish we're on the same page. A Structured Fields Dictionary is a set of individual items that have a key. A key indicates a single algorithm. If the sender wants to indicate multiple algorithms, it sends multiple keys. If we didn't have the "each" qualifier on the preceding line, I'd agree that "keys" could be used. But I find the current presentation clearer from an editorial perspective. > ** Section 4. > * value is an Integer (Section 3.3.1 of [STRUCTURED-FIELDS]) that > conveys an ascending, relative, weighted preference. It must be > in the range 0 to 10 inclusive. 1 is the least preferred, 10 is > the most preferred, and a value of 0 means "not acceptable". > > -- Can multiple algorithms share the same preference value? For example, > could > multiple algorithms be labeled “not acceptable”? > > -- If yes, would their ordering determine preference? > Yes they can have the same value. We had a issue for this and concluded to not say anything specific about preference, which aligns with existing HTTP semantics. See https://github.com/httpwg/http-extensions/issues/2389. > ** Section 6.1. Recommend adding cautionary language about the > capabilities of > an adversary like those stated in Peter’s SECDIR review. Perhaps: > > OLD > Integrity fields are not intended to be a general protection against > malicious tampering with HTTP messages. This can be achieved by > combining it with other approaches such as transport-layer security > or digital signatures (for example, HTTP Message Signatures > [SIGNATURES]). > > NEW > Integrity fields are not intended to be a general protection against > malicious > tampering with HTTP messages. In the absence of additional security > mechanisms, > an on-path, malicious actor can remove or recalculate and substitute a > digest > value. This attack can be mitigated by combining mechanisms described in > this > document with other approaches such as transport-layer security or digital > signatures (for example, HTTP Message Signatures [SIGNATURES]). > Thank you for this suggestion, we'll incorporate this into the editor's copy. Cheers, Lucas
- Roman Danyliw's No Objection on draft-ietf-httpbi… Roman Danyliw via Datatracker
- Re: Roman Danyliw's No Objection on draft-ietf-ht… Lucas Pardue
- Re: Roman Danyliw's No Objection on draft-ietf-ht… Roberto Polli
- Re: Roman Danyliw's No Objection on draft-ietf-ht… Lucas Pardue