Re: Secdir last call review of draft-ietf-httpbis-compression-dictionary-09
Patrick Meenan <pmeenan@google.com> Wed, 07 August 2024 23:42 UTC
Received: by ietfa.amsl.com (Postfix) id B8013C1D4CEC; Wed, 7 Aug 2024 16:42:04 -0700 (PDT)
Delivered-To: ietfarch-httpbisa-archive-bis2juki@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B7412C1D4CCD for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Wed, 7 Aug 2024 16:42:04 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -10.36
X-Spam-Level:
X-Spam-Status: No, score=-10.36 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_MED=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HEADER_FROM_DIFFERENT_DOMAINS=0.25, HTML_MESSAGE=0.001, MAILING_LIST_MULTI=-1, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, USER_IN_DEF_DKIM_WL=-7.5] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=w3.org header.b="EdhQQJiv"; dkim=pass (2048-bit key) header.d=w3.org header.b="OKLK4/DQ"; dkim=pass (2048-bit key) header.d=google.com header.b="NDb40ocZ"
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id mnIxGrsUsQqv for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Wed, 7 Aug 2024 16:42:04 -0700 (PDT)
Received: from mab.w3.org (mab.w3.org [IPv6:2600:1f18:7d7a:2700:d091:4b25:8566:8113]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange ECDHE (P-256) server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2E353C1654F2 for <httpbisa-archive-bis2Juki@ietf.org>; Wed, 7 Aug 2024 16:41:58 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=w3.org; s=s1; h=Subject:Content-Type:Cc:To:Message-ID:Date:From:In-Reply-To: References:MIME-Version:Reply-To; bh=e0jGc+qBvuIqXhtf9EWv019MQytLRqK/0LvGqdXUEaU=; b=EdhQQJivAqD/cu1k9ICNJebmUj oNzJgGHrCp++uqKLVpJjzu6PP28MgfWN1aTJIYQcMVQAwPv/jP1zD9MtY6cp0o7aR/1ShEUvEfdCk /8KkHvQtq03v0cOIXzZ/ZH1UQwA4bEj6kZtCnL8Us/jz1OAf06NMvrnkq9VmDJAFIAhp+fCWbTnU5 BaR+CEPw1OMtig000pNp3xrhcWDKm8qSMB99FCcbJYPN+qxG0hP+k4/DZzzkqvwNNhDW4ejuhiUkq D+K2tOtcegJpq4Ls/JmLUXE8exreFHpEzMQyWuFe6Rp/86+mlfgeMOCFhMbcZdERVheEPAyUvgY/A 5naYfdCA==;
Received: from lists by mab.w3.org with local (Exim 4.96) (envelope-from <ietf-http-wg-request@listhub.w3.org>) id 1sbqHF-007iYD-1S for ietf-http-wg-dist@listhub.w3.org; Wed, 07 Aug 2024 23:41:09 +0000
Resent-Date: Wed, 07 Aug 2024 23:41:09 +0000
Resent-Message-Id: <E1sbqHF-007iYD-1S@mab.w3.org>
Received: from ip-10-0-0-224.ec2.internal ([10.0.0.224] helo=puck.w3.org) by mab.w3.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.96) (envelope-from <pmeenan@google.com>) id 1sbqHC-007iXL-2u for ietf-http-wg@listhub.w3.internal; Wed, 07 Aug 2024 23:41:06 +0000
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=w3.org; s=s1; h=Content-Type:Cc:To:Subject:Message-ID:Date:From:In-Reply-To: References:MIME-Version:Reply-To; bh=e0jGc+qBvuIqXhtf9EWv019MQytLRqK/0LvGqdXUEaU=; t=1723074066; x=1723938066; b=OKLK4/DQ12SCd0NMTvXBWrs5jHjvl1wEEOaVPycXmezvv/OHjqZMCRVSjAfRe5zoDssfcERMKqa ZVzQ3Li2lG+/mWOaWwu1YgUo7RDZ48NWZcRQWzD9idVfwooNlRzIqOmBXasXXMZaxBzpQYTznIhUw JWsKtCPRxx3/8XWxG1zIOzChLaUHmIabKBTNRrNNaSeIt4EL2QFMSFLrcmHKVggLFsSb+PSPNMCFk WtNPgFbSbK9cmfiBjNl3rX0wRkZCSt0S2+72o8LzJW6F5nKfOUMxpSMS/Jh9vbcvfFfmREwlhdwQE XMfq7rCSX8Ln4+f5cxDI7qPOoLUd4nVl0UBg==;
Received-SPF: pass (puck.w3.org: domain of google.com designates 2607:f8b0:4864:20::b2c as permitted sender) client-ip=2607:f8b0:4864:20::b2c; envelope-from=pmeenan@google.com; helo=mail-yb1-xb2c.google.com;
Received: from mail-yb1-xb2c.google.com ([2607:f8b0:4864:20::b2c]) by puck.w3.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (Exim 4.96) (envelope-from <pmeenan@google.com>) id 1sbqHB-009DcK-2E for ietf-http-wg@w3.org; Wed, 07 Aug 2024 23:41:06 +0000
Received: by mail-yb1-xb2c.google.com with SMTP id 3f1490d57ef6-e0bfd14aff7so311889276.3 for <ietf-http-wg@w3.org>; Wed, 07 Aug 2024 16:41:05 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20230601; t=1723074062; x=1723678862; darn=w3.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=e0jGc+qBvuIqXhtf9EWv019MQytLRqK/0LvGqdXUEaU=; b=NDb40ocZaroJszZkX5134NYdyn+4siZBfzCLAXZKZp7wy4t36TbITUUpt5OD6H+NJx TlOEcWqLqKZNpVYXLx8phUZNPYxk8WohJvAisVaZuPYJrYPOrI+ty1bkjhjsKxjrne8+ 57OlioHqrXQ8D3Y4z0ITgi3j0KswR9FBPq2r5o15X4K98khmxgWxaTlPdMA+V0J08pvM fsms4GyAXoDBW7yfGqa4pDUBJJJ9FiDXvj905fxB6TF+PFyQM+El7fzsZtyySIjgP18e Z46sPYNqjfLtw5KSY+DRb4LVcrvYJGVoI/8WUF8t56tQVXM5o8J2fj34s+zqNIK3lZsn f3fQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1723074062; x=1723678862; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=e0jGc+qBvuIqXhtf9EWv019MQytLRqK/0LvGqdXUEaU=; b=nXOlb2hG2INEFDCFORCzVE2kRLElD/OgWTx6Y2nnsLC1ukbGTeQ2X/VNJilhgIcAW0 T0tzndy2omC67K8kzoxbinN89jMBiEuKKTpS/L6kcktkoHBybQg5chJ6zKDW5pStAOSk 5L36CKAN9tDpV+BhnuTr4Rks3lrGPXnqhL1Dv+hO7p0lGYakfxDkCRkQglvQN0OxtPLw J+v2UQmr/3M109MPx9lDdBTXwVa2SaD9DapqlLwV8auzg0gGsKsCo5WS4vQkIlTrxePr dIQ6Mel9Xxig3RSQc66jOzZL88jao+ky7M4QEt3/iZxPdWuqIcDxF+Uft8yQ9/+FR0t4 f4Tw==
X-Forwarded-Encrypted: i=1; AJvYcCWSLAr2SNUxiS4aPEWVF8Shvx1Td4Vv5TDND/iUzO4xvVJKVuVr7ZdHgkjdFjbiSnFbR3W3IjK480fxCINbh/3qR8AN
X-Gm-Message-State: AOJu0YxPogBKqPgyehJxBjiRV/JcES5AcDiLKB9UwpWpGrQ3SBjOc+Py 6Suxs5fkAzS+vbAaanpE2dQbudJcslyuTU8wiPDb1FMkjaTwguNwDnxgVEQjtJ5d4iznRwFm0dB n8LU0vbQiuvcGxpBcR7T0yCDVK9xmS7/Rq4zM
X-Google-Smtp-Source: AGHT+IHfDQNpNgoIirynEU+FEluaRifD5seZZxhEpQWfV+MXVj0Dd2GFW+ONWB9ntVTbJ9oXq6Y9nTcLvwqhO0AmDX0=
X-Received: by 2002:a05:6902:2e0f:b0:e0b:f69b:da19 with SMTP id 3f1490d57ef6-e0e9dbb268bmr221004276.40.1723074061846; Wed, 07 Aug 2024 16:41:01 -0700 (PDT)
MIME-Version: 1.0
References: <172307181050.195.15472875602261483639@dt-datatracker-6df4c9dcf5-t2x2k>
In-Reply-To: <172307181050.195.15472875602261483639@dt-datatracker-6df4c9dcf5-t2x2k>
From: Patrick Meenan <pmeenan@google.com>
Date: Wed, 07 Aug 2024 19:40:49 -0400
Message-ID: <CACPgMqWT_jaqM2U94oV9=GX-iQL_3WwCAxrazQgZinODWoP2Ew@mail.gmail.com>
To: Nancy Cam-Winget <ncamwing@cisco.com>
Cc: secdir@ietf.org, draft-ietf-httpbis-compression-dictionary.all@ietf.org, ietf-http-wg@w3.org, last-call@ietf.org
Content-Type: multipart/alternative; boundary="00000000000061d173061f2071fa"
X-W3C-Hub-DKIM-Status: validation passed: (address=pmeenan@google.com domain=google.com), signature is good
X-W3C-Hub-Spam-Status: No, score=-21.6
X-W3C-Hub-Spam-Report: BAYES_00=-1.9, DKIMWL_WL_MED=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, DMARC_PASS=-0.001, ENV_AND_HDR_SPF_MATCH=-0.5, HTML_MESSAGE=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, USER_IN_DEF_DKIM_WL=-7.5, USER_IN_DEF_SPF_WL=-7.5, W3C_AA=-1, W3C_DB=-1, W3C_IRA=-1, W3C_WL=-1
X-W3C-Scan-Sig: puck.w3.org 1sbqHB-009DcK-2E c292eac702a180705b54c3fc6962cd41
X-Original-To: ietf-http-wg@w3.org
Subject: Re: Secdir last call review of draft-ietf-httpbis-compression-dictionary-09
Archived-At: <https://www.w3.org/mid/CACPgMqWT_jaqM2U94oV9=GX-iQL_3WwCAxrazQgZinODWoP2Ew@mail.gmail.com>
Resent-From: ietf-http-wg@w3.org
X-Mailing-List: <ietf-http-wg@w3.org> archive/latest/52194
X-Loop: ietf-http-wg@w3.org
Resent-Sender: ietf-http-wg-request@w3.org
Precedence: list
List-Id: <ietf-http-wg.w3.org>
List-Help: <https://www.w3.org/email/>
List-Post: <mailto:ietf-http-wg@w3.org>
List-Unsubscribe: <mailto:ietf-http-wg-request@w3.org?subject=unsubscribe>
Thank you for the review. The intent of providing the hash of the "Available-Dictionary" is to be sure that the contents of the dictionary on the client are the same as what the server is using for the compression (more for integrity than anything else). It also acts as a default identifier in the negotiation if an explicit ID isn't provided. Both ZStandard and Brotli also use hashes to verify the dictionary before decompression to prevent corruption but providing it in the request header allows for the server to not send an invalid response in the first place in case the payloads got modified somewhere in the path previously or something else got out of sync. It is allowed (and expected) that there may be multiple dictionaries for the same resource (i.e. version 1.1 of example.js and version 1.2 of example.js both used as dictionaries for version 1.3 for different delta updates) and the hash makes differentiating them automatic (and standard). It's not meant as a protection against explicit attack - that is expected to be handled by the transport itself (encryption, cert verification, etc). An attack on the dictionary or payload would have the same risks and vulnerabilities as an attack on the uncompressed response itself (that part is where the same-origin dictionary/payload requirement comes from). Thanks, -Pat On Wed, Aug 7, 2024 at 7:03 PM Nancy Cam-Winget via Datatracker < noreply@ietf.org> wrote: > Reviewer: Nancy Cam-Winget > Review result: Ready > > SECDIR review of draft-ietf-httpbis-compression-dictionary-09 > > Reviewer: Nancy Cam-Winget > > > I have reviewed this document as part of the security directorate's > ongoing effort to review all IETF documents being processed by the > IESG. These comments were written primarily for the benefit of the > security area directors. Document editors and WG chairs should treat > these comments just like any other last call comments. > > > This document defines HTTP headers that can be used for negotiating > for enabling compression by using dictionaries. The negotiation > defines an external dictionary that provides the mapping or patterns > to decode when compression is enabled. The document leverages the use > of Brotli (RFC7932) and Standard (RFC8878) as the compression schemes. > > > The document reads well and I have found no issues but have > One minor question: > > Section 2.2 > * Is the intent of providing the hash of the "Available-Dictionary" > meant to be for protection or for compression? > > Section 9.1 > * To my point in Section 2.2, we presume that all headers are > encrypted and protected, so I think it would depend on what protection > is being achieved. That is, I think it should be stated that if the > header protection is found to be weak, this can be made vulnerable too > (I think this is somewhat covered in 9.2 maybe?) > > > >
- Secdir last call review of draft-ietf-httpbis-com… Nancy Cam-Winget via Datatracker
- Re: Secdir last call review of draft-ietf-httpbis… Patrick Meenan
- Re: Secdir last call review of draft-ietf-httpbis… Patrick Meenan