Re: Web Keys and HTTP Signatures
Amos Jeffries <squid3@treenet.co.nz> Thu, 18 April 2013 13:57 UTC
Return-Path: <ietf-http-wg-request@listhub.w3.org>
X-Original-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Delivered-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1290F21F89A5 for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Thu, 18 Apr 2013 06:57:13 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -10.599
X-Spam-Level:
X-Spam-Status: No, score=-10.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_HI=-8]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id kJ3F1KUJHcOV for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Thu, 18 Apr 2013 06:57:12 -0700 (PDT)
Received: from frink.w3.org (frink.w3.org [128.30.52.56]) by ietfa.amsl.com (Postfix) with ESMTP id 8482221F8D6A for <httpbisa-archive-bis2Juki@lists.ietf.org>; Thu, 18 Apr 2013 06:57:12 -0700 (PDT)
Received: from lists by frink.w3.org with local (Exim 4.72) (envelope-from <ietf-http-wg-request@listhub.w3.org>) id 1USpJt-00057R-FX for ietf-http-wg-dist@listhub.w3.org; Thu, 18 Apr 2013 13:56:13 +0000
Resent-Date: Thu, 18 Apr 2013 13:56:13 +0000
Resent-Message-Id: <E1USpJt-00057R-FX@frink.w3.org>
Received: from maggie.w3.org ([128.30.52.39]) by frink.w3.org with esmtp (Exim 4.72) (envelope-from <squid3@treenet.co.nz>) id 1USpJq-00056d-Ex for ietf-http-wg@listhub.w3.org; Thu, 18 Apr 2013 13:56:10 +0000
Received: from ip-58-28-153-233.static-xdsl.xnet.co.nz ([58.28.153.233] helo=treenet.co.nz) by maggie.w3.org with esmtp (Exim 4.72) (envelope-from <squid3@treenet.co.nz>) id 1USpJp-0001Y7-3v for ietf-http-wg@w3.org; Thu, 18 Apr 2013 13:56:10 +0000
Received: from [192.168.2.7] (103-9-43-128.flip.co.nz [103.9.43.128]) by treenet.co.nz (Postfix) with ESMTP id AEC16E711D for <ietf-http-wg@w3.org>; Fri, 19 Apr 2013 01:55:44 +1200 (NZST)
Message-ID: <516FFB5D.4000904@treenet.co.nz>
Date: Fri, 19 Apr 2013 01:55:41 +1200
From: Amos Jeffries <squid3@treenet.co.nz>
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:17.0) Gecko/20130328 Thunderbird/17.0.5
MIME-Version: 1.0
To: ietf-http-wg@w3.org
References: <516F14E1.5040503@digitalbazaar.com> <9DF0F237-62DC-4E82-A545-B09C6083849B@tzi.org> <CADcbRRN2XWa9QwuaXAoxjMdkcguvQiiGq934RXU=-1ntzGpWNQ@mail.gmail.com> <255B9BB34FB7D647A506DC292726F6E1150C90E93E@WSMSG3153V.srv.dir.telstra.com> <CABkgnnXoY3iOH7M=A5hCo+eTnDiPODvgmdnDay0AKUo4PsuoMg@mail.gmail.com> <516FF833.1000401@digitalbazaar.com>
In-Reply-To: <516FF833.1000401@digitalbazaar.com>
Content-Type: text/plain; charset="UTF-8"; format="flowed"
Content-Transfer-Encoding: 7bit
Received-SPF: pass client-ip=58.28.153.233; envelope-from=squid3@treenet.co.nz; helo=treenet.co.nz
X-W3C-Hub-Spam-Status: No, score=-3.5
X-W3C-Hub-Spam-Report: AWL=-3.449, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001
X-W3C-Scan-Sig: maggie.w3.org 1USpJp-0001Y7-3v a58bb0197587ef4bfcdb3c68d5b2ab6f
X-Original-To: ietf-http-wg@w3.org
Subject: Re: Web Keys and HTTP Signatures
Archived-At: <http://www.w3.org/mid/516FFB5D.4000904@treenet.co.nz>
Resent-From: ietf-http-wg@w3.org
X-Mailing-List: <ietf-http-wg@w3.org> archive/latest/17332
X-Loop: ietf-http-wg@w3.org
Resent-Sender: ietf-http-wg-request@w3.org
Precedence: list
List-Id: <ietf-http-wg.w3.org>
List-Help: <http://www.w3.org/Mail/>
List-Post: <mailto:ietf-http-wg@w3.org>
List-Unsubscribe: <mailto:ietf-http-wg-request@w3.org?subject=unsubscribe>
On 19/04/2013 1:42 a.m., Manu Sporny wrote: > On 04/17/2013 08:00 PM, Martin Thomson wrote: >> Yeah, that's a pretty bad. Switching two date-formatted headers >> might be a simple thing to gain advantage on. (Last-Modified and >> Date, might work to poison a cache with old content if the cache >> isn't rigorous about checking Date). It seems like a simple fix >> would be to include the list of headers under the signature as the >> first item. > Carsten, James, Martin - good catch, thanks. We had assumed that the > implementation included the headers names as well as the values in the > data being digitally signed. As Dave Lehn pointed out, this is a work in > progress, but we wanted to get something out as sooner than later. > > The attack is only possible if a message is passed over a non-secure > channel, right? That is, the spec is clear about passing all messages > over HTTPS. Granted, that's not an excuse for the approach taken and it > should be fixed, but the attack is only possible if messages are sent > over an insecure channel, correct? We had this argument out in the Bearer auth discussions. HTTPS is just one layer of security, it can (and routinely is) broken into by transparent proxies. Your auth scheme needs to be as self-contained as possible and take advantage of every little bit of security that it can do without relying on external layers such as the SSL/TLS layer. It is better to be doubly-strong when HTTPS works than to depend on it alone break at the first sign of trouble. IMO signed message schemes like this stand a far better chance of being rolled out if they work on plain-HTTP. There are a number of web applications and service which require security without the sledgehammer and limitations of TLS. Amos
- Web Keys and HTTP Signatures Manu Sporny
- Re: Web Keys and HTTP Signatures Carsten Bormann
- Re: Web Keys and HTTP Signatures David I. Lehn
- RE: Web Keys and HTTP Signatures Manger, James H
- Re: Web Keys and HTTP Signatures Martin Thomson
- Re: Web Keys and HTTP Signatures David I. Lehn
- Re: Web Keys and HTTP Signatures Carsten Bormann
- Re: Web Keys and HTTP Signatures Carsten Bormann
- Re: Web Keys and HTTP Signatures Manu Sporny
- Re: Web Keys and HTTP Signatures Amos Jeffries
- Re: Web Keys and HTTP Signatures Daniel Friesen
- Re: Web Keys and HTTP Signatures Stephen Farrell
- Re: Web Keys and HTTP Signatures David Morris
- Re: Web Keys and HTTP Signatures Carsten Bormann
- Re: Web Keys and HTTP Signatures Ken Murchison
- Re: Web Keys and HTTP Signatures Manu Sporny
- Re: Web Keys and HTTP Signatures Carsten Bormann
- Re: Web Keys and HTTP Signatures Manu Sporny
- Re: Web Keys and HTTP Signatures Manu Sporny
- Re: Web Keys and HTTP Signatures Manu Sporny
- Re: Web Keys and HTTP Signatures Nico Williams
- Re: Web Keys and HTTP Signatures Nico Williams