Re: Call for Adoption: Secondary Certificate Authentication in HTTP/2
Amos Jeffries <squid3@treenet.co.nz> Sun, 17 July 2016 07:54 UTC
Return-Path: <ietf-http-wg-request+bounce-httpbisa-archive-bis2juki=lists.ie@listhub.w3.org>
X-Original-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Delivered-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 91CA012D1BB for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Sun, 17 Jul 2016 00:54:24 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -8.208
X-Spam-Level:
X-Spam-Status: No, score=-8.208 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HEADER_FROM_DIFFERENT_DOMAINS=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, RP_MATCHES_RCVD=-1.287, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id s7JFib2e7oGh for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Sun, 17 Jul 2016 00:54:21 -0700 (PDT)
Received: from frink.w3.org (frink.w3.org [128.30.52.56]) (using TLSv1.2 with cipher DHE-RSA-AES128-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0E91812D1A2 for <httpbisa-archive-bis2Juki@lists.ietf.org>; Sun, 17 Jul 2016 00:54:21 -0700 (PDT)
Received: from lists by frink.w3.org with local (Exim 4.80) (envelope-from <ietf-http-wg-request@listhub.w3.org>) id 1bOgq5-00017M-IN for ietf-http-wg-dist@listhub.w3.org; Sun, 17 Jul 2016 07:50:13 +0000
Resent-Date: Sun, 17 Jul 2016 07:50:13 +0000
Resent-Message-Id: <E1bOgq5-00017M-IN@frink.w3.org>
Received: from maggie.w3.org ([128.30.52.39]) by frink.w3.org with esmtps (TLS1.2:DHE_RSA_AES_128_CBC_SHA1:128) (Exim 4.80) (envelope-from <squid3@treenet.co.nz>) id 1bOgq1-00016R-Oe for ietf-http-wg@listhub.w3.org; Sun, 17 Jul 2016 07:50:09 +0000
Received: from [121.99.228.82] (helo=treenet.co.nz) by maggie.w3.org with esmtp (Exim 4.80) (envelope-from <squid3@treenet.co.nz>) id 1bOgpz-00056O-8C for ietf-http-wg@w3.org; Sun, 17 Jul 2016 07:50:09 +0000
Received: from [192.168.20.251] (unknown [121.98.40.13]) by treenet.co.nz (Postfix) with ESMTP id 8A22EE6FBF for <ietf-http-wg@w3.org>; Sun, 17 Jul 2016 19:49:34 +1200 (NZST)
To: ietf-http-wg@w3.org
References: <F9D2CFF3-57C2-41BD-ACB1-FA6C991458D7@mnot.net> <CABcZeBPTYgcfecKErhacR=jfXkoRPESgUQ=1pzPEWg092fqZvw@mail.gmail.com> <BL2PR03MB1905D20659B406937EA7C021873B0@BL2PR03MB1905.namprd03.prod.outlook.com> <CABcZeBOuf0k5VwSO1nMp-P0YXF-j8pZ7ZVF1h-_pMU54LnwpJQ@mail.gmail.com> <CABkgnnXL-hS-raH5cC3c0nzpTHWP8speLbOhFNppv4p5LB5nQQ@mail.gmail.com> <CAOdDvNoVYPojUzqTgZBv=bqKFDPy8pg-w78s37Aa1WYQ0=g3GA@mail.gmail.com> <BLUPR03MB1330DCF6DD19EF369A56949A87340@BLUPR03MB1330.namprd03.prod.outlook.com>
From: Amos Jeffries <squid3@treenet.co.nz>
Message-ID: <6cec80ab-dd00-41ef-f2ea-e92d8f00cbdc@treenet.co.nz>
Date: Sun, 17 Jul 2016 19:49:33 +1200
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:45.0) Gecko/20100101 Thunderbird/45.2.0
MIME-Version: 1.0
In-Reply-To: <BLUPR03MB1330DCF6DD19EF369A56949A87340@BLUPR03MB1330.namprd03.prod.outlook.com>
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 8bit
Received-SPF: pass client-ip=121.99.228.82; envelope-from=squid3@treenet.co.nz; helo=treenet.co.nz
X-W3C-Hub-Spam-Status: No, score=-4.3
X-W3C-Hub-Spam-Report: AWL=-1.234, BAYES_00=-1.9, RDNS_NONE=0.793, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, W3C_AA=-1, W3C_WL=-1
X-W3C-Scan-Sig: maggie.w3.org 1bOgpz-00056O-8C df949a28e71544a79f66ffe3cafe4dd0
X-Original-To: ietf-http-wg@w3.org
Subject: Re: Call for Adoption: Secondary Certificate Authentication in HTTP/2
Archived-At: <http://www.w3.org/mid/6cec80ab-dd00-41ef-f2ea-e92d8f00cbdc@treenet.co.nz>
Resent-From: ietf-http-wg@w3.org
X-Mailing-List: <ietf-http-wg@w3.org> archive/latest/31988
X-Loop: ietf-http-wg@w3.org
Resent-Sender: ietf-http-wg-request@w3.org
Precedence: list
List-Id: <ietf-http-wg.w3.org>
List-Help: <http://www.w3.org/Mail/>
List-Post: <mailto:ietf-http-wg@w3.org>
List-Unsubscribe: <mailto:ietf-http-wg-request@w3.org?subject=unsubscribe>
On 17/07/2016 7:30 a.m., Mike Bishop wrote: > Thanks for the editorial catches! > > Server might also prefer encrypted SNI, but with this model it’s only > the client that decides whether to conceal the identity it actually > intends to make requests of. We can tweak the wording. Your point > about not calling it the “”real” certificate” with quotes is another > candidate for wordsmithing. The certificate of the origin to which > it actually intends to make requests? I’m basically taking this off > of EKR and DKG’s idea that you do an external TLS handshake with an > innocuous hostname, then get the cert for the hostname you actually > care about inside the encrypted context. So “fake” in that it’s not > actually the origin you care about, not “fake” in the not-valid > sense. So one certificate is about the channel and one about the origin. Can we agree to use those terms (or similar polite equivalents) to describe them? I agree with Patrick. Lets avoid branding anything "fake" if its an expected or required part of the protocol, even if only by implication of derived from something else being "real". > > Yeah, the stream states aren’t ideal. I was trying to define invalid > stream states, and basically came down to only one stream state where > this exchange can’t be made. And you’re correct – it will normally > either be done on an idle stream (pre-HEADERS) or a closed stream > (unauthenticated push). We could simplify that if we just said that > servers MUST provide the certificate prior to pushing, which is > probably worthwhile. If we’re not expecting/permitting clients to > just remember which certificates were collocated, then the server > always knows exactly what set of certificates the client has seen > from it on the current connection. Considered the other way, what use is the certificate if its not received until (long?) after the recipient has delivered the related stream data[1] on to other unsuspecting actors? Because thats what it will probably be doing once a stream is closed. There is also the case of the stream closure triggering the whole connection closure and in-transit octets being discarded unseen. [1] I mean the transaction data in its general sense. HTTP headers, metadata and payload inclusive, either partially or in whole > > We’ve gotten into the is-it/isn’t-it of IP routing, name resolution, > and the PKI’s interrelationship in the security model a couple times > now. I think you’ve mostly convinced me that we’re effectively > betting the farm on certs and routing is just our security blanket, I don't see why you would need convincing of that. This draft is about certificate security - its name says as much. One expects it to focus on the certificate part of the system and rely on external resources to define the other parts. > but the reality is that this would still make the use of a cert > compromise / spoof much nastier. I don’t have to get you to connect > to me with the origin I compromised, I just have to get you to > connect to me with some origin. And the restriction does exist in > HTTP/2 already, so I’d like a little better motivation to change it > than just having thought better of it. If it’s actually wrong, > should we be updating RFC 7540 independent of this work? Do you > ignore DNS for coalescing purposes if the presented cert is valid for > the origin? But yes, I’d like to see us clarify our security model > and assumptions, and if this helps move us down that road, I’m > happy. Calling the important dependencies out is good of course, but not at expense of drowning out the document focus. HTH Amos
- Re: Call for Adoption: Secondary Certificate Auth… Martin Thomson
- Re: Call for Adoption: Secondary Certificate Auth… Eric Rescorla
- RE: Call for Adoption: Secondary Certificate Auth… Mike Bishop
- Re: Call for Adoption: Secondary Certificate Auth… Eric Rescorla
- Re: Call for Adoption: Secondary Certificate Auth… Martin Thomson
- Re: Call for Adoption: Secondary Certificate Auth… Ilari Liusvaara
- Re: Call for Adoption: Secondary Certificate Auth… Martin Thomson
- Re: Call for Adoption: Secondary Certificate Auth… Nick Sullivan
- RE: Call for Adoption: Secondary Certificate Auth… Mike Bishop
- Re: Call for Adoption: Secondary Certificate Auth… Cory Benfield
- Re: Call for Adoption: Secondary Certificate Auth… Ilari Liusvaara
- Call for Adoption: Secondary Certificate Authenti… Mark Nottingham
- Re: Call for Adoption: Secondary Certificate Auth… Ilari Liusvaara
- Re: Call for Adoption: Secondary Certificate Auth… Martin Thomson
- Re: Call for Adoption: Secondary Certificate Auth… Ilari Liusvaara
- Re: Call for Adoption: Secondary Certificate Auth… Amos Jeffries
- RE: Call for Adoption: Secondary Certificate Auth… Mike Bishop
- Re: Call for Adoption: Secondary Certificate Auth… Patrick McManus
- Re: Call for Adoption: Secondary Certificate Auth… Kazuho Oku
- Re: Call for Adoption: Secondary Certificate Auth… Nick Sullivan