IETF Logo Mail Archive

Re: FW: New Version Notification for draft-thomson-http2-client-certs-01.txt

Martin Thomson <martin.thomson@gmail.com> Thu, 28 January 2016 01:05 UTC

Return-Path: <ietf-http-wg-request+bounce-httpbisa-archive-bis2juki=lists.ie@listhub.w3.org>
X-Original-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Delivered-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E1ABF1A003A for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Wed, 27 Jan 2016 17:05:41 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.003
X-Spam-Level:
X-Spam-Status: No, score=-7.003 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_HI=-5, RP_MATCHES_RCVD=-0.001, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id TowTVT3A6fxC for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Wed, 27 Jan 2016 17:05:39 -0800 (PST)
Received: from frink.w3.org (frink.w3.org [128.30.52.56]) (using TLSv1.2 with cipher DHE-RSA-AES128-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6FD961A0021 for <httpbisa-archive-bis2Juki@lists.ietf.org>; Wed, 27 Jan 2016 17:05:39 -0800 (PST)
Received: from lists by frink.w3.org with local (Exim 4.80) (envelope-from <ietf-http-wg-request@listhub.w3.org>) id 1aOayh-0007E6-5o for ietf-http-wg-dist@listhub.w3.org; Thu, 28 Jan 2016 01:02:27 +0000
Resent-Date: Thu, 28 Jan 2016 01:02:27 +0000
Resent-Message-Id: <E1aOayh-0007E6-5o@frink.w3.org>
Received: from maggie.w3.org ([128.30.52.39]) by frink.w3.org with esmtps (TLS1.2:DHE_RSA_AES_128_CBC_SHA1:128) (Exim 4.80) (envelope-from <martin.thomson@gmail.com>) id 1aOayb-0007DP-9x for ietf-http-wg@listhub.w3.org; Thu, 28 Jan 2016 01:02:21 +0000
Received: from mail-io0-f180.google.com ([209.85.223.180]) by maggie.w3.org with esmtps (TLS1.2:RSA_ARCFOUR_SHA1:128) (Exim 4.80) (envelope-from <martin.thomson@gmail.com>) id 1aOayY-0007c9-8h for ietf-http-wg@w3.org; Thu, 28 Jan 2016 01:02:20 +0000
Received: by mail-io0-f180.google.com with SMTP id 1so38547976ion.1 for <ietf-http-wg@w3.org>; Wed, 27 Jan 2016 17:01:57 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type:content-transfer-encoding; bh=RglbeGGSC5uG2chxZVeXl1IotMHXfOC20JNWQe7meV8=; b=pK8OtVV9PwFOZT4enZrjoH+gBAtDAUZWb61oRiGlNGeFCxU6qmOIpLV4aYh0UymoC5 xR4u0MlqUGPITlEqJ+DKCiX+Io4NOQlhlXCo8n5Oeb417jp8B9URowe8yS/xUxTpMFHb 0suxm6JZfMz5hXW0Xl2E+hE47qUB2ebGFRjeJoWNKUhJ+kc41dqf7w317kal0YEYPmrQ Kja0Fq56yzHuEpcQvk1xJRDjk+f7xtUv/hNVF1xt+3PYx0xrsh14JKnoGXUEGCK5grZv 8VuQJLYNgYf0B2GPo4WRDeNLdf30h2MJ2XWEeUUr3L9WbpbGoU8bWmUe+zC4xuv8PfA7 5K1g==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:date :message-id:subject:from:to:cc:content-type :content-transfer-encoding; bh=RglbeGGSC5uG2chxZVeXl1IotMHXfOC20JNWQe7meV8=; b=nJlgB+Tz6eHPC8PGW+6n0Bieg8FmLYenqeQh5YZHZ95n5CeJblv7WmSRR16VIuea4P NOLlKM7c7QomKtyCDBGzw6BWeHrEH36TfUVKqT5CK9DDAL4FPmfD3nI8vvNG3qGzXpVn ZJSHLpN+vtT/OTLVq2wj+gcQEhdeQVA2Rs4dmqob5GilUieIaWetwTkOCFWnm+mrN1hj 85UbOksnkYygdEKUOYs9GNYs+miq/BI46OXpbHCM5PtqseJw3TcUdyZxpuJpxwm9x1TM fQyu0MFo6u9ntl1ElYbHYf7DOdhzTKZWoy8mgcRyKGA2FNgXC6F2DRpeoCZTLtOtpZXN gBWQ==
X-Gm-Message-State: AG10YOR2wSz0Vn/cUS+iZIqZaEzQrgqT0EthpDFIPgvltckqZz1bPes4fwpCSp0poj7SACIcHn6F+G7zNgEh7A==
MIME-Version: 1.0
X-Received: by 10.107.33.14 with SMTP id h14mr820410ioh.108.1453942911477; Wed, 27 Jan 2016 17:01:51 -0800 (PST)
Received: by 10.36.149.130 with HTTP; Wed, 27 Jan 2016 17:01:51 -0800 (PST)
In-Reply-To: <CY1PR03MB1374BE68A92BACD8FA24A70087D90@CY1PR03MB1374.namprd03.prod.outlook.com>
References: <20160122222315.28781.93913.idtracker@ietfa.amsl.com> <CY1PR03MB1374890E32B6F6CA2AB78D8D87D80@CY1PR03MB1374.namprd03.prod.outlook.com> <20160126213813.GA5528@LK-Perkele-V2.elisa-laajakaista.fi> <CABkgnnVXvdLr7fh=Dc2HswE=hAmq30k2aXMvdi7u18=jj2iv9w@mail.gmail.com> <CY1PR03MB13742153C8F4DF64EEA67D8687D90@CY1PR03MB1374.namprd03.prod.outlook.com> <20160127084759.GA8247@LK-Perkele-V2.elisa-laajakaista.fi> <CY1PR03MB1374BE68A92BACD8FA24A70087D90@CY1PR03MB1374.namprd03.prod.outlook.com>
Date: Thu, 28 Jan 2016 12:01:51 +1100
Message-ID: <CABkgnnWEkDYDqg+1zm3=1gMHHnLGGoau8ncaWi5m7UYsGMvjbw@mail.gmail.com>
From: Martin Thomson <martin.thomson@gmail.com>
To: Mike Bishop <Michael.Bishop@microsoft.com>
Cc: "ilariliusvaara@welho.com" <ilariliusvaara@welho.com>, HTTP Working Group <ietf-http-wg@w3.org>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Received-SPF: pass client-ip=209.85.223.180; envelope-from=martin.thomson@gmail.com; helo=mail-io0-f180.google.com
X-W3C-Hub-Spam-Status: No, score=-7.9
X-W3C-Hub-Spam-Report: AWL=1.833, BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001, W3C_AA=-1, W3C_DB=-1, W3C_IRA=-1, W3C_IRR=-3, W3C_WL=-1
X-W3C-Scan-Sig: maggie.w3.org 1aOayY-0007c9-8h b5cc035719dc3778a79477075b69ba59
X-Original-To: ietf-http-wg@w3.org
Subject: Re: FW: New Version Notification for draft-thomson-http2-client-certs-01.txt
Archived-At: <http://www.w3.org/mid/CABkgnnWEkDYDqg+1zm3=1gMHHnLGGoau8ncaWi5m7UYsGMvjbw@mail.gmail.com>
Resent-From: ietf-http-wg@w3.org
X-Mailing-List: <ietf-http-wg@w3.org> archive/latest/31016
X-Loop: ietf-http-wg@w3.org
Resent-Sender: ietf-http-wg-request@w3.org
Precedence: list
List-Id: <ietf-http-wg.w3.org>
List-Help: <http://www.w3.org/Mail/>
List-Post: <mailto:ietf-http-wg@w3.org>
List-Unsubscribe: <mailto:ietf-http-wg-request@w3.org?subject=unsubscribe>

GIthub is unicorny again [1], so I'm going to dump this into email for
later action.

This should say that only the signature algorithms supported in the
negotiated version of TLS can be used.  Plus the following MUST NOT be
used:
 - MD5
 - SHA1
 - SHA224
 - DSA
 - ECDSA with curves on prime fields that are less than 240 bits wide
 - RSA with a prime modulus less than 2048 bits

I think that's about as aggressive without starting to prohibit some
things that are in common use.  Would that work for you Ilari?


[1] translation: argh, my Internet is down again

On 28 January 2016 at 10:01, Mike Bishop <Michael.Bishop@microsoft.com> wrote:
> Require EMS:  https://github.com/MikeBishop/http2-client-certs/commit/dfa59df62aec64044a407b0e8f67704e8eb91981
> Smaller export:  https://github.com/MikeBishop/http2-client-certs/commit/3880e6069480523fcdfa6130fd28bc26ff6ebe9f
> Cautions on AUTOMATIC_USE:  https://github.com/MikeBishop/http2-client-certs/commit/f1479486149e3d815662358d60d7be0bd877952c
>
> I'm not doing the signature/hash changes quite yet, because I'm not sure what we want to restrict.
>
> -----Original Message-----
> From: ilariliusvaara@welho.com [mailto:ilariliusvaara@welho.com]
> Sent: Wednesday, January 27, 2016 12:48 AM
> To: Mike Bishop <Michael.Bishop@microsoft.com>
> Cc: Martin Thomson <martin.thomson@gmail.com>; HTTP Working Group <ietf-http-wg@w3.org>
> Subject: Re: FW: New Version Notification for draft-thomson-http2-client-certs-01.txt
>
> On Wed, Jan 27, 2016 at 12:00:36AM +0000, Mike Bishop wrote:
>> I believe the other comment is also around AUTOMATIC_USE, since both
>> occurrences of "future streams" are in that context.  Basically, it
>> means any future stream on which the server would have made the same
>> request, the server can just use the provided cert and not burn an RTT
>> asking.
>
> And requests where that cert is inapporiate MUST NOT made on that connection.
>
> Also, can it apply to streams that are none of:
> 1) The stream AUTOMATIC_USE is sent on
> 2) Stream in IDLE.
> 3) Stream in PUSH_PROMISE
>
> At the time AUTOMATIC_USE is sent?
>
> If yes, that would be a nasty surprise...
>
>> Yes, the client loses visibility into whether the cert has been used,
>> and loses the ability to *not* use the cert if it chooses.  That's a
>> trade-off the client can make -- if it wants to retain those
>> capabilities (at the expense of 1 RTT per request), it just doesn't
>> set AUTOMATIC_USE.
>
> I don't think server chosing to ignore cert is a problem, as it is equivalent to cert just provoding no privilege at all. But using a cert that should not be used is a *serious* security problem in presence of more than 2 parties (like in Web (but Web is far from being the only place where security problems happen)).
>
>> The client makes the call -- and as Martin points out, it's
>> state-changing for the connection.  Once you AUTOMATIC_USE a
>> certificate, the server MAY apply it to any future request you make on the connection.
>> If you change your mind later, new connection (and presumably GOAWAY
>> the old one).
>
> Actually, in many cases where one would want to revoke certificate use, the old connection is not GOAWAY'd as it still might be useful.
>
>> As to requiring EMS,
>
> Basically, if you don't require EMS, maliscous server can hijack autenticated connection and misuse the certificates. HTTP/2 TLS use guidelines don't even come close to being able to prevent attacks like this.
>
>> reducing exporter, and appropriate HashAndSignature algorithms, I'll
>> defer to those with more expertise in TLS-land.
>
> Basically, I favor dropping insecure or excessively weak algorithms from new specifications or versions, even at severe cost to deploy- ability. We have gotten burned *far* too many times from not doing that, and *will* get burned in future if we continue allowing those.
>
>
>
> -Ilari

v2.23.0 | Report a Bug | By Email