IETF Logo Mail Archive

Re: Discussion of 9.2.2

Greg Wilkins <gregw@intalio.com> Thu, 25 September 2014 16:14 UTC

Return-Path: <ietf-http-wg-request@listhub.w3.org>
X-Original-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Delivered-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2AE6F1A8546 for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Thu, 25 Sep 2014 09:14:56 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.065
X-Spam-Level:
X-Spam-Status: No, score=-7.065 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, RP_MATCHES_RCVD=-0.786, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id RBvNGcqYD6Wy for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Thu, 25 Sep 2014 09:14:50 -0700 (PDT)
Received: from frink.w3.org (frink.w3.org [128.30.52.56]) (using TLSv1 with cipher AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 32A5D1A8034 for <httpbisa-archive-bis2Juki@lists.ietf.org>; Thu, 25 Sep 2014 09:14:48 -0700 (PDT)
Received: from lists by frink.w3.org with local (Exim 4.72) (envelope-from <ietf-http-wg-request@listhub.w3.org>) id 1XXBdt-00006e-Rq for ietf-http-wg-dist@listhub.w3.org; Thu, 25 Sep 2014 16:11:41 +0000
Resent-Date: Thu, 25 Sep 2014 16:11:41 +0000
Resent-Message-Id: <E1XXBdt-00006e-Rq@frink.w3.org>
Received: from maggie.w3.org ([128.30.52.39]) by frink.w3.org with esmtp (Exim 4.72) (envelope-from <gregw@intalio.com>) id 1XXBdD-0008W1-03 for ietf-http-wg@listhub.w3.org; Thu, 25 Sep 2014 16:10:59 +0000
Received: from mail-wi0-f170.google.com ([209.85.212.170]) by maggie.w3.org with esmtps (TLS1.0:RSA_ARCFOUR_SHA1:16) (Exim 4.72) (envelope-from <gregw@intalio.com>) id 1XXBd1-0007mw-PQ for ietf-http-wg@w3.org; Thu, 25 Sep 2014 16:10:58 +0000
Received: by mail-wi0-f170.google.com with SMTP id fb4so8651189wid.5 for <ietf-http-wg@w3.org>; Thu, 25 Sep 2014 09:10:21 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:date :message-id:subject:from:to:cc:content-type; bh=MC8bjZRU+dTVAfVwhwvxxi8oK9MxkSNsjGkw7Srbqpw=; b=TN2a3CJWD7xcduZmjoClSgk7VZwOiPeUd0mEyOGvu4MiadLm9qLz2jMsnqzJA641SE wp+O0vXAyDAmP3MUOdEdklD/XG7C644aZtJjmjz9WEo0+8S5+plD5W25hfxxjk0lG+PQ 9ROuGnyjsJq2vQurCaat24E+9r69mXwhasdy7qS2ZHmF8wFEPckqAXib2f6BXmSupi40 FzHfFkLCf6j+fl2/P7XacO9oDIBaxBOclY27S+QD3VOlexEIzpJ1BT9SjYlTAtjccRdR 3irsYCRFUnIWTQVOMNXWzFlRfBQ4BzmaxTCGQRTORte/Y5aLMlMkaRquD6adocrWZGBr JnXA==
X-Gm-Message-State: ALoCoQlF98+MSushJ0B+oYeAp3kIh9ipyf+bypBfXdKZnrBXR6fA8mdwRL/zc+tPLRmBU4g8xd/W
MIME-Version: 1.0
X-Received: by 10.180.10.9 with SMTP id e9mr20352793wib.74.1411661419461; Thu, 25 Sep 2014 09:10:19 -0700 (PDT)
Received: by 10.194.169.98 with HTTP; Thu, 25 Sep 2014 09:10:19 -0700 (PDT)
In-Reply-To: <CABkgnnV0HFeshNAe9CAzFDeED6Os_GmG6kxm827N18wduCkjiA@mail.gmail.com>
References: <F0D4BA2A-46B2-4F1A-8A23-1A319A3E5FC0@mnot.net> <CABkgnnV0HFeshNAe9CAzFDeED6Os_GmG6kxm827N18wduCkjiA@mail.gmail.com>
Date: Fri, 26 Sep 2014 02:10:19 +1000
Message-ID: <CAH_y2NFu=kyTVK_neACEVyWp9m4wfLOUu-=Dc9nZoMhP+fNSsg@mail.gmail.com>
From: Greg Wilkins <gregw@intalio.com>
To: Martin Thomson <martin.thomson@gmail.com>
Cc: Mark Nottingham <mnot@mnot.net>, HTTP Working Group <ietf-http-wg@w3.org>
Content-Type: multipart/alternative; boundary="001a11c26a3a7f53e20503e609ec"
Received-SPF: permerror client-ip=209.85.212.170; envelope-from=gregw@intalio.com; helo=mail-wi0-f170.google.com
X-W3C-Hub-Spam-Status: No, score=-3.8
X-W3C-Hub-Spam-Report: AWL=-3.087, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7
X-W3C-Scan-Sig: maggie.w3.org 1XXBd1-0007mw-PQ 99f2aad1c32381c2753b8eaf95bee0dd
X-Original-To: ietf-http-wg@w3.org
Subject: Re: Discussion of 9.2.2
Archived-At: <http://www.w3.org/mid/CAH_y2NFu=kyTVK_neACEVyWp9m4wfLOUu-=Dc9nZoMhP+fNSsg@mail.gmail.com>
Resent-From: ietf-http-wg@w3.org
X-Mailing-List: <ietf-http-wg@w3.org> archive/latest/27233
X-Loop: ietf-http-wg@w3.org
Resent-Sender: ietf-http-wg-request@w3.org
Precedence: list
List-Id: <ietf-http-wg.w3.org>
List-Help: <http://www.w3.org/Mail/>
List-Post: <mailto:ietf-http-wg@w3.org>
List-Unsubscribe: <mailto:ietf-http-wg-request@w3.org?subject=unsubscribe>

On 25 September 2014 18:30, Martin Thomson <martin.thomson@gmail.com> wrote:

> Based on this discussion, I think that there needs to be a d) here
> where we note that implementations MUST NOT offer cipher suites where
> these properties (PFS, stream/block mode) are unknown.  This was an
> assumption on my part that turns out to be important.  With that
> change, I think that the concern about fragility becomes immaterial.
>


I think that something like that, if it applies to all offered protocols,
will help a bit with the fragility issue.  What that effectively means is
that weak ciphers for h1 fallback can only be offered if they are known by
the client to be non-h2 compliant.

If the server receives an unknown cipher, then it cannot accept h2 on it
and should thus avoid INADEQUATE_SECURITY.  The server will then only
accept h2 if it knows the cipher to be good and it can be reasonably
confident that the client will not be offering a h2 acceptable cipher
unknowingly

However I still have several lingering concerns:

   - Black listing ciphers for which properties are unknown may be a
   significant impediment to the adoption of new better cyphers.
   - Implementations that do not have direct access to the properties of a
   cipher will still probably resort to black/white listing of h2 acceptable
   ciphers.   It will be impossible to prevent such configuration breaking
   your rule d), however having such a configuration will at least reduce the
   barrier to introducing new ciphers...  So INADEQUATE_SECURITY can still
   occur if such configurations are over zealously updated in contradiction to
   9.2.2
   - I am concerned that "No block/stream ciphers except AEAD" is a
   sufficiently future proof specification.  Could there be block/stream
   ciphers that use something other than AEAD to make them sufficiently strong
   for h2?  If so, how would such ciphers be knowingly included?
   - Rather than whitelisting h2 ciphers based on their properties, would
   it not be simpler to.

So a similar counter proposal would be to replace c) with an explicit white
list of currently known weak ciphers that can be offered for h1 fallback.
This list would be immutable as it only exists to transit from known weak
ciphers.

This would give certainty to the sever side if they receive an unknown
cipher.  Since it is unknown, it is not in the h1 fallback whitelist, so it
is not being offered for h1 only.    Thus the server knows that if it
accepts it for h2 the client will also accept it (otherwise it would not
have been offered).

Both the client and server would then be empowered to have their own policy
on using unknown ciphers.  Clients can choose not to offer unknown ciphers
and servers can choose not to accept them.  But the key here is that this
choice is made independent of any protocol selection and can be achieved
through existing white/black list configuration.

regards


















-- 
Greg Wilkins <gregw@intalio.com>
http://eclipse.org/jetty HTTP, SPDY, Websocket server and client that scales
http://www.webtide.com  advice and support for jetty and cometd.

v2.46.0 | Report a Bug | By Email | System Status