[Last-Call] Last Call: <draft-ietf-httpbis-message-signatures-16.txt> (HTTP Message Signatures) to Proposed Standard
Watson Ladd <watsonbladd@gmail.com> Tue, 07 February 2023 07:24 UTC
Return-Path: <watsonbladd@gmail.com>
X-Original-To: last-call@ietfa.amsl.com
Delivered-To: last-call@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 22574C151524 for <last-call@ietfa.amsl.com>; Mon, 6 Feb 2023 23:24:56 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.098
X-Spam-Level:
X-Spam-Status: No, score=-2.098 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Gb57j3bPtlaV for <last-call@ietfa.amsl.com>; Mon, 6 Feb 2023 23:24:55 -0800 (PST)
Received: from mail-oa1-x2e.google.com (mail-oa1-x2e.google.com [IPv6:2001:4860:4864:20::2e]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id AB1DCC151522 for <last-call@ietf.org>; Mon, 6 Feb 2023 23:24:55 -0800 (PST)
Received: by mail-oa1-x2e.google.com with SMTP id 586e51a60fabf-1685cf2003aso17965160fac.12 for <last-call@ietf.org>; Mon, 06 Feb 2023 23:24:55 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=to:subject:message-id:date:from:mime-version:from:to:cc:subject :date:message-id:reply-to; bh=Ag1SXLrIgn846lMtsu5UlmPSv+eycSldv71dYDzvzeU=; b=MqVeAKSfMzRYq4PqujembvltStlbLLTtLgQY+19zrNtzVTZVUPF6IBTdriO0/l2olu ZScNvoV+Yj/7Fku+ZoX+MOiSug37mmAQg4op+dMjMu6YB95EsqDnDenrcOXGRE2hrUA5 e0hmgaKIMJXXPYhTslhstnhzV6qLb1Uv749rVUgNe/mGvoPWvogrbxqJNe+vuuXes9Yf X+crZ20bze+aN+rycmaP0TjDMgJYqrj0gcQCCFoLu9bFOaVM4o9f8y+dnrn2KAOXUg5Q YiuVvci/XWEOioIG0PRTHUCV/ISespkVi8SEmaTfqwlJpdBFEPXgOiqjZ7FyDZrOhb3H f6NA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=to:subject:message-id:date:from:mime-version:x-gm-message-state :from:to:cc:subject:date:message-id:reply-to; bh=Ag1SXLrIgn846lMtsu5UlmPSv+eycSldv71dYDzvzeU=; b=vAf2mMFh/RMlj88bUZSghWs64EZm68IBP7wcQxJ/9PE6oN2GGt0Vy1PzKrPGOjFdEK wShNPvZmAFMox63JXG9DyIb41XRCYbtu/0hAWuM/oVleF7hlbr0ojzj6I3E3jSZg9rxP 2Jy/YZd1tUyPc8SLVbMcmonDeByVuPK745WMgs37IA/7E5jHIwWaWclGJ0vZdtV2tUuS HkgmtB+unaqMKWKWdutESYbIadsl/6yxd1wZOEAUPxItAgDD+s5zW6nFgme80UhSLNls Kih8Rj6Fe/WTKpv/12ot8wA4D/UWajmtGuVFwCWjLvUZVmA5AE8/h1XjfY4pLKGFVMq2 I0cg==
X-Gm-Message-State: AO0yUKWIJJFyFvir6VzL2ariJ20wLNShdsrKlReqlP8BfdsZ6vLMIIdT 4Skoytqkjmey4L/AQUZd7GtX+Hx5IFiQXprdrtfGkrRU7k0=
X-Google-Smtp-Source: AK7set/kyuLVvQgqns3ReOS7ysZ81d+kCnrMzh14I853+X1y9Behk4xWum39MCPaa9qU/zRUQFaLUOcHTLGII7dDo/Y=
X-Received: by 2002:a05:6870:658b:b0:16a:20a7:d06d with SMTP id fp11-20020a056870658b00b0016a20a7d06dmr1406528oab.125.1675754694414; Mon, 06 Feb 2023 23:24:54 -0800 (PST)
MIME-Version: 1.0
From: Watson Ladd <watsonbladd@gmail.com>
Date: Mon, 06 Feb 2023 23:24:42 -0800
Message-ID: <CACsn0ckFdBD0D01wEzEFeyHEpBHzKZCjTE_=OohC9di_Bag25A@mail.gmail.com>
To: last-call@ietf.org
Content-Type: text/plain; charset="UTF-8"
Archived-At: <https://mailarchive.ietf.org/arch/msg/last-call/KFdTYxe2kkMZswSfPyZgR9yQf_Y>
Subject: [Last-Call] Last Call: <draft-ietf-httpbis-message-signatures-16.txt> (HTTP Message Signatures) to Proposed Standard
X-BeenThere: last-call@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: IETF Last Calls <last-call.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/last-call>, <mailto:last-call-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/last-call/>
List-Post: <mailto:last-call@ietf.org>
List-Help: <mailto:last-call-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/last-call>, <mailto:last-call-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 07 Feb 2023 07:24:56 -0000
Dear all, I believe this draft has substantial security issues that are similar to ones that have been exploited unsafely, often and extremely well. This draft equates public key signatures with Message authentication codes. MACs depend on having a shared key that is secret, and anyone who knows the key can make a signature. Public key signatures separate a private and a public key, and those with the private key may sign, those with the public key can verify. These are different notions with different requirements on what the material they are used on must have. But the draft uses exactly the same container and the same language to refer to them, inviting that same confusion in the mind of a reader, and the library author to blithely permit the algorithm in the message to be used. This mistake in JWT lead to bug after bug in library and application. Now we learn nothing, and choose once again to invite disaster with a small oversight on the part of application authors. No, security considerations will not prevent this mistake, and the ones in the draft are woefully inconsiderate: they do not clearly indicate who must do what, or refer to the details of the past bugs to indicate why it is required. I believe we need a section to describe what libraries must do with their interfaces to prevent such hazards and how application developers must avoid them in system design. Instead we get that the secure way is merely encouraged. This is not good enough: I believe the signature spec should remove the algorithm entirely, letting the key provided to verify indicate what is to be done. Or, if that isn't possible use MUST language to indicate that the allowed signature algorithm (singular) MUST be passed in with the key, that the verifier MUST NOT look at the message to find the algorithm used. This of course means revising 3.2 step 6 to remove looking at the message. Sincerely, Watson Ladd -- Astra mortemque praestare gradatim
- [Last-Call] Last Call: <draft-ietf-httpbis-messag… Watson Ladd
- Re: [Last-Call] Last Call: <draft-ietf-httpbis-me… Julian Reschke