Re: [Privacy-pass] Roman Danyliw's Discuss on draft-ietf-privacypass-protocol-14: (with DISCUSS and COMMENT)
Christopher Wood <caw@heapingbits.net> Fri, 22 September 2023 21:10 UTC
Return-Path: <caw@heapingbits.net>
X-Original-To: privacy-pass@ietfa.amsl.com
Delivered-To: privacy-pass@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B0030C151557; Fri, 22 Sep 2023 14:10:24 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.103
X-Spam-Level:
X-Spam-Status: No, score=-2.103 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_BLOCKED=0.001, RCVD_IN_MSPIKE_H3=0.001, RCVD_IN_MSPIKE_WL=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=heapingbits.net header.b="ayHqSnp5"; dkim=pass (2048-bit key) header.d=messagingengine.com header.b="VBXBGCGr"
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id C3_G8-DIM898; Fri, 22 Sep 2023 14:10:20 -0700 (PDT)
Received: from out1-smtp.messagingengine.com (out1-smtp.messagingengine.com [66.111.4.25]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E11B5C151534; Fri, 22 Sep 2023 14:10:19 -0700 (PDT)
Received: from compute1.internal (compute1.nyi.internal [10.202.2.41]) by mailout.nyi.internal (Postfix) with ESMTP id 0ADC05C0160; Fri, 22 Sep 2023 17:10:19 -0400 (EDT)
Received: from mailfrontend1 ([10.202.2.162]) by compute1.internal (MEProxy); Fri, 22 Sep 2023 17:10:19 -0400
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=heapingbits.net; h=cc:cc:content-type:content-type:date:date:from:from :in-reply-to:in-reply-to:message-id:mime-version:references :reply-to:sender:subject:subject:to:to; s=fm2; t=1695417019; x= 1695503419; bh=BrqvmHVuMF2p1TTOqQNig/0O6AQcFJIEQ0oVwa97KtI=; b=a yHqSnp5+nG+ty5nQiTI3nq4OFeoynvJpwnBYKlrj1qwU2cZkPWBesM7xBknJ6HRF MRnUlpEok7bEzzsXTNLeMEsu+C35lWbqRPX5EPidfBmDKD39bxxWZTTj8U8lj3zF QpLNn9TyYDxH5ZlRVfxc7IFAbpWUGMjETbbOGsLM3hGK12fudv/nrFxwwbMEjyyd oF3xVL5B8f4off9fE8Wmad2WdCvdBPzMMBS1ImgqHwof0AiMl7jiBRe1vkrJfh83 TnxEnp4j6QKxLy4mSVIidxQzlohl+Y/QkLuaMVKcYctG3GhSwZbhI0vwUr+muM4e 8gfqwlwneNPzhsNI/JOfQ==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= messagingengine.com; h=cc:cc:content-type:content-type:date:date :feedback-id:feedback-id:from:from:in-reply-to:in-reply-to :message-id:mime-version:references:reply-to:sender:subject :subject:to:to:x-me-proxy:x-me-proxy:x-me-sender:x-me-sender :x-sasl-enc; s=fm2; t=1695417019; x=1695503419; bh=BrqvmHVuMF2p1 TTOqQNig/0O6AQcFJIEQ0oVwa97KtI=; b=VBXBGCGroJt1tYyZjBbVc7ovPgqoz prmbTuneP7h/omhGcuKuZeMd5S5XabbucEsGXiBC6P61Y+F6ur/5P/j8W9DsmUiC hKZoWQU7XDZrPMGN5Et+39mnSBWSNg4wrp1A9I+URFbOOTmtwSFqkE7ktBk0SvxC ZrFixKihqExhDrkIxanFZEWMJ8QvO7BC56ZldrHFE1TnViv72bMwLArQGhfCQI4M ccyYF5kJ7uzJQ+7fMRH+i/RYjwupO6viZ1zBM6KSyofLD9VfkdyPmaKcjQ32KiJN j+i1Cj5Lo1mPkWXBoI1mf9Vl/lauGeDF0iRcMOOvn2uwIfwN6ibYwe6jQ==
X-ME-Sender: <xms:ugIOZS_-Mpxw399tG1qrSzek0vYrOytYUPCMEwhmX-M298mcHXYXnw> <xme:ugIOZSuQXq_Yqe9klAB_WDf9ylLrKTckdJRqy70TLjmPlWW_0YxF4Dw4bZKa6Eqlj uotQNpOFk4zVYbxty8>
X-ME-Received: <xmr:ugIOZYBczsmxHfIf0hri9XHA98-6ScANdZKLURkmSOGtPy8aCjpr1GpTdj1TkjoKTqaxUyGmdtXj2N-U7cVFSoB5PS-t4QZW26p-t1QuEf9fk0lvZEwXWg>
X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgedviedrudekkedgudeflecutefuodetggdotefrod ftvfcurfhrohhfihhlvgemucfhrghsthforghilhdpqfgfvfdpuffrtefokffrpgfnqfgh necuuegrihhlohhuthemuceftddtnecusecvtfgvtghiphhivghnthhsucdlqddutddtmd enucfjughrpefhkfgtggfuffgjvefvfhfosegrtdhmrehhtdejnecuhfhrohhmpeevhhhr ihhsthhophhhvghrucghohhougcuoegtrgifsehhvggrphhinhhgsghithhsrdhnvghtqe enucggtffrrghtthgvrhhnpeeugfevvdeufefhteeigefhffdtheeiudeuleehffetjeej leefleefvdejudffveenucffohhmrghinhepghhithhhuhgsrdgtohhmpdhivghtfhdroh hrghdpvgguihhtohhrihgrlhdrphhoshhtpdgvgigrmhhplhgvrdhnvghtnecuvehluhhs thgvrhfuihiivgeptdenucfrrghrrghmpehmrghilhhfrhhomheptggrfieshhgvrghpih hnghgsihhtshdrnhgvth
X-ME-Proxy: <xmx:ugIOZafO296Npnm_In5ndg40t6SrDrvjjkwwFfTB9GMPqe766zWgFg> <xmx:ugIOZXPLeO8u9JmAl2P_tDZaIf0mo5Ku_Chy6asXq9vMqUkJWnC7Hw> <xmx:ugIOZUmOIkanRIdSHU7BwzRdJqmUnW0-clfrcF7V07u9G1CUGoMJXg> <xmx:uwIOZcojql-M6nv3Ej__yA6dQVwT0UFQ4hpSm5qCrs0rAS15tnWmDQ>
Feedback-ID: i2f494406:Fastmail
Received: by mail.messagingengine.com (Postfix) with ESMTPA; Fri, 22 Sep 2023 17:10:18 -0400 (EDT)
From: Christopher Wood <caw@heapingbits.net>
Message-Id: <00708A2B-C8B9-44EE-B913-50B42E048796@heapingbits.net>
Content-Type: multipart/alternative; boundary="Apple-Mail=_A811FDDA-E7F9-4816-A4D7-A6BE33979D17"
Mime-Version: 1.0 (Mac OS X Mail 16.0 \(3731.700.6\))
Date: Fri, 22 Sep 2023 17:10:07 -0400
In-Reply-To: <169524803666.14540.17472223836902353053@ietfa.amsl.com>
Cc: The IESG <iesg@ietf.org>, draft-ietf-privacypass-protocol@ietf.org, privacypass-chairs@ietf.org, privacy-pass@ietf.org, jsalowey@gmail.com
To: Roman Danyliw <rdd@cert.org>
References: <169524803666.14540.17472223836902353053@ietfa.amsl.com>
X-Mailer: Apple Mail (2.3731.700.6)
Archived-At: <https://mailarchive.ietf.org/arch/msg/privacy-pass/bnUhdUnCAsVixvQ72atQc6sSWQc>
Subject: Re: [Privacy-pass] Roman Danyliw's Discuss on draft-ietf-privacypass-protocol-14: (with DISCUSS and COMMENT)
X-BeenThere: privacy-pass@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Privacy Pass Protocol <privacy-pass.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/privacy-pass>, <mailto:privacy-pass-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/privacy-pass/>
List-Post: <mailto:privacy-pass@ietf.org>
List-Help: <mailto:privacy-pass-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/privacy-pass>, <mailto:privacy-pass-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 22 Sep 2023 21:10:24 -0000
Thanks for the thorough review, as always, Roman. We addressed your comments in the following PR: https://github.com/ietf-wg-privacypass/base-drafts/pull/494 Please see inline below for responses to specific feedback. Best, Chris > On Sep 20, 2023, at 6:13 PM, Roman Danyliw via Datatracker <noreply@ietf.org> wrote: > > Roman Danyliw has entered the following ballot position for > draft-ietf-privacypass-protocol-14: Discuss > > When responding, please keep the subject line intact and reply to all > email addresses included in the To and CC lines. (Feel free to cut this > introductory paragraph, however.) > > > Please refer to https://www.ietf.org/about/groups/iesg/statements/handling-ballot-positions/ > for more information about how to handle DISCUSS and COMMENT positions. > > > The document, along with other ballot positions, can be found here: > https://datatracker.ietf.org/doc/draft-ietf-privacypass-protocol/ > > > > ---------------------------------------------------------------------- > DISCUSS: > ---------------------------------------------------------------------- > > Two things related to references ... > > ** Section 7. Given the deferment of security and privacy considerations to > [ARCHITECTURE] and [CONSISTENCY], both seem to be a normative references. Making the architecture a normative reference seems fine, but the referenced consistency document doesn’t rise to the same bar. That document provides guidance for how someone might implement a consistency mechanism, but it doesn’t actually specify a protocol. In this way, I consider it to be an informational reference. > > ** The reference for the format of SPKI (for RSA key material) doesn’t seem > right based on my read of the ASN.1 references. > > -- Section 6.5 > The key identifier for a keypair (skI, pkI), denoted token_key_id, is > computed as SHA256(encoded_key), where encoded_key is a DER-encoded > SubjectPublicKeyInfo (SPKI) object carrying pkI. The SPKI object > MUST use the RSASSA-PSS OID [RFC5756], which specifies the hash > algorithm and salt size. > > -- Section 8.2.2 says: > * Token Key Encoding: Serialized as a DER-encoded > SubjectPublicKeyInfo (SPKI) object using the RSASSA-PSS OID > [RFC5756] > > SubjectPublicKeyInfo (SPKI) seems to be defined in RFC5280. Additionally, RFC > 4055 provides the “algorithm” OBJECT IDENTIFIER as id-RSASSA-PSS, “parameters” > are RSASSA-PSS-params, and the “subjectPublicKey” is RSAPublicKey. Wow, indeed, the current references do not seem correct! I believe the PR correctly references the necessary definitions, and also makes an attempt to use the proper terms. I will ask for review from people more familiar with the X.509 details to ensure it’s correct and matches what is deployed today. > > ==[ snip from RFC5280 ]== > AlgorithmIdentifier ::= SEQUENCE { > algorithm OBJECT IDENTIFIER, > parameters ANY DEFINED BY algorithm OPTIONAL } > > SubjectPublicKeyInfo ::= SEQUENCE { > algorithm AlgorithmIdentifier, > subjectPublicKey BIT STRING } > ==[ snip from RFC5280 ]== > > ==[ snip from RFC4055 ]== > -- Used in SubjectPublicKeyInfo of X.509 Certificate. > RSAPublicKey ::= SEQUENCE { > modulus INTEGER, -- n > publicExponent INTEGER } -- e > > -- AlgorithmIdentifier parameters for id-RSASSA-PSS. > -- Note that the tags in this Sequence are explicit. > > RSASSA-PSS-params ::= SEQUENCE { > hashAlgorithm [0] HashAlgorithm DEFAULT > sha1Identifier, > maskGenAlgorithm [1] MaskGenAlgorithm DEFAULT > mgf1SHA1Identifier, > saltLength [2] INTEGER DEFAULT 20, > trailerField [3] INTEGER DEFAULT 1 } > > HashAlgorithm ::= AlgorithmIdentifier > > MaskGenAlgorithm ::= AlgorithmIdentifier > ==[ snip from RFC4055 ]== > > > ---------------------------------------------------------------------- > COMMENT: > ---------------------------------------------------------------------- > > Thank you to Alexey Melnikov for the SECDIR review. > > ** Section 2. The definition of Client and Issue as defined here seems > slightly different than those in Section 2 of [ARCHITECTURE]. Is that > intentional? Why redefine them? Good point. I replaced these definitions with references to the architecture document. > > ** Section 4. token-key > > -- Please explicitly say that the contents and formatting of this field are > defined by the value of token-type. > > -- Please provide a normative reference for base64URL encoding. > > -- The openssl decode in in Section 6.5 was very helpful. Consider providing a > full example of a base64 encoded blob, which is then decoded with openssl. Good idea — the PR listed above adds one such example. > > ** Section 4. Editorial. Why is the “not-before” field not included in Table 2 > which described all of the fields in the token-keys object? It’s an optional field, rather than a mandatory field, so we opted to demote it from the table. > > ** Section 5.1. Editorial. > > nonce = random(32) > > Please explain in the prose what this is doing. Is that returning 32-bytes of > random data? Indeed — we use the same notational conveniences as OHTTP for this, and updated the prose to denote that the nonce value is 32 bytes. I think that provides sufficient clarity. > > ** Section 5.1. Editorial. > > POST /request HTTP/1.1 > Host = issuer.example.net > Accept = application/private-token-response > Content-Type = application/private-token-request > Content-Length = <Length of TokenRequest> > > Shouldn’t this read “Host: issuer.example.net” and not “Host = > issuer.example.net”, or is this not trying to show an HTTP header? Yep, thanks. We fixed that. > > ** Section 6.5. Per the openssl decode of the SPKI file, where is the public > key in that example? It’s the final BIT STRING in the SPKI blob. > > ** Appendix B.2. Test Vector #2. I had trouble verifying the token of the > second test vector in the example. I didn’t try any other example. I tried > the following: What are you trying to do here? The token is a Token structure, which openssl won’t be able to parse. Are you trying to verify the signature of the token using the public key in the test vector? > > $ cat privacy-pass-token.hexbin (no line breaks in the file) > 0002a1aa8b371c37c9a8ddbd7342ab4f9dd5227d5b1600dca6517b60f63143cd43a3bb8a8cf1c59e7a251358ed76fe0ccff61044bc79dd261f16020324d22f2d434cca572f8982a9ca248a3056186322d93ca147266121ddeb5632c07f1f71cd27082899f4bc385b4147a650a3e7efc7d23a743cb944bb53e2ed8b88ee03a9c0b1cf1f73fd7f15c1bd1f850a5a96a34d4ee9f295543f30ac920825e9a0ce26e924f2c145583019dd14408c565b660e8b702fbea559908b1a8c8f9d21ef22f7cc6a4641c57c146e6c5497d2890ca230a6749f5f83a8fdd79eba0722f10dff9e81a2fb2d05fa4d989acc2e93f595ae69c98c3daa3b169efcdd6e59596b2f049f16ba49528761f661032da65a3ee0fe8a22409766e90daf8c60323c16522818c49273c795f26bbab306dc63cfc16fe1702af2464028cf819cc647d6f9b8a8f54d7d6585a268fdb8c75f76618c64aba266836a3b2db7cdd739815a021d7ff2b36ef91f23 > > $ xxd -r privacy-pass-token.hexbin | openssl asn1parse -dump -inform DER > Error: offset out of range > > $ xxd -r -p privacy-pass-token.hexbin | openssl asn1parse -dump -inform DER > 0:d=0 hl=2 l= 2 prim: EOC > 0000 - a1 aa
- [Privacy-pass] Roman Danyliw's Discuss on draft-i… Roman Danyliw via Datatracker
- Re: [Privacy-pass] Roman Danyliw's Discuss on dra… Christopher Wood
- Re: [Privacy-pass] Roman Danyliw's Discuss on dra… Roman Danyliw