[quicwg/base-drafts] Ben Kaduk's HTTP/3 Discuss 2 (#4775)
Lucas Pardue <notifications@github.com> Wed, 20 January 2021 19:37 UTC
Return-Path: <noreply@github.com>
X-Original-To: quic-issues@ietfa.amsl.com
Delivered-To: quic-issues@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 54D3E3A134B for <quic-issues@ietfa.amsl.com>; Wed, 20 Jan 2021 11:37:36 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.369
X-Spam-Level:
X-Spam-Status: No, score=-3.369 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.25, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, MAILING_LIST_MULTI=-1, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=github.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 3bj4a5L1Ht8e for <quic-issues@ietfa.amsl.com>; Wed, 20 Jan 2021 11:37:34 -0800 (PST)
Received: from smtp.github.com (out-22.smtp.github.com [192.30.252.205]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0F2EF3A1343 for <quic-issues@ietf.org>; Wed, 20 Jan 2021 11:37:33 -0800 (PST)
Received: from github.com (hubbernetes-node-4c7e3c7.ac4-iad.github.net [10.52.120.49]) by smtp.github.com (Postfix) with ESMTPA id 36950560BE9 for <quic-issues@ietf.org>; Wed, 20 Jan 2021 11:37:33 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=github.com; s=pf2014; t=1611171453; bh=u90A3D7tEGJWduX55QBq+60GzQO1aI1IlUnaQKwPSws=; h=Date:From:Reply-To:To:Cc:Subject:List-ID:List-Archive:List-Post: List-Unsubscribe:From; b=JtUBeSqbJqbSZasEOTZzqcv5W7KyD3cYkQ9o47Jqk5zRQi2wQF/WET89lm1SmhVGW E2Mx9/QVsMT/AgOje3fWMbwyCrIE5Jwq8Kuzel1AYQfKduuFjObHdbHIvJYZmi+PZ6 tMoqu1gHoAGWOji9COO9444PWVhnCzZfGzIvb1No=
Date: Wed, 20 Jan 2021 11:37:33 -0800
From: Lucas Pardue <notifications@github.com>
Reply-To: quicwg/base-drafts <reply+AFTOJKYLTPCOBUAV7IDBUAN6CRTX3EVBNHHC6GTCZQ@reply.github.com>
To: quicwg/base-drafts <base-drafts@noreply.github.com>
Cc: Subscribed <subscribed@noreply.github.com>
Message-ID: <quicwg/base-drafts/issues/4775@github.com>
Subject: [quicwg/base-drafts] Ben Kaduk's HTTP/3 Discuss 2 (#4775)
Mime-Version: 1.0
Content-Type: multipart/alternative; boundary="--==_mimepart_6008867d3307b_3e1a04183a8"; charset="UTF-8"
Content-Transfer-Encoding: 7bit
Precedence: list
X-GitHub-Sender: LPardue
X-GitHub-Recipient: quic-issues
X-GitHub-Reason: subscribed
X-Auto-Response-Suppress: All
X-GitHub-Recipient-Address: quic-issues@ietf.org
Archived-At: <https://mailarchive.ietf.org/arch/msg/quic-issues/M9Xz5fLMP3K_H481rswQ5i2S484>
X-BeenThere: quic-issues@ietf.org
X-Mailman-Version: 2.1.29
List-Id: Notification list for GitHub issues related to the QUIC WG <quic-issues.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/quic-issues>, <mailto:quic-issues-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/quic-issues/>
List-Post: <mailto:quic-issues@ietf.org>
List-Help: <mailto:quic-issues-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/quic-issues>, <mailto:quic-issues-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 20 Jan 2021 19:37:36 -0000
@kaduk said > I also think that the procedure, as written, for coalescing HTTP > requests against different URI authority components onto a single HTTP/3 > connection is under-specified and seems inconsistent both with earlier > WG conclusions and with previous IETF-mandated practices for certificate > validation. > > [begin historical tracethrough] > There appears to be quite a long history in this space (and I probably > missed some of it, even). The idea of coalescing has been around back > from the days when we only allowed Alt-Svc as discovery for using QUIC > (no direct access), with > https://github.com/quicwg/base-drafts/issues/940 being an early issue > leading to https://github.com/quicwg/base-drafts/pull/1024/files, with > text that requires both Alt-Svc and valid certificate in order to be > authoritative. Then we had > https://github.com/quicwg/base-drafts/issues/2223 that notes that this > Alt-Svc requirement is more restrictive than RFC 7540, which allegedly > only requires the certificate to match a given name. (One might argue > that 7540's "additionally depends on having a certificate that is valid" > implies the "depends on the host having resolved to the same IP address" > still applies, though of course ORIGIN weakens that if it was ever > present and this is not terribly relevant to the current question.) > Comments on #2223 seem to confirm that the intent is to largely parallel > what HTTP/2 does; I'll come back to that in a bit. The corresponding > text changes here are > https://github.com/quicwg/base-drafts/pull/3558/files that brings in the > concept that "a server is considered authoritative for all URIs with the > 'https' scheme for which the hostname in the URI is present in the > authenticated certificate provided by the server, either as [...]". > This text got moved a bit and reworded slightly in response to the > secdir review (https://github.com/quicwg/base-drafts/pull/4419/files), > but the intent is largely still present as "If a server presents a valid > certificate and proof that it controls the corresponding private key, > then a client will accept a secured TLS session with that server as > being authoritative for all origins with the "https" scheme and a host > identified in the certificate." > [end historical tracethrough] > > So now we have text that says: > > > If a server presents a valid certificate and proof that it controls > > the corresponding private key, then a client will accept a secured > > TLS session with that server as being authoritative for all origins > > with the "https" scheme and a host identified in the certificate. > > This seems problematic to me, and divergent from HTTP/2, in that it > focuses on the contents of a certificate *all* being valid/authoritative, > as opposed to a certificate being valid for a given host/name. To quote > §9.1.1 of RFC 7540: > > > For "https" resources, connection reuse additionally depends on > > having a certificate that is valid for the host in the URI. The > > certificate presented by the server MUST satisfy any checks that the > > client would perform when forming a new TLS connection for the host > > in the URI. > > A representative discussion of these checks is included in RFC 6125, and > the general procedure for (server) certificate validation takes as input a > candidate name of a service or entity that the client is attempting to > contact, a certificate (chain) and signature presented by the server, > and the application context in which the decision is being made [0]. In > short, the question is always "do I (as the client) trust the peer > entity to act as this specific name?", and the answer may differ across > names present in a single certificate! So I think we need to refresh > this text once more, to bring back the sense that for each name that we > might want to allow the server to act as an authority for, we have to do > the normal validation checks. Saying that we validate a certificate > once along with proof of possession of its private key and then the > holder of the key is a valid authority for all names in the certificate > invites violation of the client's security policy. For example, the > client's trust database might not allow the CA(s) in the presented chain > to certify some of the names contained in the certificate, among other > reasons. > > (discuss point 2.1) > There is probably some extra excitement surrounding revocation, in that > the "normal certificate validation procedures" typically involve some form > of attempt at a revocation check. What should happen if this check > determines that the certificate has been revoked is not entirely clear. > Presumably the attempt to use a new name from the certificate would > fail, but does it also imply that the entire connection should be torn > down, since it was built using the now-revoked certificate? > > (discuss point 2.2) > In practice, the procedure of "check the name in question against the > certificate chain" seems to mean that a client that is willing to > coalesce connections needs to retain the certificate and chain presented > by the peer, so that it is available as input to the certificate > validation engine (typically accessed via the TLS stack, I suppose) at > the time when an authentication decision needs to be made for a given > name. This operational practice, as well as the actual mechanics of > running a fresh certificate validation procedure, should probably be > mentioned down in Section 3.3 where we discuss the actual connection reuse > procedures. In particular, I think it would be very benficial to > indicate what protocol interactions trigger an attempt by the client to > validate a new name from the certificate for use as the authority for > HTTP responses, as well as to note clearly that the certificate+chain > have to be retained in order to run these checks. > > (discuss point 2.3) > I think we should also look at the procedures for server push as they > relate to coalescing; my understanding is that pushed responses are > allowed to be for requests to a different authority, and thus that a > client will need to discard or reject pushes that are from an authority > that the client does not accept the peer as being authoritative for. I > guess this is in some sense a check that the client always has to do for > all pushed responses, but I'm not entirely sure whether or where that is > currently described. > > [0] This context includes things like the set of trust anchors, as well > as potentially information about restrictions on trust anchors, > revocation checks, pinning or other restrictive information that reduces > the set of CAs that might be allowed to certify a given name, etc. -- You are receiving this because you are subscribed to this thread. Reply to this email directly or view it on GitHub: https://github.com/quicwg/base-drafts/issues/4775
- [quicwg/base-drafts] Ben Kaduk's HTTP/3 Discuss 2… Lucas Pardue
- Re: [quicwg/base-drafts] Ben Kaduk's HTTP/3 Discu… Martin Thomson
- Re: [quicwg/base-drafts] Ben Kaduk's HTTP/3 Discu… Lars Eggert
- Re: [quicwg/base-drafts] Ben Kaduk's HTTP/3 Discu… Mike Bishop
- Re: [quicwg/base-drafts] Ben Kaduk's HTTP/3 Discu… Mike Bishop
- Re: [quicwg/base-drafts] Ben Kaduk's HTTP/3 Discu… Mike Bishop
- Re: [quicwg/base-drafts] Ben Kaduk's HTTP/3 Discu… Lucas Pardue
- Re: [quicwg/base-drafts] Ben Kaduk's HTTP/3 Discu… Lucas Pardue