[quicwg/base-drafts] Provide guideline on token validation (#2132)

MikkelFJ <notifications@github.com> Wed, 12 December 2018 17:57 UTC

Archived-At: <https://mailarchive.ietf.org/arch/msg/quic-issues/OCRb_oYqMZJJQVcJ2A850dz1HhU>

When receiving a token during the handshake, several scenarios are possible following the same overall pattern, even when the implementation and deployment decide the algorithmic and encoding details.

1. injection attack - replay etc.
2. valid token
3. valid token, but expired, based on the server's internal algorithm
4. invalid token, fails the server's integrity check

It would be helpful to have guidance on how to approach these scenarios.

A token might be valid but timed out because there is an embedded timestamp, but it could also be because the server farm is being upgraded and new instances cannot validate old tokens thus potentially allowing a grace period where they ignore tokens they can verify at all.

Attacks are not trivially known to be attacks, or they wouldn't be attacks, but their existence affects how safe it is to reject a token with a closed connection vs. ignoring the token. #2097 discusses injection attacks.
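The four scenarios above, plus the "new instance cannot verify old tokens" grace-period case, can be made concrete with a small classifier. The following is an added example, not code from the issue or from any QUIC implementation. The token layout (one-byte key id, 64-bit issue time, 16-byte client address, HMAC-SHA256 tag), the key table, the lifetime and the handling policy are all assumptions chosen for illustration; a real server picks its own. The point it shows is that an integrity failure, an expired timestamp, an unknown key id and an address mismatch are distinguishable outcomes, and that a policy can treat every non-valid outcome as "client is unvalidated" rather than as a reason to close the connection.

```python
import hashlib
import hmac
import ipaddress
import struct
from enum import Enum

# Constructed key table: a server farm mid-rotation still knows the retired key 1
# alongside the current key 2. A freshly upgraded instance that lacks an id would
# hit the UNVERIFIABLE branch below.
KEYS = {
    1: b"retired-token-key-still-accepted-00",
    2: b"current-token-signing-key-000000001",
}
CURRENT_KEY_ID = 2
TOKEN_LIFETIME_SECONDS = 600     # assumed lifetime for the embedded timestamp
TAG_LEN = 32                     # HMAC-SHA256 output length
TOKEN_LEN = 1 + 8 + 16 + TAG_LEN


class TokenStatus(Enum):
    VALID = "valid"                        # scenario 2
    EXPIRED = "expired"                    # scenario 3: integrity ok, timestamp too old
    INVALID = "invalid"                    # scenario 4: fails the integrity check
    ADDRESS_MISMATCH = "address_mismatch"  # scenario 1 symptom: authentic token, other address
    UNVERIFIABLE = "unverifiable"          # key id unknown to this instance (farm upgrade)


def _packed_ip(client_ip):
    # Pad IPv4 to 16 bytes so both families occupy a fixed-width field.
    return ipaddress.ip_address(client_ip).packed.rjust(16, b"\x00")


def _tag(key, body):
    return hmac.new(key, body, hashlib.sha256).digest()


def issue_token(client_ip, issued_at, key_id=CURRENT_KEY_ID):
    """Build key_id(1) || issued_at(8) || ip(16) || tag(32); constructed format."""
    body = struct.pack("!BQ", key_id, issued_at) + _packed_ip(client_ip)
    return body + _tag(KEYS[key_id], body)


def validate_token(token, client_ip, now):
    """Classify a received token without yet deciding what to do about it."""
    if len(token) != TOKEN_LEN:
        return TokenStatus.INVALID
    body, tag = token[:-TAG_LEN], token[-TAG_LEN:]
    key_id, issued_at = struct.unpack("!BQ", body[:9])
    key = KEYS.get(key_id)
    if key is None:
        # Not "forged", just not checkable here: the grace-period case.
        return TokenStatus.UNVERIFIABLE
    if not hmac.compare_digest(_tag(key, body), tag):
        return TokenStatus.INVALID
    # Integrity holds from here on, so a mismatch means an authentic token
    # presented from a different address (replay or injection, not corruption).
    if not hmac.compare_digest(body[9:], _packed_ip(client_ip)):
        return TokenStatus.ADDRESS_MISMATCH
    if issued_at > now or now - issued_at > TOKEN_LIFETIME_SECONDS:
        return TokenStatus.EXPIRED
    return TokenStatus.VALID


def handling_decision(status):
    """Illustrative policy (an assumption, not text from the drafts): only a VALID
    token grants address validation. Every other outcome ignores the token and
    treats the client as unvalidated, since closing on a bad token would let
    anyone who can inject a token break other clients' handshakes."""
    if status is TokenStatus.VALID:
        return "address_validated"
    return "treat_as_unvalidated"
```

Running the classifier over a fresh token, the same token later, a tampered copy, a copy re-labelled with an unknown key id, and the original presented from another address yields one distinct status each, while `handling_decision` collapses all but the first into the same ignore-the-token path.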
