Re: [rtcweb] Addressing WGLC comments for draft-ietf-rtcweb-security-arch? (was Re: WGLC for draft-ietf-rtcweb-security-arch)
Cullen Jennings <fluffy@iii.ca> Tue, 01 May 2018 23:47 UTC
Return-Path: <fluffy@iii.ca>
X-Original-To: rtcweb@ietfa.amsl.com
Delivered-To: rtcweb@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A450A12AAB6 for <rtcweb@ietfa.amsl.com>; Tue, 1 May 2018 16:47:22 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id EyryUzOPwmsg for <rtcweb@ietfa.amsl.com>; Tue, 1 May 2018 16:47:19 -0700 (PDT)
Received: from smtp81.ord1d.emailsrvr.com (smtp81.ord1d.emailsrvr.com [184.106.54.81]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id EADFB129C6E for <rtcweb@ietf.org>; Tue, 1 May 2018 16:47:18 -0700 (PDT)
Received: from smtp19.relay.ord1d.emailsrvr.com (localhost [127.0.0.1]) by smtp19.relay.ord1d.emailsrvr.com (SMTP Server) with ESMTP id 509CE60084; Tue, 1 May 2018 19:47:18 -0400 (EDT)
X-Auth-ID: fluffy@iii.ca
Received: by smtp19.relay.ord1d.emailsrvr.com (Authenticated sender: fluffy-AT-iii.ca) with ESMTPSA id E9C1D60069; Tue, 1 May 2018 19:47:17 -0400 (EDT)
X-Sender-Id: fluffy@iii.ca
Received: from [10.1.3.91] (S0106004268479ae3.cg.shawcable.net [70.77.44.153]) (using TLSv1.2 with cipher DHE-RSA-AES256-GCM-SHA384) by 0.0.0.0:25 (trex/5.7.12); Tue, 01 May 2018 19:47:18 -0400
Content-Type: text/plain; charset="utf-8"
Mime-Version: 1.0 (Mac OS X Mail 11.3 \(3445.6.18\))
From: Cullen Jennings <fluffy@iii.ca>
In-Reply-To: <MWHPR14MB13764FEDD2B88E2AF03E500A83820@MWHPR14MB1376.namprd14.prod.outlook.com>
Date: Tue, 01 May 2018 17:47:16 -0600
Cc: Martin Thomson <martin.thomson@gmail.com>, RTCWeb IETF <rtcweb@ietf.org>
Content-Transfer-Encoding: quoted-printable
Message-Id: <3992EB2F-E5B8-4118-AB75-B42BC0847BEA@iii.ca>
References: <F436DDBE-218E-43BC-B242-7D136126D91A@sn3rd.com> <A548BD26-A724-4F18-BA7D-3FB2C68605B4@sn3rd.com> <7A02A97A-56AC-45A1-AB86-C77B6263D799@iii.ca> <MWHPR14MB1376A806A5BB431D0B9DA10D838C0@MWHPR14MB1376.namprd14.prod.outlook.com> <3FE62B51-C01D-4238-902D-6867ABF8549E@iii.ca> <CABkgnnXx-TGenyAfuvAqFWZbegfUhxhC7X08OewCVcRqU73BcA@mail.gmail.com> <MWHPR14MB13764FEDD2B88E2AF03E500A83820@MWHPR14MB1376.namprd14.prod.outlook.com>
To: Tim Hollebeek <tim.hollebeek@digicert.com>
X-Mailer: Apple Mail (2.3445.6.18)
Archived-At: <https://mailarchive.ietf.org/arch/msg/rtcweb/1Fcgd6TKZFjwT8gOdAU493m4CeA>
Subject: Re: [rtcweb] Addressing WGLC comments for draft-ietf-rtcweb-security-arch? (was Re: WGLC for draft-ietf-rtcweb-security-arch)
X-BeenThere: rtcweb@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Real-Time Communication in WEB-browsers working group list <rtcweb.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/rtcweb>, <mailto:rtcweb-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/rtcweb/>
List-Post: <mailto:rtcweb@ietf.org>
List-Help: <mailto:rtcweb-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/rtcweb>, <mailto:rtcweb-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 01 May 2018 23:47:23 -0000
> On Apr 30, 2018, at 9:20 AM, Tim Hollebeek <tim.hollebeek@digicert.com> wrote: > > It's entirely possible that there isn't actually a problem if you do all the right things. > But it's important that all those right things are actually required, and the rationale > is clearly explained in the security considerations. For example, doing certificate > expiration checks, so that there isn't crypto data lying around that can be used in > "interesting" ways in the future when the standard may have evolved into something > else, seems like a good idea to me. I certainly think it would be worth advising the IdP protocols designers that they they probably want to consider making the tokens only valid for a short time such as 30 seconds and they are welcome to have a way to invalidate and check validity of tokens if they want to do that. > > I also think the musings in Martin's last paragraph make sense and are headed in the > right direction. There's no harm in making protocols robust against attack scenarios > we haven't thought of yet. For sure - but we don’t want to do is make it so hard to use that no one uses. Something the IETF excels at :-) But as long as we can improve the robustness of the security without huge complication to use, I’m for that. > > -Tim > >> -----Original Message----- >> From: Martin Thomson [mailto:martin.thomson@gmail.com] >> Sent: Monday, April 30, 2018 12:30 AM >> To: Cullen Jennings <fluffy@iii.ca> >> Cc: Tim Hollebeek <tim.hollebeek@digicert.com>; RTCWeb IETF >> <rtcweb@ietf.org> >> Subject: Re: [rtcweb] Addressing WGLC comments for draft-ietf-rtcweb- >> security-arch? (was Re: WGLC for draft-ietf-rtcweb-security-arch) >> >> I agree with Cullen. >> >> I would also point out that with an intended recipient, the IdP can limit the >> information that can be obtained from an assertion. If the assertion were >> provided to other than the intended recipient, the IdP could refuse to provide >> an identity. That requires authenticating the recipient as well, which isn't >> something we naturally assume, but the mechanisms for enabling that are all in >> place. >> >> FWIW, I think that an abundance of caution suggests that limiting the assertion >> to a particular session is sensible. The problem there is that we would need a >> session identifier in order to do that. Until we discovered that RTCCertificate >> was portable, that was considered sufficient, I would prefer to remove that >> portability. Maybe we should consider adding an origin to RTCCertificate that >> would allow it to be moved to other origins, but not be used by them. >> >> On Sun, Apr 29, 2018 at 2:01 AM, Cullen Jennings <fluffy@iii.ca> wrote: >>> >>> Tim - that sounds about right but this is the part I don’t get…. >>> >>> All the identity assertion does is bind the public key from the TLS >>> connection to the a name/identity. Think of it like a certificate that >>> binds my private key to name. Anyone can get my cert and pass it >>> around however they want. That is fine. Similarly the assertion can be >>> passed around handed to bad people etc. But anyone using it need to >>> match it with a TLS connection that does proof of possession of the >>> private key that matches the public key. That private key is going to >>> be very narrowly scoped on what has access to it. People that want to >>> rely on this identity assertion have to be sure that they require proof of >> possession of private key. >>> >>> So I do not see the issue at all that the identity assertion, just >>> like a normal X508 certificate, can be passed around. I’m not getting >>> whey this is Slightly Less than Awesome :-) >>> >>> I’m not arguing there is no problem, but I am not getting what the >>> problem is. >>> >>> Cullen >>> >>> >>> >>> On Apr 27, 2018, at 6:13 PM, Tim Hollebeek >>> <tim.hollebeek@digicert.com> >>> wrote: >>> >>> I’m going from my memory from the IETF 101 hackathon here, so someone >>> feel free to correct me if I’m remembering the details wrong (I >>> probably am for at least some of it), but as I recall it, the issue >>> was essentially that when one requests an identity assertion, if one >>> presents it to someone, the security properties are Awesome [TM] >>> because only authorized persons can get an identity assertion from the IDP. >>> >>> However, after one has presented an identity assertion to a >>> potentially untrusted party, presentation of that assertion to >>> additional parties is Slightly Less Than Awesome [TM], because the >>> additional parties cannot distinguish between the person who >>> legitimately obtained the identity assertion, and the party to which >>> the identity assertion was previously presented. >>> >>> Various arguments were made that this is not a problem because the >>> lifetime of identity assertions is short, with lifetimes on the order >>> of days to hours. There was also some discussion (before the issue >>> was found) about if expiration of the relevant temporary certificates >>> needed to be checked at all. Call me crazy, but only having a few >>> hours to carry out my attack doesn’t hinder me much as an attacker! >>> >>> One solution that was discussed, which may or may not work for all use >>> cases and this certainly should be explored, was that identity >>> assertions are cheap and therefore supporting the complexity of >>> identity assertion re-use might not make sense. We discussed simply >>> adding a nonce to the creation of identity assertions, so IDPs could >>> enforce that they are validated only once, essentially turning them >>> into bearer tokens. If the process fails (network hiccup, etc) it is >>> possible to transparently regenerate a new assertion and retry. IIRC >>> certain non-attack failure scenarios needed this retry logic anyway. >>> >>> If needed, I can go back and re-read the messages from that weekend to >>> help refresh my memory, but that’s what I remember. >>> >>> -Tim >>> >>> From: rtcweb [mailto:rtcweb-bounces@ietf.org] On Behalf Of Cullen >>> Jennings >>> Sent: Thursday, April 26, 2018 9:03 PM >>> To: Sean Turner <sean@sn3rd.com> >>> Cc: RTCWeb IETF <rtcweb@ietf.org> >>> Subject: Re: [rtcweb] Addressing WGLC comments for >>> draft-ietf-rtcweb-security-arch? (was Re: WGLC for >>> draft-ietf-rtcweb-security-arch) >>> >>> >>> >>> >>> On Apr 12, 2018, at 7:45 AM, Sean Turner <sean@sn3rd.com> wrote: >>> >>> 1) Tweak protocol to include an identifier to prevent reuse of >>> assertion on every RTCPeerConnection: >>> >>> More complex sites frequently generate multiple RTCPeerConnection >>> instances for their communications, especially for group >>> conversations. If the browser requests an assertion once and they use >>> that value for every RTCPeerConnection, then that's OK. From my >>> perspective, I would be happy modifying the protocol to include an >>> identifier and prevent that; for this the IdP can use caching or its >>> local storage. >>> >>> So, what would that look like? >>> >>> >>> It’s not clear to me what the problem we are solving here is. Who are >>> we trying to stop from reusing an assertion and why. The assertion is >>> already bound to the specific private key and specific web origin. The >>> IdP can bind it to a narrow time range if the IdP wants ( most do). >>> I’m not seeing the big difference from reusing an assertion vs. asking the for a >> bunch of them. >>> The protocol that users the assertion may end up forking the same >>> assertion to many places regardless of what the browser does. >>> >>> Changing this so that the IdP see how many PeerConnections are formed >>> seems like it just reveal more usage information to the IdP and does >>> not help security. >>> >>> Assuming I am just not getting the problem and we do want to solve >>> this … I is not clear to me how to make this all work with tls-id due >>> to all the bundle issues. Another approach would the browser greater a >>> GUID for the PeerConnection and that is passed in the IdP proxy code >>> and the IdP can bind it into the assertion or not but if it does bind >>> into the assertion, then the browser will only validate the assertion >>> on the PeerConnection with matching GUID. This is probably wrong and >>> half baked as I don’t really get the problem. >>> >>> >>> >>> _______________________________________________ >>> rtcweb mailing list >>> rtcweb@ietf.org >>> https://www.ietf.org/mailman/listinfo/rtcweb >>>
- [rtcweb] WGLC for draft-ietf-rtcweb-security-arch Sean Turner
- [rtcweb] Addressing WGLC comments for draft-ietf-… Sean Turner
- Re: [rtcweb] Addressing WGLC comments for draft-i… Nils Ohlmeier
- Re: [rtcweb] Addressing WGLC comments for draft-i… Eric Rescorla
- Re: [rtcweb] Addressing WGLC comments for draft-i… Martin Thomson
- Re: [rtcweb] Addressing WGLC comments for draft-i… Christer Holmberg
- Re: [rtcweb] Addressing WGLC comments for draft-i… Sean Turner
- Re: [rtcweb] Addressing WGLC comments for draft-i… Cullen Jennings
- Re: [rtcweb] Addressing WGLC comments for draft-i… Christer Holmberg
- Re: [rtcweb] Addressing WGLC comments for draft-i… Tim Hollebeek
- Re: [rtcweb] Addressing WGLC comments for draft-i… Cullen Jennings
- Re: [rtcweb] Addressing WGLC comments for draft-i… Martin Thomson
- Re: [rtcweb] Addressing WGLC comments for draft-i… Tim Hollebeek
- Re: [rtcweb] Addressing WGLC comments for draft-i… Cullen Jennings
- Re: [rtcweb] Addressing WGLC comments for draft-i… Cullen Jennings
- Re: [rtcweb] Addressing WGLC comments for draft-i… Martin Thomson
- Re: [rtcweb] Addressing WGLC comments for draft-i… Harald Alvestrand
- Re: [rtcweb] Addressing WGLC comments for draft-i… Martin Thomson
- Re: [rtcweb] Addressing WGLC comments for draft-i… Cullen Jennings
- Re: [rtcweb] Addressing WGLC comments for draft-i… Martin Thomson
- Re: [rtcweb] Addressing WGLC comments for draft-i… Cullen Jennings
- Re: [rtcweb] Addressing WGLC comments for draft-i… Martin Thomson
- Re: [rtcweb] Addressing WGLC comments for draft-i… Sean Turner
- Re: [rtcweb] Addressing WGLC comments for draft-i… Christer Holmberg
- Re: [rtcweb] Addressing WGLC comments for draft-i… Sean Turner