IETF Logo Mail Archive

Re: [rtcweb] Addressing WGLC comments for draft-ietf-rtcweb-security-arch? (was Re: WGLC for draft-ietf-rtcweb-security-arch)

Tim Hollebeek <tim.hollebeek@digicert.com> Mon, 30 April 2018 15:20 UTC

Return-Path: <tim.hollebeek@digicert.com>
X-Original-To: rtcweb@ietfa.amsl.com
Delivered-To: rtcweb@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 765381205D3 for <rtcweb@ietfa.amsl.com>; Mon, 30 Apr 2018 08:20:40 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.001
X-Spam-Level:
X-Spam-Status: No, score=-2.001 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=digicert.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id b566ESTbQBwB for <rtcweb@ietfa.amsl.com>; Mon, 30 Apr 2018 08:20:37 -0700 (PDT)
Received: from mail1.bemta12.messagelabs.com (mail1.bemta12.messagelabs.com [216.82.251.12]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id BF3E51200E5 for <rtcweb@ietf.org>; Mon, 30 Apr 2018 08:20:37 -0700 (PDT)
Received: from [216.82.249.212] (using TLSv1.2 with cipher DHE-RSA-AES256-GCM-SHA384 (256 bits)) by server-12.bemta-12.messagelabs.com id 29/8E-16074-54437EA5; Mon, 30 Apr 2018 15:20:37 +0000
X-Brightmail-Tracker: H4sIAAAAAAAAA1WSfUxTZxTGe+693F6Va15uqxwrLrGOqGgbUUx INFGTzTCNm/rPYtW4y7ij1bZgbzF1S5Qao1BUyIJTSkwhNG5+bCSKX4kLUDNxihLrtwJaWyEi fhDnRGLQ3t7ix39P3t9z3ue85z0cLXSzBk7yuCWXU7Qb2dFMh7khzfRVTq9l1mDp2NwXjYOQe 7N9GHL/HN6pXUjnnfF3afOCwTdU3rWOAVhOW1Jszvwizw8p1t23H0Dx2RJPd2cPUwpRqw9Gcw x5TmH7o1atD0ZxAvmNwvNeUQECeQBYEWxhFMCSWXjz7zZK0XryLVY+60tomkzG/34PsEqBjpQ BXngZTprKAdu8i33AJQq2XdmiHDMkE70t7aBonqzBO/09jBoWo7BnRzergFFkBdZGGxPBQMbj 64tHk2HpeDcWSGgkeoxcvcSqehw+jg6nqP41eOBlKHluxL/6O5P+SRgOVIAShqSJwiO3ToEKT Phi715aBS2Ap32PaKVrJFl4d0ivyg3YcjlTtS9F37sQq9qDNL6tqk0GZGBd4JVWBcdYPNlcl6 LOtACrD49URAEbr9UkknXEgF3Xy6EKsvyfvM4f99EkAFjl9bL+xJzS8N+aGKOasjC47Z1W1TP wYP0TWtXzcP9QK+tP/kl1RSTpmYtP/hmAOuAOwzRZcm2SXKac2eZ8l63Q6naINrspO3u22SHJ slgo2cV82fxjkeMYxLdsq0YDp+Fq/eoQTOAo4zieaeixCGPziwo2W0XZus5VYpfkEGRwnBH5K XN6LUKaSyqUPD/Z7PFVHcHIpRr1/EwF83Kx6JBthSq6CHO4zqZfd9Fc2fPqXbTAOIuckiGdNy tWolitJc4PF42sfRgmGXQ8aDQaIbVYcjls7s95H6RzYNTxOcotqTan+0NeX7wVKt7KRIgprbj Fj8hQCtt108Pzl63qnXo8on9ouXf/jH0Pf73mi8rNDlPVEgpvNGyUhVuZy1oHov93cEfvxL58 Ot/avNLTFf7uF0FzAuqr+9ZG6LWX9hdsH1wwZeI3r84fWnLBse/s+u+3hrQnxkxurTR9/cfPG UONVPPurjdNB9vK5i6qm9Ffey6yaQz9tLx7nZGRrWJ2Fu2SxfcYH6VS8QMAAA==
X-Env-Sender: tim.hollebeek@digicert.com
X-Msg-Ref: server-2.tower-219.messagelabs.com!1525101635!184330264!1
X-Originating-IP: [207.46.163.17]
X-SYMC-ESS-Client-Auth: mailfrom-relay-check=pass
X-StarScan-Received:
X-StarScan-Version: 9.9.15; banners=-,-,-
X-VirusChecked: Checked
Received: (qmail 29541 invoked from network); 30 Apr 2018 15:20:36 -0000
Received: from mail-dm3nam03lp0017.outbound.protection.outlook.com (HELO NAM03-DM3-obe.outbound.protection.outlook.com) (207.46.163.17) by server-2.tower-219.messagelabs.com with AES256-GCM-SHA384 encrypted SMTP; 30 Apr 2018 15:20:36 -0000
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=digicert.com; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version; bh=mU+9jdKOr7VzPd65djd9UP7ByZkfslcLQVYqgZ/LElQ=; b=VWgGN318cV+JucdhAbcwou4Y48H0/KrOfR+ROBnMDlnW8uOkaUd89gngUFaGSj/F1vTiHBs0zqZy7lM68D4o9ke2eV8RS0pG8te6fK8NQLe3tb8n8aGjNGogJoczry4svzxFCI5e9jmirOBI1XTm4xuEZsHPzVUK6/Qzw9Tl5Iw=
Received: from MWHPR14MB1376.namprd14.prod.outlook.com (10.173.232.139) by MWHPR14MB1182.namprd14.prod.outlook.com (10.173.101.136) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256) id 15.20.715.20; Mon, 30 Apr 2018 15:20:33 +0000
Received: from MWHPR14MB1376.namprd14.prod.outlook.com ([fe80::c033:7973:d34d:e13f]) by MWHPR14MB1376.namprd14.prod.outlook.com ([fe80::c033:7973:d34d:e13f%17]) with mapi id 15.20.0715.018; Mon, 30 Apr 2018 15:20:33 +0000
From: Tim Hollebeek <tim.hollebeek@digicert.com>
To: Martin Thomson <martin.thomson@gmail.com>, Cullen Jennings <fluffy@iii.ca>
CC: RTCWeb IETF <rtcweb@ietf.org>
Thread-Topic: [rtcweb] Addressing WGLC comments for draft-ietf-rtcweb-security-arch? (was Re: WGLC for draft-ietf-rtcweb-security-arch)
Thread-Index: AQHT0mSHdSosj9h75EqZv/oIt1x5RqQT4huAgAGAhZCAAQzegIACY3AAgACzY8A=
Date: Mon, 30 Apr 2018 15:20:32 +0000
Message-ID: <MWHPR14MB13764FEDD2B88E2AF03E500A83820@MWHPR14MB1376.namprd14.prod.outlook.com>
References: <F436DDBE-218E-43BC-B242-7D136126D91A@sn3rd.com> <A548BD26-A724-4F18-BA7D-3FB2C68605B4@sn3rd.com> <7A02A97A-56AC-45A1-AB86-C77B6263D799@iii.ca> <MWHPR14MB1376A806A5BB431D0B9DA10D838C0@MWHPR14MB1376.namprd14.prod.outlook.com> <3FE62B51-C01D-4238-902D-6867ABF8549E@iii.ca> <CABkgnnXx-TGenyAfuvAqFWZbegfUhxhC7X08OewCVcRqU73BcA@mail.gmail.com>
In-Reply-To: <CABkgnnXx-TGenyAfuvAqFWZbegfUhxhC7X08OewCVcRqU73BcA@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
x-originating-ip: [98.111.253.132]
x-ms-publictraffictype: Email
x-microsoft-exchange-diagnostics: 1; MWHPR14MB1182; 7:sekepx7AvsMB4ZAxyrdntj4sZA0cPMxXbTXRkPecHTKxo3MrGc/jvCGzcUP37aoBqM5q2AAJKJWD6JMX9jKIEQRD6TMLABR492UQIK8Vm9iDohmenzuPasDxd400zG8bu9wiGH8E316u9h9aeFnuV9Eo40vu5f8YAbVlNrBsOW9eb0rm0N5VwJJIax/0NOdGcPwVX7WshXxbfeFUOPoMBPdlSLyqnD9Rm/cb7ceRWVsGndWVGJtuFVJoVVKAoCRj
x-ms-exchange-antispam-srfa-diagnostics: SOS;
x-microsoft-antispam: UriScan:; BCL:0; PCL:0; RULEID:(7020095)(4652020)(5600026)(4534165)(4627221)(201703031133081)(201702281549075)(2017052603328)(7153060)(49563074)(7193020); SRVR:MWHPR14MB1182;
x-ms-traffictypediagnostic: MWHPR14MB1182:
x-microsoft-antispam-prvs: <MWHPR14MB11824AC60E222CC3629C3ED183820@MWHPR14MB1182.namprd14.prod.outlook.com>
x-exchange-antispam-report-test: UriScan:(192374486261705)(85827821059158);
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(102415395)(6040522)(2401047)(8121501046)(5005006)(93006095)(93001095)(10201501046)(3002001)(3231254)(944501410)(52105095)(6041310)(201703131423095)(201702281528075)(20161123555045)(201703061421075)(201703061406153)(20161123562045)(20161123564045)(20161123560045)(20161123558120)(6072148)(201708071742011); SRVR:MWHPR14MB1182; BCL:0; PCL:0; RULEID:; SRVR:MWHPR14MB1182;
x-forefront-prvs: 0658BAF71F
x-forefront-antispam-report: SFV:NSPM; SFS:(10019020)(346002)(366004)(396003)(376002)(39850400004)(39380400002)(199004)(189003)(51444003)(13464003)(316002)(9686003)(110136005)(97736004)(6306002)(74316002)(33656002)(229853002)(3660700001)(105586002)(7696005)(106356001)(99286004)(76176011)(53936002)(5660300001)(3280700002)(14454004)(66066001)(6116002)(55016002)(3846002)(5250100002)(11346002)(44832011)(305945005)(7736002)(39060400002)(186003)(476003)(99936001)(2900100001)(68736007)(81166006)(8676002)(486006)(81156014)(86362001)(26005)(2906002)(15650500001)(6506007)(6436002)(102836004)(59450400001)(53546011)(4326008)(8936002)(478600001)(966005)(446003)(25786009)(6246003)(93886005); DIR:OUT; SFP:1102; SCL:1; SRVR:MWHPR14MB1182; H:MWHPR14MB1376.namprd14.prod.outlook.com; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; A:1; MX:1;
received-spf: None (protection.outlook.com: digicert.com does not designate permitted sender hosts)
x-microsoft-antispam-message-info: Zy7GVSE74q7oISLTjG2B8vej74vf3p6a1yXiL+eaBVLoQGofpoTue9/TdtpUQLYeWEo+fdMCSi6UaaudvI9iRi1+Ns5d7KpUJW/taH5vFC5596Tzwo1oZfwy/hxYS78iaJfoCQOP1Cp8kG0kbvp5h+D/ZWqrcNPVspOXV6AB+h45oCgjUi0hfiKCUoOxSM8V
spamdiagnosticoutput: 1:99
spamdiagnosticmetadata: NSPM
Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; micalg="2.16.840.1.101.3.4.2.1"; boundary="----=_NextPart_000_017E_01D3E075.3EF315B0"
MIME-Version: 1.0
X-MS-Office365-Filtering-Correlation-Id: 0594a227-defc-4681-e336-08d5aeadeaad
X-OriginatorOrg: digicert.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 0594a227-defc-4681-e336-08d5aeadeaad
X-MS-Exchange-CrossTenant-originalarrivaltime: 30 Apr 2018 15:20:33.0132 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: cf813fa1-bde5-4e75-9479-f6aaa8b1f284
X-MS-Exchange-Transport-CrossTenantHeadersStamped: MWHPR14MB1182
Archived-At: <https://mailarchive.ietf.org/arch/msg/rtcweb/zf6mWM8OXMI0VQpkBAMKkiDfEj4>
Subject: Re: [rtcweb] Addressing WGLC comments for draft-ietf-rtcweb-security-arch? (was Re: WGLC for draft-ietf-rtcweb-security-arch)
X-BeenThere: rtcweb@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Real-Time Communication in WEB-browsers working group list <rtcweb.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/rtcweb>, <mailto:rtcweb-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/rtcweb/>
List-Post: <mailto:rtcweb@ietf.org>
List-Help: <mailto:rtcweb-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/rtcweb>, <mailto:rtcweb-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 30 Apr 2018 15:20:40 -0000

It's entirely possible that there isn't actually a problem if you do all the right things.
But it's important that all those right things are actually required, and the rationale
is clearly explained in the security considerations.  For example, doing certificate 
expiration checks, so that there isn't crypto data lying around that can be used in 
"interesting" ways in the future when the standard may have evolved into something 
else, seems like a good idea to me.

I also think the musings in Martin's last paragraph make sense and are headed in the 
right direction.  There's no harm in making protocols robust against attack scenarios
we haven't thought of yet.

-Tim

> -----Original Message-----
> From: Martin Thomson [mailto:martin.thomson@gmail.com]
> Sent: Monday, April 30, 2018 12:30 AM
> To: Cullen Jennings <fluffy@iii.ca>
> Cc: Tim Hollebeek <tim.hollebeek@digicert.com>; RTCWeb IETF
> <rtcweb@ietf.org>
> Subject: Re: [rtcweb] Addressing WGLC comments for draft-ietf-rtcweb-
> security-arch? (was Re: WGLC for draft-ietf-rtcweb-security-arch)
> 
> I agree with Cullen.
> 
> I would also point out that with an intended recipient, the IdP can limit the
> information that can be obtained from an assertion.  If the assertion were
> provided to other than the intended recipient, the IdP could refuse to provide
> an identity.  That requires authenticating the recipient as well, which isn't
> something we naturally assume, but the mechanisms for enabling that are all in
> place.
> 
> FWIW, I think that an abundance of caution suggests that limiting the assertion
> to a particular session is sensible.  The problem there is that we would need a
> session identifier in order to do that.  Until we discovered that RTCCertificate
> was portable, that was considered sufficient, I would prefer to remove that
> portability.  Maybe we should consider adding an origin to RTCCertificate that
> would allow it to be moved to other origins, but not be used by them.
> 
> On Sun, Apr 29, 2018 at 2:01 AM, Cullen Jennings <fluffy@iii.ca> wrote:
> >
> > Tim - that sounds about right but this is the part I don’t get….
> >
> > All the identity assertion does is bind the public key from the TLS
> > connection to the a name/identity. Think of it like a certificate that
> > binds my private key to name. Anyone can get my cert and pass it
> > around however they want. That is fine. Similarly the assertion can be
> > passed around handed to bad people etc. But anyone using it need to
> > match it with a TLS connection that does proof of possession of the
> > private key that matches the public key. That private key is going to
> > be very narrowly scoped on what has access to it. People that want to
> > rely on this identity assertion have to be sure that they require proof of
> possession of private key.
> >
> > So I do not see the issue at all that the identity assertion, just
> > like a normal X508 certificate, can be passed around. I’m not getting
> > whey this is Slightly Less than Awesome :-)
> >
> > I’m not arguing there is no problem, but I am not getting what the
> > problem is.
> >
> > Cullen
> >
> >
> >
> > On Apr 27, 2018, at 6:13 PM, Tim Hollebeek
> > <tim.hollebeek@digicert.com>
> > wrote:
> >
> > I’m going from my memory from the IETF 101 hackathon here, so someone
> > feel free to correct me if I’m remembering the details wrong (I
> > probably am for at least some of it), but as I recall it, the issue
> > was essentially that when one requests an identity assertion, if one
> > presents it to someone, the security properties are Awesome [TM]
> > because only authorized persons can get an identity assertion from the IDP.
> >
> > However, after one has presented an identity assertion to a
> > potentially untrusted party, presentation of that assertion to
> > additional parties is Slightly Less Than Awesome [TM], because the
> > additional parties cannot distinguish between the person who
> > legitimately obtained the identity assertion, and the party to which
> > the identity assertion was previously presented.
> >
> > Various arguments were made that this is not a problem because the
> > lifetime of identity assertions is short, with lifetimes on the order
> > of days to hours.  There was also some discussion (before the issue
> > was found) about if expiration of the relevant temporary certificates
> > needed to be checked at all.  Call me crazy, but only having a few
> > hours to carry out my attack doesn’t hinder me much as an attacker!
> >
> > One solution that was discussed, which may or may not work for all use
> > cases and this certainly should be explored, was that identity
> > assertions are cheap and therefore supporting the complexity of
> > identity assertion re-use might not make sense.  We discussed simply
> > adding a nonce to the creation of identity assertions, so IDPs could
> > enforce that they are validated only once, essentially turning them
> > into bearer tokens.  If the process fails (network hiccup, etc) it is
> > possible to transparently regenerate a new assertion and retry.  IIRC
> > certain non-attack failure scenarios needed this retry logic anyway.
> >
> > If needed, I can go back and re-read the messages from that weekend to
> > help refresh my memory, but that’s what I remember.
> >
> > -Tim
> >
> > From: rtcweb [mailto:rtcweb-bounces@ietf.org] On Behalf Of Cullen
> > Jennings
> > Sent: Thursday, April 26, 2018 9:03 PM
> > To: Sean Turner <sean@sn3rd.com>
> > Cc: RTCWeb IETF <rtcweb@ietf.org>
> > Subject: Re: [rtcweb] Addressing WGLC comments for
> > draft-ietf-rtcweb-security-arch? (was Re: WGLC for
> > draft-ietf-rtcweb-security-arch)
> >
> >
> >
> >
> > On Apr 12, 2018, at 7:45 AM, Sean Turner <sean@sn3rd.com> wrote:
> >
> > 1) Tweak protocol to include an identifier to prevent reuse of
> > assertion on every RTCPeerConnection:
> >
> >  More complex sites frequently generate multiple RTCPeerConnection
> > instances for their communications, especially for group
> > conversations.  If the browser requests an assertion once and they use
> > that value for every RTCPeerConnection, then that's OK.  From my
> > perspective, I would be happy modifying the protocol to include an
> > identifier and prevent that; for this the IdP can use caching or its
> > local storage.
> >
> > So, what would that look like?
> >
> >
> > It’s not clear to me what the problem we are solving here is. Who are
> > we trying to stop from reusing an assertion and why. The assertion is
> > already bound to the specific private key and specific web origin. The
> > IdP can bind it to a narrow time range if the IdP wants ( most do).
> > I’m not seeing the big difference from reusing an assertion vs. asking the for a
> bunch of them.
> > The protocol that users the assertion may end up forking the same
> > assertion to many places regardless of what the browser does.
> >
> > Changing this so that the IdP see how many PeerConnections are formed
> > seems like it just reveal more usage information to the IdP and does
> > not help security.
> >
> > Assuming I am just not getting the problem and we do want to solve
> > this … I is not clear to me how to make this all work with tls-id due
> > to all the bundle issues. Another approach would the browser greater a
> > GUID for the PeerConnection and that is passed in the IdP proxy code
> > and the IdP can bind it into the assertion or not but if it does bind
> > into the assertion, then the browser will only validate the assertion
> > on the PeerConnection with matching GUID. This is probably wrong and
> > half baked as I don’t really get the problem.
> >
> >
> >
> > _______________________________________________
> > rtcweb mailing list
> > rtcweb@ietf.org
> > https://www.ietf.org/mailman/listinfo/rtcweb
> >

v2.23.0 | Report a Bug | By Email