[secdir] Secdir early review of draft-ietf-httpbis-message-signatures-05

Daniel Migault via Datatracker <noreply@ietf.org> Fri, 30 July 2021 22:49 UTC

MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
From: Daniel Migault via Datatracker <noreply@ietf.org>
To: secdir@ietf.org
Cc: draft-ietf-httpbis-message-signatures.all@ietf.org, ietf-http-wg@w3.org
Auto-Submitted: auto-generated
Precedence: bulk
Message-ID: <162768539570.14788.6438448354422571640@ietfa.amsl.com>
Reply-To: Daniel Migault <daniel.migault@ericsson.com>
Date: Fri, 30 Jul 2021 15:49:55 -0700
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/7cZmqYbU_15I2-49eFgzSOWT4Hk>
Subject: [secdir] Secdir early review of draft-ietf-httpbis-message-signatures-05

Reviewer: Daniel Migault
Review result: Has Issues

Hi,

I have reviewed this document as part of the security directorate's ongoing
effort to review all IETF documents being processed by the IESG. These comments
were written primarily for the benefit of the security area directors. Document
editors and WG chairs should treat these comments just like any other last call
comments.

The main issue I have is the absence of security considerations ;-), but
otherwise the text appears to me quite clear. I will review the document once
the security consideration is completed.

I do not see the document mentioning any sort of negotiation which limits the
scope of possible downgrade attacks or the ability from one party to
"orchestrate" in some ways, what the other party. In other words, if I did not
missed anything the signature is a local policy. This typically means that a
client may sign while responses may not be signed.  Section 1.5 defines what
needs to be agreed between multiple parties, but does not provides details how
this could be achieved.

Some very minor editorial comments.
section 1.4
<mglt>
   The qualified term "digital
   signature" refers specifically to the output of an asymmetric
   cryptographic signing operation.

May be that would be clearer to define digital signature before mentioning
"signature" is used for both digital signature and Keyed MAC. </mglt>

section 1.5
   *  The set of content identifiers (Section 2) that are expected and
      required.
<mglt>
I suppose that the content are security related, but it is unclear at least to
me at this stage if the content have any kind of limitation. Typically, if a
party is able require an specific header that leaks private information, that
may be an issue. I think the text might be able to clarify this.

Though I expected it to be detailed later and "expected" security related
information is always suspicious of ending in a best effort situation where
security is optional. These are simply what come to my mind when reading these
lines. There is no necessary some actions to be taken if you believe that is
not necessary. </mglt>

section 2.4
<mglt>
   If covered content references an identifier that cannot be resolved
   to a value in the message, the implementation MUST produce an error.
   Such situations are included but not limited to:

   *  The signer or verifier does not understand the content identifier.

   *  The identifier identifies a header field that is not present in
      the message or whose value is malformed.

If the value is malformed, it may indicate that the value is interpreted
previously the integrity has been checked. I am sure this is not what the text
is meaning, but this is how I read it, so I believe that some clarification may
be needed. </mglt>

[secdir] Secdir early review of draft-ietf-httpbi… Daniel Migault via Datatracker
Re: [secdir] Secdir early review of draft-ietf-ht… Mark Nottingham
Re: [secdir] Secdir early review of draft-ietf-ht… Justin Richer