Re: [secdir] Secdir last call review of draft-ietf-secevent-http-push-10
Mike Jones <Michael.Jones@microsoft.com> Tue, 09 June 2020 00:17 UTC
Return-Path: <Michael.Jones@microsoft.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0F8903A0809; Mon, 8 Jun 2020 17:17:36 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.101
X-Spam-Level:
X-Spam-Status: No, score=-2.101 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=microsoft.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ZYf2Gtb9qoVA; Mon, 8 Jun 2020 17:17:34 -0700 (PDT)
Received: from NAM06-BL2-obe.outbound.protection.outlook.com (mail-eopbgr650120.outbound.protection.outlook.com [40.107.65.120]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id EC5B83A0807; Mon, 8 Jun 2020 17:17:30 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=UhFP75jR3u7qcmPHaNTUYfXwfFkDXbzvQS+iz/S9JDkdv4OoSdHRDQp58D++egYnsq8S62G2IUrSo03cNCNRv1c24I/4+tpMLa/jQKiZ2LQ2aqFBw2hZG8dDKlQ3n2Pr4AnH0aSNWcnJjiWrCVKfsAkkD5Xi0mN6kNgKqSEaOtAT1a7gJKfreLVCw9fAdH5SYRykMD8SkBXxs8wY6aUK66Epd50MYP1yx6vDmz7u27ebONOtgdbObAK++Y4/Aid/d3DoQZriOttJNuwUyRIlUPdSh3zjHj9nLi9ecj7/4k0rCB+7aAesEcgTE4XPfbXAV1N9dumxKBzeZluNahC0HQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=CUCoGObbV9qx98GqQvLqnEC1WfL/Ljw6Nwa6QaLeo7o=; b=gTJXrCmmaQfFEP/uyC7kmFd6SwhB8cayrBDE0TLPGiPppwHpRn3+ugZ3OlMZo8HxweBysuAW8Yg5ThMggokvsF5qDu+8EL1AkF56Wg2yBznXJ3C2+hIsK6IRkDNXcYMUXDnJZxSrqdt5lwjA7Yd3LlsbPWNSoHUFQ3oZNCeKiJZqm6fyrjwhRW2hCH8+sbyhfpvw7+qxHQaazVJDMxFjIC7Ja30VU8d4LjyYJNzeSVeJyKqyNbse9dSSuFWoAX+Si6Qfpow8s1wyMGIPMzkOE88JkY67/LOlb7p6YrHKEo21soASN9x1I6azyvyc9IG1+Gpv73CG8ORmvtSc7ZboiQ==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=microsoft.com; dmarc=pass action=none header.from=microsoft.com; dkim=pass header.d=microsoft.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=selector2; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=CUCoGObbV9qx98GqQvLqnEC1WfL/Ljw6Nwa6QaLeo7o=; b=SNGLP8oBcTyvkSX28SWUG+KLVhIgYRau8KlvNBue0QORbbTFcPGscVggtTL3YOCodR+w+GSC/Oj/DF7Av7m6fnOxYqXGrrgu8NVw8rNP7kzkrUkRy2JNgz/EPe/UZK67g3L/SzGYZshr3efVhOYah1PC/uMlab93+jepfzAcfTk=
Received: from MN2PR00MB0686.namprd00.prod.outlook.com (2603:10b6:208:15f::13) by MN2PR00MB0558.namprd00.prod.outlook.com (2603:10b6:208:fd::19) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.3114.0; Tue, 9 Jun 2020 00:17:28 +0000
Received: from MN2PR00MB0686.namprd00.prod.outlook.com ([fe80::b816:9dfb:f80d:3b9f]) by MN2PR00MB0686.namprd00.prod.outlook.com ([fe80::b816:9dfb:f80d:3b9f%8]) with mapi id 15.20.3114.000; Tue, 9 Jun 2020 00:17:28 +0000
From: Mike Jones <Michael.Jones@microsoft.com>
To: Valery Smyslov <valery@smyslov.net>, "secdir@ietf.org" <secdir@ietf.org>
CC: "last-call@ietf.org" <last-call@ietf.org>, "draft-ietf-secevent-http-push.all@ietf.org" <draft-ietf-secevent-http-push.all@ietf.org>, "id-event@ietf.org" <id-event@ietf.org>
Thread-Topic: Secdir last call review of draft-ietf-secevent-http-push-10
Thread-Index: AdY981rMjMYzrf79SkyZJEfuKyvEOA==
Date: Tue, 09 Jun 2020 00:17:28 +0000
Message-ID: <MN2PR00MB0686B13FDBAF9463D965FDFDF5820@MN2PR00MB0686.namprd00.prod.outlook.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
msip_labels: MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_ActionId=0a67fbe7-4946-4b44-a5c1-0000c7f1db91; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_ContentBits=0; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_Enabled=true; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_Method=Standard; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_Name=Internal; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_SetDate=2020-06-08T23:52:51Z; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_SiteId=72f988bf-86f1-41af-91ab-2d7cd011db47;
authentication-results: smyslov.net; dkim=none (message not signed) header.d=none;smyslov.net; dmarc=none action=none header.from=microsoft.com;
x-originating-ip: [50.47.87.252]
x-ms-publictraffictype: Email
x-ms-office365-filtering-ht: Tenant
x-ms-office365-filtering-correlation-id: 1ceff2dc-9b77-4200-3adf-08d80c0a7ea8
x-ms-traffictypediagnostic: MN2PR00MB0558:
x-microsoft-antispam-prvs: <MN2PR00MB0558B4FA4EAF7B3FAA2548F2F5820@MN2PR00MB0558.namprd00.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:10000;
x-forefront-prvs: 042957ACD7
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: G7bZxwLZAYAB49qW31ktdxPxLO6Qz5D3pm221B/SkYfbXpe2hxFTGbaomtQvS3vjNTCzo8jgTux0A2dzj0hcn4lGtXg+BU0Ox8in31/9WGiCr2+GpehdHB+hIcuBUtJOOZqVwCHqJW7sW4hp3QOVOYix8/mqvPTf0BSYV7mEyKl8rhvVf7MXAOQVeTJKkw68zlEgmhYBE+ss3MuUZIaGemQDS8KeoEqJ2oCuyeih6dUPHnSZkFiqFIkO39WR4nvuMMnC6Nl0WmZWEyOmm+nCTlXrlSmSyrLJLMMRmlyZKpb0GaAtu3byTsaD/o39B4v0u0W/d4RGnMbuL5wKV2FUW/2y8oA+uxwqk6ymzqSZN8HwD8kdI+uBteEOVPd8LRC5XIpvm0JxqWODPqIUsvEerQ==
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:MN2PR00MB0686.namprd00.prod.outlook.com; PTR:; CAT:NONE; SFTY:; SFS:(4636009)(346002)(136003)(366004)(376002)(396003)(39860400002)(4326008)(55016002)(26005)(186003)(86362001)(82960400001)(82950400001)(2906002)(9686003)(966005)(53546011)(8990500004)(7696005)(71200400001)(6506007)(66556008)(64756008)(10290500003)(66946007)(478600001)(110136005)(54906003)(5660300002)(316002)(33656002)(66446008)(52536014)(66476007)(76116006)(8676002)(83380400001)(8936002); DIR:OUT; SFP:1102;
x-ms-exchange-antispam-messagedata: rYiQgX0wQ5zUlFLvAPx96u+16Iz976QBrb5P6WxLo4yln9BfLccQX3Qxq5P3eP7j+xu6fKglV4nTPMgEQOY/gugfd8/LwwS/6pso32LS02EWyisV/2ME+izWZ24FzPSaBCPBboshFlOuaRO6M0KOX6Mzw5KPsjADE6D/sabtXU8Wp8M4bmgmxoltcBeLr0dWRszQ3eh5bHYJS270XOsy1ouyDVfDdk7zHUKKicLK4Ym1UdRkthKq0xdRRXs3+ha0MLNzcvCszLJ7gY0T2h0q3l4LTJiu515yRFrxgvNdwtat5EPmlG84hY4H/hgdhfQNG3mT2Q3OL8EZXYcscFW7+4ph5IiB23QMXxp1iPUv4iMZmCFmsnrgQ5Z8bQBZzqH+FZZI8Vt4Y+wiVESIj5CFd3nfG05MkfYlkfTN6Wo9w34uOB++u670otBScZ+8qxhODRporfxzoM2nfgoRH2DCAYn2f4v6L8NgZgI5HYi7BuI=
x-ms-exchange-transport-forked: True
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-OriginatorOrg: microsoft.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 1ceff2dc-9b77-4200-3adf-08d80c0a7ea8
X-MS-Exchange-CrossTenant-originalarrivaltime: 09 Jun 2020 00:17:28.5223 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 72f988bf-86f1-41af-91ab-2d7cd011db47
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: 1yJptO9e31rFl1dYG7MmhCHAjiaTjP+JGKN3RUDMduG9xfMet0acLef1lvnLDzWH7VpjJqw+dr6yCoe9MoLx6g==
X-MS-Exchange-Transport-CrossTenantHeadersStamped: MN2PR00MB0558
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/oVLE-p-eRsFv4LHe1AeGphEWoiU>
Subject: Re: [secdir] Secdir last call review of draft-ietf-secevent-http-push-10
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 09 Jun 2020 00:17:36 -0000
Thanks for your useful review, Valery. I've attempted to address your comments in https://tools.ietf.org/html/draft-ietf-secevent-http-push-11. Replies are inline, prefixed by "Mike>". -----Original Message----- From: Valery Smyslov via Datatracker <noreply@ietf.org> Sent: Saturday, May 2, 2020 11:39 PM To: secdir@ietf.org Cc: last-call@ietf.org; draft-ietf-secevent-http-push.all@ietf.org; id-event@ietf.org Subject: Secdir last call review of draft-ietf-secevent-http-push-10 Reviewer: Valery Smyslov Review result: Has Issues I have reviewed this document as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG. These comments were written primarily for the benefit of the security area directors. Document editors and WG chairs should treat these comments just like any other last call comments. The document defines push-based Security Event Tokens (SET) delivery using HTTP transport. I think the document has few issues that are easy to fix. Major issue: 1. Section 5.1: In scenarios where HTTP authorization or TLS mutual authentication are not used or are considered weak, JWS signed SETs SHOULD be used (see [RFC7515] and Section 5 of [RFC8417]). I think this "SHOULD" is inconsistent with RFC8417, which states: Unless integrity of the JWT is ensured by other means, it MUST be signed using JWS [RFC7515] by an issuer that is trusted to do so for the use case so that the SET can be authenticated and validated by the SET recipient. If you believe that there are valid use-cases when unsigned SETs can be transferred over unauthenticated transport (violating MUST from RFC8417), then please describe them. Mike> In https://tools.ietf.org/html/draft-ietf-secevent-http-push-11#section-5.1, I removed the odd start of the sentence that you called out, leaving only an actionable statement that is consistent with RFC 8417. 2. Section 6. I think that Privacy Considerations lack discussion of what information an attacker can learn by analyzing HTTP responses if the HTTP connection is not protected by TLS. In this case even if the SET itself is encrypted, the attacker is able to get some useful information if it can read HTTP responses (e.g. if it is on the path). In particular, it can learn whether the SET is accepted or not and the reason for its rejection. Mike> I added a new paragraph at the end of the Privacy Considerations section https://tools.ietf.org/html/draft-ietf-secevent-http-push-11#section-6 to add this information. Minor issues: 1. Section 5.1: This [using JWS] enables the SET Recipient to validate that the SET Transmitter is authorized to deliver the SET. I think this sentence is formally wrong, because SET signature allows to identify SET Issuer, but not SET Transmitter. From my reading of the draft they can be different entities. The SET Transmitter in this case remains mostly anonymous. Mike> Thanks - corrected. 2. Section 5.2: As stated in Section 2.7.1 of [RFC7230], an HTTP requestor MUST NOT generate the "userinfo" (i.e., username and password) component (and its "@" delimiter) when an "http" URI reference is generated with a message, as they are now disallowed in HTTP. This requirement is already in RFC7230, so is there any need to repeat it? Is it related to security or to interoperability? In the latter case it's better to mention this requirement in Section 2.1. In the former case a few words explaining security implications of this requirement would help. Mike> I deleted this redundant statement. 3. Section 5.4: This may be mitigated by authenticating SET Transmitters with a mechanism with low runtime overhead, such as mutual TLS. I don't think that TLS can be attributed as "a mechanism with low runtime overhead" when you talk about DoS protection. TLS itself may be a target for DoS attacks, because server have to do quite a lot of computations before client presents its authentication information, which may be bogus. So, it has exactly the same problem you described earlier in this para. Mike> I deleted the "low runtime overhead" clause. 4. Section 6. In some cases, subject identifiers themselves may be considered sensitive information, such that their inclusion within a SET may be considered a violation of privacy. SET Transmitters should consider the ramifications of sharing a particular subject identifier with a SET Recipient (e.g., whether doing so could enable correlation and/or de-anonymization of data) and choose appropriate subject identifiers for their use cases. In my understanding of the draft SET Transmitters may be different entities from SET Issuers. I think it is SET Issuers who prepare SETs, not SET Transmitters. In general SET Transmitters don't know what's inside the SET (if JWE is used) and cannot modify it (if JWS is used). Mike> Good catch. I changed "SET Transmitters" to "SET Issuers". 5. (not related to security) Section 2.4: Implementations SHOULD expect that other Error Codes MAY also be received, as the set of Error Codes is extensible via the IANA "Security Event Token Delivery Error Codes" registry established in Section 7.1. I think that the normative "MAY is used improperly here and should be "may" instead. I also think that some words of what implementations should do with unknown error codes would help. Mike> Thanks - corrected. Nits: 1. Table 1 is difficult to read due to unusual text formatting within the cells. Mike> I'll work on this with the RFC editor, should it remain difficult to read when using xml2rfc v3 output. Thanks again, -- Mike
- [secdir] Secdir last call review of draft-ietf-se… Valery Smyslov via Datatracker
- Re: [secdir] Secdir last call review of draft-iet… Mike Jones