Re: [Secdispatch] Request for secdispatch time slot in Vancouver IETF: Client-Cert HTTP Header
Michael Richardson <mcr+ietf@sandelman.ca> Sun, 29 March 2020 22:13 UTC
Return-Path: <mcr+ietf@sandelman.ca>
X-Original-To: secdispatch@ietfa.amsl.com
Delivered-To: secdispatch@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 64E753A0E15 for <secdispatch@ietfa.amsl.com>; Sun, 29 Mar 2020 15:13:47 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.012
X-Spam-Level:
X-Spam-Status: No, score=0.012 tagged_above=-999 required=5 tests=[SPF_HELO_NONE=0.001, T_SPF_PERMERROR=0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id zvASmHotPigm for <secdispatch@ietfa.amsl.com>; Sun, 29 Mar 2020 15:13:45 -0700 (PDT)
Received: from tuna.sandelman.ca (tuna.sandelman.ca [IPv6:2607:f0b0:f:3:216:3eff:fe7c:d1f3]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 403E83A0E11 for <secdispatch@ietf.org>; Sun, 29 Mar 2020 15:13:44 -0700 (PDT)
Received: from sandelman.ca (obiwan.sandelman.ca [IPv6:2607:f0b0:f:2::247]) by tuna.sandelman.ca (Postfix) with ESMTP id B9EE63897D; Sun, 29 Mar 2020 18:12:11 -0400 (EDT)
Received: from localhost (localhost [IPv6:::1]) by sandelman.ca (Postfix) with ESMTP id A5981FC9; Sun, 29 Mar 2020 18:13:39 -0400 (EDT)
From: Michael Richardson <mcr+ietf@sandelman.ca>
To: Benjamin Kaduk <kaduk@mit.edu>, Eric Rescorla <ekr@rtfm.com>, IETF SecDispatch <secdispatch@ietf.org>, Brian Campbell <bcampbell=40pingidentity.com@dmarc.ietf.org>
In-Reply-To: <20200327193704.GQ50174@kduck.mit.edu>
References: <CA+k3eCTPisEFnxecjzpNAssSbTuUbUxQ+Hm+m+sjq__2Cpy9pg@mail.gmail.com> <CABcZeBPJO4j0KZk=zjopN2oEWLN-NrYRtKO=GuQ2e5CzH7=iPA@mail.gmail.com> <20200327193704.GQ50174@kduck.mit.edu>
X-Mailer: MH-E 8.6; nmh 1.7+dev; GNU Emacs 25.1.1
X-Face: $\n1pF)h^`}$H>Hk{L"x@)JS7<%Az}5RyS@k9X%29-lHB$Ti.V>2bi.~ehC0; <'$9xN5Ub# z!G,p`nR&p7Fz@^UXIn156S8.~^@MJ*mMsD7=QFeq%AL4m<nPbLgmtKK-5dC@#:k
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=-=-="; micalg="pgp-sha256"; protocol="application/pgp-signature"
Date: Sun, 29 Mar 2020 18:13:39 -0400
Message-ID: <25595.1585520019@localhost>
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdispatch/zTz9LUXcqiXAJUXUnTtM-xjp2u8>
Subject: Re: [Secdispatch] Request for secdispatch time slot in Vancouver IETF: Client-Cert HTTP Header
X-BeenThere: secdispatch@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Security Dispatch <secdispatch.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdispatch>, <mailto:secdispatch-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdispatch/>
List-Post: <mailto:secdispatch@ietf.org>
List-Help: <mailto:secdispatch-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdispatch>, <mailto:secdispatch-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 29 Mar 2020 22:13:48 -0000
On Fri, Mar 27, 2020 at 10:21:17AM -0700, Eric Rescorla wrote: >> Overall, I agree that something like this is needed. However, >> I have two concerns about the mechanism described here. >> >> First, as you note in S B.1., if the header is not properly >> sanitized, there is a trivial attack and there are stronger >> mechanism that do not require sanitization: >> >> "Client-Cert" header that would appear to the backend to have come >> from the reverse proxy. Although numerous other methods of >> detecting/preventing header injection are possible; such as the use >> of a unique secret value as part of the header name or value or the >> application of a signature, HMAC, or AEAD, there is no common general >> standardized mechanism. The potential problem of client header >> injection is not at all unique to the functionality of this draft and >> it would therefor be inappropriate for this draft to define a one-off >> solution. In the absence of a generic standardized solution existing >> currently, stripping/sanitizing the headers is the de facto means of >> protecting against header injection in practice today. Sanitizing >> >> This seems like an odd argument to make: if a strong mechanism is >> in order, we should design one and make it generic, not just throw >> and continue to use weaker mechanisms. I agree: it seems like we ought to make some kind of more generic mechanism. It feels like we are creating a new reverse-proxy/framework channel. The stupidest version I can imagine is two sets of HTTP headers... message/rfc822 like. There are a bunch of such interfaces around already, and maybe we can do this if we assume HTTP/2 here. Benjamin Kaduk <kaduk@mit.edu> wrote: > Hmm, that requires the proxy to keep that state around (either locally or > in the resumption ticket). Brainstorming, in TLS 1.3 one could also have > the application manage the authentication state by having the proxy not > issue tickets right at the handshake completion, and instead wait for the > application to return a blob to include in the ticket. This would provide > a convenient excuse for adding a way to secure the proxy/backend channel, > with the proxy adding a header with a key fingerprint, and the backend > encrypting its response to that key, only if the key is whitelisted in the > application's configuration. On the other hand, it's more moving I think that you two have potentially given a reasonable technical reason why this work is not as trivial as envisioned, and that we need to boil a bit more water here, without an entire ocean. That maybe it requires a significant part of a WG, if not an entire WG. It was mentioned that HTTPBIS plans to cleave of some pieces, but I don't have the time to follow all of HTTPBIS... -- Michael Richardson <mcr+IETF@sandelman.ca>, Sandelman Software Works -= IPv6 IoT consulting =-
- [Secdispatch] Request for secdispatch time slot i… Brian Campbell
- Re: [Secdispatch] Request for secdispatch time sl… Michael Richardson
- Re: [Secdispatch] Request for secdispatch time sl… Eric Rescorla
- Re: [Secdispatch] Request for secdispatch time sl… Benjamin Kaduk
- Re: [Secdispatch] Request for secdispatch time sl… Mohit Sethi M
- Re: [Secdispatch] Request for secdispatch time sl… Michael Richardson
- Re: [Secdispatch] Request for secdispatch time sl… Brian Campbell
- Re: [Secdispatch] Request for secdispatch time sl… Brian Campbell
- Re: [Secdispatch] Request for secdispatch time sl… Eric Rescorla
- Re: [Secdispatch] Request for secdispatch time sl… Salz, Rich
- Re: [Secdispatch] Request for secdispatch time sl… Eric Rescorla
- Re: [Secdispatch] Request for secdispatch time sl… Salz, Rich
- Re: [Secdispatch] Request for secdispatch time sl… Michael Richardson
- Re: [Secdispatch] Request for secdispatch time sl… Eric Rescorla
- Re: [Secdispatch] Request for secdispatch time sl… Salz, Rich
- Re: [Secdispatch] Request for secdispatch time sl… Brian Campbell
- Re: [Secdispatch] Request for secdispatch time sl… Brian Campbell
- Re: [Secdispatch] Request for secdispatch time sl… Eric Rescorla