Re: [Secdispatch] Request for secdispatch time slot in Vancouver IETF: Client-Cert HTTP Header

Michael Richardson <mcr+ietf@sandelman.ca> Sun, 29 March 2020 22:13 UTC

Return-Path: <mcr+ietf@sandelman.ca>
X-Original-To: secdispatch@ietfa.amsl.com
Delivered-To: secdispatch@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 64E753A0E15 for <secdispatch@ietfa.amsl.com>; Sun, 29 Mar 2020 15:13:47 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.012
X-Spam-Level:
X-Spam-Status: No, score=0.012 tagged_above=-999 required=5 tests=[SPF_HELO_NONE=0.001, T_SPF_PERMERROR=0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id zvASmHotPigm for <secdispatch@ietfa.amsl.com>; Sun, 29 Mar 2020 15:13:45 -0700 (PDT)
Received: from tuna.sandelman.ca (tuna.sandelman.ca [IPv6:2607:f0b0:f:3:216:3eff:fe7c:d1f3]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 403E83A0E11 for <secdispatch@ietf.org>; Sun, 29 Mar 2020 15:13:44 -0700 (PDT)
Received: from sandelman.ca (obiwan.sandelman.ca [IPv6:2607:f0b0:f:2::247]) by tuna.sandelman.ca (Postfix) with ESMTP id B9EE63897D; Sun, 29 Mar 2020 18:12:11 -0400 (EDT)
Received: from localhost (localhost [IPv6:::1]) by sandelman.ca (Postfix) with ESMTP id A5981FC9; Sun, 29 Mar 2020 18:13:39 -0400 (EDT)
From: Michael Richardson <mcr+ietf@sandelman.ca>
To: Benjamin Kaduk <kaduk@mit.edu>, Eric Rescorla <ekr@rtfm.com>, IETF SecDispatch <secdispatch@ietf.org>, Brian Campbell <bcampbell=40pingidentity.com@dmarc.ietf.org>
In-Reply-To: <20200327193704.GQ50174@kduck.mit.edu>
References: <CA+k3eCTPisEFnxecjzpNAssSbTuUbUxQ+Hm+m+sjq__2Cpy9pg@mail.gmail.com> <CABcZeBPJO4j0KZk=zjopN2oEWLN-NrYRtKO=GuQ2e5CzH7=iPA@mail.gmail.com> <20200327193704.GQ50174@kduck.mit.edu>
X-Mailer: MH-E 8.6; nmh 1.7+dev; GNU Emacs 25.1.1
X-Face: $\n1pF)h^`}$H>Hk{L"x@)JS7<%Az}5RyS@k9X%29-lHB$Ti.V>2bi.~ehC0; <'$9xN5Ub# z!G,p`nR&p7Fz@^UXIn156S8.~^@MJ*mMsD7=QFeq%AL4m<nPbLgmtKK-5dC@#:k
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=-=-="; micalg=pgp-sha256; protocol="application/pgp-signature"
Date: Sun, 29 Mar 2020 18:13:39 -0400
Message-ID: <25595.1585520019@localhost>
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdispatch/zTz9LUXcqiXAJUXUnTtM-xjp2u8>
Subject: Re: [Secdispatch] Request for secdispatch time slot in Vancouver IETF: Client-Cert HTTP Header
X-BeenThere: secdispatch@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Security Dispatch <secdispatch.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdispatch>, <mailto:secdispatch-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdispatch/>
List-Post: <mailto:secdispatch@ietf.org>
List-Help: <mailto:secdispatch-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdispatch>, <mailto:secdispatch-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 29 Mar 2020 22:13:48 -0000

On Fri, Mar 27, 2020 at 10:21:17AM -0700, Eric Rescorla wrote:
    >> Overall, I agree that something like this is needed. However,
    >> I have two concerns about the mechanism described here.
    >>
    >> First, as you note in S B.1., if the header is not properly
    >> sanitized, there is a trivial attack and there are stronger
    >> mechanism that do not require sanitization:
    >>
    >> "Client-Cert" header that would appear to the backend to have come
    >> from the reverse proxy.  Although numerous other methods of
    >> detecting/preventing header injection are possible; such as the use
    >> of a unique secret value as part of the header name or value or the
    >> application of a signature, HMAC, or AEAD, there is no common general
    >> standardized mechanism.  The potential problem of client header
    >> injection is not at all unique to the functionality of this draft and
    >> it would therefor be inappropriate for this draft to define a one-off
    >> solution.  In the absence of a generic standardized solution existing
    >> currently, stripping/sanitizing the headers is the de facto means of
    >> protecting against header injection in practice today.  Sanitizing
    >>
    >> This seems like an odd argument to make: if a strong mechanism is
    >> in order, we should design one and make it generic, not just throw
    >> and continue to use weaker mechanisms.

I agree: it seems like we ought to make some kind of more generic mechanism.
It feels like we are creating a new reverse-proxy/framework channel.
The stupidest version I can imagine is two sets of HTTP headers... message/rfc822 like.

There are a bunch of such interfaces around already, and maybe we can do this
if we assume HTTP/2 here.

Benjamin Kaduk <kaduk@mit.edu> wrote:
    > Hmm, that requires the proxy to keep that state around (either locally or
    > in the resumption ticket).  Brainstorming, in TLS 1.3 one could also have
    > the application manage the authentication state by having the proxy not
    > issue tickets right at the handshake completion, and instead wait for the
    > application to return a blob to include in the ticket.  This would provide
    > a convenient excuse for adding a way to secure the proxy/backend channel,
    > with the proxy adding a header with a key fingerprint, and the backend
    > encrypting its response to that key, only if the key is whitelisted in the
    > application's configuration.  On the other hand, it's more moving

I think that you two have potentially given a reasonable technical reason why
this work is not as trivial as envisioned, and that we need to boil a bit
more water here, without an entire ocean.  That maybe it requires a
significant part of a WG, if not an entire WG.

It was mentioned that HTTPBIS plans to cleave of some pieces, but I don't
have the time to follow all of HTTPBIS...

--
Michael Richardson <mcr+IETF@sandelman.ca>ca>, Sandelman Software Works
 -= IPv6 IoT consulting =-