[Webpush] Eric Rescorla's Discuss on draft-ietf-webpush-vapid-03: (with DISCUSS and COMMENT)

Eric Rescorla <ekr@rtfm.com> Tue, 15 August 2017 23:42 UTC

Return-Path: <ekr@rtfm.com>
X-Original-To: webpush@ietf.org
Delivered-To: webpush@ietfa.amsl.com
Received: from ietfa.amsl.com (localhost [IPv6:::1]) by ietfa.amsl.com (Postfix) with ESMTP id F2EF3132666; Tue, 15 Aug 2017 16:42:29 -0700 (PDT)
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 8bit
From: Eric Rescorla <ekr@rtfm.com>
To: The IESG <iesg@ietf.org>
Cc: draft-ietf-webpush-vapid@ietf.org, Phil Sorber <sorber@apache.org>, webpush-chairs@ietf.org, sorber@apache.org, webpush@ietf.org
X-Test-IDTracker: no
X-IETF-IDTracker: 6.58.0
Auto-Submitted: auto-generated
Precedence: bulk
Message-ID: <150284054989.12518.11340069078773708886.idtracker@ietfa.amsl.com>
Date: Tue, 15 Aug 2017 16:42:29 -0700
Archived-At: <https://mailarchive.ietf.org/arch/msg/webpush/HYW9NcUioQo5X2Np-d2hjCzB1Fo>
Subject: [Webpush] Eric Rescorla's Discuss on draft-ietf-webpush-vapid-03: (with DISCUSS and COMMENT)
X-BeenThere: webpush@ietf.org
X-Mailman-Version: 2.1.22
List-Id: Discussion of potential IETF work on a web push protocol <webpush.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/webpush>, <mailto:webpush-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/webpush/>
List-Post: <mailto:webpush@ietf.org>
List-Help: <mailto:webpush-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/webpush>, <mailto:webpush-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 15 Aug 2017 23:42:30 -0000

Eric Rescorla has entered the following ballot position for
draft-ietf-webpush-vapid-03: Discuss

When responding, please keep the subject line intact and reply to all
email addresses included in the To and CC lines. (Feel free to cut this
introductory paragraph, however.)


Please refer to https://www.ietf.org/iesg/statement/discuss-criteria.html
for more information about IESG DISCUSS and COMMENT positions.


The document, along with other ballot positions, can be found here:
https://datatracker.ietf.org/doc/draft-ietf-webpush-vapid/



----------------------------------------------------------------------
DISCUSS:
----------------------------------------------------------------------

This design seems to have the unfortunate security property that the
JWT is really just a bearer token. The only reason it has to involve
public key cryptography at all is to allow the push cient to refer to
the public key when it makes a subscription. However, as the
Security Considerations acknowledge, this allows a cut-and-paste attack
(more than just replay) by an attacker who acquires any JWT,
because it does not include the message itself.

The primary motivation for this appears to be to minimize CPU cost
on the push service. However, there are designs which do this
without allowing replay. For instance:

- Have the push service have a static public key K_svc which
  is published to application servers (e.g., via well-known).
- In order to form the JWT, have the application server generate
  a fresh DH key K_app, which is embedded in the JWT.
- The message which the app server sends to the push service
  is then MACed with the DH shared secret Z.

This removes the cut-and-paste attack (though of course replay
attacks are still possible) unless the push service keeps a replay
cache. The replay service can trivially amortize the DH computation
(it has to amortize the signature verification in any case to
get any computational benefit) but it's soft state, so it can
just forget it at any time.

Ultimately, this is a WG decision, but given that there are designs
with much better security properties, I'd like to know that the WG
considered and rejected this kind of design alternative before
we advance the weaker design.


----------------------------------------------------------------------
COMMENT:
----------------------------------------------------------------------

Abstract
   This identification information can be used to restrict the use of a
   push subscription a single application server.

to a single


S 1.
   Additionally, this design also relies on endpoint secrecy as any
   application server in possession of the endpoint is able to send
   messages, albeit without payloads.  In situations where usage of a
   subscription can be limited to a single application server, the
   ability to associate a subscription with the application server could
   reduce the impact of a data leak.

I don't understand this text.


S 1.2
   The words "MUST", "MUST NOT", "SHOULD", and "MAY" are used in this
   document.  It’s not shouting, when they are capitalized, they have
   the special meaning described in [RFC2119].

This seems over-cute. We now have a document that describes this
convention.


S 2.
   This JWT is included in an Authorization header field, using an auth-
   scheme of "vapid".  A push service MAY reject a request with a 403
   (Forbidden) status code [RFC7235] if the JWT signature or its claims
   are invalid.

Given that "vapid" is tied to "P-256" it seems like it would be better
to rename this "vapid-p256"


S 4.2.
   When a push subscription has been associated with an application
   server, the request for push message delivery MUST include proof of
   possession for the associated private key that was used when creating
   the push subscription.

This really isn't a proof of possession, as the Security Considerations
makes clear.


S 5.
You should call out that the email address is just a bare assertion.