[Webpush] Eric Rescorla's Discuss on draft-ietf-webpush-vapid-03: (with DISCUSS and COMMENT)
Eric Rescorla <ekr@rtfm.com> Tue, 15 August 2017 23:42 UTC
Return-Path: <ekr@rtfm.com>
X-Original-To: webpush@ietf.org
Delivered-To: webpush@ietfa.amsl.com
Received: from ietfa.amsl.com (localhost [IPv6:::1]) by ietfa.amsl.com (Postfix) with ESMTP id F2EF3132666; Tue, 15 Aug 2017 16:42:29 -0700 (PDT)
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 8bit
From: Eric Rescorla <ekr@rtfm.com>
To: The IESG <iesg@ietf.org>
Cc: draft-ietf-webpush-vapid@ietf.org, Phil Sorber <sorber@apache.org>, webpush-chairs@ietf.org, sorber@apache.org, webpush@ietf.org
X-Test-IDTracker: no
X-IETF-IDTracker: 6.58.0
Auto-Submitted: auto-generated
Precedence: bulk
Message-ID: <150284054989.12518.11340069078773708886.idtracker@ietfa.amsl.com>
Date: Tue, 15 Aug 2017 16:42:29 -0700
Archived-At: <https://mailarchive.ietf.org/arch/msg/webpush/HYW9NcUioQo5X2Np-d2hjCzB1Fo>
Subject: [Webpush] Eric Rescorla's Discuss on draft-ietf-webpush-vapid-03: (with DISCUSS and COMMENT)
X-BeenThere: webpush@ietf.org
X-Mailman-Version: 2.1.22
List-Id: Discussion of potential IETF work on a web push protocol <webpush.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/webpush>, <mailto:webpush-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/webpush/>
List-Post: <mailto:webpush@ietf.org>
List-Help: <mailto:webpush-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/webpush>, <mailto:webpush-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 15 Aug 2017 23:42:30 -0000
Eric Rescorla has entered the following ballot position for draft-ietf-webpush-vapid-03: Discuss When responding, please keep the subject line intact and reply to all email addresses included in the To and CC lines. (Feel free to cut this introductory paragraph, however.) Please refer to https://www.ietf.org/iesg/statement/discuss-criteria.html for more information about IESG DISCUSS and COMMENT positions. The document, along with other ballot positions, can be found here: https://datatracker.ietf.org/doc/draft-ietf-webpush-vapid/ ---------------------------------------------------------------------- DISCUSS: ---------------------------------------------------------------------- This design seems to have the unfortunate security property that the JWT is really just a bearer token. The only reason it has to involve public key cryptography at all is to allow the push cient to refer to the public key when it makes a subscription. However, as the Security Considerations acknowledge, this allows a cut-and-paste attack (more than just replay) by an attacker who acquires any JWT, because it does not include the message itself. The primary motivation for this appears to be to minimize CPU cost on the push service. However, there are designs which do this without allowing replay. For instance: - Have the push service have a static public key K_svc which is published to application servers (e.g., via well-known). - In order to form the JWT, have the application server generate a fresh DH key K_app, which is embedded in the JWT. - The message which the app server sends to the push service is then MACed with the DH shared secret Z. This removes the cut-and-paste attack (though of course replay attacks are still possible) unless the push service keeps a replay cache. The replay service can trivially amortize the DH computation (it has to amortize the signature verification in any case to get any computational benefit) but it's soft state, so it can just forget it at any time. Ultimately, this is a WG decision, but given that there are designs with much better security properties, I'd like to know that the WG considered and rejected this kind of design alternative before we advance the weaker design. ---------------------------------------------------------------------- COMMENT: ---------------------------------------------------------------------- Abstract This identification information can be used to restrict the use of a push subscription a single application server. to a single S 1. Additionally, this design also relies on endpoint secrecy as any application server in possession of the endpoint is able to send messages, albeit without payloads. In situations where usage of a subscription can be limited to a single application server, the ability to associate a subscription with the application server could reduce the impact of a data leak. I don't understand this text. S 1.2 The words "MUST", "MUST NOT", "SHOULD", and "MAY" are used in this document. It’s not shouting, when they are capitalized, they have the special meaning described in [RFC2119]. This seems over-cute. We now have a document that describes this convention. S 2. This JWT is included in an Authorization header field, using an auth- scheme of "vapid". A push service MAY reject a request with a 403 (Forbidden) status code [RFC7235] if the JWT signature or its claims are invalid. Given that "vapid" is tied to "P-256" it seems like it would be better to rename this "vapid-p256" S 4.2. When a push subscription has been associated with an application server, the request for push message delivery MUST include proof of possession for the associated private key that was used when creating the push subscription. This really isn't a proof of possession, as the Security Considerations makes clear. S 5. You should call out that the email address is just a bare assertion.
- [Webpush] Eric Rescorla's Discuss on draft-ietf-w… Eric Rescorla
- Re: [Webpush] Eric Rescorla's Discuss on draft-ie… Martin Thomson
- Re: [Webpush] Eric Rescorla's Discuss on draft-ie… Eric Rescorla
- Re: [Webpush] Eric Rescorla's Discuss on draft-ie… Ben Campbell
- Re: [Webpush] Eric Rescorla's Discuss on draft-ie… Adam Roach
- Re: [Webpush] Eric Rescorla's Discuss on draft-ie… Martin Thomson
- [Webpush] Breaking Changes (was Re: Eric Rescorla… Adam Roach
- Re: [Webpush] Breaking Changes (was Re: Eric Resc… Martin Thomson
- Re: [Webpush] Eric Rescorla's Discuss on draft-ie… Eric Rescorla
- Re: [Webpush] Breaking Changes (was Re: Eric Resc… Ben Campbell
- Re: [Webpush] Breaking Changes (was Re: Eric Resc… Ben Campbell
- Re: [Webpush] Eric Rescorla's Discuss on draft-ie… jr conlin
- Re: [Webpush] Breaking Changes (was Re: Eric Resc… Ted Hardie
- Re: [Webpush] Eric Rescorla's Discuss on draft-ie… Martin Thomson