Re: [websec] Digest URI scheme
stephen.farrell@cs.tcd.ie Thu, 29 September 2011 21:58 UTC
Return-Path: <stephen.farrell@cs.tcd.ie>
X-Original-To: websec@ietfa.amsl.com
Delivered-To: websec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 54A5921F8ED6 for <websec@ietfa.amsl.com>; Thu, 29 Sep 2011 14:58:01 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -106.399
X-Spam-Level:
X-Spam-Status: No, score=-106.399 tagged_above=-999 required=5 tests=[AWL=0.200, BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 0w99fBRljX9F for <websec@ietfa.amsl.com>; Thu, 29 Sep 2011 14:58:00 -0700 (PDT)
Received: from scss.tcd.ie (hermes.cs.tcd.ie [134.226.32.56]) by ietfa.amsl.com (Postfix) with ESMTP id 1A36621F8B5C for <websec@ietf.org>; Thu, 29 Sep 2011 14:57:59 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by hermes.scss.tcd.ie (Postfix) with ESMTP id 24174171C64; Thu, 29 Sep 2011 23:00:48 +0100 (IST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cs.tcd.ie; h= content-transfer-encoding:content-type:mime-version:user-agent :reply-to:from:subject:date:references:in-reply-to:message-id :received:received:received:x-virus-scanned; s=cs; t=1317333640; bh=ZnxD6R8YgtYWZWXlYlr91tRYvqOn9QihhoPEJbJNk4U=; b=FLqCshTaA3+H eA8jKhZ4i4a+QDvXBfKCKLPKnBO6ON697fB/KvybMVZkldcj0Q5npSlrgXnWqABd 9iggoOxifjw/l9GQvVpAq8I5n9Bf/rNFLPf033WokE7zzc86FhFtz+vQgYmHWeVU dFLyiLYcvFZy6XQLm6wEZ4J3DFXnMHIaAW/TW7WBBhk7520YctlElIqfhfuKOgf5 vMFgUuTvHdmS4T2xKtRD31ZGuHM0+T19+kh9b3ZAXAYbFea69oYyFgs4fTyZJiqh yWmhmly3wJuRmgAL3h6c/xkHzDXZ3H4EWcQhakcHSU/++QL27RhTr06YCsIbUVzR alv862oGtA==
X-Virus-Scanned: Debian amavisd-new at scss.tcd.ie
Received: from scss.tcd.ie ([127.0.0.1]) by localhost (scss.tcd.ie [127.0.0.1]) (amavisd-new, port 10027) with ESMTP id Ks3g7uG2xNIg; Thu, 29 Sep 2011 23:00:40 +0100 (IST)
Received: from webmail.scss.tcd.ie (localhost [127.0.0.1]) by smtp.scss.tcd.ie (Postfix) with ESMTP id 3FFF2171C62; Thu, 29 Sep 2011 23:00:40 +0100 (IST)
Received: from 200.129.163.17 (SquirrelMail authenticated user sfarrel6) by webmail.scss.tcd.ie with HTTP; Thu, 29 Sep 2011 23:00:40 +0100 (IST)
Message-ID: <7bd9badd19e0e9296750117013a93aa0.squirrel@webmail.scss.tcd.ie>
In-Reply-To: <CAMm+LwjrW=yZCfvsqtBP48ZYJ=-XHMxCGaX=4-+vicetPbLGxQ@mail.gmail.com>
References: <CAMm+LwjrW=yZCfvsqtBP48ZYJ=-XHMxCGaX=4-+vicetPbLGxQ@mail.gmail.com>
Date: Thu, 29 Sep 2011 23:00:40 +0100
From: stephen.farrell@cs.tcd.ie
To: Phillip Hallam-Baker <hallam@gmail.com>
User-Agent: SquirrelMail/1.4.15
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 8bit
X-Priority: 3 (Normal)
Importance: Normal
Cc: websec <websec@ietf.org>
Subject: Re: [websec] Digest URI scheme
X-BeenThere: websec@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
Reply-To: stephen.farrell@cs.tcd.ie
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/websec>, <mailto:websec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/websec>
List-Post: <mailto:websec@ietf.org>
List-Help: <mailto:websec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/websec>, <mailto:websec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 29 Sep 2011 21:58:01 -0000
<no hats> I agree with the motivation but not the design. A while ago I posted my idea for a design for this. [1] It may become a work item for the DECADE WG, ... or not, we'll see. S. [1] http://tools.ietf.org/html/draft-farrell-ni-00 > As I mentioned previously, the need to refer to a static data object > by means of a digest comes up frequently. Rather than re-invent the > mechanism for creating a reference each time we need one, it would be > better if we had a single format that could be re-used. > > We used to have this back in the days when we trusted MD5 since we > used that everywhere as a 'fingerprint'. Then things got muddy after > the Dobertin attack and it became SHA1 and MD5. With SHA2 vs SHA3 it > will be very muddy. > > This would be relevant to the cert pinning debate. > > > I wrote a draft making the proposal: > > http://www.ietf.org/id/draft-hallambaker-digesturi-00.txt > > > On the digest front the objective would be to make it possible to use > the URI format with any digest at all in theory but strongly encourage > people to only use the digests IETF is confident in. Use of OIDs as > the identifier has the nice property that anyone can get an identifier > to distinguish their algorithm from other people's but getting an OID > does not produce any paper trail that can be used to imply an IETF > endorsement. > > We could add in support for the text based identifiers as well, but > since the only identifiers that I would want to encourage are SHA2 and > SHA3, I don't see a need. For all applications that make sense it is > going to be perfectly OK to simply generate the prefix for the > identifier part as a static array of octets and append / verify it as > such whenever it is needed. I do not see any need to write ASN.1 > handling code for these apps :-) > > > The basic idea here is that we need to allow for algorithm agility and > to prevent a content substitution attack. So imagine that we have web > page A linking to some off site static content via a digest. Site A > regards the static content as a PNG and has checked out the page and > it works fine. What they don't know is that buried in the PNG there is > some malicious Jscript and if the content server delivers it as > application/script the result will be a series of syntax errors (that > are silently ignored because the app is stupid) and then it finds the > malicious code... ooops. > > OK, so maybe not an attack that you find to be a worry in every > circumstance, but it is definitely an attack vector we should address > in a general purpose crypto building block. > > > Having produced a static building block like this it is very easy to > generate a fingerprint for a static data object in a cut and paste > ready format. I don't need a separate tool to generate digest > identifiers for WebSec vs other applications. In terms of ease of use > we get back to what things were like when we used MD5 fingerprints. > > It is also quite easy to make use of truncated fingerprints should > that be necessary. For example, to put on a business card. > > -- > Website: http://hallambaker.com/ > _______________________________________________ > websec mailing list > websec@ietf.org > https://www.ietf.org/mailman/listinfo/websec >
- [websec] Digest URI scheme Phillip Hallam-Baker
- Re: [websec] Digest URI scheme Paul Hoffman
- Re: [websec] Digest URI scheme Manger, James H
- Re: [websec] Digest URI scheme Bjoern Hoehrmann
- Re: [websec] Digest URI scheme Bjoern Hoehrmann
- Re: [websec] Digest URI scheme Gervase Markham
- Re: [websec] Digest URI scheme Martin J. Dürst
- Re: [websec] Digest URI scheme Tobias Gondrom
- Re: [websec] Digest URI scheme Phillip Hallam-Baker
- Re: [websec] Digest URI scheme Phillip Hallam-Baker
- Re: [websec] Digest URI scheme Phillip Hallam-Baker
- [websec] Content type (was: Re: Digest URI scheme) Paul Hoffman
- Re: [websec] Digest URI scheme Paul Hoffman
- Re: [websec] Digest URI scheme Tobias Gondrom
- Re: [websec] Digest URI scheme stephen.farrell
- Re: [websec] Digest URI scheme Phillip Hallam-Baker
- Re: [websec] Digest URI scheme stephen.farrell
- Re: [websec] Digest URI scheme Tobias Gondrom
- Re: [websec] Digest URI scheme Martin J. Dürst
- Re: [websec] Digest URI scheme Martin J. Dürst
- Re: [websec] Digest URI scheme Julian Reschke
- Re: [websec] Digest URI scheme Phillip Hallam-Baker
- Re: [websec] Digest URI scheme Phillip Hallam-Baker
- Re: [websec] Digest URI scheme Paul Hoffman
- Re: [websec] Digest URI scheme Phillip Hallam-Baker
- Re: [websec] Digest URI scheme Paul Hoffman
- Re: [websec] Digest URI scheme Phillip Hallam-Baker
- Re: [websec] Digest URI scheme Paul Hoffman
- Re: [websec] Digest URI scheme Phillip Hallam-Baker
- Re: [websec] Digest URI scheme Bjoern Hoehrmann
- Re: [websec] Digest URI scheme Bjoern Hoehrmann
- Re: [websec] Digest URI scheme Phillip Hallam-Baker
- Re: [websec] Digest URI scheme Bjoern Hoehrmann
- Re: [websec] Digest URI scheme Phillip Hallam-Baker
- Re: [websec] Digest URI scheme Bjoern Hoehrmann
- Re: [websec] Digest URI scheme Phillip Hallam-Baker
- Re: [websec] Digest URI scheme Martin J. Dürst
- Re: [websec] Digest URI scheme Martin J. Dürst
- Re: [websec] Digest URI scheme Phillip Hallam-Baker
- Re: [websec] Digest URI scheme Julian Reschke
- Re: [websec] Digest URI scheme Phillip Hallam-Baker