Re: [websec] I-D Action: draft-nir-websec-extended-origin-00.txt

Adam Barth <ietf@adambarth.com> Sun, 26 February 2012 17:54 UTC

To: Yoav Nir <ynir@checkpoint.com>
Cc: IETF WebSec WG <websec@ietf.org>

2012/2/26 Yoav Nir <ynir@checkpoint.com>:
>
> On Feb 24, 2012, at 1:35 AM, Manger, James H wrote:
>
>> The scheme that you propose (a.sslvpn.example.com, b.sslvpn.example.com,
>> etc.) really does work. In fact, the product that my company makes offers
>> this as an option.
>
> Good to hear.
>
>> Sadly, our customers don't like it, hence the other option.  Using
>> multiple FQDNs requires them either to buy multiple certificates or a
>> wildcard certificate; both options are more expensive. Additionally, this
>> requires them to add multiple DNS records, which for some reason they find
>> cumbersome.
>
> Not sure that that is a good enough reason to introduce extended origins.
>
>
> I checked the products of some of our competitors, and they seem to also
> offer both options. IMHO the cost and complexity of deployment for the user
> are valid considerations for engineering.
>
> In this case, the cost is incurred not because of technical necessity but
> because of the way browsers work with commercial CAs - that wildcard
> certificates are more expensive, and multiple certificates are also more
> expensive.  Regardless, the cost and complexity are real.
>
> I hope to have a -01 draft ready in time, which will address your other
> point.
>
> Thanks again for the review.

Frankly, your proposal is very unlikely to be implemented.  The
engineering effort required to implement it is quite large, if it's even
possible.  Consider, for example, that beyond just changing the
browser, you'd also need to change Flash, Java, and every other
plug-in that implements the same-origin policy.

In addition to that complexity, there are many assumptions in browsers
and in the software that surrounds browsers that origins are
determined by URL.  Your proposal breaks that assumption.

Adam
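An added illustration of the point that browsers derive the origin from the URL alone (example code written for this archive page, not part of the thread or of the draft): it computes the RFC 6454 scheme/host/port tuple with the WHATWG URL parser and shows that separate host names such as a.sslvpn.example.com and b.sslvpn.example.com are distinct origins, whereas path prefixes under a single host share one origin. The host names and paths are constructed samples.

```javascript
// Added example: RFC 6454 origin computation from a URL, written for this
// page (not code from the thread or the draft). Sample hosts are constructed.
const DEFAULT_PORTS = { "http:": 80, "https:": 443, "ws:": 80, "wss:": 443 };

// Origin tuple (scheme, host, port) of a URL. Schemes without a network
// authority (data:, file:, ...) get an opaque origin, returned here as null.
function originOf(urlString) {
  const u = new URL(urlString);
  if (!Object.prototype.hasOwnProperty.call(DEFAULT_PORTS, u.protocol)) {
    return null;
  }
  // The URL parser already lower-cases the host and drops a default port.
  const port = u.port === "" ? DEFAULT_PORTS[u.protocol] : Number(u.port);
  return { scheme: u.protocol.slice(0, -1), host: u.hostname, port };
}

// Same-origin test: all three tuple fields must match. Nothing in the URL
// beyond scheme, host and port (path, query, fragment) takes part.
function sameOrigin(a, b) {
  const oa = originOf(a);
  const ob = originOf(b);
  if (oa === null || ob === null) return false; // opaque origins never match
  return oa.scheme === ob.scheme && oa.host === ob.host && oa.port === ob.port;
}

// Constructed cases mirroring the thread: per-application host names versus
// per-application path prefixes on one gateway host.
const CASES = [
  ["https://a.sslvpn.example.com/app/", "https://b.sslvpn.example.com/app/"],
  ["https://sslvpn.example.com/a/", "https://sslvpn.example.com/b/"],
  ["https://sslvpn.example.com:443/a/", "https://SSLVPN.example.com/b/"],
  ["http://sslvpn.example.com/a/", "https://sslvpn.example.com/a/"],
];

function report() {
  return CASES.map(([a, b]) => `${a} vs ${b}: ${sameOrigin(a, b)}`);
}

for (const line of report()) console.log(line);
```

The second and third cases are the situation the draft tried to change: a single gateway host with several applications under different paths is one origin to the browser, and a default port or host-name case difference does not create a second one.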