W3C home > Mailing lists > Public > ietf-http-wg@w3.org > July to September 2012

Re: Content security model

From: Grahame Grieve <grahame@healthintersections.com.au>
Date: Thu, 26 Jul 2012 01:05:59 +0000
Message-ID: <CAG47hGYa9ZSQZ-qW7C-m0a_73YWc9ZXG0Tpm6_C48GxYiLuViA@mail.gmail.com>
To: Phillip Hallam-Baker <hallam@gmail.com>
Cc: James French <jfrench@denirostaff.com>, "ietf-http-wg@w3.org Group" <ietf-http-wg@w3.org>
well, perhaps I should express my thinking like this:

   trust is not layered. it's all captured to either the intermediary
   or the server. I wish it were otherwise.

Grahame

On Thu, Jul 26, 2012 at 11:00 AM, Phillip Hallam-Baker <hallam@gmail.com> wrote:
> A trusted intermediary can do anything it likes and the recipient will
> accept the data (provided that the trusted intermediary
> re-authenticates it)
>
> Now the trusted intermediary may not be trustworthy, but that is a
> whole different thing entirely.
>
> On Wed, Jul 25, 2012 at 8:43 PM, Grahame Grieve <grahame@kestral.com.au> wrote:
>>> The objective should be to ensure that Web Services do not malfunction
>>> in the presence of intermediaries, not to require them to attempt to
>>> repair the damage.
>>
>> of course. But since we live in the real world too, we shouldn't prevent
>> their use to repair the damage.
>>
>>> Where security is concerned the problem is that either something is
>>> inside the authentication boundary or it is not. If it is inside the
>>> boundary it must not be modified in any way whatsoever if the
>>> integrity check is to work at all. If it is outside the boundary then
>>> the dispatch service should probably not see it at all lest it end up
>>> making assumptions that it is trustworthy.
>>
>> yes, quite. So currently there is a binary choice: you can have managed
>> interactions, or secure interactions. As you say, in an ideal world, we
>> would not need managed interactions (nor secure ones, really), But in
>> the real world we do live in, we very much need secure interactions, and
>> we also need managed ones. I'd like for the protocol to avoid making
>> this a binary choice, though it smells ugly to me.
>>
>>> What it comes down to is that intermediaries that modify HTTP messages
>>> can cause Web Services to stop working.
>>
>> oh yes, though they can also cause them to work in the first place.
>>
>>> Which is probably a good thing
>>> since it is rather unlikely that an intermediary that does not
>>> understand the semantics of the Web Service concerned is going to do
>>> anything other than introduce breakage or worse introduce a subtle
>>> error that it is not readily apparent.
>>
>> well, typically, in my world, the intermediary is a general purpose
>> toolkit introduced over the exchange with the express purpose of
>> bridging between two end-points that have very specific disagreements
>> about how things work. This is a common requirement when actually
>> integrating two off-the-shelf packages that both thought they'd implemented
>> the same semantics, but in actual case haven't. In the context of a
>> secure exchange, the general purpose toolkit gets to mount a MITM
>> attack on them too. This works until the end-to-end security becomes
>> part of the transaction semantics, at which point the MITM is no longer
>> transparent, and there is no way forward.
>>
>> Grahame
>>
>> p.s. this is obviously about application to application web services, and
>> the general argument doesn't make sense in a consumer web context.
>
>
>
> --
> Website: http://hallambaker.com/



-- 
-----
http://www.healthintersections.com.au /
grahame@healthintersections.com.au / +61 411 867 065
Received on Thursday, 26 July 2012 08:48:52 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Thursday, 26 July 2012 08:48:53 GMT