W3C home > Mailing lists > Public > ietf-http-wg@w3.org > January to March 2016

RE: FW: New Version Notification for draft-thomson-http2-client-certs-01.txt

From: Mike Bishop <Michael.Bishop@microsoft.com>
Date: Wed, 27 Jan 2016 23:01:13 +0000
To: "ilariliusvaara@welho.com" <ilariliusvaara@welho.com>
CC: Martin Thomson <martin.thomson@gmail.com>, HTTP Working Group <ietf-http-wg@w3.org>
Message-ID: <CY1PR03MB1374BE68A92BACD8FA24A70087D90@CY1PR03MB1374.namprd03.prod.outlook.com>
Require EMS:  https://github.com/MikeBishop/http2-client-certs/commit/dfa59df62aec64044a407b0e8f67704e8eb91981

Smaller export:  https://github.com/MikeBishop/http2-client-certs/commit/3880e6069480523fcdfa6130fd28bc26ff6ebe9f

Cautions on AUTOMATIC_USE:  https://github.com/MikeBishop/http2-client-certs/commit/f1479486149e3d815662358d60d7be0bd877952c


I'm not doing the signature/hash changes quite yet, because I'm not sure what we want to restrict.

-----Original Message-----
From: ilariliusvaara@welho.com [mailto:ilariliusvaara@welho.com] 
Sent: Wednesday, January 27, 2016 12:48 AM
To: Mike Bishop <Michael.Bishop@microsoft.com>
Cc: Martin Thomson <martin.thomson@gmail.com>; HTTP Working Group <ietf-http-wg@w3.org>
Subject: Re: FW: New Version Notification for draft-thomson-http2-client-certs-01.txt

On Wed, Jan 27, 2016 at 12:00:36AM +0000, Mike Bishop wrote:
> I believe the other comment is also around AUTOMATIC_USE, since both 
> occurrences of "future streams" are in that context.  Basically, it 
> means any future stream on which the server would have made the same 
> request, the server can just use the provided cert and not burn an RTT 
> asking.

And requests where that cert is inapporiate MUST NOT made on that connection.

Also, can it apply to streams that are none of:
1) The stream AUTOMATIC_USE is sent on
2) Stream in IDLE.
3) Stream in PUSH_PROMISE

At the time AUTOMATIC_USE is sent?

If yes, that would be a nasty surprise...

> Yes, the client loses visibility into whether the cert has been used, 
> and loses the ability to *not* use the cert if it chooses.  That's a 
> trade-off the client can make -- if it wants to retain those 
> capabilities (at the expense of 1 RTT per request), it just doesn't 
> set AUTOMATIC_USE.

I don't think server chosing to ignore cert is a problem, as it is equivalent to cert just provoding no privilege at all. But using a cert that should not be used is a *serious* security problem in presence of more than 2 parties (like in Web (but Web is far from being the only place where security problems happen)).

> The client makes the call -- and as Martin points out, it's 
> state-changing for the connection.  Once you AUTOMATIC_USE a 
> certificate, the server MAY apply it to any future request you make on the connection.
> If you change your mind later, new connection (and presumably GOAWAY 
> the old one).

Actually, in many cases where one would want to revoke certificate use, the old connection is not GOAWAY'd as it still might be useful.

> As to requiring EMS,

Basically, if you don't require EMS, maliscous server can hijack autenticated connection and misuse the certificates. HTTP/2 TLS use guidelines don't even come close to being able to prevent attacks like this.

> reducing exporter, and appropriate HashAndSignature algorithms, I'll 
> defer to those with more expertise in TLS-land.

Basically, I favor dropping insecure or excessively weak algorithms from new specifications or versions, even at severe cost to deploy- ability. We have gotten burned *far* too many times from not doing that, and *will* get burned in future if we continue allowing those.



-Ilari
Received on Wednesday, 27 January 2016 23:01:47 UTC

This archive was generated by hypermail 2.3.1 : Tuesday, 22 March 2016 12:47:11 UTC