Re: Adam Roach's No Objection on draft-ietf-httpbis-origin-frame-04: (with COMMENT) from Mark Nottingham on 2018-01-10 (ietf-http-wg@w3.org from January to March 2018)

From: Mark Nottingham <mnot@mnot.net>
Date: Thu, 11 Jan 2018 07:28:15 +1100
To: Adam Roach <adam@nostrum.com>
Cc: The IESG <iesg@ietf.org>, draft-ietf-httpbis-origin-frame@ietf.org, Patrick McManus <mcmanus@ducksong.com>, HTTP Working Group <ietf-http-wg@w3.org>
Message-Id: <EFC272DB-408E-461D-B00B-C59ED26725BD@mnot.net>
> On 11 Jan 2018, at 3:04 am, Adam Roach <adam@nostrum.com> wrote:
> 
> On 1/9/18 9:01 PM, Mark Nottingham wrote:
>> Hi Adam,
>> 
>>> On 10 Jan 2018, at 12:34 pm, Adam Roach <adam@nostrum.com> wrote:
>>> 
>>> This seems a good mechanism overall. The security property of no longer
>>> requiring DNS checks seems a slight bit troublesome, as it (as the draft
>>> acknowledges) makes mounting an attack significantly easier: all that is
>>> required is exploiting a CA, rather than the two-step process of doing that
>>> plus hijacking DNS in some way. Was there consideration given to advising that
>>> implementations perform DNS checks after the fact? This would provide the
>>> latency benefits this mechanism is defined for while allowing at least for
>>> detection of origin hijacking.
>> Not specifically.
> 
> Given that Mistakes Do Happen[1][2][3][4][5][6][7][8][9][10], it seems it probably should have been. I believe the document needs a bit more treatment of this issue before it moves forward.

We didn't discuss the particular mitigation that you suggest; that doesn't mean we didn't discuss the risk overall, along with several other potential mitigations (as outlined in the document, along with some others on the cutting room floor). 

What's the nature of the additional treatment you'd like to see? Please note this has been discussed pretty extensively in the WG, and the current text represents a consensus that I believe takes your point of view into account (i.e., I don't see any new argument here).

Later, you say:

> I've always viewed DNS + TLS as kind of a belt-and-suspenders kind of thing, where one needs to mount two (usually unrelated) exploits to successfully hijack an origin. I'm uncomfortable with backing down from that, but this might just be due to a misperception on my part: is CT deployed broadly enough that it provides a viable backstop against such attacks? (On a quick glance, I believe that zero of the ten defects I cited in my earlier message would have been thwarted by OCSP).

I think I agree if you mean OCSP-as-deployed, but note that the suggested mitigation in the document is to positively require they have a recent OCSP response that shows the certificate was not revoked, which is different than what's currently done by most browsers. Or CT (as discussed).


>>> Is the omission of wildcard-style origins intentional?
>> Yes, this was discussed a fair amount.
>> 
>>> Or was this an
>>> oversight? It seems that being able to, e.g., send an ORIGIN frame that claims
>>> authority over "https://*.blogspot.com:443" would be far more efficient than
>>> blasting out the several million or so origins that such machines would be
>>> authoritative for (yes, I know this won't be done in practice -- such domains
>>> simply won't be able reap the benefits of this mechanism).
>> The common case for a wildcard cert is to support all of the origins covered by the wildcard. This is already supported by NOT using ORIGIN.
> 
> So it ends up being an either/or proposition, then? That is, if I've claimed authority for a set of origins using a wildcarded cert, then I can't use the ORIGIN frame without blowing that away, right?

Yes.


>> The other case is supporting *most* of the certs, but leaving some out. That would require us to have a way to say "NOT these origins", and that was judged too complex.
> 
> I agree that the complication involved in introducing a mechanism like this is not warranted by its utility.
> 
>>> Ideally, I'd like to
>>> see text in here explaining why wildcards shouldn't be specified, or indicating
>>> that they might be specified in a future document.
>> We don't generally document why we don't do things; that would make our RFCs much longer and more difficult to use. Making statements about the future doesn't seem like a great idea either.
> 
> On the contrary, when a question is obvious but its answer is not, RFCs will frequently include rationale. For example -- we're in the middle of processing <https://datatracker.ietf.org/doc/draft-ietf-slim-negotiating-human-language/> right now, and the introduction includes significant discussion of design rationale, including in particular why certain things were not done.

I'm not disputing that in some circumstances it makes sense to define architecture or otherwise illuminate decisions. However, it's a judgement call as to what's appropriate to document in these cases, and in my judgement (as an editor of this document), this doesn't need explaining; it follows from the design. If we explained everything that people didn't understand on a first reading of the document, it would quickly become unreadable.

That said, I would agree with an argument that we should explicitly say that they aren't supported, so as not to confuse.


Cheers,

--
Mark Nottingham   https://www.mnot.net/
Received on Wednesday, 10 January 2018 20:28:52 UTC