Re: Please review: PR#144 on adding RP ID to signature format

Whoops. You're correct, of course. For some reason I wasn't considering
that the RP ID is checked against the origin.

Uh, happy Friday!
Cheers,
J.C.

On Fri, Jul 15, 2016 at 3:29 PM, Vijay Bharadwaj <vijaybh@microsoft.com>
wrote:

> Thanks for the review, and thanks for getting Travis-CI working again. I
> merged from master to trigger a new build and it works now.
>
> Nit: this isn’t entirely accurate:
>
> > We should all be comfortable then with SHA2's collision resistance
> > surviving for the life of the standard
>
> For a meaningful attack on this, you really need to break SHA256’s second
> preimage resistance.
>
> Collision resistance means that you can find two strings that hash to the
> same value. The odds of either such string being a valid RP ID are
> infinitesimal. What an attacker really cares about is finding an RP ID that
> hashes to the same value as someone else’s existing RP ID. That’s a second
> preimage attack.
>
> This is important because historically second preimage attacks have been a
> lot harder to find than collision attacks. For instance, MD5 is horribly
> broken from a collision perspective but I’m not aware of a practical second
> preimage attack.
>
> *From:* J.C. Jones [mailto:jc@mozilla.com]
> *Sent:* Friday, July 15, 2016 1:48 PM
> *To:* Vijay Bharadwaj <vijaybh@microsoft.com>
> *Cc:* W3C WebAuthn WG <public-webauthn@w3.org>
> *Subject:* Re: Please review: PR#144 on adding RP ID to signature format
>
> Vijay,
>
> This looks good to me (and I posted as such on the PR).
>
> Just for everyone's note, with this change we're defining SHA-256 as being
> a required algorithm for producing the digest of the RP ID for the lifetime
> of the spec. There's not an obvious clean way to provide crypto agility
> here without having compat issues. We should all be comfortable then with
> SHA2's collision resistance surviving for the life of the standard, or
> resign ourselves to compat issues moving credentials from one system to
> another.
>
> Cheers,
>
> J.C.
>
> On Thu, Jul 14, 2016 at 5:30 PM, Vijay Bharadwaj <vijaybh@microsoft.com>
> wrote:
>
> Apologies, forgot to include the link:
> https://github.com/w3c/webauthn/pull/144
>
> *From:* Vijay Bharadwaj
> *Sent:* Thursday, July 14, 2016 5:30 PM
> *To:* W3C WebAuthn WG <public-webauthn@w3.org>
> *Subject:* Please review: PR#144 on adding RP ID to signature format
>
> I mentioned this PR on the call yesterday – it adds the RP ID to the
> signature format. Since the call, I’ve made another pass at the sections
> and tightened up a few things in the wording. I also added the RP ID to the
> ClientData since otherwise the RP has nothing to check the RP ID hash
> against, and this is needed especially for makeCredential.
>
> Since I have been pushing commits to this over the course of the day, I
> figured I’d let everyone know that I’m now done messing with it and it’s
> ready for review.
>
> Please take a look at the PR and send feedback. Thanks!
>
> --
> -Vijay
>
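As an added illustration (not code from the PR or from either writer) of the RP-side check the thread describes: the server recomputes SHA-256 over the RP ID it expects, compares it with the hash the authenticator committed to, and confirms that RP ID is valid for the request origin, which is why an attacker would need a second preimage rather than a mere collision. The authenticator-data layout (rpIdHash || flags || signCount), the helper names and the omission of public-suffix checking are assumptions made for this example.

```python
import hashlib
import hmac
import struct
from urllib.parse import urlparse

# Assumed layout for this example:
#   rpIdHash (32 bytes, SHA-256 of the RP ID) || flags (1 byte) || signCount (4 bytes, big-endian)


def rp_id_hash(rp_id: str) -> bytes:
    """SHA-256 digest of the RP ID; this is the value the authenticator signs over."""
    return hashlib.sha256(rp_id.encode("ascii")).digest()


def build_auth_data(rp_id: str, flags: int = 0x01, sign_count: int = 0) -> bytes:
    """Construct sample authenticator data (test input only, not real device output)."""
    return rp_id_hash(rp_id) + bytes([flags]) + struct.pack(">I", sign_count)


def rp_id_matches_origin(rp_id: str, origin: str) -> bool:
    """The RP ID must equal the origin's host or be a suffix of it at a label boundary.
    Rejecting public suffixes (e.g. "com") is left out of this illustration."""
    parsed = urlparse(origin)
    if parsed.scheme != "https" or not parsed.hostname:
        return False
    host = parsed.hostname.lower()
    rp_id = rp_id.lower()
    return host == rp_id or host.endswith("." + rp_id)


def verify_rp_id_hash(auth_data: bytes, expected_rp_id: str, origin: str) -> bool:
    """RP-side check: the hash in the authenticator data must equal the digest of the
    RP ID the server itself expects, and that RP ID must be valid for the origin.
    Because the digest is recomputed from the server's own RP ID, passing this check
    with a different RP ID would require a second preimage of SHA-256."""
    if len(auth_data) < 37:
        return False
    if not rp_id_matches_origin(expected_rp_id, origin):
        return False
    return hmac.compare_digest(auth_data[:32], rp_id_hash(expected_rp_id))
```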

Received on Friday, 15 July 2016 22:34:01 UTC