Re: secure HTTPS redirect - encoding a new trust anchor?

[CC-ing Max Pritikin]

Hi Stephen,

Comments inlined below.

Thanks,
Kent



On 8/12/15, 11:59 AM, "Stephen Farrell" <stephen.farrell@cs.tcd.ie> wrote:

>
>Hi Kent,
>
>On 12/08/15 16:33, Kent Watsen wrote:
>> 
>>                          Trusted
>>                       Internet-based      Deployment-specific
>> Device               Bootstrap Server       Bootstrap Server
>>   |                          |                     |
>>   |                          |                     |
>>   | HTTPS using factory      |                     |
>>   | default trust anchor     |                     |
>>   |------------------------->|                     |
>>   |                          |                     |
>>   |    HTTP redirect, with   |                     |
>>   |    deployment-specific   |                     |
>>   |    trust anchor          |                     |
>>   |<-------------------------|                     |
>>   |                          |                     |
>>   |                                                |
>>   |HTTPS using learned trust anchor                |
>>   |----------------------------------------------->|
>>   |                                                |
>> 
>> 
>> 
>> FWIW, this is considered secure, as the trust anchor is learned through a
>> trusted connection.
>
>Eh... considered secure by whom? I would not consider
>that "secure" if any widget-vendor from whom I purchase
>anything can then pretend to be any web site.

Well, both Max and I felt it was OK for the bootstrapping use case.
Admittedly, it has not been thoroughly reviewed yet... though this email
thread is taking it on now :)

The widget-vendor isn't pretending to be another website - it is
redirecting the client to another website.  For instance:


  Request (assuming device's serial number is "123456")
  -------
  GET https://widget-vendor.com/bootstrap-server:devices/device=123456



  Response
  --------
  HTTP/1.1 200 OK
  Content-Type: application/xrd+xml
  Content-Length: nnn

  Location: https://rightful-owner.com/bootstrap-server:devices/device=123456
  <X.509v3 CA certificate for rightful-owner.com here>



>Do you really mean trust-anchor here? Or perhaps you
>mean "some kind of special public key only to be used
>for the specific URL that is in this 30x response and
>only for 1 (really 1?) time"?

My terminology may be incorrect, but as the above example implies, the
X.509v3 cert returned is expected to be subsequently used to verify the
HTTPS server (rightful-owner.com). This is in lieu of relying on global CA
certificates, such as are distributed by web browsers.



>And what if that URL is say bigbank.example.com? How
>is that to not work?

I think your question regards the general applicability of this idea by
web browsers, where having the web browser dynamically learn a new trust
anchor certificate, even if over a trusted connection, can lead to misuse.
Is that right? That is, is your concern for generic use more so than
the specific use of zerotouch bootstrapping?


Thanks again,
Kent

Received on Wednesday, 12 August 2015 16:57:21 UTC
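As an added illustration (not code from the zerotouch draft or from anyone in this thread), this is the device-side scoping that Stephen's questions point at: the CA certificate carried in the vendor's response above is parsed out and honoured only for the exact https host named in the Location, so a request to bigbank.example.com gets no learned anchor and the device must fall back to its factory defaults. The response text and the certificate body are constructed placeholders.

```python
from dataclasses import dataclass
from urllib.parse import urlsplit

# Constructed sample modelled on the response in Kent's message; the
# certificate body is a placeholder, not a real X.509 certificate.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: application/xrd+xml\r\n"
    "Location: https://rightful-owner.com/bootstrap-server:devices/device=123456\r\n"
    "\r\n"
    "-----BEGIN CERTIFICATE-----\n"
    "PLACEHOLDER-CA-CERT-FOR-rightful-owner.com\n"
    "-----END CERTIFICATE-----\n"
)

@dataclass(frozen=True)
class ScopedAnchor:
    host: str     # the only host that may be verified with ca_pem
    port: int
    ca_pem: str

def parse_redirect(raw: str) -> ScopedAnchor:
    """Pull the Location target and the CA certificate out of the vendor's response."""
    head, _, body = raw.partition("\r\n\r\n")
    headers = {}
    for line in head.split("\r\n")[1:]:          # skip the status line
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    target = urlsplit(headers["location"])
    if target.scheme != "https" or not target.hostname:
        raise ValueError("redirect target must be an absolute https URL")
    begin, end = "-----BEGIN CERTIFICATE-----", "-----END CERTIFICATE-----"
    if begin not in body or end not in body:
        raise ValueError("response carries no PEM certificate")
    ca_pem = body[body.index(begin): body.index(end) + len(end)] + "\n"
    return ScopedAnchor(target.hostname.lower(), target.port or 443, ca_pem)

def anchor_for(anchor: ScopedAnchor, url: str):
    """Return the learned CA only for the exact redirect target; None means
    the device must fall back to its factory default trust anchors."""
    u = urlsplit(url)
    same_host = (u.hostname or "").lower() == anchor.host
    same_port = (u.port or 443) == anchor.port
    return anchor.ca_pem if u.scheme == "https" and same_host and same_port else None
```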