
Re: secure HTTPS redirect - encoding a new trust anchor?

From: Kent Watsen <kwatsen@juniper.net>
Date: Thu, 13 Aug 2015 14:57:52 +0000
To: Martin Thomson <martin.thomson@gmail.com>, Stephen Farrell <stephen.farrell@cs.tcd.ie>
CC: "ietf-http-wg@w3.org Group" <ietf-http-wg@w3.org>, "Max Pritikin (pritikin)" <pritikin@cisco.com>
Message-ID: <D1F223EF.CBA09%kwatsen@juniper.net>

Hi Martin,

I'm good with an over-the-top solution, but do you think we can cleanly
embed a certificate in the message body of an HTTP redirect message?
What would the Content-Type be? If not, then we'd have to define an
explicit resource to get the secure redirect information (both the
hostname and certificate). This is definitely doable, though it seems a
bit clumsy. What do you think?

Thanks,
Kent

On 8/12/15, 4:52 PM, "Martin Thomson" <martin.thomson@gmail.com> wrote:

>Would a narrower solution work?  Rather than looking for something
>generic (which is what you do when you ask on this list), you could
>design something specific.  None of this needs HTTP work, it is all
>over-the-top.  In fact, if it is made generic, that's when things get
>super scary.
>
>It could work like this: Widget vendor bakes in a "bootstrap trust
>anchor" and a "bootstrap URL" when it builds a widget.  When the
>widget first activates, it connects to the "bootstrap URL" and
>validates that URL with the "bootstrap trust anchor".  If that all
>works, then the widget can install the trust anchors it finds.  (If it
>fails, I don't know what, of course).
>
>Stephen, is your objection about the general nature of the query, or
>the specific mechanism?  I get the issue with making this general, but
>I'm a little less concerned about a specific anchor management feature
>in the form of the above.  If I install trust anchors on your device,
>or I make the software, or I make the hardware, then you need to trust
>me not to be doing things to enable spoofing.
>
>Of course, this adds another potentially weak link (the key bound to
>the temporary anchor), but that's not so abnormal.
>
>On 12 August 2015 at 13:32, Stephen Farrell <stephen.farrell@cs.tcd.ie>
>wrote:
>>
>> Hiya,
>>
>> On 12/08/15 17:56, Kent Watsen wrote:
>>> I think your question regards the general applicability of this idea by
>>> web browsers, where having the web browser dynamically learn a new trust
>>> anchor certificate, even if over a trusted connection, can lead to misuse.
>>> Is that right? That is, is your concern for generic use more so than
>>> the specific use of zerotouch bootstrapping?
>>
>> Sort of. I'm concerned with generic *ab*use (well also with specific
>> abuses:-)
>>
>> The example you gave would appear to allow widget-vendor.com to arrange
>> that the HTTP client ends up talking to widget-vendor.com but thinking
>> it is talking to my-os-update.com. I'd say that's a pretty dangerous
>> implement, esp. given the 1000s of perhaps not very highly experienced
>> and universally trusted widget vendors in the universe.
>>
>> Cheers,
>> S.
Received on Thursday, 13 August 2015 14:58:22 UTC
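The bootstrap flow Martin sketches above, as an added example that is not part of this thread or of any vendor's code. Certificates are stood in for by SHA-256 fingerprints of constructed byte strings, chain validation is replaced by comparing the presented anchor against the pinned one, and the bootstrap resource is assumed to be a JSON body carrying a hostname and a DER trust anchor (Kent's "explicit resource"). The learned anchor is installed only after the bootstrap connection validates against the baked-in anchor, and it is pinned to the hostname it was delivered for rather than added to a global store, which bounds the generic abuse Stephen raises (though not the vendor's control over that one named host).

```python
import hashlib
import hmac
import json
from dataclasses import dataclass, field

# Constructed stand-ins for DER certificates; only their fingerprints matter here.
BOOTSTRAP_CA_DER = b"constructed: widget-vendor bootstrap CA"
UPDATE_CA_DER = b"constructed: my-os-update CA"
ROGUE_CA_DER = b"constructed: some other CA"

def fingerprint(cert_der: bytes) -> str:
    return hashlib.sha256(cert_der).hexdigest()

@dataclass
class Widget:
    bootstrap_host: str    # hostname part of the baked-in bootstrap URL
    bootstrap_anchor: str  # fingerprint of the baked-in bootstrap trust anchor
    # Anchors learned during bootstrap, keyed by the hostname they were delivered for.
    scoped_anchors: dict = field(default_factory=dict)

    def anchor_for(self, host: str):
        if host == self.bootstrap_host:
            return self.bootstrap_anchor
        return self.scoped_anchors.get(host)

    def connection_ok(self, host: str, presented_anchor_der: bytes) -> bool:
        """Stand-in for chain validation: the presented anchor must match the one
        pinned for this host; a host with no pinned anchor is never trusted."""
        expected = self.anchor_for(host)
        return expected is not None and hmac.compare_digest(expected, fingerprint(presented_anchor_der))

    def bootstrap(self, presented_anchor_der: bytes, body: bytes) -> bool:
        """Fetch of the bootstrap resource: install the redirect target's anchor
        only if the bootstrap connection validated against the baked-in anchor."""
        if not self.connection_ok(self.bootstrap_host, presented_anchor_der):
            return False  # validation failed: install nothing
        info = json.loads(body)  # assumed format: {"hostname": ..., "trust_anchor_der": hex}
        self.scoped_anchors[info["hostname"]] = fingerprint(bytes.fromhex(info["trust_anchor_der"]))
        return True

def demo() -> dict:
    w = Widget("bootstrap.widget-vendor.example", fingerprint(BOOTSTRAP_CA_DER))
    body = json.dumps({"hostname": "my-os-update.example",
                       "trust_anchor_der": UPDATE_CA_DER.hex()}).encode()
    return {
        "rogue_bootstrap_rejected": not w.bootstrap(ROGUE_CA_DER, body),
        "learned_before_bootstrap": w.anchor_for("my-os-update.example"),
        "bootstrap_ok": w.bootstrap(BOOTSTRAP_CA_DER, body),
        "update_host_trusted": w.connection_ok("my-os-update.example", UPDATE_CA_DER),
        "anchor_not_global": not w.connection_ok("other.example", UPDATE_CA_DER),
    }
```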
