- From: Erik Nygren <erik@nygren.org>
- Date: Tue, 3 May 2016 10:47:48 -0400
- To: Mark Nottingham <mnot@mnot.net>
- Cc: Martin Thomson <martin.thomson@gmail.com>, HTTP Working Group <ietf-http-wg@w3.org>, Eric Rescorla <ekr@rtfm.com>
- Message-ID: <CAKC-DJjkVdV--ECW0ey_3B=HrXPRxgx4H8VoMQtx7E1a9rDoHQ@mail.gmail.com>
On Tue, May 3, 2016 at 2:39 AM, Mark Nottingham <mnot@mnot.net> wrote: > It sounds like you think we can continue the encrypted and streaming > integrity content codings as separate work items (assuming we adopt MICE or > something like it, and provided that all signature functionality is > removed), perhaps including some text about the possible dangers of using > encryption in combination with signatures in Security Considerations of the > former. > > Future use cases that required signatures and encryption could be invented > as new content codings, or composed (carefully) with them. > It seems like there are a few dimensions and compositions here. Distribution use-cases seem to fall into 1:1 and 1:many scenarios. Key exchange use-cases seem to fall into out-of-band vs asymmetric. In all of these we presumably want both integrity and in some cases privacy. Full object decryption/validation vs streaming decryption/validation is another dimension where large objects likely require the latter. 1) In the 1:1 scenario with oob key exchange, it seems like encryption with AEAD gives you everything you need for privacy and integrity? 2) In the 1:many scenario with oob key exchange (eg, file sharing and blind caching) it seems like we always need something to provide integrity (ideally streaming content integrity such as MICE, or at least a full content MAC such as in SRI but that limits applicability), plus encryption (which can be AEAD but we may not get much from it?). Presumably if the content is also encrypted we should be doing encrypt-then-MAC? My big concern here is that since the "many" has the encryption key (even with asymmetric key exchange) then anyone recipient or cache can trivially alter the data. I haven't thought as much about the asymmetric key-exchange scenarios or how necessary they are for the complexity they add? So while it may make sense to drop the asymmetric key-exchange, I feel the subtleties of encrypted-content-encoding for the 1:many scenario resulting in a lack of integrity protections is going to be dangerous and lost on folks. As such, I'd much prefer to see something like MICE folded into encrypted-content-encoding or specified alongside it with clear cross-references on how to safely compose them (encrypt-then-MAC, or just-MAC with supported cipher+mac combos?) Erik
Received on Tuesday, 3 May 2016 14:48:17 UTC