- From: Mark Nottingham <mnot@mnot.net>
- Date: Wed, 8 Feb 2023 09:04:27 +1100
- To: HTTP Working Group <ietf-http-wg@w3.org>
- Cc: Justin Richer <justin@bspk.io>, "Backman, Annabelle" <richanna@amazon.com>
- Message-Id: <BBAA198C-EAD8-4F41-B2AD-9803BA5BF885@mnot.net>
FYI > Begin forwarded message: > > From: Watson Ladd <watsonbladd@gmail.com> > Subject: [Last-Call] Last Call: <draft-ietf-httpbis-message-signatures-16.txt> (HTTP Message Signatures) to Proposed Standard > Date: 7 February 2023 at 6:24:42 pm AEDT > To: last-call@ietf.org > Archived-At: <https://mailarchive.ietf.org/arch/msg/last-call/KFdTYxe2kkMZswSfPyZgR9yQf_Y> > > Dear all, > > I believe this draft has substantial security issues that are similar > to ones that have been exploited unsafely, often and extremely well. > > This draft equates public key signatures with Message authentication > codes. MACs depend on having a shared key that is secret, and anyone > who knows the key can make a signature. Public key signatures separate > a private and a public key, and those with the private key may sign, > those with the public key can verify. > > These are different notions with different requirements on what the > material they are used on must have. But the draft uses exactly the > same container and the same language to refer to them, inviting that > same confusion in the mind of a reader, and the library author to > blithely permit the algorithm in the message to be used. > > This mistake in JWT lead to bug after bug in library and application. > Now we learn nothing, and choose once again to invite disaster with a > small oversight on the part of application authors. No, security > considerations will not prevent this mistake, and the ones in the > draft are woefully inconsiderate: they do not clearly indicate who > must do what, or refer to the details of the past bugs to indicate why > it is required. > > I believe we need a section to describe what libraries must do with > their interfaces to prevent such hazards and how application > developers must avoid them in system design. Instead we get that the > secure way is merely encouraged. This is not good enough: I believe > the signature spec should remove the algorithm entirely, letting the > key provided to verify indicate what is to be done. Or, if that isn't > possible use MUST language to indicate that the allowed signature > algorithm (singular) MUST be passed in with the key, that the verifier > MUST NOT look at the message to find the algorithm used. > > This of course means revising 3.2 step 6 to remove looking at the message. > > Sincerely, > Watson Ladd > > -- > Astra mortemque praestare gradatim > > -- > last-call mailing list > last-call@ietf.org > https://www.ietf.org/mailman/listinfo/last-call -- Mark Nottingham https://www.mnot.net/
Received on Tuesday, 7 February 2023 22:05:03 UTC