Re: Request-Response Binding Issues in httpbis-message-signatures-15

On Feb 8, 2023, at 11:20 PM, Martin Thomson <mt@lowentropy.net> wrote:

On Wed, Feb 8, 2023, at 15:32, Justin Richer wrote:
First, it’s important to know that this attack relies on there being a
weakness in the underlying cryptographic primitive:

Hi Justin,

This is not a weakness in the cryptographic primitive.  It is the result of a misunderstanding of what security properties are provided by a digital signature.  Dennis explained it better than I could, so I would strongly recommend re-reading his emails and maybe the "seems legit" paper (the intro is basically all you need at this level).  I've learned (again) just recently that these primitives have surprising sharp edges to them where our intuitions break down.

This seems like an opportune moment to ask again for a formal security analysis of the draft.  We have gotten feedback from two people (both of whose opinions I respect greatly on these subjects) that point to potential problems.  This specific problem seems like something that a tool like Tamarin could discover given careful prompting, but there are plenty of good alternatives that would be convincing.


Hi Martin,

I agree that a formal analysis is a good thing, and that’s one of the things that the FAPI WG is looking to do as part of their own analysis of their own document which uses this draft:

https://openid.bitbucket.io/fapi/fapi-2_0-message-signing.html




  — Justin

Received on Thursday, 9 February 2023 17:11:56 UTC