W3C home > Mailing lists > Public > ietf-http-wg@w3.org > January to March 2023

Re: Request-Response Binding Issues in httpbis-message-signatures-15

From: Justin Richer <jricher@mit.edu>
Date: Thu, 9 Feb 2023 17:11:12 +0000
To: Martin Thomson <mt@lowentropy.net>
CC: HTTP Working Group <ietf-http-wg@w3.org>
Message-ID: <425C2BC3-569B-4532-A434-3480CE65EA66@mit.edu>
On Feb 8, 2023, at 11:20 PM, Martin Thomson <mt@lowentropy.net> wrote:

On Wed, Feb 8, 2023, at 15:32, Justin Richer wrote:
First, it’s important to know that this attack relies on their being a
weakness in the underlying cryptographic primitive:

Hi Justin,

This is not a weakness in the cryptographic primitive.  It is the result of a misunderstanding of what security properties are provided by a digital signature.  Dennis explained it better than I could, so I would strongly recommend re-reading his emails and maybe the "seems legit" paper (the intro is basically all you need at this level).  I've learned (again) just recently that these primitives have surprising sharp edges to them where our intuitions break down.

This seems like an opportune moment to ask again for a formal security analysis of the draft.  We have gotten feedback from two people (both of whose opinions I respect greatly on these subjects) that point to potential problems.  This specific problem seems like something that a tool like tamarin could discover given careful prompting, but there are plenty of good alternatives that would be convincing.

Hi Martin,

I agree that a formal analysis is a good thing, and that’s one of the things that the FAPI WG is looking to do as part of their own analysis of their own document which uses this draft:


  — Justin
Received on Thursday, 9 February 2023 17:11:56 UTC

This archive was generated by hypermail 2.4.0 : Thursday, 9 February 2023 17:11:57 UTC