- From: Justin Richer <jricher@mit.edu>
- Date: Sun, 23 Jul 2023 17:36:25 +0000
- To: "rdd@cert.org" <rdd@cert.org>
- CC: John Scudder <jgs@juniper.net>, Martin Duke <martin.h.duke@gmail.com>, The IESG <iesg@ietf.org>, "draft-ietf-httpbis-message-signatures@ietf.org" <draft-ietf-httpbis-message-signatures@ietf.org>, "httpbis-chairs@ietf.org" <httpbis-chairs@ietf.org>, HTTP Working Group <ietf-http-wg@w3.org>, "tpauly@apple.com" <tpauly@apple.com>, Paul Wouters <paul.wouters@aiven.io>
- Message-ID: <8AACE9C0-0460-4DAC-8611-2B407EE5C557@mit.edu>
Hi Roman, thanks for the detailed rundown. I have taken a stab at altering the registry as you suggest, based on the COSE specification text. Iâve incorporated that into this existing PR:
https://github.com/httpwg/http-extensions/pull/2570
Hopefully this addresses the concerns of the DISCUSS sufficiently.
â Justin
On Jul 20, 2023, at 9:36 AM, Roman Danyliw <rdd@cert.org> wrote:
Hi Justin!
Thanks for explaining some of the thinking. More below â¦
From: iesg <iesg-bounces@ietf.org<mailto:iesg-bounces@ietf.org>> On Behalf Of Justin Richer
Sent: Friday, June 23, 2023 3:19 PM
To: Roman Danyliw <rdd@cert.org<mailto:rdd@cert.org>>
Cc: John Scudder <jgs@juniper.net<mailto:jgs@juniper.net>>; Martin Duke <martin.h.duke@gmail.com<mailto:martin.h.duke@gmail.com>>; The IESG <iesg@ietf.org<mailto:iesg@ietf.org>>; draft-ietf-httpbis-message-signatures@ietf.org<mailto:draft-ietf-httpbis-message-signatures@ietf.org>; httpbis-chairs@ietf.org<mailto:httpbis-chairs@ietf.org>; HTTP Working Group <ietf-http-wg@w3.org<mailto:ietf-http-wg@w3.org>>; tpauly@apple.com<mailto:tpauly@apple.com>; Paul Wouters <paul.wouters@aiven.io<mailto:paul.wouters@aiven.io>>
Subject: Re: Roman Danyliw's Discuss on draft-ietf-httpbis-message-signatures-17: (with DISCUSS and COMMENT)
Hi Roman â thanks for the response, answers inline, I think weâre getting there.
On Jun 23, 2023, at 2:06 PM, Roman Danyliw <rdd@cert.org<mailto:rdd@cert.org>> wrote:
Hi Justin!
Thanks for the PR (https://github.com/httpwg/http-extensions/pull/2570). More inline and snipping to the relevant parts:
** Section 6.2. HTTP Signature Algorithms Registry.
-- What is the difference between how this âExpert Reviewâ registration
guidance as written (of being a DE review + spec) and one that is
âSpecification Requiredâ. Both appear to require an expert review and a
specification.
Iâm honestly not sure what the effective difference would be and
Iâll gladly defer to others for the appropriate IANA language here. We
do want a DE in place to make sure that any registered algorithm meets
all the stated criteria, but especially:
- That itâs fully specified (and doesnât have any variable parameters that
implementations would need to choose independently)
- That the name is fairly descriptive
- That itâs not an alias of something already in there
Formally, the difference between Expert Review and Specification Required is covered in Section 4.5 and 4.6 of RFC8126.
https://datatracker.ietf.org/doc/html/rfc8126#section-4.5
https://datatracker.ietf.org/doc/html/rfc8126#section-4.6
Colloquially, Expert Review doesn't require and formal document or stable reference. Specification Required requires such a stable reference and also included the review of the Designated Expert.
Given that this registry is pointing to a crypto algorithm, I don't see how one could fully described an algorithm in a registration template. If someone is expected to be able to find an algorithm in this registry and implement it, it seems to need to be a stable reference.
OK, that makes sense. I went with Expert Review because we wanted someone to be able to enforce the other considerations (ie, not registering an alias), and I didnât realize that the Specification Required mode effectively includes Expert Review as part of it. Iâll go change it to Specification Required.
I feel like I learn something new about IANA with each spec I work on. :)
[Roman] Sounds like a plan. Note possible refinement below â¦
-- What does âActiveâ mean? âDeprecatedâ is framed as the algorithm is âno
longer recommended for use and might be insecure or unsafeâ. Does âActiveâ
mean ârecommended and secure/safeâ? Is the DE responsible for assessing the
cryptographic properties of new registration? Is that a realistic expectation?
This was meant as a way to de-activate algorithms previously registered at some future time when theyâre no longer recommended for general use.
I read the following new text in the PR:
==[ snip ]==
When an algorithm is first registered, the status is set to "Active". If at a future time the algorithm as registered is found to have flaws, the registry entry can be updated and the algorithm can be marked as Deprecated to indicate that the algorithm has been found to have problems. This status does not preclude an application from using a particular algorithm, but serves to provide warning of possible known issues with an algorithm that need to be considered by the application.
==[ snip ]==
I appreciate the state of "Deprecated" and the workflow to get to it. My concern remains on what does "Active" mean. If "Deprecated" means that the "algorithm has been found to have problems", what assurances or claims are being made about "Active" -- is it that the algorithms is believed to be secure? the registrations are unvetted regarding security? How would one distinguish between the "trusted recommendations" made in this document and subsequent registrations?
Does the DE have any responsibility to assess the security properties if a request for "Active" is made, since there appears to be a responsibility to confirm lack of security in accepting a "Deprecated" update.
I referenced the TLS Cipher Suite registry (https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#tls-parameters-4) because it side steps these issues. Specifically, it requires a stable reference (with a Specification Required registration policy); provides the flexibility to register any documented algorithm (with the Specification Required policy), but can signal what is an IETF vetted algorithm (Recommendation=Y) and what has either not been vetted or has issues (Recommendation=N)
My recommendation would be to do something similar.
âActiveâ in this case is effectively what TLS has when something is in the registry but has âNâ on the recommended column. That is to say, we donât really make a statement that a particular algorithm
is appropriate for a given use case. In other words, we want to be able to warn people about known-bad algorithms (âDeprecatedâ) but donât want to give people the wrong idea. Thatâs why we went with âActiveâ as the term as opposed to âRecommendedâ as the âNot Deprecatedâ label. This text from the PR was meant to capture some of that in the paragraph preceding the quoted one above:
==
The algorithms listed in this registry identify some possible cryptographic algorithms for applications to use with this specification, but the entries neither represent an exhaustive list of possible algorithms nor indicate fitness for purpose with any particular application of this specification. An application is free to implement any algorithm that suits its needs, provided the signer and verifier can agree to the parameters of that algorithm in a secure and deterministic fashion. When an application has a need to signal the use of a particular algorithm at runtime using the `alg` signature parameter, this registry provides a mapping between the value of that parameter to a particular algorithm. However, use of the `alg` parameter needs to be treated with caution to avoid various forms of algorithm confusion and substitution attacks, such as discussed in {{security-keydowngrade}} and others.
==
As well as this description of the Status field:
==
A value of "Active" indicates that an algorithm has been fully specified and registered, but does not indicate that an algorithm is suitable for all use cases or applications.
==
I donât really want to put the DE into the position of vetting a âgoodâ algorithm. Algorithm choice is going to be very application specific and itâs not expected to be a point of interoperability in general. Since applications of HTTP Signatures are going to have drastically different requirements for their algorithms, I donât want to give a false sense of security even if an algorithm is recommended for general use. For example, HMAC is going to make sense in, say, a data center with HKMâs or key derivation techniques that can be drawn from the environment and context of a call, but probably not a good idea for a general application to use it (and thereâs a security consideration to that effect).
[Roman] Agree that the DE shouldnât be put in that position.
TLS benefits from many years of deployment experience and lots of formal analysis of the crypto algorithms, as well as a wide and invested community in its review. Iâd be afraid that if we follow the TLS example of a âRecommendedâ field with similar review requirements (as I understand them), weâd end up with a registry that never got anything set to âYâ on that field.
[Roman] I donât follow. The document already specifies a number of algorithms in Section 3.3.1 â 3.3.6. Arenât these implicitly, consensus based recommendations. The only time you would get something set to âyesâ if there was a âvetting processâ â standards action would be one of them. Weâve been talking about TLS, but this is also what is done for COSE (https://www.iana.org/assignments/cose/cose.xhtml#algorithms).
[Roman] There are also existing patterns for handling recommended algorithms that donât have general applicability. See CCM_8 cipher suites in https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#tls-parameters-4.
What if instead of a âStatusâ column we simply have a âDeprecatedâ column that has a value of âNâ by default and gets changed to âYâ if an algorithm needs to be marked as problematic? Itâs functionally the same as what we have here now, but perhaps gives a better impression of what we mean by it. Iâd be happy to change over to that approach if that makes things better in presentation.
[Roman] It appears the text would create two categories algorithms â âunknown security propertiesâ and âknown to be insecureâ. However, I think we are already in âthree category systemâ â âvettedâ, âunvettedâ, and âknow to be badâ (aka, what TLS and COSE already use). New registrations could follow a âspecification requiredâ registration will be registered as âunvettedâ (or âactiveâ in the earlier parlance). Certain things that were previously in the registry may be marked as âknown to be badâ/âdeprecatedâ likely based on how they were registered. Additionally, this document has already made the âvettedâ list with Section 3.3.1 â 3.3.6. If the WG doesnât have confidence that these arenât âvettedâ/âsafeâ choices then they likely donât belong in a PS or at least some clear discussion needs to establish why a PS document is proposing unsafe cryptographic choices.
[Roman] Practically, doesnât the COSE/RFC8152 Section 16.4 definition of âRecommendedâ support the flexibility for future agility and maintenance.
Recommended: Does the IETF have a consensus recommendation to use
the algorithm? The legal values are 'Yes', 'No', and
'Deprecated'.
[Roman] Yes = takes a Standards Action and is vetted via the standards process; N = take Specification Required and provides a code point, but no validation of security properties (as you propose above); and âDeprecatedâ roughly aligns to the above definitions of how to handle something in the future that becomes problematic.
Roman
Received on Sunday, 23 July 2023 17:36:58 UTC