Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Make the CanSignHttpExchanges extension non-critical. #247

Merged
merged 3 commits into from
Jul 18, 2018
Merged

Make the CanSignHttpExchanges extension non-critical. #247

merged 3 commits into from
Jul 18, 2018

Conversation

jyasskin
Copy link
Member

@jyasskin jyasskin commented Jul 6, 2018
edited
Loading

But warn servers away from using it in TLS servers.

Fixes #238.

@sleevi and any CA folks who see this, do you think I'm right to say "Conforming CAs MUST NOT mark this extension as critical.", or should I leave them without a requirement here?

Spec: Preview, Diff

Impl draft: Preview, Diff

@jyasskin jyasskin requested a review from irori July 6, 2018 23:54
sleevi
sleevi suggested changes Jul 7, 2018
View reviewed changes
Copy link

@sleevi sleevi left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

A few nits, but overall looking good :)

draft-yasskin-http-origin-signed-responses.md Outdated
{{!I-D.ietf-tls-tls13}}). This simplifies security analysis of this protocol
and avoids encouraging server operators to put exchange-signing keys on servers
Conforming CAs MUST NOT mark this extension as critical. This allows new clients
with old operating systems to handle the extension.
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I don't think we'd want to include the second sentence in the spec. That is, it presumes that new clients use the OS verifier, or that they even have an OS verifier, which... isn't going to hold :)

draft-yasskin-http-origin-signed-responses.md Outdated
(Section 4.4.2.2 of {{!I-D.ietf-tls-tls13}}). This discourages server operators
from using the same certificate to sign both TLS connections and signed
exchanges, which in turn simplifies security analysis of this protocol and
avoids encouraging server operators to put exchange-signing keys on servers
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think the motivation might be better detailed in security considerations.

The reason this is a bit tricky is that by virtue of non-critical, clients that don't recognize this extension WILL accept this extension in TLS connections. So we don't have a hard security boundary. Because of this motivation, it seems like it makes sense to be discussed in the security section, calling out that this is not a security boundary itself, but simply an ecosystem health thing.

@jyasskin
Copy link
Member Author

jyasskin commented Jul 9, 2018

Ok, @sleevi, I've moved the whole rationale to the security considerations. That section is a bit awkward: I could try to move some bits into 6.2 or 6.4, or decide that we don't need the full explanation at all, or just keep what I have.

irori
irori approved these changes Jul 13, 2018
View reviewed changes
Copy link
Collaborator

@irori irori left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@jyasskin jyasskin merged commit 112fa93 into WICG:master Jul 18, 2018
@jyasskin jyasskin deleted the non-critical-extension branch July 18, 2018 15:49
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@sleevi sleevi sleevi requested changes

@irori irori irori approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@jyasskin @irori @sleevi