On 10/02/2016 08:40 AM, Richard Barnes wrote:
> the need to provide a valid signature provided some minimal validation
> of the request that could be performed totally statelessly by the server.

This would only filter out requests that are otherwise well-formed, but have a bad signature, which are a vanishingly small fraction of requests. I just sampled 100k POSTs from Let's Encrypt's logs, and exactly 0 of them have that property. So I don't think this "stateless validation" has an advantage.
> Nonetheless, key comparison does not seem that risky to me -- it's
> what undergirds every TLS and SSH session you've ever engaged in

The main concern is not key comparison, it's "verify, then lookup" vs "lookup, then verify." Your SSH example actually supports my point: In SSH, the client sends a user id to the server, which the server then uses to look up the public keys with which to authenticate the user.

On 10/02/2016 05:34 PM, Hugo Landau wrote:
> Can we point to any historical vulnerabilities caused by an implementation error of this kind?

The specific kind of bug that the "verify, then lookup" pattern makes possible is one where the "lookup" phase looks up the wrong thing. That type of bug happens a lot. For instance, one of these Rails snippets has a security flaw that would allow misissuance, because of the "verify, then lookup" pattern. Can you tell which one just by looking at them?

-----------------------------------------------------------
header_key = jws_body.header.jwk
if !jws_body.verify(header_key)
  return "Bad signature"
end
account = Account.find_by jwk: header_key
authorizations = Authorization.find_by account: account.id
if authorizations.any? {|a| a.fqdn == requested_fqdn }
  issue_cert()
end
-----------------------------------------------------------

-----------------------------------------------------------
header_key = jws_body.header.jwk
if !jws_body.verify(header_key)
  return "Bad signature"
end
account = Account.find_by! jwk: header_key
authorizations = Authorization.find_by! account: account.id
if authorizations.any? {|a| a.fqdn == requested_fqdn }
  issue_cert()
end
-----------------------------------------------------------

_______________________________________________
Acme mailing list
Acme@ietf.org
https://www.ietf.org/mailman/listinfo/acme
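As an added illustration of the two orderings contrasted in the message (this is not code from the thread, from Let's Encrypt, or from any ACME implementation), the stand-alone Ruby sketch below signs a request with a real RSA key and runs it through both patterns. The in-memory ACCOUNTS hash, the Account struct, register_account and the kid field are assumptions that stand in for the Rails models above.

```ruby
require 'openssl'

# Constructed in-memory account store standing in for the Rails models in the
# message; Account, ACCOUNTS, register_account and the kid field are assumptions.
Account = Struct.new(:kid, :public_key, :fqdns)
ACCOUNTS = {}

def digest
  OpenSSL::Digest.new('SHA256')
end

# Registers an account; the server keeps only the public half and the
# private key is returned to play the role of the client.
def register_account(kid, fqdns)
  key = OpenSSL::PKey::RSA.new(2048)
  ACCOUNTS[kid] = Account.new(kid, key.public_key, fqdns)
  key
end

def sign(priv, payload)
  priv.sign(digest, payload)
end

# "Verify, then lookup": trust the key carried in the request header, then
# search for an account owning it. A valid signature from an unregistered key
# yields the state [true, nil], which every later line must handle correctly.
def verify_then_lookup(header_pub, payload, sig)
  return [false, nil] unless header_pub.verify(digest, sig, payload)
  account = ACCOUNTS.values.find { |a| a.public_key.to_der == header_pub.to_der }
  [true, account]
end

# "Lookup, then verify": resolve the account from the key id first and verify
# only against the key the server already stores, so no code path reaches a
# verified request without a known account behind it.
def lookup_then_verify(kid, payload, sig)
  account = ACCOUNTS[kid]
  return [false, :unknown_account] if account.nil?
  return [false, :bad_signature] unless account.public_key.verify(digest, sig, payload)
  [true, account]
end

# Issuance check that fails closed when no account was resolved.
def authorized?(account, fqdn)
  !account.nil? && account.fqdns.include?(fqdn)
end
```

The "verify, then lookup" path accepts the signature of a key the server has never seen and hands back a nil account; the "lookup, then verify" path rejects the same request before any signature check runs.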