DNS Security with HTTP/2 ORIGIN
draft-bishop-httpbis-origin-fed-up-00

HTTPbis                                                        M. Bishop
Internet-Draft                                                 E. Nygren
Updates: 8336 (if approved)                                       Akamai
Intended status: Standards Track                         January 8, 2019
Expires: July 12, 2019

                    DNS Security with HTTP/2 ORIGIN
                 draft-bishop-httpbis-origin-fed-up-00

Abstract

   The definition of the HTTP/2 ORIGIN frame "relaxes" the requirement
   to check DNS for various reasons.  However, experience has shown that
   such relaxation leads to security risks and is inadvisable.  This
   document restores the original requirements.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at https://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on July 12, 2019.

Copyright Notice

   Copyright (c) 2019 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (https://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Bishop & Nygren           Expires July 12, 2019                 [Page 1]
Internet-Draft          DNS Security with ORIGIN            January 2019

Table of Contents

   1.  Introduction  . . . . . . . . . . . . . . . . . . . . . . . .   2
   2.  Some Alternative Means  . . . . . . . . . . . . . . . . . . .   3
     2.1.  Certificate Transparency  . . . . . . . . . . . . . . . .   3
     2.2.  OCSP  . . . . . . . . . . . . . . . . . . . . . . . . . .   4
   3.  Balancing Concerns  . . . . . . . . . . . . . . . . . . . . .   4
     3.1.  Improving Privacy . . . . . . . . . . . . . . . . . . . .   5
     3.2.  Limiting Scope of Certificate Compromise  . . . . . . . .   5
     3.3.  Updates to RFC 8336 . . . . . . . . . . . . . . . . . . .   6
   4.  Security Considerations . . . . . . . . . . . . . . . . . . .   6
   5.  IANA Considerations . . . . . . . . . . . . . . . . . . . . .   6
   6.  References  . . . . . . . . . . . . . . . . . . . . . . . . .   6
     6.1.  Normative References  . . . . . . . . . . . . . . . . . .   6
     6.2.  Informative References  . . . . . . . . . . . . . . . . .   7
   Authors' Addresses  . . . . . . . . . . . . . . . . . . . . . . .   8

1.  Introduction

   [ORIGIN] describes a method whereby an HTTP/2 server can enumerate
   the HTTP origins for which it purports to be authoritative.  This set
   can be greater or lesser than the set of origins over which the
   client might originally have considered the server to be
   authoritative.  Of course, the client will generally not send
   requests to a server unless it considers the server to be
   authoritative for that origin.

   Section 2.4 of [ORIGIN] states that:

      ...clients "MAY avoid consulting DNS to establish the connection's
      authority for new requests to origins in the Origin Set; however,
      those that do so face new risks, as explained in Section 4."

   In Section 4 of [ORIGIN], the attacks this enables are described,
   along with the note that "Clients that blindly trust the ORIGIN
   frame's contents will be vulnerable to a large number of attacks.
   See Section 2.4 for mitigations."

   The mitigation recommended in Section 2.4 is to require the use of
   TLS and that the certificate presented be authoritative for the
   origin in question; the latter is a requirement already present in
   [HTTP2] for HTTP/2 connections using TLS.  In Section 4, it is
   further recommended that:

      ...clients opting not to consult DNS ought to employ some
      alternative means to establish a high degree of confidence that
      the certificate is legitimate.
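
   The following is an added example, not code from this draft or its
   authors, showing the two checks the Introduction contrasts: a client
   that parses an ORIGIN frame ([ORIGIN], Section 2 layout: a 9-byte
   HTTP/2 frame header followed by Origin-Len/ASCII-Origin entries),
   verifies that the connection's certificate covers each advertised
   host, and then either consults DNS (the original requirement this
   document restores) or skips it (the relaxation in Section 2.4 of
   [ORIGIN]).  The certificate names, DNS table, addresses and the
   frame itself are constructed sample data; the function names are
   the example's own.

```python
"""Added example (not from the draft): client-side authority check for
origins advertised in an HTTP/2 ORIGIN frame, with and without a DNS check.
Frame layout per RFC 8336 Section 2; all names/addresses below are constructed."""
import ipaddress
import struct
from urllib.parse import urlsplit

ORIGIN_FRAME_TYPE = 0x0C  # frame type registered by RFC 8336


def build_origin_frame(origins):
    """Encode origins as an ORIGIN frame (used here only to build the sample)."""
    payload = b"".join(struct.pack("!H", len(o)) + o.encode("ascii") for o in origins)
    # 24-bit length, 8-bit type, 8-bit flags, reserved bit + 31-bit stream id (0)
    header = len(payload).to_bytes(3, "big") + bytes([ORIGIN_FRAME_TYPE, 0]) + (0).to_bytes(4, "big")
    return header + payload


def parse_origin_frame(frame):
    """Return the list of ASCII origins carried by an ORIGIN frame (header + payload)."""
    if len(frame) < 9:
        raise ValueError("shorter than the 9-byte HTTP/2 frame header")
    length = int.from_bytes(frame[0:3], "big")
    if frame[3] != ORIGIN_FRAME_TYPE:
        raise ValueError(f"not an ORIGIN frame (type 0x{frame[3]:02x})")
    if int.from_bytes(frame[5:9], "big") & 0x7FFFFFFF != 0:
        raise ValueError("ORIGIN frame must be sent on stream 0")  # RFC 8336 Section 2
    payload = frame[9:9 + length]
    if len(payload) != length:
        raise ValueError("truncated payload")
    origins, pos = [], 0
    while pos < len(payload):
        if pos + 2 > len(payload):
            raise ValueError("truncated Origin-Len")
        olen = struct.unpack_from("!H", payload, pos)[0]
        pos += 2
        if pos + olen > len(payload):
            raise ValueError("Origin-Entry runs past the payload")
        origins.append(payload[pos:pos + olen].decode("ascii"))
        pos += olen
    return origins


def cert_covers_host(san_dns_names, host):
    """dNSName matching: exact match, or a leftmost wildcard covering exactly one label."""
    host = host.lower().rstrip(".")
    for name in san_dns_names:
        name = name.lower().rstrip(".")
        if name.startswith("*."):
            head, sep, tail = host.partition(".")
            if sep and head and "*" not in head and tail == name[2:]:
                return True
        elif name == host:
            return True
    return False


def evaluate_origin(origin, san_dns_names, resolve, connected_ip, connected_port=443, consult_dns=True):
    """Decide whether the connection may be treated as authoritative for `origin`.
    Returns (accepted, reason)."""
    parts = urlsplit(origin)
    host = parts.hostname
    if parts.scheme != "https" or not host or parts.path or parts.query or parts.fragment:
        return False, "not a well-formed https origin"
    if (parts.port or 443) != connected_port:
        return False, "port differs from the connection's port"
    if not cert_covers_host(san_dns_names, host):
        return False, "certificate does not cover this host"
    if not consult_dns:
        return True, "accepted on the certificate alone (RFC 8336 Section 2.4 relaxation)"
    resolved = {ipaddress.ip_address(a) for a in resolve(host)}
    if ipaddress.ip_address(connected_ip) not in resolved:
        return False, "DNS does not direct this host to the connected server"
    return True, "certificate and DNS both agree"


def evaluate_origin_set(frame, san_dns_names, resolve, connected_ip, consult_dns=True):
    """Map every advertised origin to its (accepted, reason) decision."""
    return {o: evaluate_origin(o, san_dns_names, resolve, connected_ip, consult_dns=consult_dns)
            for o in parse_origin_frame(frame)}


# Constructed sample: the connected server (192.0.2.10) holds a wildcard cert for
# *.example.net, but DNS points bank.example.net at a different server.
SAMPLE_SANS = ["www.example.com", "*.example.net"]
SAMPLE_DNS = {
    "www.example.com": ["192.0.2.10"],
    "api.example.net": ["192.0.2.10"],
    "bank.example.net": ["198.51.100.7"],
}
SAMPLE_FRAME = build_origin_frame(
    ["https://www.example.com", "https://api.example.net", "https://bank.example.net"])


def sample_resolve(host):
    """Stand-in for a DNS lookup over the constructed table."""
    return SAMPLE_DNS.get(host.lower(), [])


if __name__ == "__main__":
    for consult in (True, False):
        print(f"consult_dns={consult}")
        for origin, (ok, why) in evaluate_origin_set(
                SAMPLE_FRAME, SAMPLE_SANS, sample_resolve, "192.0.2.10", consult_dns=consult).items():
            print(f"  {'accept' if ok else 'reject'} {origin}: {why}")
```

   With the DNS check in place, https://bank.example.net is rejected
   because the name does not resolve to the connected server, even
   though the wildcard certificate covers it; with the relaxation,
   the same origin is accepted on the certificate alone.  That gap is
   the risk the Abstract refers to: any server holding (or having
   compromised) a certificate that covers a name can claim that origin
   for the connection without the DNS binding the client would
   otherwise have checked.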


   Several methods of increasing certificate trust are referenced.
   However, during the discussion of [SecondaryCerts], the ability to