IETF Logo Mail Archive

exposing certificate information (current + upcoming)

Stefan Eissing <stefan.eissing@greenbytes.de> Fri, 10 May 2019 10:50 UTC

Return-Path: <ietf-http-wg-request+bounce-httpbisa-archive-bis2juki=lists.ie@listhub.w3.org>
X-Original-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Delivered-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E16A4120072 for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Fri, 10 May 2019 03:50:07 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3
X-Spam-Level:
X-Spam-Status: No, score=-3 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HEADER_FROM_DIFFERENT_DOMAINS=0.001, MAILING_LIST_MULTI=-1, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=greenbytes.de header.b=bFA/foye; dkim=pass (1024-bit key) header.d=greenbytes.de header.b=bFA/foye
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id thZeHjEoaWqF for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Fri, 10 May 2019 03:50:06 -0700 (PDT)
Received: from frink.w3.org (frink.w3.org [IPv6:2603:400a:ffff:804:801e:34:0:38]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id DE500120026 for <httpbisa-archive-bis2Juki@lists.ietf.org>; Fri, 10 May 2019 03:50:05 -0700 (PDT)
Received: from lists by frink.w3.org with local (Exim 4.89) (envelope-from <ietf-http-wg-request@listhub.w3.org>) id 1hP33h-0003Dc-D4 for ietf-http-wg-dist@listhub.w3.org; Fri, 10 May 2019 10:47:21 +0000
Resent-Date: Fri, 10 May 2019 10:47:21 +0000
Resent-Message-Id: <E1hP33h-0003Dc-D4@frink.w3.org>
Received: from mimas.w3.org ([2603:400a:ffff:804:801e:34:0:4f]) by frink.w3.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.89) (envelope-from <stefan.eissing@greenbytes.de>) id 1hP33e-0003Cl-6Z for ietf-http-wg@listhub.w3.org; Fri, 10 May 2019 10:47:18 +0000
Received: from mail.greenbytes.de ([217.91.35.233]) by mimas.w3.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.89) (envelope-from <stefan.eissing@greenbytes.de>) id 1hP33c-00073g-7g for ietf-http-wg@w3.org; Fri, 10 May 2019 10:47:17 +0000
Received: by mail.greenbytes.de (Postfix, from userid 117) id A5B6E15A1181; Fri, 10 May 2019 12:46:53 +0200 (CEST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=greenbytes.de; s=mail; t=1557485213; bh=3Mo7fCfHsQJnXcY0asOaG/iw6aRZYhdkZ8NE80RFqzo=; h=From:Subject:Date:To:From; b=bFA/foyedwE8vTtFEn4R0Z9GdqwNE248RBgP0CsoJJy+eO8DgyzU3A7hRdEV/umx/ av1ZN21DB5JPuMrzSTNNFCdjv5u9Wn/RIjFgrwXtO8ut9IQ7uOMFmRsrf4l6sSP2l8 hII5SkG8AyhUrUrx3I903XBmtMkHWoyE2Hy26b5w=
Received: from resistance.greenbytes.local (unknown [217.91.35.233]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mail.greenbytes.de (Postfix) with ESMTPSA id 4319815A0448 for <ietf-http-wg@w3.org>; Fri, 10 May 2019 12:46:53 +0200 (CEST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=greenbytes.de; s=mail; t=1557485213; bh=3Mo7fCfHsQJnXcY0asOaG/iw6aRZYhdkZ8NE80RFqzo=; h=From:Subject:Date:To:From; b=bFA/foyedwE8vTtFEn4R0Z9GdqwNE248RBgP0CsoJJy+eO8DgyzU3A7hRdEV/umx/ av1ZN21DB5JPuMrzSTNNFCdjv5u9Wn/RIjFgrwXtO8ut9IQ7uOMFmRsrf4l6sSP2l8 hII5SkG8AyhUrUrx3I903XBmtMkHWoyE2Hy26b5w=
From: Stefan Eissing <stefan.eissing@greenbytes.de>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
Mime-Version: 1.0 (Mac OS X Mail 12.4 \(3445.104.8\))
Message-Id: <BA35C55E-E096-49DA-BBC5-D5A34756FC67@greenbytes.de>
Date: Fri, 10 May 2019 12:46:53 +0200
To: HTTP Working Group <ietf-http-wg@w3.org>
X-Mailer: Apple Mail (2.3445.104.8)
Received-SPF: pass client-ip=217.91.35.233; envelope-from=stefan.eissing@greenbytes.de; helo=mail.greenbytes.de
X-W3C-Hub-Spam-Status: No, score=-4.6
X-W3C-Hub-Spam-Report: AWL=-0.539, BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, SPF_PASS=-0.001, W3C_AA=-1, W3C_WL=-1
X-W3C-Scan-Sig: mimas.w3.org 1hP33c-00073g-7g b369b20491bd40c492b55388658627d6
X-Original-To: ietf-http-wg@w3.org
Subject: exposing certificate information (current + upcoming)
Archived-At: <https://www.w3.org/mid/BA35C55E-E096-49DA-BBC5-D5A34756FC67@greenbytes.de>
Resent-From: ietf-http-wg@w3.org
X-Mailing-List: <ietf-http-wg@w3.org> archive/latest/36628
X-Loop: ietf-http-wg@w3.org
Resent-Sender: ietf-http-wg-request@w3.org
Precedence: list
List-Id: <ietf-http-wg.w3.org>
List-Help: <https://www.w3.org/Mail/>
List-Post: <mailto:ietf-http-wg@w3.org>
List-Unsubscribe: <mailto:ietf-http-wg-request@w3.org?subject=unsubscribe>

Christophe Brocas (@cbrocas), organizer of Pass-the-Salt security conference, tweeted 
about checking HTTP server certificates against CT logs to detect very early if someone
successfully highjacked one of your domains.

A renewed certificate is often not immediately used on a server but activated on the
next restart which can be several hours away. To check if a certificate mentioned in a
CT log, one would need to obtain information about upcoming certificates as well.

One approach is to expose this on a /.well-known resource of a domain. A JSON 
representation of current and upcoming certificate information. CN, serial,
fingerprint, alt-names, begins at, expires on. Maybe the hole certificate?

I would be interested in your opinion if this information can be exposed publicly or
should be considered sensitive? For the current cert, the client
obviously already has this at the connection, but is there any risk of exposing
an upcoming cert?

Feedback appreciated,

Stefan

v2.23.0 | Report a Bug | By Email