Re: [saag] Pinning
Ben Laurie <ben@links.org> Thu, 07 June 2012 10:22 UTC
Return-Path: <benlaurie@gmail.com>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DCFCF21F86CE for <saag@ietfa.amsl.com>; Thu, 7 Jun 2012 03:22:47 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.977
X-Spam-Level:
X-Spam-Status: No, score=-2.977 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 7Ai5YE6aBSXb for <saag@ietfa.amsl.com>; Thu, 7 Jun 2012 03:22:47 -0700 (PDT)
Received: from mail-vb0-f54.google.com (mail-vb0-f54.google.com [209.85.212.54]) by ietfa.amsl.com (Postfix) with ESMTP id BFF5521F86C8 for <saag@ietf.org>; Thu, 7 Jun 2012 03:22:46 -0700 (PDT)
Received: by vbmv11 with SMTP id v11so383175vbm.27 for <saag@ietf.org>; Thu, 07 Jun 2012 03:22:46 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:sender:in-reply-to:references:date :x-google-sender-auth:message-id:subject:from:to:cc:content-type; bh=o2qBUVuUwtbkoKIM3umTN3wxIB9KdCs5i7kotnb0mao=; b=QVztxfBTXZVi0z1AhGnhtT9I+DHdx9sRIIxYnokx0qIR0s4UkSWj1OZ1qgx+iU3FpX 6TB9Hqh6Kv4rPOxHcY1EvlMAJRNBn8jCwCLTA98CYZY+CTqmBDwwnx5YhYzFhl5m81T4 AG2+RP45iIBx8RHk8bOj46s5gjRY+2aQF1+k8G1aKnbq6sg1NC0dkex0cOW9QhCrPymj WrEZpAJL8hZEcngKIrORDdJx8nBCEEd4n899sJKfSuFI/XVKRfgr7nki7JjBwyr+3bOj EMJNqtbRVz/Ln95Ec2sIMnraPJYmitipZ6AydH0fs3O/6Wy2ZW4avclEgYyPcJpFQXKi gIQw==
MIME-Version: 1.0
Received: by 10.52.23.144 with SMTP id m16mr1253042vdf.77.1339064566193; Thu, 07 Jun 2012 03:22:46 -0700 (PDT)
Sender: benlaurie@gmail.com
Received: by 10.52.36.226 with HTTP; Thu, 7 Jun 2012 03:22:46 -0700 (PDT)
In-Reply-To: <4FCE6431.6050808@ieca.com>
References: <4FCE6431.6050808@ieca.com>
Date: Thu, 07 Jun 2012 11:22:46 +0100
X-Google-Sender-Auth: U5gbiWWy66CKfqwrIBBbm5iqApc
Message-ID: <CAG5KPzxO5xvQCe24NsciV78i8+ErzhLb0OCgT_duf2wrBW7i3w@mail.gmail.com>
From: Ben Laurie <ben@links.org>
To: Sean Turner <turners@ieca.com>
Content-Type: text/plain; charset="ISO-8859-1"
Cc: saag@ietf.org
Subject: Re: [saag] Pinning
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/saag>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 07 Jun 2012 10:22:48 -0000
On Tue, Jun 5, 2012 at 8:55 PM, Sean Turner <turners@ieca.com> wrote: > All, > > There are many proposals for how to say which key or certificate or trust > anchor should be used by the client in a TLS session that it is about to > open. These proposals include making that decision in the DNS > (https://datatracker.ietf.org/doc/draft-ietf-dane-protocol/), in the > application after TLS has happened once, to be remembered in the future > (https://datatracker.ietf.org/doc/draft-ietf-websec-key-pinning/), and in > the TLS handshake (https://datatracker.ietf.org/doc/draft-perrin tls-tack/). > If more than one of these protocols are deployed, operational mistakes could > lead to a client getting conflicting information. You forgot Certificate Transparency :-) http://www.links.org/files/CertificateAuthorityTransparencyandAuditability.pdf > Similarly, there are also proposals on how to say whether or not a client > should expect to see a particular service running under TLS. These proposals > include making that indication in the DNS (draft hoffman-server-has-tls, > expired but might be revived) and in the application after TLS has happened > once, to be remembered in the future > (https://datatracker.ietf.org/doc/draft-ietf-websec-strict-transport sec/). > If more than one of these protocols are deployed, operational mistakes could > lead to a client getting conflicting information. > > Is a standards-track operations statement needed to describe the choices > that a TLS server administrator has, and to deal with conflicts between the > proposals? > > spt > _______________________________________________ > saag mailing list > saag@ietf.org > https://www.ietf.org/mailman/listinfo/saag
- [saag] Pinning Sean Turner
- Re: [saag] Pinning Henry B. Hotz
- [saag] Fwd: [websec] Pinning Yoav Nir
- Re: [saag] [websec] Pinning Paul Hoffman
- Re: [saag] Pinning Steven Bellovin
- Re: [saag] [TLS] Fwd: Pinning Nikos Mavrogiannopoulos
- Re: [saag] [websec] Pinning Tobias Gondrom
- Re: [saag] Pinning Ben Laurie
- Re: [saag] [websec] Pinning Chris Palmer
- Re: [saag] [websec] Pinning Paul Hoffman
- Re: [saag] [websec] Pinning Trevor Perrin
- Re: [saag] [websec] Pinning Jeffrey Hutzelman
- Re: [saag] [websec] Pinning Tony Finch
- Re: [saag] [websec] Pinning Alexey Melnikov
- Re: [saag] [websec] Pinning Tobias Gondrom