Re: [saag] On PKI vs. Pinning (SAAG 108 preview)
Michael Richardson <mcr+ietf@sandelman.ca> Mon, 17 August 2020 06:24 UTC
From: Michael Richardson <mcr+ietf@sandelman.ca>
To: Eric Rescorla <ekr@rtfm.com>, Benjamin Kaduk <kaduk@mit.edu>, IETF SAAG <saag@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/9huQNNQ9I-ZO2AQkrGM70gnak0M>
Eric Rescorla <ekr@rtfm.com> wrote:
> Pinning on the Web [RFC 7469] is now more than five years old and in
> the intervening period, opinion has shifted, with people increasingly
> believing that pinning was too brittle a feature to deploy safely.
> For this reason, Firefox and Chrome have both deprecated pinning (I
> believe that Safari and IE never had it). So, to the extent to which
> there is a consensus, it's that pinning is not a best practice.

Are there some reports, threads, or post-mortems that would allow people
to understand the nature of the brittleness?

Without attempting to disagree, I can see all sorts of things that could
go wrong, but I'd like to understand what did go wrong.

(If this conversation happened on an IETF list, then which one would
probably be enough for me to track it down.)

-- 
Michael Richardson <mcr+IETF@sandelman.ca>, Sandelman Software Works
 -= IPv6 IoT consulting =-
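As an added illustration (not part of this thread or of any browser's code) of one way RFC 7469 pinning is brittle: a client that has noted a site's pins will reject that site for the rest of max-age if the site rotates to a key that neither the live pin nor the backup pin covers. The SPKI byte strings, the rotation scenario and the 60-day max-age are constructed for the example.

```python
import base64
import hashlib
from dataclasses import dataclass, field


def spki_pin(spki_der: bytes) -> str:
    """RFC 7469 pin value: base64(SHA-256(SubjectPublicKeyInfo DER))."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")


@dataclass
class PinStore:
    """Pins a client has noted for one host, plus the time they expire (max-age)."""
    pins: set = field(default_factory=set)
    expires: float = 0.0


def note_pins(store: PinStore, header_pins, max_age: int, now: float, chain_spkis) -> bool:
    """Apply a Public-Key-Pins header as RFC 7469 requires: at least one pin must
    match the served chain and at least one must NOT (the backup pin)."""
    pins = set(header_pins)
    served = {spki_pin(s) for s in chain_spkis}
    if not (pins & served) or not (pins - served):
        return False  # header is ignored; nothing is noted
    store.pins, store.expires = pins, now + max_age
    return True


def chain_accepted(store: PinStore, now: float, chain_spkis) -> bool:
    """Pin validation: while noted pins are unexpired, some SPKI in the chain must match."""
    if now >= store.expires or not store.pins:
        return True  # no (or expired) pins: ordinary PKI validation decides alone
    return any(spki_pin(s) in store.pins for s in chain_spkis)


def rotation_without_backup():
    """Constructed scenario: the site pins live key A plus backup B, then rotates to a
    new key C (B was lost). Returning clients are locked out until max-age runs out."""
    key_a, key_b, key_c = b"spki-A", b"spki-B", b"spki-C"  # constructed stand-ins for DER
    max_age = 60 * 24 * 3600  # 60 days, constructed for the example
    returning, fresh = PinStore(), PinStore()
    noted = note_pins(returning, [spki_pin(key_a), spki_pin(key_b)], max_age, 0, [key_a])
    return {
        "pins_noted": noted,
        "day1_key_a": chain_accepted(returning, 1 * 86400, [key_a]),
        "day10_key_c_returning": chain_accepted(returning, 10 * 86400, [key_c]),
        "day10_key_c_fresh": chain_accepted(fresh, 10 * 86400, [key_c]),
        "day61_key_c_returning": chain_accepted(returning, 61 * 86400, [key_c]),
    }
```

The split between returning and fresh clients is what makes the outage hard to see from the operator's side: monitoring from a host without noted pins keeps succeeding while pinned users are locked out.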