IETF Logo Mail Archive

Re: [saag] On PKI vs. Pinning (SAAG 108 preview)

Eric Rescorla <ekr@rtfm.com> Tue, 28 July 2020 22:01 UTC

Return-Path: <ekr@rtfm.com>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 937303A0AA0 for <saag@ietfa.amsl.com>; Tue, 28 Jul 2020 15:01:53 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.896
X-Spam-Level:
X-Spam-Status: No, score=-1.896 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=rtfm-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 9bPQ5FdzgYky for <saag@ietfa.amsl.com>; Tue, 28 Jul 2020 15:01:51 -0700 (PDT)
Received: from mail-lj1-x22b.google.com (mail-lj1-x22b.google.com [IPv6:2a00:1450:4864:20::22b]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A90F23A09C7 for <saag@ietf.org>; Tue, 28 Jul 2020 15:01:39 -0700 (PDT)
Received: by mail-lj1-x22b.google.com with SMTP id f5so22844728ljj.10 for <saag@ietf.org>; Tue, 28 Jul 2020 15:01:39 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rtfm-com.20150623.gappssmtp.com; s=20150623; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=FwMNyTDAQlerMLc2cM/mZEm64zMUBg4X4gbfF74JnFY=; b=q+OdWfikwpfHI7MQUyGFHVaFxEh9s/Xpd6836k+9g4i0uvsJX8j1TwIc5PxmVkNWqh Zy1Jb/l0LTmc4u54y3wOiJK1eEZkCqrHcHdzdEWFk3t+fwKkiBEfsRYZJThkc7JmaqfB eUDTJMvZI0pGasfLvOgjT+1xdVtDQWZMlHZ9giC/IzNQ5PLYmqXMsD43XzZSIHw0ZLy6 JPGkhDzGlK4zU91Qvh20iF9puilBLFWWGrVh62L4AoNvvuBAL1LLhg7aHZiOU3i7WTgk Ym1TAHymV1ESRhSBQAO23oppMXupP4uyc/yHKDTZsyOSzwZcjX961gxedxUZigINCxlj pV4A==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=FwMNyTDAQlerMLc2cM/mZEm64zMUBg4X4gbfF74JnFY=; b=ratup4WiLLkWAmyAra/sJqXQk+okHS9ibxbHCWunuFBD1sAEPJhhTrMf+kt4qWtz2Q bSLaaGSMD2I5yaNFkRl1ij8Igympcfi9FYi9ZknkaDK4fpH0SGl7KCkfDBgKbP5TU7dl ihu7DvGc6uq7iBkYE9icAWuEsU2JhWHOXEa408XGIqiFsXYbWneky11egYR0FkG7pzif aGC8K/54V9OGBQj0vkUfFfrQ3b7OAYfiiBLaGnEpGz86gbAROcS2zypr2ysvQyWQBogL YTzVdsNZP+GZr02DtPCsqwtcEUh/Udksj9pPbgMi6pN5whJyIEWT/TItcYHW0Q+qG4ZD vmPQ==
X-Gm-Message-State: AOAM5313AoI0JLmdWxaK7F9z5CfOWXGXfRKxItWvI/+UoMMz5fZuc5Dg sTwNFSzqILyVTdiES6thXzoAHMHm5HJ99OsV3D67ag==
X-Google-Smtp-Source: ABdhPJwDQ60Kp+zAJ98pD/7KqQ3gStI/1TzXKHy3pAQG+TPa5YklDhJIHQWPfoA9RTjXU8VYOjcubzhoYeKLl0JzIIk=
X-Received: by 2002:a2e:9f08:: with SMTP id u8mr7194030ljk.265.1595973697744; Tue, 28 Jul 2020 15:01:37 -0700 (PDT)
MIME-Version: 1.0
References: <20200728191331.GV41010@kduck.mit.edu>
In-Reply-To: <20200728191331.GV41010@kduck.mit.edu>
From: Eric Rescorla <ekr@rtfm.com>
Date: Tue, 28 Jul 2020 15:01:01 -0700
Message-ID: <CABcZeBMX6nn7vocZ66F9i3Tdap_uzxzWCJbPRKfCeUF1KNkRaA@mail.gmail.com>
To: Benjamin Kaduk <kaduk@mit.edu>
Cc: IETF SAAG <saag@ietf.org>
Content-Type: multipart/alternative; boundary="0000000000005369cf05ab87954a"
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/LoAE0HA2Ut22fuEj98IAS05Jrv4>
Subject: Re: [saag] On PKI vs. Pinning (SAAG 108 preview)
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/saag/>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 28 Jul 2020 22:02:00 -0000

It might be helpful to nail down our terminology here.

Traditionally, we have three main approaches to public-key based key
management:

- Manual configuration and/or TOFU (a la SSH)
- DNSSEC with something like TLSA
- Deferring to some set of CAs (PKI) [0]

As a practical matter, PKIs currently come in two flavors:

- Publicly verifiable certificates which are rooted in one of a set
  of commonly trusted CAs (generally WebPKI).
- Non-publicly verifiable certificates which are rooted in some other
  set of CAs (e.g., enterprise CAs).

If you want to be able to talk to any machine on the Internet and
you're using PKI [again, you could use DNSSEC/TLSA] then you need to
have publicly verifiable certificates. However, there are a large
number of such CAs and any of them can issue for a given name. This is
where pinning comes in, as a technique for restricting the CAs (or EE
keys) which can be used to authenticate a given name. Importantly,
pinning only *restricts* the set of keys which can be used with a
given domain; it doesn't expand it. IOW, you still need a valid PKI
cert. If you're just configuring a key and not using the PKI,
that's not pinning.

Pinning on the Web [RFC 7469] is now more than five years old and in
the intervening period, opinion has shifted, with people increasingly
believing that pinning was too brittle a feature to deploy safely.
For this reason, Firefox and Chrome have both deprecated pinning (I
believe that Safari and IE never had it). So, to the extent to which
there is a consensus, its that pinning is not a best practice.

I think there's a separate question of what one ought to do when
one does not need to connect to any machine on the Internet [1]. In
those cases, whether manual configuration or a private CA is most
appropriate seems to be a judgement call depending on how complicated
the deployment is. I don't know the RPC-over-TLS setting enough
to know what is best here.

-Ekr


[0] One can argue that DNSSEC is a form of PKI, but I've broken
it out for convenience here.

[1] You call out the special case where an app is talking back to
its own site:

   A banking mobile app
   surely should pin the bank's known CA, rather than leaving an enterprise
CA
   free to MITM a user's session, whereas something that wants to be part of
   the Web is largely forced to adopt the Web PKI.

I would make two points about this. As a practical matter, it's not
uncommmon for this kind of captive app to just use a generic WebPKI
certificate, so this isn't really that different from serving up
an HPKP header to a generic Web browser. Second, prior to HPKP being
deprecated, it was standard practice to exempt locally installed
CAs from pin checks because otherwise users would experience failures
on networks which had MITM proxies. It seems like a similar set
of considerations would apply in this case.















On Tue, Jul 28, 2020 at 12:13 PM Benjamin Kaduk <kaduk@mit.edu> wrote:

> Hi all,
>
> One of the agenda items for Thursday's SAAG session at IETF 108 is
> "Discussion on PKI vs. Pinning Applicability".  This is intended to be
> Security Area Advisory Group in its core meaning -- I want to get the sense
> of the IETF security community.  There are some draft slides for SAAG at
>
> https://www.ietf.org/proceedings/108/slides/slides-108-saag-chair-slides-pkipinning-bcp-72-00
> (starting at slide 33; note to self: change template to include slide
> numbers), and in true IETF spirit I'm hoping we can get a lot of it covered
> on the list in advance.
>
> As a lead-in, this topic came to mind due to a thread on the NFSv4 list,
> discussing the RPC-over-TLS work that's in IESG Evaluation.  A participant
> made the claim (see thread at
> https://mailarchive.ietf.org/arch/msg/nfsv4/SLTNqWbjE-H8JshLk0HwlwxArrI/)
> that certificate pinning is needed for RPC-TLS, and I did not have the
> impression that this was the consensus position of the IETF security
> community ... but I also don't have any data to support that impression
> (yet?).
>
> It's clear that there are benefits and drawbacks of both approaches,
> relating to scalability, ease of (minimal) deployment, key rotation, need
> for maintaining highly secure infrastructure to protect high-value secrets,
> how revocation is handled, whether or not having an enterprise CA is seen
> as a bug or feature, etc.  Similarly, there seem to be some use cases that
> naturally lean towards one strategy or the other.  A banking mobile app
> surely should pin the bank's known CA, rather than leaving an enterprise CA
> free to MITM a user's session, whereas something that wants to be part of
> the Web is largely forced to adopt the Web PKI.
>
> This leads to some questions that may be worth discussing (both here on the
> list and in-person on Thursday):
>
> Can we make a classification of what types of protocols are naturally
> suited for PKI scenarios and what types of protocols are naturally suited
> for pinning?
>
> If you're going to pin, how does it matter if you pin a (raw) public key, a
> self-signed non-CA cert, an arbitrary cert, an intermediate CA, a root CA,
> etc?
>
> Is there benefit in arranging for a description of the system where the
> ability to pin is just a degenerate case of a PKI, with a single trust
> anchor and no real hierarchy?
>
> Do we want all protocols that specify one to be usable with the other (and
> document it that way)?
>
> Is there utility in writing a document to cover any of the above topics?
>
> Thanks in advance for a lively discussion,
>
> Ben
>
> _______________________________________________
> saag mailing list
> saag@ietf.org
> https://www.ietf.org/mailman/listinfo/saag
>

v2.23.0 | Report a Bug | By Email