[saag] Pinning
Sean Turner <turners@ieca.com> Tue, 05 June 2012 19:55 UTC
Return-Path: <turners@ieca.com>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1EDF521F85B1 for <saag@ietfa.amsl.com>; Tue, 5 Jun 2012 12:55:32 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.077
X-Spam-Level:
X-Spam-Status: No, score=-102.077 tagged_above=-999 required=5 tests=[AWL=0.188, BAYES_00=-2.599, IP_NOT_FRIENDLY=0.334, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id BwHaEhXnvn2e for <saag@ietfa.amsl.com>; Tue, 5 Jun 2012 12:55:31 -0700 (PDT)
Received: from gateway03.websitewelcome.com (gateway03.websitewelcome.com [69.93.38.21]) by ietfa.amsl.com (Postfix) with ESMTP id 502F921F85AF for <saag@ietf.org>; Tue, 5 Jun 2012 12:55:31 -0700 (PDT)
Received: from gator1743.hostgator.com (gator1743.hostgator.com [184.173.253.227]) by gateway03.websitewelcome.com (Postfix) with ESMTP id AF61B7B8C2E60 for <saag@ietf.org>; Tue, 5 Jun 2012 14:55:30 -0500 (CDT)
Received: from [71.191.2.244] (port=36493 helo=thunderfish.local) by gator1743.hostgator.com with esmtpsa (TLSv1:AES256-SHA:256) (Exim 4.77) (envelope-from <turners@ieca.com>) id 1Sbzqk-0003q7-GU for saag@ietf.org; Tue, 05 Jun 2012 14:55:30 -0500
Message-ID: <4FCE6431.6050808@ieca.com>
Date: Tue, 05 Jun 2012 15:55:29 -0400
From: Sean Turner <turners@ieca.com>
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:12.0) Gecko/20120428 Thunderbird/12.0.1
MIME-Version: 1.0
To: saag@ietf.org
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - gator1743.hostgator.com
X-AntiAbuse: Original Domain - ietf.org
X-AntiAbuse: Originator/Caller UID/GID - [47 12] / [47 12]
X-AntiAbuse: Sender Address Domain - ieca.com
X-BWhitelist: no
X-Source:
X-Source-Args:
X-Source-Dir:
X-Source-Sender: (thunderfish.local) [71.191.2.244]:36493
X-Source-Auth: sean.turner@ieca.com
X-Email-Count: 3
X-Source-Cap: ZG9tbWdyNDg7ZG9tbWdyNDg7Z2F0b3IxNzQzLmhvc3RnYXRvci5jb20=
Subject: [saag] Pinning
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/saag>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 05 Jun 2012 19:55:32 -0000
All, There are many proposals for how to say which key or certificate or trust anchor should be used by the client in a TLS session that it is about to open. These proposals include making that decision in the DNS (https://datatracker.ietf.org/doc/draft-ietf-dane-protocol/), in the application after TLS has happened once, to be remembered in the future (https://datatracker.ietf.org/doc/draft-ietf-websec-key-pinning/), and in the TLS handshake (https://datatracker.ietf.org/doc/draft-perrin tls-tack/). If more than one of these protocols are deployed, operational mistakes could lead to a client getting conflicting information. Similarly, there are also proposals on how to say whether or not a client should expect to see a particular service running under TLS. These proposals include making that indication in the DNS (draft hoffman-server-has-tls, expired but might be revived) and in the application after TLS has happened once, to be remembered in the future (https://datatracker.ietf.org/doc/draft-ietf-websec-strict-transport sec/). If more than one of these protocols are deployed, operational mistakes could lead to a client getting conflicting information. Is a standards-track operations statement needed to describe the choices that a TLS server administrator has, and to deal with conflicts between the proposals? spt
- [saag] Pinning Sean Turner
- Re: [saag] Pinning Henry B. Hotz
- [saag] Fwd: [websec] Pinning Yoav Nir
- Re: [saag] [websec] Pinning Paul Hoffman
- Re: [saag] Pinning Steven Bellovin
- Re: [saag] [TLS] Fwd: Pinning Nikos Mavrogiannopoulos
- Re: [saag] [websec] Pinning Tobias Gondrom
- Re: [saag] Pinning Ben Laurie
- Re: [saag] [websec] Pinning Chris Palmer
- Re: [saag] [websec] Pinning Paul Hoffman
- Re: [saag] [websec] Pinning Trevor Perrin
- Re: [saag] [websec] Pinning Jeffrey Hutzelman
- Re: [saag] [websec] Pinning Tony Finch
- Re: [saag] [websec] Pinning Alexey Melnikov
- Re: [saag] [websec] Pinning Tobias Gondrom