IETF Logo Mail Archive

Re: [saag] On PKI vs. Pinning (SAAG 108 preview)

Richard Barnes <rlb@ipv.sx> Wed, 29 July 2020 15:33 UTC

Return-Path: <rlb@ipv.sx>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 681463A0C2D for <saag@ietfa.amsl.com>; Wed, 29 Jul 2020 08:33:53 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.896
X-Spam-Level:
X-Spam-Status: No, score=-1.896 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=ipv-sx.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id m5d7dqHYHtgf for <saag@ietfa.amsl.com>; Wed, 29 Jul 2020 08:33:50 -0700 (PDT)
Received: from mail-qk1-x732.google.com (mail-qk1-x732.google.com [IPv6:2607:f8b0:4864:20::732]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A1B9B3A0B9D for <saag@ietf.org>; Wed, 29 Jul 2020 08:33:50 -0700 (PDT)
Received: by mail-qk1-x732.google.com with SMTP id 11so22626075qkn.2 for <saag@ietf.org>; Wed, 29 Jul 2020 08:33:50 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ipv-sx.20150623.gappssmtp.com; s=20150623; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=nB3v4gXSfAMw8v2QCSrwU4zN9abf7h6Xtt44kwCcNE8=; b=oBCOldjl4srhMuwenbVfsEMnbx9kRd0SoKc8/j5bglFgA8Dx+OigdRkY2Za3PB3sFN ZjXRbN/0lmoIPFd2GASB811Podn0leD8d9dmYqk49DhZo33nsshs8FO5UQwgb9IV8h0V +H7ptdmJXHTpmAmN/WrRjKAnOEW8SKaMa7BXd/nq/Xfmo3jN/26Cu2/tqhHrb5kq2io2 vzoUUHeNZsaD97kuEzviULYdIHW9B210Q9RbmJQCKA8w4Pl6YCLWJMDMNJpumUhyRvEt n9OfUjAZsgE5NQrbTk1IQNTYFhla6KYlz2pizjf5HG70IZTyh7n31xSdfuePclOqArI1 /hJQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=nB3v4gXSfAMw8v2QCSrwU4zN9abf7h6Xtt44kwCcNE8=; b=ad0eRH6oNZguPtt3TG/jWYWEkulndmOREpsqHjbLH5YXSt41jQcBGo304E/Xz9KM0D xyhJJhlibs5c0lpLgfrDz0PnwO3Jbar70/U7cVBFr7pUPUNxsiv3r+LnbbbvUhz58n7n 8/PAPNZAeY15J56tlhXLIG+zUTK4Y6wLaQKNVaOgdxQpfZ8fNnCMGxhB81tEUyDtS73K Jn2dWnAmnufJBDWzJcA7rAEZI//WY2r2nryri5vnCB9izquyE/SjfsepBK9QVSa21nsc myz4WzA3hs0x7HgX2Q3L7CLuwsFaO60dcENA1yI/ynlD2oa0tNsceDNYYRrqmvr7OzJA pVeA==
X-Gm-Message-State: AOAM533lmYza0Xavw4HUqMAn6tqHBuQ9LUClEbK9S/7ZZO0uCZd4s3kz 6GBUXBAu7FjHTQAnkBsspqjvbxh0dmmebb/WKk44tA==
X-Google-Smtp-Source: ABdhPJzWA5h7pLw2/WmzF66KOsj8+DOjOaJlU27ZTqDxL/NT5JKubO7XqlAylREbocz2MQBjvVotPyfQAI7UEi0PnfE=
X-Received: by 2002:a05:620a:63a:: with SMTP id 26mr34495437qkv.490.1596036829416; Wed, 29 Jul 2020 08:33:49 -0700 (PDT)
MIME-Version: 1.0
References: <20200728191331.GV41010@kduck.mit.edu> <CABcZeBMX6nn7vocZ66F9i3Tdap_uzxzWCJbPRKfCeUF1KNkRaA@mail.gmail.com>
In-Reply-To: <CABcZeBMX6nn7vocZ66F9i3Tdap_uzxzWCJbPRKfCeUF1KNkRaA@mail.gmail.com>
From: Richard Barnes <rlb@ipv.sx>
Date: Wed, 29 Jul 2020 11:33:17 -0400
Message-ID: <CAL02cgTJdKDTXru6s_0zO=F_G2RcCe2SUSDm=S+8PpJd1yg52g@mail.gmail.com>
To: Eric Rescorla <ekr@rtfm.com>
Cc: Benjamin Kaduk <kaduk@mit.edu>, IETF SAAG <saag@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000442c7605ab9648bc"
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/lns2ke1CCIxL1M28XZVY6fmYQRI>
Subject: Re: [saag] On PKI vs. Pinning (SAAG 108 preview)
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/saag/>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 29 Jul 2020 15:33:58 -0000

As is often the case, I agree with EKR here.

The point I would emphasize is that all of these options have the same
protocol footprint.  Regardless of where you root trust or how you
constrain it, the protocol needs to carry credentials that allow PKI-style
chaining/delegation.

--Richard

On Tue, Jul 28, 2020 at 6:03 PM Eric Rescorla <ekr@rtfm.com> wrote:

> It might be helpful to nail down our terminology here.
>
> Traditionally, we have three main approaches to public-key based key
> management:
>
> - Manual configuration and/or TOFU (a la SSH)
> - DNSSEC with something like TLSA
> - Deferring to some set of CAs (PKI) [0]
>
> As a practical matter, PKIs currently come in two flavors:
>
> - Publicly verifiable certificates which are rooted in one of a set
>   of commonly trusted CAs (generally WebPKI).
> - Non-publicly verifiable certificates which are rooted in some other
>   set of CAs (e.g., enterprise CAs).
>
> If you want to be able to talk to any machine on the Internet and
> you're using PKI [again, you could use DNSSEC/TLSA] then you need to
> have publicly verifiable certificates. However, there are a large
> number of such CAs and any of them can issue for a given name. This is
> where pinning comes in, as a technique for restricting the CAs (or EE
> keys) which can be used to authenticate a given name. Importantly,
> pinning only *restricts* the set of keys which can be used with a
> given domain; it doesn't expand it. IOW, you still need a valid PKI
> cert. If you're just configuring a key and not using the PKI,
> that's not pinning.
>
> Pinning on the Web [RFC 7469] is now more than five years old and in
> the intervening period, opinion has shifted, with people increasingly
> believing that pinning was too brittle a feature to deploy safely.
> For this reason, Firefox and Chrome have both deprecated pinning (I
> believe that Safari and IE never had it). So, to the extent to which
> there is a consensus, its that pinning is not a best practice.
>
> I think there's a separate question of what one ought to do when
> one does not need to connect to any machine on the Internet [1]. In
> those cases, whether manual configuration or a private CA is most
> appropriate seems to be a judgement call depending on how complicated
> the deployment is. I don't know the RPC-over-TLS setting enough
> to know what is best here.
>
> -Ekr
>
>
> [0] One can argue that DNSSEC is a form of PKI, but I've broken
> it out for convenience here.
>
> [1] You call out the special case where an app is talking back to
> its own site:
>
>    A banking mobile app
>    surely should pin the bank's known CA, rather than leaving an
> enterprise CA
>    free to MITM a user's session, whereas something that wants to be part
> of
>    the Web is largely forced to adopt the Web PKI.
>
> I would make two points about this. As a practical matter, it's not
> uncommmon for this kind of captive app to just use a generic WebPKI
> certificate, so this isn't really that different from serving up
> an HPKP header to a generic Web browser. Second, prior to HPKP being
> deprecated, it was standard practice to exempt locally installed
> CAs from pin checks because otherwise users would experience failures
> on networks which had MITM proxies. It seems like a similar set
> of considerations would apply in this case.
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
> On Tue, Jul 28, 2020 at 12:13 PM Benjamin Kaduk <kaduk@mit.edu> wrote:
>
>> Hi all,
>>
>> One of the agenda items for Thursday's SAAG session at IETF 108 is
>> "Discussion on PKI vs. Pinning Applicability".  This is intended to be
>> Security Area Advisory Group in its core meaning -- I want to get the
>> sense
>> of the IETF security community.  There are some draft slides for SAAG at
>>
>> https://www.ietf.org/proceedings/108/slides/slides-108-saag-chair-slides-pkipinning-bcp-72-00
>> (starting at slide 33; note to self: change template to include slide
>> numbers), and in true IETF spirit I'm hoping we can get a lot of it
>> covered
>> on the list in advance.
>>
>> As a lead-in, this topic came to mind due to a thread on the NFSv4 list,
>> discussing the RPC-over-TLS work that's in IESG Evaluation.  A participant
>> made the claim (see thread at
>> https://mailarchive.ietf.org/arch/msg/nfsv4/SLTNqWbjE-H8JshLk0HwlwxArrI/)
>> that certificate pinning is needed for RPC-TLS, and I did not have the
>> impression that this was the consensus position of the IETF security
>> community ... but I also don't have any data to support that impression
>> (yet?).
>>
>> It's clear that there are benefits and drawbacks of both approaches,
>> relating to scalability, ease of (minimal) deployment, key rotation, need
>> for maintaining highly secure infrastructure to protect high-value
>> secrets,
>> how revocation is handled, whether or not having an enterprise CA is seen
>> as a bug or feature, etc.  Similarly, there seem to be some use cases that
>> naturally lean towards one strategy or the other.  A banking mobile app
>> surely should pin the bank's known CA, rather than leaving an enterprise
>> CA
>> free to MITM a user's session, whereas something that wants to be part of
>> the Web is largely forced to adopt the Web PKI.
>>
>> This leads to some questions that may be worth discussing (both here on
>> the
>> list and in-person on Thursday):
>>
>> Can we make a classification of what types of protocols are naturally
>> suited for PKI scenarios and what types of protocols are naturally suited
>> for pinning?
>>
>> If you're going to pin, how does it matter if you pin a (raw) public key,
>> a
>> self-signed non-CA cert, an arbitrary cert, an intermediate CA, a root CA,
>> etc?
>>
>> Is there benefit in arranging for a description of the system where the
>> ability to pin is just a degenerate case of a PKI, with a single trust
>> anchor and no real hierarchy?
>>
>> Do we want all protocols that specify one to be usable with the other (and
>> document it that way)?
>>
>> Is there utility in writing a document to cover any of the above topics?
>>
>> Thanks in advance for a lively discussion,
>>
>> Ben
>>
>> _______________________________________________
>> saag mailing list
>> saag@ietf.org
>> https://www.ietf.org/mailman/listinfo/saag
>>
> _______________________________________________
> saag mailing list
> saag@ietf.org
> https://www.ietf.org/mailman/listinfo/saag
>

v2.23.0 | Report a Bug | By Email