Re: [TLS] [pkix] Cert Enumeration and Key Assurance With DNSSEC

"Jeffrey A. Williams" <> Tue, 05 October 2010 17:48 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 689233A6FE3 for <>; Tue, 5 Oct 2010 10:48:28 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.661
X-Spam-Status: No, score=-1.661 tagged_above=-999 required=5 tests=[AWL=0.938, BAYES_00=-2.599]
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id oWjpJW9NHD3g for <>; Tue, 5 Oct 2010 10:48:25 -0700 (PDT)
Received: from ( []) by (Postfix) with ESMTP id 3F9E43A7079 for <>; Tue, 5 Oct 2010 10:48:22 -0700 (PDT)
DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=dk20050327;; b=G0kNXgrhYiJ6k29OoB2nzu8/y1Ji72s9Cvy76gCS2ohsgUmgOfEkOs21P2x392vo; h=Message-ID:Date:From:Reply-To:To:Subject:Cc:Mime-Version:Content-Type:Content-Transfer-Encoding:X-Mailer:X-ELNK-Trace:X-Originating-IP;
Received: from [] ( by with esmtpa (Exim 4.67) (envelope-from <>) id 1P3Bdf-0004wp-Ou; Tue, 05 Oct 2010 13:49:19 -0400
Received: from by with HTTP; Tue, 5 Oct 2010 13:49:19 -0400
Message-ID: <>
Date: Tue, 5 Oct 2010 12:49:19 -0500 (GMT-05:00)
From: "Jeffrey A. Williams" <>
To: Ralph Holz <>
Mime-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 7bit
X-Mailer: EarthLink Zoo Mail 1.0
X-ELNK-Trace: c8e3929e1e9c87a874cfc7ce3b1ad11381c87f5e519606889d15d047211d52525bc5cf0c0f317739350badd9bab72f9c350badd9bab72f9c350badd9bab72f9c
Subject: Re: [TLS] [pkix] Cert Enumeration and Key Assurance With DNSSEC
X-Mailman-Version: 2.1.9
Precedence: list
Reply-To: "Jeffrey A. Williams" <>
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Tue, 05 Oct 2010 17:48:28 -0000

Ralph and all,

-----Original Message-----
>From: Ralph Holz <>
>Sent: Oct 5, 2010 11:48 AM
>Subject: Re: [TLS] [pkix] Cert Enumeration and Key Assurance With DNSSEC
>>   I am guessing here that you are in favor of pinning certs?
>> If my guess is correct, can you tell us all why you are?
>I am not sure I am in favour. The practical argument for it would be
>that a changed certificate should be reason for a user to stop for a
>moment and think. OK for now, maybe. However, many certs have life-times
>of 1 year or 2. Given that one day we may visit many more https-secured
>sites, we would likely see more false alerts again soon, too - precisely
>the thing that Firefox has been criticised for when it introduced its
>new warning dialogue.
>On a more theoretical basis, I am also not sure if the 1:1 binding of
>"one entity/identity - one key" is desirable.

We agree here.
>Still, given the current PKI trust model and the current state of PKI as
>such, I would probably vote with those in favour of pinning for the moment.

Ok I understand your point I think.  The bigger problem is, or seems to
be the trust model itself, which I have concerns about and made those
very clear on more than one occasion.  
>> I am not as there are instances where a perfictly valid cert
>> is used but that the issuing CA has had their Cert database
>> hacked or corrupted and a secondary Cert becomes necessary
>> or at least preferrable as a temporary fix.  Of course such
>> a cert would need to be issued by a different CA.
>Well... listening to CAs and their EV statements, such things should not
>happen too often anyway. It should not be a argument against pinning.

Maybe not, but given the state of CA's and now Trust anchors to a degree,
I don't see how logically and positively one can pin any Cert without
some possibility of miss-pinning same depending on of course what the
method one is pinning the Cert too exactly for assurance reasons.  I
can think and/or know of a few Trust Anchors I would NEVER try to pin
any cert too, and I can also think of several issuing and USG certified
CA's I would not, and do not trust regardless of which Anchor they may be
accurately/effectively pinned too.
>Best regards,
>TLS mailing list

Jeffrey A. Williams
"Obedience of the law is the greatest freedom" -
   Abraham Lincoln

"Credit should go with the performance of duty and not with what is very
often the accident of glory" - Theodore Roosevelt

"If the probability be called P; the injury, L; and the burden, B; liability
depends upon whether B is less than L multiplied by
P: i.e., whether B is less than PL."
United States v. Carroll Towing  (159 F.2d 169 [2d Cir. 1947]
Updated 1/26/04
CSO/DIR. Internet Network Eng. SR. Eng. Network data security IDNS. div. of
Information Network Eng.  INEG. INC.
ABA member in good standing member ID 01257402 E-Mail
Phone: 214-244-4827