Re: [TLS] fyi: paper on compelled, certificate creation attack and applicable appliance
Adam Langley <agl@google.com> Thu, 25 March 2010 17:58 UTC
Date: Thu, 25 Mar 2010 13:57:47 -0400
Message-ID: <a84d7bc61003251057t349abf1x7ce7c377da631b82@mail.gmail.com>
From: Adam Langley <agl@google.com>
To: Yoav Nir <ynir@checkpoint.com>
Cc: "certid@ietf.org" <certid@ietf.org>, "tls@ietf.org" <tls@ietf.org>, "Jeff.Hodges@KingsMountain.com" <Jeff.Hodges@kingsmountain.com>
On Wed, Mar 24, 2010 at 10:22 PM, Yoav Nir <ynir@checkpoint.com> wrote:
> http://lists.w3.org/Archives/Public/www-archive/2009Sep/att-0051/draft-hodges-strict-transport-sec-05.plain.html
> or
> http://en.wikipedia.org/wiki/Strict_Transport_Security

I haven't mentioned this on the list yet, and it's not an answer to the problems in this paper, but we are actively welcoming entries on the Preloaded STS list. If you know someone who runs a major HTTPS site, please mention it.

http://dev.chromium.org/sts:

Preloaded STS sites

There is still a window where a user who has a fresh install, or who wipes out their local state, is vulnerable. Because of that, we'll be starting a "Preloaded STS" list. These domains will be configured for STS out of the box. In the beginning, this will be hardcoded into the binary. As it (hopefully) grows, it can change into a list that is shared across browsers, like the safe-browsing database is today.

If you own a site that you would like to see included in the preloaded STS list, contact agl@chromium.org.

Current members of the preloaded STS list:

* www.paypal.com

AGL
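As an added illustration of the preloading idea in the message above (example code, not Chromium's or the author's): a minimal model of a browser's STS store with a constructed preload list whose only entry is www.paypal.com. It shows that the preloaded host is protected even in a fresh profile, while any other host is protected only after a valid Strict-Transport-Security header is seen over HTTPS and only until its max-age expires. Directive names follow the referenced draft; the class, function names and the `over_https` flag are assumptions of this example.

```python
import time

# Constructed preload list (host -> includeSubDomains); the message names only www.paypal.com.
PRELOADED_STS = {"www.paypal.com": False}

def parse_sts_header(value):
    """Return (max_age, include_subdomains), or None when there is no usable max-age."""
    max_age, include_subdomains = None, False
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            arg = arg.strip().strip('"')
            if not arg.isdigit():
                return None
            max_age = int(arg)
        elif name == "includesubdomains":
            include_subdomains = True
    return None if max_age is None else (max_age, include_subdomains)

class StsStore:
    """Per-profile STS state: header-learned entries plus the preloaded list."""
    def __init__(self, preloaded=PRELOADED_STS, now=time.time):
        self.preloaded, self.now = preloaded, now
        self.dynamic = {}  # host -> (expiry timestamp, include_subdomains)

    def observe_header(self, host, value, over_https=True):
        """Record a header seen on an error-free HTTPS response; max-age=0 forgets the host."""
        parsed = parse_sts_header(value)
        if parsed is None or not over_https:
            return False
        max_age, include_subdomains = parsed
        if max_age == 0:
            self.dynamic.pop(host, None)
        else:
            self.dynamic[host] = (self.now() + max_age, include_subdomains)
        return True

    def is_sts_host(self, host):
        """True if host, or a parent that set includeSubDomains, is a known STS host."""
        labels = host.lower().split(".")
        for i in range(len(labels)):
            candidate, exact = ".".join(labels[i:]), i == 0
            if candidate in self.preloaded and (exact or self.preloaded[candidate]):
                return True
            dyn = self.dynamic.get(candidate)
            if dyn and dyn[0] > self.now() and (exact or dyn[1]):
                return True
        return False
```

A fresh `StsStore()` stands in for a newly installed or wiped profile: only the preloaded entry answers `is_sts_host` until headers are observed.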