Re: [TLS] Publication of draft-rhrd-tls-tls13-visibility-00

Jeffrey Walton <noloader@gmail.com> Wed, 25 October 2017 17:27 UTC

Return-Path: <noloader@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B72EE13F43E for <tls@ietfa.amsl.com>; Wed, 25 Oct 2017 10:27:45 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.7
X-Spam-Level:
X-Spam-Status: No, score=-2.7 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id T6lq1GZW8Pvv for <tls@ietfa.amsl.com>; Wed, 25 Oct 2017 10:27:44 -0700 (PDT)
Received: from mail-oi0-x22b.google.com (mail-oi0-x22b.google.com [IPv6:2607:f8b0:4003:c06::22b]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0C21513F439 for <tls@ietf.org>; Wed, 25 Oct 2017 10:27:44 -0700 (PDT)
Received: by mail-oi0-x22b.google.com with SMTP id v9so1271312oif.13 for <tls@ietf.org>; Wed, 25 Oct 2017 10:27:44 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:reply-to:in-reply-to:references:from:date:message-id :subject:to:cc; bh=skUJ0pz7enntknDQCnHEB3M2XlU4TL6SCFB4orzI7gc=; b=aDecblKzyrOfq7N/e8kHeIIoKcTcUz9iNRZDWmwQzSuvSycQgyaSngKsY7u1KHgJnk B0XPjR2mDQdICrvN0l2611Xoo9jaF8G5FfhienPJJWw0O+4uzNnHyPni8qUbZ2vG6eot ZTYRrxustPpRa+++R9b0Nr/gY4pftPlQMBixnJYdBU/7y/wurL6gQ9Rd/2FbJyNqxxml Kth5xB6ZA1/QoIPJEJ7hEr7sgTYgUYM8BQ9EjW/yCFwKKAwU0+NUj1E8524KHIvt0r9P tJ3A9JOB5v+xymSDocCsREjQNhZv9IMDDPg0WOHjaezBqPEfedRzZ6EZuEPA8+cu6QZx oV0Q==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:reply-to:in-reply-to:references :from:date:message-id:subject:to:cc; bh=skUJ0pz7enntknDQCnHEB3M2XlU4TL6SCFB4orzI7gc=; b=ipexcjhjIDal/l1RLS/YMUiGCZGXGkBohJFsL9yfVBrc8R0wpAx/MvMtaAxDT4ZIA1 RRo0jHq1oVoV4uZ6e2NVeoWSD2CixK9nWCMN80nldk6LJwW3S3MR0DAI6HmctOENS6o2 qfSLAQlGU7wwdTkNtAFTnZ1CkPArakUYb4ihdKDlE7i4C9oQaXLnAbz0FgIenfHWk6Uq QRNVkRwpGTjSBWZh1b48XimO8xX3biwbAZwubXk0fy0mZBNck531gErGfzc+t+LZMfdP KPRnTX5hXafjXCpPUKQwItTx+pVYLNnx+bO3UtV6k9V2xkkdUSvQhfKqUhKQDZBE4y7m ClPA==
X-Gm-Message-State: AMCzsaWQJET4+nLJE2AOBgL0nfSWAYVJfKlPd1lNqYB7OUHHpgqNn3i1 DpA0YrA4FxVohuczTCQTYHD/C+Jc02I1Fn/TJe2QUw==
X-Google-Smtp-Source: ABhQp+Ql2AcjS2djd+FLw8lsUlYlGxCDcmLh5ByHPN874i/49ehdGsmR7rXTilDXh3AMArw3XiTYl5+UAhV+nxxxZ0E=
X-Received: by 10.157.12.174 with SMTP id b43mr1459487otb.229.1508952463473; Wed, 25 Oct 2017 10:27:43 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.74.19.87 with HTTP; Wed, 25 Oct 2017 10:27:42 -0700 (PDT)
Reply-To: noloader@gmail.com
In-Reply-To: <0c39a8cb-3fc9-e91b-9230-ccc3d6afe999@zinks.de>
References: <cde0e322-797c-56e8-8c8d-655248ed7974@nist.gov> <FB95CAC8-C967-4724-90FB-B7E609DADF45@akamai.com> <8A5E441B-90B7-4DF4-BD45-7A33C165691B@gmail.com> <3BA34D7B-BB04-4A1F-B18A-B0AC25402C4B@gmail.com> <0f9073f5-271b-a741-1a1e-f20ebc506d61@nist.gov> <9E26AFA9-2E72-4E8C-B304-553A2C851DC4@gmail.com> <2d45c53b-cef3-7e86-3d6f-3d486b1342b8@nist.gov> <74265928-8252-4CA1-B6A4-45296F74637B@akamai.com> <5fd2adb6-ed9c-2368-34de-db0597727e68@nist.gov> <2419b509-c1a5-d867-92c9-f4713804af91@cs.tcd.ie> <003ff6b5-1e1b-17cf-8b45-3bdd8562b902@nist.gov> <49EFAAD0-8457-4775-AE21-1D270872CD56@akamai.com> <f741b067-e7af-5231-4bb1-a0c2d151e6bf@nist.gov> <E775B188-59A0-4D87-A70F-638A2AD4C307@akamai.com> <4f1b6a8d-688b-a286-6d0e-46f7f6a3cdd6@nist.gov> <EE940D69-7137-4957-8118-42DAFB173500@akamai.com> <0c39a8cb-3fc9-e91b-9230-ccc3d6afe999@zinks.de>
From: Jeffrey Walton <noloader@gmail.com>
Date: Wed, 25 Oct 2017 13:27:42 -0400
Message-ID: <CAH8yC8kQPxzU0+fz39RdQy4=zVGiXN0uGkE==aJfvmk2Ah0AXg@mail.gmail.com>
To: Roland Zink <roland@zinks.de>
Cc: "tls@ietf.org" <tls@ietf.org>
Content-Type: text/plain; charset="UTF-8"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/p33-nfMFp4nwl17Di4m8OEuqXGE>
Subject: Re: [TLS] Publication of draft-rhrd-tls-tls13-visibility-00
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 25 Oct 2017 17:27:46 -0000

On Wed, Oct 25, 2017 at 12:21 PM, Roland Zink <roland@zinks.de> wrote:
> It could but RFC 7469 section 2.6
> (https://tools.ietf.org/html/rfc7469#section-2.6) says:
>
> "  It is acceptable to allow Pin
>    Validation to be disabled for some Hosts according to local policy.
>    For example, a UA may disable Pin Validation for Pinned Hosts whose
>    validated certificate chain terminates at a user-defined trust
>    anchor, rather than a trust anchor built-in to the UA (or underlying
>    platform)."
>
> and most browsers seem to follow this mitm exception.

The browsers are also complicit in the coverup. Reporting the broken
pinset to the user or site is a  "should not", even though
organizational policies and regulations may require it.

Jeff