IETF Logo Mail Archive

Re: [Uta] Certificate pinning?

"Orit Levin (LCA)" <oritl@microsoft.com> Tue, 11 March 2014 17:04 UTC

Return-Path: <oritl@microsoft.com>
X-Original-To: uta@ietfa.amsl.com
Delivered-To: uta@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 626D91A0747 for <uta@ietfa.amsl.com>; Tue, 11 Mar 2014 10:04:25 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.601
X-Spam-Level:
X-Spam-Status: No, score=-2.601 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id FvltZ4QqH4P9 for <uta@ietfa.amsl.com>; Tue, 11 Mar 2014 10:04:22 -0700 (PDT)
Received: from na01-by2-obe.outbound.protection.outlook.com (mail-by2lp0238.outbound.protection.outlook.com [207.46.163.238]) by ietfa.amsl.com (Postfix) with ESMTP id E511D1A048C for <uta@ietf.org>; Tue, 11 Mar 2014 10:04:21 -0700 (PDT)
Received: from BL2PR03MB290.namprd03.prod.outlook.com (10.141.68.19) by BN1PR03MB024.namprd03.prod.outlook.com (10.255.224.42) with Microsoft SMTP Server (TLS) id 15.0.898.11; Tue, 11 Mar 2014 17:04:14 +0000
Received: from BL2PR03MB290.namprd03.prod.outlook.com ([10.141.68.19]) by BL2PR03MB290.namprd03.prod.outlook.com ([10.141.68.19]) with mapi id 15.00.0893.001; Tue, 11 Mar 2014 17:04:14 +0000
From: "Orit Levin (LCA)" <oritl@microsoft.com>
To: Trevor Perrin <trevp@trevp.net>, Tom Ritter <tom@ritter.vg>
Thread-Topic: [Uta] Certificate pinning?
Thread-Index: AQHPOhfDAnyhOFcrHkG66tWMerTHcprWLZOAgAJQOoCAA5cwQA==
Date: Tue, 11 Mar 2014 17:04:13 +0000
Message-ID: <78aa46ac06424a378e760cc4b0f8eea8@BL2PR03MB290.namprd03.prod.outlook.com>
References: <5472A050F724AB161474A2E7@caldav.corp.apple.com> <CA+cU71mTPKjb7NqkPgtyqx=+nfmWFSvw5512Owy_Tg__=8XDHg@mail.gmail.com> <CAGZ8ZG2WC_+sLYvgjgjwL1SSOrZN1ddMMvsA2Gpnka55b2fexA@mail.gmail.com>
In-Reply-To: <CAGZ8ZG2WC_+sLYvgjgjwL1SSOrZN1ddMMvsA2Gpnka55b2fexA@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [98.247.123.117]
x-forefront-prvs: 0147E151B5
x-forefront-antispam-report: SFV:NSPM; SFS:(10009001)(428001)(189002)(199002)(51704005)(377454003)(24454002)(2656002)(95666003)(92566001)(94316002)(31966008)(74662001)(81542001)(86612001)(15975445006)(81816001)(47446002)(97186001)(15395725003)(74876001)(16236675002)(63696002)(74502001)(87936001)(85306002)(19300405004)(95416001)(97336001)(94946001)(20776003)(79102001)(87266001)(74316001)(56816005)(47976001)(54316002)(90146001)(74366001)(74706001)(47736001)(83072002)(93516002)(66066001)(46102001)(65816001)(85852003)(93136001)(15202345003)(59766001)(77982001)(80022001)(83322001)(86362001)(81686001)(54356001)(53806001)(51856001)(69226001)(4396001)(19580395003)(81342001)(49866001)(80976001)(76576001)(76796001)(76786001)(76482001)(56776001)(19580405001)(50986001)(33646001)(24736002)(579004); DIR:OUT; SFP:1101; SCL:1; SRVR:BN1PR03MB024; H:BL2PR03MB290.namprd03.prod.outlook.com; FPR:CC14C4DB.AF34AC9D.FFE171A7.8AE7D191.203DA; MLV:sfv; PTR:InfoNoRecords; MX:1; A:1; LANG:en;
received-spf: None (: microsoft.com does not designate permitted sender hosts)
Content-Type: multipart/alternative; boundary="_000_78aa46ac06424a378e760cc4b0f8eea8BL2PR03MB290namprd03pro_"
MIME-Version: 1.0
X-OriginatorOrg: microsoft.com
Archived-At: http://mailarchive.ietf.org/arch/msg/uta/DYdWk3Ivli1hCMJuFseA_i2ZsIY
Cc: Cyrus Daboo <cyrus@daboo.name>, "uta@ietf.org" <uta@ietf.org>
Subject: Re: [Uta] Certificate pinning?
X-BeenThere: uta@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: UTA working group mailing list <uta.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/uta>, <mailto:uta-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/uta/>
List-Post: <mailto:uta@ietf.org>
List-Help: <mailto:uta-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/uta>, <mailto:uta-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 11 Mar 2014 17:04:25 -0000

In my view, it would be very useful, to include a high level description of these "emerging" techniques (e.g., pinning, latching, etc.) in UTA's generic "bcp" with the pointers to application-specific works (if exist).

Echoing Stephen Farrell's words, it is not important where in IETF the work is being done, as long as our readers can find and understand the issues.

It is natural that these techniques are being introduced bottom up. It would be interesting to know, though,  whether people are actually interested in defining truly "application independent" mechanisms for these ideas.

Orit.

From: Uta [mailto:uta-bounces@ietf.org] On Behalf Of Trevor Perrin
Sent: Sunday, March 09, 2014 1:22 AM
To: Tom Ritter
Cc: Cyrus Daboo; uta@ietf.org
Subject: Re: [Uta] Certificate pinning?


On Fri, Mar 7, 2014 at 2:02 PM, Tom Ritter <tom@ritter.vg<mailto:tom@ritter.vg>> wrote:
Quite so.  http://tack.io/ is a mechanism for pinning that operates at
the TLS layer, making it usable for a wide variety of protocols,
without needing to redefine it for every application later protocol.

-tom

On 7 March 2014 10:12, Cyrus Daboo <cyrus@daboo.name<mailto:cyrus@daboo.name>> wrote:
> Hi,
> Has any thought been given to generalizing the certificate pinning work
> being done by the websec WG
> (<http://tools.ietf.org/html/draft-ietf-websec-key-pinning-11>) to make it
> applicable to other protocols?
>
> And, vice versa, what about taking the concept of security latches from
> draft-newman-email-deep-01 and making those available in HTTP?


To echo Tom, TACK's approach to pinning is applicable to any TLS-using protocol (e.g. MUA protocols like POP, IMAP, or SMTP):

http://tools.ietf.org/html/draft-perrin-tls-tack-02


Cross-domain SMTP poses challenges for pinning due to MX indirection, one approach is here:

https://lists.riseup.net/www/arc/tack/2013-08/msg00000.html


DEEP's "latches" allow a server to pin itself so that:
 (a) the server must forever present a valid certificate from any CA in the Web PKI, or
 (b) the server must forever maintain a valid DANE record and DNSSEC chain.

There's no option for the server to pin itself to a 3rd-party of its own choosing, or to manage its keys itself.  The assumption is apparently that everyone wants to delegate the power to authenticate (and thus impersonate) their domain to one of these two systems.  That's a bad assumption.

I also question the wisdom of pinning permanently to *anything*.  Mistakes happen.  Domains change ownership.  TACK has a more conservative approach to pin lifetimes.


Trevor

v2.23.0 | Report a Bug | By Email