IETF Logo Mail Archive

Re: [Uta] dual meaning of "pinning" [was: Re: Proposed list of deliverables]

Daniel Kahn Gillmor <dkg@fifthhorseman.net> Mon, 20 January 2014 21:55 UTC

Return-Path: <dkg@fifthhorseman.net>
X-Original-To: uta@ietfa.amsl.com
Delivered-To: uta@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CEA541A0254; Mon, 20 Jan 2014 13:55:26 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id R8ecgb2nmD1h; Mon, 20 Jan 2014 13:55:24 -0800 (PST)
Received: from che.mayfirst.org (che.mayfirst.org [209.234.253.108]) by ietfa.amsl.com (Postfix) with ESMTP id 40FF31A024B; Mon, 20 Jan 2014 13:55:23 -0800 (PST)
Received: from [192.168.13.107] (lair.fifthhorseman.net [108.58.6.98]) by che.mayfirst.org (Postfix) with ESMTPSA id 93311F984; Mon, 20 Jan 2014 16:55:20 -0500 (EST)
Message-ID: <52DD9B46.2090803@fifthhorseman.net>
Date: Mon, 20 Jan 2014 16:55:18 -0500
From: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Icedove/24.2.0
MIME-Version: 1.0
To: Chris Palmer <palmer@google.com>
References: <0bc674da169f4772b0fb2173ed679115@BY2PR03MB300.namprd03.prod.outlook.com> <52DD0DC4.4010207@isode.com> <52DD4468.5010304@fifthhorseman.net> <CAOuvq21JQ2s3qBNA_za01XaHSpcXo3eRfx0PJehk6cY9=ZmO6w@mail.gmail.com>
In-Reply-To: <CAOuvq21JQ2s3qBNA_za01XaHSpcXo3eRfx0PJehk6cY9=ZmO6w@mail.gmail.com>
X-Enigmail-Version: 1.6
Content-Type: multipart/signed; micalg="pgp-sha512"; protocol="application/pgp-signature"; boundary="IwGj5cNxbFjxRx92KLlRcSgtDJKQbsxiX"
Cc: "Orit Levin (LCA)" <oritl@microsoft.com>, "uta@ietf.org" <uta@ietf.org>, Pete Resnick <presnick@qti.qualcomm.com>, Chris Evans <cevans@google.com>, IETF WebSec WG <websec@ietf.org>, Alexey Melnikov <alexey.melnikov@isode.com>, Barry Leiba <barryleiba@computer.org>, Ryan Sleevi <sleevi@google.com>
Subject: Re: [Uta] dual meaning of "pinning" [was: Re: Proposed list of deliverables]
X-BeenThere: uta@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: UTA working group mailing list <uta.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/uta>, <mailto:uta-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/uta/>
List-Post: <mailto:uta@ietf.org>
List-Help: <mailto:uta-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/uta>, <mailto:uta-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 20 Jan 2014 21:55:27 -0000

On 01/20/2014 01:57 PM, Chris Palmer wrote:
> On Mon, Jan 20, 2014 at 7:44 AM, Daniel Kahn Gillmor
> <dkg@fifthhorseman.net> wrote:
> 
>> In 6125 and the two e-mail drafts above, "pinning" is used to refer to
>> the activity that firefox describes as "adding a security exception" and
>> chrome calls "proceed anyway" -- where the user (or someone) overrides
> 
> (Note that Chrome does not remember your decision to Proceed Anyway,
> although we are working on that.)

ah, that's good to know, thanks for the heads-up.

>> At the very least, it seems like new drafts should make it clear that
>> their meaning of "pinning" does not mean the other well-known "pinning".
> 
> Perhaps "key pinning" vs. "exception pinning"? I wanted to call
> "exception pinning" "name pinning" at first, until I remembered DNS
> pinning (to defend against
> http://en.wikipedia.org/wiki/DNS_rebinding). So maybe we have 3
> pinnings. :) It's worth noting that 2 of the 3 (key pinning and DNS
> pinning) refer to *reducing* the number of trusted entities.

Hm, RFC 6125 pinning is also about certificates, not just public keys,
so maybe it's "certificate exception pinning" -- but really it seems
like a flavor of permissive TOFU (trust on first use) more than anything
else.

so we have:

 * DNS pinning: maintain DNS records in the browser (possibly past their
TTL) to avoid DNS rebinding attacks.

 * key pinning: binds public keys to domain names (at the request of the
origin server), forbids the use of certificates that do not include the
pinned public keys somewhere in the cert chain.

 * certificate pinning: associate an otherwise non-valid End Entity (EE)
certificate with a domain name (at the request of the user), permitting
that certificate to be used with the domain name, but *without*
forbidding any other certificate from use.

> Anyway, I consistently refer to the behavior described in the key
> pinning draft as "key pinning", if that helps. (Probably not.) 

I think it's a start, at least.

> I can add an explanatory note to our draft, if that would help.

I think a clarifying note in draft-ietf-websec-key-pinning is necessary
(i don't know that it is sufficient).  it could be just something to
indicate that the key pinning described in the draft  has entirely
distinct semantics and characteristics than "RFC 6125 certificate
exception pinning".

	--dkg

v2.23.0 | Report a Bug | By Email