IETF Logo Mail Archive

Re: [Uta] Certificate pinning?

Trevor Perrin <trevp@trevp.net> Tue, 11 March 2014 22:24 UTC

Return-Path: <trevp@trevp.net>
X-Original-To: uta@ietfa.amsl.com
Delivered-To: uta@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2183E1A085D for <uta@ietfa.amsl.com>; Tue, 11 Mar 2014 15:24:25 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.977
X-Spam-Level:
X-Spam-Status: No, score=-1.977 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id rT0v1TUDBs8r for <uta@ietfa.amsl.com>; Tue, 11 Mar 2014 15:24:22 -0700 (PDT)
Received: from mail-we0-f176.google.com (mail-we0-f176.google.com [74.125.82.176]) by ietfa.amsl.com (Postfix) with ESMTP id 51EE81A086D for <uta@ietf.org>; Tue, 11 Mar 2014 15:24:22 -0700 (PDT)
Received: by mail-we0-f176.google.com with SMTP id x48so10711232wes.35 for <uta@ietf.org>; Tue, 11 Mar 2014 15:24:16 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:date :message-id:subject:from:to:cc:content-type; bh=h9Tphj+LdkAA5Kt19U5rmF/e98F6twSXGRRXsJ0f6vY=; b=mCCbqirRLBgB5DL53CXFiwlYarhjQfkQX8e+VVoJTQoidPsMsFtBZRS4phE99PvsF+ 8DvXNfUpCW3gfgfAIccVlkWOrEHdeL9QIUhEG8iHNeO9ghn0hhAbttigy02sddYsv6Ix edlsw0ErYbmpPRzpdmmuI4xp+shzseLKS8uRkG2jTk2Os41I2Cpp8K5VegUzyinLqaKj +gxfoQVrUjgAPYKzdj9nEY/7WtMt+ucmEmb5YTgUfzAsg9N+IwOIz9gvVKcJO+OyfT/Z j/aSW1cT+3qrnZkitOh4Sj0qNgePFi4hF5qEhoHhzO8bScqU2UwS/Dn+Bw/HBUNaMfnz R4/Q==
X-Gm-Message-State: ALoCoQlcpmHJdvgJ+BnPPOdvx1czZMQf4rfVA3G3JoQY7OyRuIdIOUM5XOyCmxa9mf6EMHTa6f1u
MIME-Version: 1.0
X-Received: by 10.180.187.237 with SMTP id fv13mr4828849wic.26.1394576655886; Tue, 11 Mar 2014 15:24:15 -0700 (PDT)
Received: by 10.216.45.146 with HTTP; Tue, 11 Mar 2014 15:24:15 -0700 (PDT)
X-Originating-IP: [184.23.29.222]
In-Reply-To: <2A0EFB9C05D0164E98F19BB0AF3708C711FC6D545C@USMBX1.msg.corp.akamai.com>
References: <5472A050F724AB161474A2E7@caldav.corp.apple.com> <CA+cU71mTPKjb7NqkPgtyqx=+nfmWFSvw5512Owy_Tg__=8XDHg@mail.gmail.com> <CAGZ8ZG2WC_+sLYvgjgjwL1SSOrZN1ddMMvsA2Gpnka55b2fexA@mail.gmail.com> <78aa46ac06424a378e760cc4b0f8eea8@BL2PR03MB290.namprd03.prod.outlook.com> <531F6E1E.8090207@network-heretics.com> <11402BF741C718017A2F138E@caldav.corp.apple.com> <2A0EFB9C05D0164E98F19BB0AF3708C711FC6D545C@USMBX1.msg.corp.akamai.com>
Date: Tue, 11 Mar 2014 15:24:15 -0700
Message-ID: <CAGZ8ZG2OhAcKAsFYLHvpnyvmnTmq_XKaLXkoX2QCuN+ts590bA@mail.gmail.com>
From: Trevor Perrin <trevp@trevp.net>
To: "Salz, Rich" <rsalz@akamai.com>
Content-Type: multipart/alternative; boundary="001a11c25a9c2fc64504f45c2efa"
Archived-At: http://mailarchive.ietf.org/arch/msg/uta/wiJNz0WZp6_C1wdIQ18h4IBR8og
Cc: Cyrus Daboo <cyrus@daboo.name>, "uta@ietf.org" <uta@ietf.org>, Keith Moore <moore@network-heretics.com>
Subject: Re: [Uta] Certificate pinning?
X-BeenThere: uta@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: UTA working group mailing list <uta.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/uta>, <mailto:uta-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/uta/>
List-Post: <mailto:uta@ietf.org>
List-Help: <mailto:uta-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/uta>, <mailto:uta-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 11 Mar 2014 22:24:25 -0000

On Tue, Mar 11, 2014 at 1:37 PM, Salz, Rich <rsalz@akamai.com> wrote:

> > I think one of the key goals for the websec work was to prevent attacks
> in which a root certificate authority is compromised, potentially allowing
> an attacker to create certificates that trick the client into thinking it
> is talking to the real server when in fact it is being MITM'd.
>
> Did they come up with any thoughts on how to do this?


Yes, the idea behind HPKP and TACK is for servers to assert that their key
should be "pinned" for some period of time:

http://datatracker.ietf.org/doc/draft-ietf-websec-key-pinning/
https://tools.ietf.org/html/draft-perrin-tls-tack-02

This generalizes the hard-coded ("preloaded") pinning which Google has
deployed in Chrome in the last few years, and which has detected several CA
failures.



>  So far, our best hope in this area is certificate transparency, which is
> in its infancy.
>

Maybe.  But pinning is a good idea too.  And it deserves more attention,
IMO, since it doesn't have the readymade constituency of PKI or DNSSEC
solutions, and Google's not pushing it like they're pushing CT.

Note also that CT is particularly suited to https.

For a protocol like MTA-to-MTA SMTP, MTAs aren't already expected to have
certs (or valid certs), so *some* sort of pinning or policy assertion from
a server about how it should be authenticated seems necessary.

Also, browsers are reluctant to perform online lookups to verify servers
(due to latency / reliability).  This is why CT needs central log
authorities, trusted by all browsers, issuing signed statements.  But MTAs
are probably more willing to do online lookups, so trust-agile solutions
become possible.  This is where self-asserted pinning shines, since a
site's assertion of a TACK or HPKP pin could be observed by various
monitors (think Converge/Perspectives/Vantages/etc), then queried by
relying parties, without a centralized infrastructure like CT.


Trevor

v2.23.0 | Report a Bug | By Email