Re: [websec] Certificate Pinning via HSTS (.txt version)

Daniel Kahn Gillmor <dkg@fifthhorseman.net> Tue, 13 September 2011 19:34 UTC

Message-ID: <4E6FB0E7.5050903@fifthhorseman.net>
Date: Tue, 13 Sep 2011 15:37:11 -0400
From: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
To: Yoav Nir <ynir@checkpoint.com>
References: <4E6E9B77.1020802@KingsMountain.com> <4E6F9DC6.2080006@stpeter.im> <FA8A58ED-DD2B-446B-9F01-9D1D25140569@checkpoint.com>
In-Reply-To: <FA8A58ED-DD2B-446B-9F01-9D1D25140569@checkpoint.com>
Cc: IETF WebSec WG <websec@ietf.org>
Subject: Re: [websec] Certificate Pinning via HSTS (.txt version)

On 09/13/2011 02:41 PM, Yoav Nir wrote:

> the customers of DigiNotar were left
> out in the cold. Without certificate pinning, they just need to spend
> money on a new certificate and their site is working again. With it,
> they are in trouble.

With *CA* pinning, DigiNotar customers are definitely in serious trouble
(which is why I asked earlier about the advantage of pinning anything
but the EE cert).  But if they had pinned their EE certs, they would
have been able to resist even if DigiNotar had issued certs with their
same name.

So certificate pinning isn't bad in this case -- CA certificate pinning
is bad.

	--dkg
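As an added illustration of the distinction above (not code from dkg's message or from the pinning draft under discussion), the following Python models both pinning choices as SPKI-hash pins and shows why a CA pin still accepts a cert mis-issued by the pinned CA for the same name while an EE pin rejects it. All names and key bytes are constructed, and it also covers the reissue case that the quoted text raises: a site that moves to a new CA while keeping its key pair.

```python
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    """Minimal stand-in for an X.509 certificate: only the fields a pin check needs."""
    subject: str
    issuer: str
    spki: bytes   # constructed stand-in for the DER SubjectPublicKeyInfo


def spki_pin(cert: Cert) -> str:
    """A pin is assumed to be the SHA-256 of the certificate's public key info."""
    return hashlib.sha256(cert.spki).hexdigest()


def chain_matches_pins(chain: list[Cert], pins: set[str]) -> bool:
    """Pin check: the validated chain must contain at least one pinned SPKI.
    Pinning the issuer's SPKI is 'CA pinning'; pinning the leaf's is 'EE pinning'."""
    return any(spki_pin(c) in pins for c in chain)


# Constructed keys and certificates (not real key material).
diginotar_ca = Cert("DigiNotar CA", "DigiNotar CA", b"diginotar-ca-key")
other_ca = Cert("Other CA", "Other CA", b"other-ca-key")
legit_leaf = Cert("www.example", "DigiNotar CA", b"site-key")
rogue_leaf = Cert("www.example", "DigiNotar CA", b"attacker-key")  # mis-issued, same name
reissued_leaf = Cert("www.example", "Other CA", b"site-key")       # same key pair, new CA

CA_PINS = {spki_pin(diginotar_ca)}   # the site pinned its CA
EE_PINS = {spki_pin(legit_leaf)}     # the site pinned its own EE key


def ca_pin_accepts_rogue() -> bool:
    # The mis-issued cert chains to the pinned CA, so the CA pin adds no protection.
    return chain_matches_pins([rogue_leaf, diginotar_ca], CA_PINS)


def ee_pin_accepts_rogue() -> bool:
    # The attacker's key is not the pinned key: rejected even though the CA vouches for it.
    return chain_matches_pins([rogue_leaf, diginotar_ca], EE_PINS)


def ca_pin_accepts_reissued() -> bool:
    # After moving to another CA, a CA-pinned site locks out its own returning visitors.
    return chain_matches_pins([reissued_leaf, other_ca], CA_PINS)


def ee_pin_accepts_reissued() -> bool:
    # With an EE pin and the same key pair, the new cert from a new CA still matches.
    return chain_matches_pins([reissued_leaf, other_ca], EE_PINS)
```

The reissue case shows the flip side: an EE pin only survives the move to a new CA if the site keeps its key pair, so a key rotation must be planned together with the pin's lifetime.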