[websec] Protocol Action: 'Public Key Pinning Extension for HTTP' to Proposed Standard (draft-ietf-websec-key-pinning-21.txt)

The IESG <iesg-secretary@ietf.org> Mon, 13 October 2014 15:13 UTC

Return-Path: <iesg-secretary@ietf.org>
X-Original-To: websec@ietfa.amsl.com
Delivered-To: websec@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com []) by ietfa.amsl.com (Postfix) with ESMTP id 654021A0349; Mon, 13 Oct 2014 08:13:14 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9] autolearn=ham
Received: from mail.ietf.org ([]) by localhost (ietfa.amsl.com []) (amavisd-new, port 10024) with ESMTP id e3Uv_J3khdsn; Mon, 13 Oct 2014 08:13:12 -0700 (PDT)
Received: from ietfa.amsl.com (localhost [IPv6:::1]) by ietfa.amsl.com (Postfix) with ESMTP id 298F31A035C; Mon, 13 Oct 2014 08:13:02 -0700 (PDT)
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
From: The IESG <iesg-secretary@ietf.org>
To: IETF-Announce <ietf-announce@ietf.org>
X-Test-IDTracker: no
X-IETF-IDTracker: 5.6.3.p4
Auto-Submitted: auto-generated
Precedence: bulk
Message-ID: <20141013151302.18153.31235.idtracker@ietfa.amsl.com>
Date: Mon, 13 Oct 2014 08:13:02 -0700
Archived-At: http://mailarchive.ietf.org/arch/msg/websec/-pDJjSjbR8k_vmw_HWeb5HXarU8
Cc: websec mailing list <websec@ietf.org>, websec chair <websec-chairs@tools.ietf.org>, RFC Editor <rfc-editor@rfc-editor.org>
Subject: [websec] Protocol Action: 'Public Key Pinning Extension for HTTP' to Proposed Standard (draft-ietf-websec-key-pinning-21.txt)
X-BeenThere: websec@ietf.org
X-Mailman-Version: 2.1.15
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/websec>, <mailto:websec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/websec/>
List-Post: <mailto:websec@ietf.org>
List-Help: <mailto:websec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/websec>, <mailto:websec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 13 Oct 2014 15:13:15 -0000

The IESG has approved the following document:
- 'Public Key Pinning Extension for HTTP'
  (draft-ietf-websec-key-pinning-21.txt) as Proposed Standard

This document is the product of the Web Security Working Group.

The IESG contact persons are Barry Leiba and Pete Resnick.

A URL of this Internet Draft is:

Technical Summary

This spec describes an extension to the HTTP protocol allowing web
host operators to instruct user agents to remember ("pin") the hosts'
cryptographic identities for a given period of time.  During that
time, UAs will require that the host present a certificate chain
including at least one Subject Public Key Info structure whose
fingerprint matches one of the pinned fingerprints for that host.  By
effectively reducing the number of authorities who can authenticate
the domain during the lifetime of the pin, pinning may reduce the
incidence of man-in-the-middle attacks due to compromised
Certification Authorities.

Review and Consensus

Previous versions of this document received useful reviews on the 
mailing list. Many changes were introduced due to working group 
consensus, including to pin format, an includeSubdomains directive,
and interaction with private trust anchors. 

Some changes were proposed and rejected by the working group,
most notably named pins, a "strict" directive, and hard limits on the 
max-age directive. The consensus on these involved a long and hard 
discussion, but as chairs, Tobias and I believe that it is a regular
rather than rough consensus.

Two issues that were left for last were the interaction of pre-loaded
pins with noted pins, and the processing of report-only pins. There 
was a lot of controversy and a lot of back-and-forth about these 
issues. We believe that the current drafts represents the working
group's consensus, although at least one participant would have 
preferred a different outcome.


Yoav Nir is the document shepherd. Barry Leiba is the responsible
Area Director.