Re: [websec] Protocol Action: 'Public Key Pinning Extension for HTTP' to Proposed Standard (draft-ietf-websec-key-pinning-21.txt)

"Hodges, Jeff" <jeff.hodges@paypal.com> Fri, 17 October 2014 00:23 UTC

From: "Hodges, Jeff" <jeff.hodges@paypal.com>
To: websec mailing list <websec@ietf.org>
Thread-Topic: [websec] Protocol Action: 'Public Key Pinning Extension for HTTP' to Proposed Standard (draft-ietf-websec-key-pinning-21.txt)
Thread-Index: AQHP5vg6hMXUwww250Wr23cuaxm8xpwzYx8A
Date: Fri, 17 Oct 2014 00:23:56 +0000
Message-ID: <D065AFF1.25476%jeff.hodges@paypal.com>
References: <20141013151302.18153.31235.idtracker@ietfa.amsl.com>
In-Reply-To: <20141013151302.18153.31235.idtracker@ietfa.amsl.com>
Archived-At: http://mailarchive.ietf.org/arch/msg/websec/-pjzW_IF3TGJlnP4rw9D6FF2dWg

Congrats!!


On 10/13/14, 8:13 AM, "The IESG" <iesg-secretary@ietf.org> wrote:

>The IESG has approved the following document:
>- 'Public Key Pinning Extension for HTTP'
>  (draft-ietf-websec-key-pinning-21.txt) as Proposed Standard
>
>This document is the product of the Web Security Working Group.
>
>The IESG contact persons are Barry Leiba and Pete Resnick.
>
>A URL of this Internet Draft is:
>http://datatracker.ietf.org/doc/draft-ietf-websec-key-pinning/
>
>Technical Summary
>
>This spec describes an extension to the HTTP protocol allowing web
>host operators to instruct user agents to remember ("pin") the hosts'
>cryptographic identities for a given period of time.  During that
>time, UAs will require that the host present a certificate chain
>including at least one Subject Public Key Info structure whose
>fingerprint matches one of the pinned fingerprints for that host.  By
>effectively reducing the number of authorities who can authenticate
>the domain during the lifetime of the pin, pinning may reduce the
>incidence of man-in-the-middle attacks due to compromised
>Certification Authorities.
>
>Review and Consensus
>
>Previous versions of this document received useful reviews on the
>mailing list. Many changes were introduced due to working group
>consensus, including to pin format, an includeSubdomains directive,
>and interaction with private trust anchors.
>
>Some changes were proposed and rejected by the working group,
>most notably named pins, a "strict" directive, and hard limits on the
>max-age directive. The consensus on these involved a long and hard
>discussion, but as chairs, Tobias and I believe that it is a regular
>rather than rough consensus.
>
>Two issues that were left for last were the interaction of pre-loaded
>pins with noted pins, and the processing of report-only pins. There
>was a lot of controversy and a lot of back-and-forth about these
>issues. We believe that the current draft represents the working
>group's consensus, although at least one participant would have
>preferred a different outcome.
>
>Personnel
>
>Yoav Nir is the document shepherd. Barry Leiba is the responsible
>Area Director.
>
>_______________________________________________
>websec mailing list
>websec@ietf.org
>https://www.ietf.org/mailman/listinfo/websec
>
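The Technical Summary in the quoted announcement describes the check a user agent performs for a pinned host: the presented certificate chain must include at least one SubjectPublicKeyInfo whose fingerprint matches one of the pinned fingerprints. The Python below is an added illustration of that rule and is not code from this announcement, the draft, or any browser. It parses a Public-Key-Pins header value using the directive names of the published spec (RFC 7469: pin-sha256, max-age, includeSubDomains), computes pin values as base64(SHA-256(SPKI DER)), and runs the chain check. The SPKI byte strings are constructed stand-ins rather than real certificates, and the backup-pin condition in has_backup_pin comes from RFC 7469's rule for noting pins, not from the summary above.

```python
import base64
import hashlib
import re

# Constructed sample data: each "certificate" in the chain is represented only
# by its SubjectPublicKeyInfo DER bytes, because that is all the pin check
# hashes. A real validator would obtain these bytes from X.509 parsing.
LEAF_SPKI = b"constructed-spki-leaf-00"
INTERMEDIATE_SPKI = b"constructed-spki-intermediate-01"
ROOT_SPKI = b"constructed-spki-root-02"
BACKUP_SPKI = b"constructed-spki-backup-kept-offline-03"
SAMPLE_CHAIN = [LEAF_SPKI, INTERMEDIATE_SPKI, ROOT_SPKI]


def spki_pin(spki_der: bytes) -> str:
    """pin-sha256 value: base64 of the SHA-256 digest of the DER-encoded SPKI."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")


# One directive: name, optionally "=" and a quoted or bare value.
_DIRECTIVE_RE = re.compile(r'\s*([A-Za-z0-9-]+)\s*(?:=\s*(?:"([^"]*)"|([^;"\s]*)))?\s*')


def parse_pkp_header(value: str) -> dict:
    """Parse a Public-Key-Pins header value into its directives.

    Directive names are matched case-insensitively; unknown directives are
    ignored, as the published spec requires. Returns the set of pin-sha256
    values, the max-age (None if absent or malformed) and the
    includeSubDomains flag.
    """
    result = {"pins": set(), "max_age": None, "include_subdomains": False}
    for part in value.split(";"):
        m = _DIRECTIVE_RE.fullmatch(part)
        if not m:
            continue  # empty or syntactically broken directive: skip it
        name = m.group(1).lower()
        val = m.group(2) if m.group(2) is not None else m.group(3)
        if name == "pin-sha256" and val:
            result["pins"].add(val)
        elif name == "max-age" and val is not None and val.isdigit():
            result["max_age"] = int(val)
        elif name == "includesubdomains":
            result["include_subdomains"] = True
    return result


def chain_matches_pins(chain_spkis, pins) -> bool:
    """Connection check from the summary: at least one SPKI in the presented
    chain must hash to one of the pinned fingerprints."""
    return any(spki_pin(spki) in pins for spki in chain_spkis)


def has_backup_pin(chain_spkis, pins) -> bool:
    """RFC 7469 noting rule (not stated in the announcement): pins are only
    noted if at least one pin refers to an SPKI that is NOT in the chain,
    so that an operator keeps a backup key for recovery."""
    chain_pins = {spki_pin(spki) for spki in chain_spkis}
    return any(pin not in chain_pins for pin in pins)


def evaluate(header_value: str, chain_spkis) -> dict:
    """Combine the header and the chain into the two decisions a UA makes:
    whether this connection satisfies the pins, and whether the header is
    well-formed enough to be noted for future connections."""
    directives = parse_pkp_header(header_value)
    connection_ok = chain_matches_pins(chain_spkis, directives["pins"])
    noteable = (
        connection_ok
        and directives["max_age"] is not None
        and has_backup_pin(chain_spkis, directives["pins"])
    )
    return {
        "connection_ok": connection_ok,
        "noteable": noteable,
        "max_age": directives["max_age"],
        "include_subdomains": directives["include_subdomains"],
    }


def sample_header() -> str:
    """Constructed header: pins the leaf key plus an offline backup key."""
    return 'pin-sha256="%s"; pin-sha256="%s"; max-age=5184000; includeSubDomains' % (
        spki_pin(LEAF_SPKI), spki_pin(BACKUP_SPKI))


def header_without_backup() -> str:
    """Constructed header that pins only the leaf key: valid for this
    connection, but a UA must not note it because no backup pin exists."""
    return 'pin-sha256="%s"; max-age=100' % spki_pin(LEAF_SPKI)


if __name__ == "__main__":
    print(evaluate(sample_header(), SAMPLE_CHAIN))
    print(evaluate(header_without_backup(), SAMPLE_CHAIN))
    print(evaluate(sample_header(), [b"constructed-spki-rotated", INTERMEDIATE_SPKI, ROOT_SPKI]))
```

The third call in the usage section models the failure mode operators worry about: the host rotated to a key that was never pinned, so the chain no longer matches and the connection would be refused until the pins expire. Pinning the backup key ahead of time, as the first header does, is what keeps a planned rotation from becoming an outage.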