Re: [websec] Protocol Action: 'Public Key Pinning Extension for HTTP' to Proposed Standard (draft-ietf-websec-key-pinning-21.txt)

"Hodges, Jeff" <> Fri, 17 October 2014 00:23 UTC

From: "Hodges, Jeff" <>
To: websec mailing list <>
Date: Fri, 17 Oct 2014 00:23:56 +0000
Subject: Re: [websec] Protocol Action: 'Public Key Pinning Extension for HTTP' to Proposed Standard (draft-ietf-websec-key-pinning-21.txt)
List-Id: Web Application Security Minus Authentication and Transport <>


On 10/13/14, 8:13 AM, "The IESG" <> wrote:

>The IESG has approved the following document:
>- 'Public Key Pinning Extension for HTTP'
>  (draft-ietf-websec-key-pinning-21.txt) as Proposed Standard
>
>This document is the product of the Web Security Working Group.
>
>The IESG contact persons are Barry Leiba and Pete Resnick.
>
>A URL of this Internet Draft is:
>
>Technical Summary
>
>This spec describes an extension to the HTTP protocol allowing web
>host operators to instruct user agents to remember ("pin") the hosts'
>cryptographic identities for a given period of time.  During that
>time, UAs will require that the host present a certificate chain
>including at least one Subject Public Key Info structure whose
>fingerprint matches one of the pinned fingerprints for that host.  By
>effectively reducing the number of authorities who can authenticate
>the domain during the lifetime of the pin, pinning may reduce the
>incidence of man-in-the-middle attacks due to compromised
>Certification Authorities.
>
>Review and Consensus
>
>Previous versions of this document received useful reviews on the
>mailing list. Many changes were introduced due to working group
>consensus, including to pin format, an includeSubdomains directive,
>and interaction with private trust anchors.
>
>Some changes were proposed and rejected by the working group,
>most notably named pins, a "strict" directive, and hard limits on the
>max-age directive. The consensus on these involved a long and hard
>discussion, but as chairs, Tobias and I believe that it is a regular
>rather than rough consensus.
>
>Two issues that were left for last were the interaction of pre-loaded
>pins with noted pins, and the processing of report-only pins. There
>was a lot of controversy and a lot of back-and-forth about these
>issues. We believe that the current draft represents the working
>group's consensus, although at least one participant would have
>preferred a different outcome.
>
>Yoav Nir is the document shepherd. Barry Leiba is the responsible
>Area Director.
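The Technical Summary quoted above describes the mechanism in two sentences: a host sends SPKI fingerprints with a lifetime, and the UA later refuses any chain that contains no SPKI matching a pin, which is what shuts out a certificate issued by a compromised CA. The following is an added illustration of that check, written for this archive page; it is not code from the draft, from the IETF, or from the message's author. It parses a Public-Key-Pins header value, computes pin-sha256 values (base64 of SHA-256 over the DER SubjectPublicKeyInfo), and decides whether a served chain passes. The byte strings standing in for DER SPKI structures, the chains, and the report-uri are constructed for the example; the requirement that a header carry a backup pin (one matching no SPKI in the served chain) before a UA notes pins is taken from the published form of this draft, RFC 7469, and is not spelled out in the summary above.

```python
"""HPKP-style pin validation (added example, not part of the original message).

Pin values are base64(SHA-256(DER SubjectPublicKeyInfo)), carried in a header
like:

    Public-Key-Pins: pin-sha256="..."; pin-sha256="..."; max-age=5184000; includeSubDomains
"""
import base64
import hashlib
import re
from dataclasses import dataclass
from typing import List, Optional


def spki_fingerprint(spki_der: bytes) -> str:
    """The pin-sha256 value for one SPKI: base64 of its SHA-256 digest."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")


@dataclass
class PinSet:
    pins: List[str]
    max_age: Optional[int] = None
    include_subdomains: bool = False
    report_uri: Optional[str] = None


# One directive: a name, optionally "=" followed by a quoted or bare value.
_DIRECTIVE = re.compile(r'\s*([A-Za-z0-9-]+)\s*(?:=\s*(?:"([^"]*)"|([^;\s]*)))?\s*')


def parse_public_key_pins(header_value: str) -> PinSet:
    """Parse the directives of a Public-Key-Pins header value.

    Directive names are case-insensitive; directives this example does not
    know are ignored; a non-numeric max-age is left as None (unusable).
    Splitting on ';' assumes no ';' appears inside a quoted report-uri.
    """
    ps = PinSet(pins=[])
    for part in header_value.split(";"):
        m = _DIRECTIVE.fullmatch(part)
        if m is None:
            continue
        name = m.group(1).lower()
        value = m.group(2) if m.group(2) is not None else m.group(3)
        if name == "pin-sha256" and value:
            ps.pins.append(value)
        elif name == "max-age" and value and value.isdigit():
            ps.max_age = int(value)
        elif name == "includesubdomains":
            ps.include_subdomains = True
        elif name == "report-uri" and value:
            ps.report_uri = value
    return ps


def chain_matches_pins(chain_spki_der: List[bytes], pins: List[str]) -> bool:
    """Pin validation as the summary describes it: the served chain must
    contain at least one SPKI whose fingerprint equals a pinned fingerprint."""
    present = {spki_fingerprint(s) for s in chain_spki_der}
    return any(p in present for p in pins)


def has_backup_pin(chain_spki_der: List[bytes], pins: List[str]) -> bool:
    """RFC 7469 rule (not in the summary above): at least one pin must match
    no SPKI in the served chain, so the host can rotate to that backup key
    without locking out clients that already noted the pins."""
    present = {spki_fingerprint(s) for s in chain_spki_der}
    return any(p not in present for p in pins)


def should_note_pins(header_value: str, chain_spki_der: List[bytes]) -> bool:
    """Whether a UA should remember these pins for the host: the header must
    parse with a max-age, the current chain must pass pin validation, and a
    backup pin must be present."""
    ps = parse_public_key_pins(header_value)
    return (ps.max_age is not None
            and chain_matches_pins(chain_spki_der, ps.pins)
            and has_backup_pin(chain_spki_der, ps.pins))


# Constructed stand-ins for DER-encoded SPKI structures; a real client would
# extract them from the X.509 certificates of the TLS chain.
LEAF_SPKI = b"constructed SPKI: leaf key"
INTERMEDIATE_SPKI = b"constructed SPKI: intermediate CA key"
BACKUP_SPKI = b"constructed SPKI: offline backup key"
ROGUE_SPKI = b"constructed SPKI: key certified by a compromised CA"

SERVED_CHAIN = [LEAF_SPKI, INTERMEDIATE_SPKI]
ROGUE_CHAIN = [ROGUE_SPKI]  # chains to a trusted root, but matches no pin

# Header as a well-configured host would send it: live leaf key plus a backup.
GOOD_HEADER = (
    f'pin-sha256="{spki_fingerprint(LEAF_SPKI)}"; '
    f'pin-sha256="{spki_fingerprint(BACKUP_SPKI)}"; '
    'max-age=5184000; includeSubDomains; report-uri="https://example.test/hpkp"'
)
# Misconfigured: every pin is already in the served chain, so there is no backup.
NO_BACKUP_HEADER = (
    f'pin-sha256="{spki_fingerprint(LEAF_SPKI)}"; '
    f'pin-sha256="{spki_fingerprint(INTERMEDIATE_SPKI)}"; max-age=5184000'
)

if __name__ == "__main__":
    noted = parse_public_key_pins(GOOD_HEADER)
    print("pins noted on first visit:", should_note_pins(GOOD_HEADER, SERVED_CHAIN))
    print("later visit, legitimate chain:", chain_matches_pins(SERVED_CHAIN, noted.pins))
    print("later visit, chain from another CA:", chain_matches_pins(ROGUE_CHAIN, noted.pins))
    print("header without backup pin noted:", should_note_pins(NO_BACKUP_HEADER, SERVED_CHAIN))
```

The rogue chain is the case the summary's last sentence is about: a certificate from a CA the UA trusts still fails, because trust during the pin's lifetime is narrowed to the pinned keys rather than to every authority in the trust store. The backup-pin check is the operational caveat that goes with that strength: without a second, unserved key, a key loss or rotation turns the pin into a self-inflicted outage for the max-age period.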