[websec] Kathleen Moriarty's Discuss on draft-ietf-websec-key-pinning-19: (with DISCUSS and COMMENT)

["Kathleen Moriarty" <Kathleen.Moriarty.ietf@gmail.com>]

Kathleen Moriarty has entered the following ballot position for
draft-ietf-websec-key-pinning-19: Discuss

When responding, please keep the subject line intact and reply to all
email addresses included in the To and CC lines. (Feel free to cut this
introductory paragraph, however.)


Please refer to http://www.ietf.org/iesg/statement/discuss-criteria.html
for more information about IESG DISCUSS and COMMENT positions.


The document, along with other ballot positions, can be found here:
http://datatracker.ietf.org/doc/draft-ietf-websec-key-pinning/



----------------------------------------------------------------------
DISCUSS:
----------------------------------------------------------------------

Overall the draft is very good, thank you for writing it.  I just wanted
to discuss some of the security/privacy considerations and see if we
could improve the language and make sure the set of concerns are clear.

The privacy consideration section reads more like possible attack
scenarios that would fit into the security considerations.  What privacy
related concerns result from these attacks?  Having that spelled out to
differentiate the risks as privacy only would be helpful (if appropriate)
or moving this into the security consideration section *IF* it is more
generically applicable.  If I am missing something and this is only
privacy related, it would be good to understand that in this discussion. 
 Adding some text on how these attacks could be used to expose privacy
related information would be helpful too.

For the first example, it seems it is the possibility that a report goes
outside out the intended scope is the concern.  The mitigation seems to
be provided in the last sentence of #4, but couldn't this be other
information leakage and not just privacy?  Let me know if I am missing
something that explains why this is privacy specific.

In #3 of the second example, the last sentence includes the following
clause:
          and giving some UAs no
          Valid Pinning Header for other subdomains (causing subsequent
          requests for m.fingerprint.example.com to succeed).

Does this mean that these subdomains are succeeding when they should
fail?  It might just be me, but that is not clear in the text (or if they
are supposed to succeed).  It sounds like they are not supposed to
succeed and this is the security issue.  How is this privacy specific? 
Again, this may just be me, but an explanation would be helpful.

In the last sentence of the privacy considerations section, what is meant
by the description "forensic attacker"?  I find this term confusing.  Was
this intended to mean that techniques used in forensic analysis could be
used by an attacker to discern information that could be of interest?  If
that's the case, I think it would be clearer to the reader if that were
stated instead.


----------------------------------------------------------------------
COMMENT:
----------------------------------------------------------------------

I agree with Richard's comment that the document is well written and an
important document, thank you for writing it.  The style changed a little
toward the end and I had some trouble with long sentences in the security
& privacy considerations sections.  This should be easy enough to fix and
may be done with the RFC editor anyway.

To Richard's point on operational concerns versus security concerns, are
there explicit security attacks that could occur with the max-age
variations described?  

In 4.2, I can't see this being more than an operational concern since it
fails when overlapping pin sets are not used.  Are we missing a gap that
leads to a security concern?

4.3 makes sense to me as a security concern that drives operational
practices.