Re: [websec] PKP-RO (was Re: I-D Action: draft-ietf-websec-key-pinning-12.txt)
Chris Palmer <palmer@google.com> Mon, 16 June 2014 23:13 UTC
In-Reply-To: <CAGZ8ZG1L3nKKv41=GLW62pUA+MeFXvhWn28d=rOXtJmxydG7wQ@mail.gmail.com>
References: <CAGZ8ZG1L3nKKv41=GLW62pUA+MeFXvhWn28d=rOXtJmxydG7wQ@mail.gmail.com>
Date: Mon, 16 Jun 2014 16:13:16 -0700
Message-ID: <CAOuvq21nrT+OB5iqG0hcfJMxExdGNBMAj9GkRAf9-bf8q0hnQA@mail.gmail.com>
From: Chris Palmer <palmer@google.com>
To: Trevor Perrin <trevp@trevp.net>
Content-Type: text/plain; charset="UTF-8"
Archived-At: http://mailarchive.ietf.org/arch/msg/websec/02uYiy-VINpRTGz9dIFS0SB_jJc
Cc: IETF WebSec WG <websec@ietf.org>
Sorry it took me a while. See the other thread; I think it's handled reasonably well now?

On Wed, Jun 4, 2014 at 5:48 PM, Trevor Perrin <trevp@trevp.net> wrote:
> Anyone have comments on below? Is there agreement on what PKP-RO should do yet?
>
>
> On Mon, May 19, 2014 at 11:28 PM, Trevor Perrin <trevp@trevp.net> wrote:
>> On Tue, May 13, 2014 at 2:09 PM, Chris Palmer <palmer@google.com> wrote:
>>>
>>> PKP vs. PKP-RO:
>>> https://code.google.com/p/key-pinning-draft/source/detail?r=994a00dc31bf2cca6f3edea29871a6a4f18090f9
>>
>> The new text about PKP-RO in 2.5 (quoted below) seems to say that a
>> PKP-RO header is only evaluated against the current connection, not
>> stored as a pin. I thought we decided the opposite (which is what I
>> think 2.3.2 is saying):
>>
>> 2.3.2 (existing text):
>> If a Host sets both the Public-Key-Pins header and the
>> Public-Key-Pins-Report-Only header, the UA MUST note and enforce Pin
>> Validation as specified by the Public-Key-Pins header, and SHOULD note
>> the Pins and directives given in the Public-Key-Pins-Report-Only header.
>>
>> 2.5 (new text):
>> The UA SHOULD NOT note any pins or other policy expressed in the
>> PKP-RO response header field.
>
>
> Trevor
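The distinction the thread is arguing over is whether a Public-Key-Pins-Report-Only header is merely evaluated against the connection that carried it or is also stored ("noted") as a pin for later connections. The following Python model, added here as an illustration and not code from the draft or from any browser, implements the "2.5 (new text)" reading: PKP is noted and enforced, PKP-RO is checked against the current chain only, produces a report on mismatch, and is never stored and never blocks. The SPKI byte strings, hostnames and report URIs are constructed stand-ins; a real UA would hash the DER SubjectPublicKeyInfo of each certificate in the served chain.

```python
import base64
import hashlib
from dataclasses import dataclass, field

# Constructed stand-ins for the DER SubjectPublicKeyInfo of chain certificates.
LEAF_SPKI = b"constructed-leaf-spki"
INTERMEDIATE_SPKI = b"constructed-intermediate-spki"
BACKUP_SPKI = b"constructed-backup-key-spki"
ROGUE_SPKI = b"constructed-rogue-leaf-spki"
ROGUE_CA_SPKI = b"constructed-rogue-ca-spki"


def spki_fingerprint(spki_der: bytes) -> str:
    """pin-sha256 value: base64(SHA-256(SPKI DER))."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")


def parse_pkp_header(value: str) -> dict:
    """Parse the directives shared by the PKP and PKP-RO header fields."""
    policy = {"pins": [], "max_age": None, "report_uri": None, "include_subdomains": False}
    for directive in value.split(";"):
        directive = directive.strip()
        if not directive:
            continue
        name, _, raw = directive.partition("=")
        name, raw = name.strip().lower(), raw.strip().strip('"')
        if name == "pin-sha256":
            policy["pins"].append(raw)
        elif name == "max-age":
            policy["max_age"] = int(raw)
        elif name == "report-uri":
            policy["report_uri"] = raw
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
    return policy


def pin_validation(pins, chain_spkis) -> bool:
    """Pin Validation passes when at least one pin matches some SPKI in the chain."""
    fingerprints = {spki_fingerprint(s) for s in chain_spkis}
    return any(p in fingerprints for p in pins)


@dataclass
class UserAgent:
    noted_pins: dict = field(default_factory=dict)  # host -> policy noted from PKP
    reports: list = field(default_factory=list)     # reports the UA would send

    def process_response(self, host, headers, chain_spkis) -> bool:
        """Apply PKP / PKP-RO semantics to one response; True if the connection is allowed."""
        # 1. Enforce pins already noted for this host from an earlier PKP header.
        noted = self.noted_pins.get(host)
        if noted and not pin_validation(noted["pins"], chain_spkis):
            self._report(host, noted, "Public-Key-Pins")
            return False  # enforced pin failure: the connection is terminated

        # 2. PKP: note and enforce. Only note when the header's own pins validate
        #    against this chain, so a misconfigured header is ignored rather than stored.
        pkp = headers.get("Public-Key-Pins")
        if pkp is not None:
            policy = parse_pkp_header(pkp)
            if policy["max_age"] == 0:
                self.noted_pins.pop(host, None)
            elif pin_validation(policy["pins"], chain_spkis):
                self.noted_pins[host] = policy

        # 3. PKP-RO (2.5 reading): evaluate against the current connection only,
        #    report on mismatch, never note the policy and never block.
        pkp_ro = headers.get("Public-Key-Pins-Report-Only")
        if pkp_ro is not None:
            policy = parse_pkp_header(pkp_ro)
            if not pin_validation(policy["pins"], chain_spkis):
                self._report(host, policy, "Public-Key-Pins-Report-Only")
        return True

    def _report(self, host, policy, header_name):
        if policy["report_uri"]:
            self.reports.append({"host": host, "uri": policy["report_uri"], "header": header_name})


def demo() -> dict:
    """Walk one host through PKP-RO, then PKP, then a non-matching chain."""
    ua = UserAgent()
    good_chain = [LEAF_SPKI, INTERMEDIATE_SPKI]
    rogue_chain = [ROGUE_SPKI, ROGUE_CA_SPKI]
    ro_header = 'pin-sha256="%s"; max-age=5184000; report-uri="https://report.example/ro"' % (
        spki_fingerprint(BACKUP_SPKI))           # pins only the backup key: mismatch
    pkp_header = 'pin-sha256="%s"; pin-sha256="%s"; max-age=5184000; report-uri="https://report.example/pkp"' % (
        spki_fingerprint(LEAF_SPKI), spki_fingerprint(BACKUP_SPKI))
    ro_allowed = ua.process_response("example.com", {"Public-Key-Pins-Report-Only": ro_header}, good_chain)
    noted_after_ro = len(ua.noted_pins)          # 0: PKP-RO is not noted
    ua.process_response("example.com", {"Public-Key-Pins": pkp_header}, good_chain)
    rogue_allowed = ua.process_response("example.com", {}, rogue_chain)
    return {"ro_allowed": ro_allowed, "noted_after_ro": noted_after_ro,
            "noted_after_pkp": len(ua.noted_pins), "rogue_allowed": rogue_allowed,
            "reports": [r["header"] for r in ua.reports]}


if __name__ == "__main__":
    print(demo())
```

Under the 2.3.2 reading that Trevor quotes, step 3 would additionally store the PKP-RO policy (without enforcing it); the model above keeps the two readings apart by making that storage the only difference, which is the point the thread is trying to settle.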