Re: [websec] #57: Re-add an upper limit to max-age
Trevor Perrin <trevp@trevp.net> Fri, 05 April 2013 07:03 UTC
In-Reply-To: <77D0BAFD-9345-4F92-A8A3-641DADA771AA@checkpoint.com>
References: <058.4066f40ba1a0e0b17085c25af1721605@trac.tools.ietf.org> <073.92e203ac2ffbca6a9b6ecd285f8d0e00@trac.tools.ietf.org> <CAGZ8ZG1HsW_SgB4OFRDPZT_3rUwsB8yvYxtE+fSpwLfoyrtHyg@mail.gmail.com> <CAOe4Ui=1ADLZsHrHpFofQW48DpERfAENH0a5zUFta81PejCNUA@mail.gmail.com> <C9FEEDC3-3178-4641-B9D2-6319183AD956@checkpoint.com> <CAOuvq21ZjAD3W7RmSLO0OtrE0SZ35nfw_+o+RiaOkxGS6ay0mQ@mail.gmail.com> <CAOe4UikHTm=NnDQbB-W3APrGn+MVwQLdf=j3FNsDEDNvna9yng@mail.gmail.com> <5B9868F5-6DF8-4D9E-BCE4-248063103A65@checkpoint.com> <CAOe4UikGpuy_m000z+9_yGVo=SXZ7k29y-2Vp2Cc7UXd223cKw@mail.gmail.com> <CACvaWvYA1XiY12xrQA68n7Xca6OHxgN0FwOoLuggMvM8fEbYjQ@mail.gmail.com> <77D0BAFD-9345-4F92-A8A3-641DADA771AA@checkpoint.com>
Date: Fri, 05 Apr 2013 00:03:10 -0700
Message-ID: <CAGZ8ZG1VXCZ53R=ErSh4cNk4QtPtKP0jhYsSgiK7x6GJHbt=Lw@mail.gmail.com>
From: Trevor Perrin <trevp@trevp.net>
To: Yoav Nir <ynir@checkpoint.com>
Content-Type: text/plain; charset="ISO-8859-1"
Cc: "<websec@ietf.org>" <websec@ietf.org>, Ryan Sleevi <sleevi@google.com>, websec issue tracker <trac+websec@grenache.tools.ietf.org>
Subject: Re: [websec] #57: Re-add an upper limit to max-age
On Fri, Mar 29, 2013 at 7:05 PM, Yoav Nir <ynir@checkpoint.com> wrote:
>
> Getting back to the subject of the thread, I still don't see the difference for a site operator between being bricked for 60 days and being bricked for a year. For an online retailer it's catastrophe either way.

Hi Yoav,

There are other things to consider when thinking about pin lifetimes:

- Suppose a site foolishly sets a year-long pin to keys that will be expired in 6 months. A client who receives this pin and then visits the site 6 months later will perceive that the site is bricked for the next 6 months.

- Suppose a site has a year-long pin to a set of end-entity keys. Suppose these keys are compromised by a hacker. For the next year, the site will be unable to change keys to re-establish security without a risk of "bricking" the site for clients with the old pin.

- Suppose you purchase a domain name. The previous owner may have set long-term pins, meaning the name is not fully usable until these expire.

So this isn't just a question of "how long might a site outage last". Longer pin lifetimes increase the *possibility* of a site outage, because there will be more old pins out there you have to stay consistent with.

I do agree that a 30 or 60 day limit will be cold comfort if you brick your site for that long. Certainly, pinning will need other safeguards.

One safeguard could be some sort of "pin activation", where new or changed pins are not accepted immediately, but must be observed for some period of time before they "activate". I know this WG considered a mechanism similar to TACK. TACK's exact mechanism doesn't translate well to HPKP, but perhaps there is something else to be done. It may be worth more thought.

Trevor
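The first case Trevor lists (a year-long pin to a key that is replaced after six months) and his "pin activation" suggestion, run through a toy client pin cache. This is an added example, not code from the message or from any HPKP implementation: the host example.com, the KEY_A/KEY_B byte strings (constructed stand-ins for DER SubjectPublicKeyInfo), the PinStore and scenario helpers, and the activation_days rule (a simplified reading of the activation idea: a pin set is enforced only after it has been observed unchanged across visits spanning some period) are all assumptions of the example. Pin values are computed the way HPKP defines them, base64 of SHA-256 over the DER SPKI.

```python
"""Toy model of an HPKP-style client pin cache and the outage windows that
long max-age values create.  Added example, not code from the websec
thread; the SPKI byte strings are constructed stand-ins for DER, and
activation_days is a simplified reading of the "pin activation" idea."""
import base64
import hashlib
import re

DAY = 86400
YEAR = 365 * DAY
HOST = "example.com"  # assumed host for the scenarios below


def pin_sha256(spki_der: bytes) -> str:
    """HPKP pin value: base64(SHA-256(DER SubjectPublicKeyInfo))."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode()


# Constructed stand-ins for two distinct SubjectPublicKeyInfo encodings.
KEY_A = b"constructed-spki-A"   # key the site pins in year one
KEY_B = b"constructed-spki-B"   # key the site rotates to (or its backup key)

_PIN_RE = re.compile(r'pin-sha256="?([A-Za-z0-9+/=]+)"?')
_AGE_RE = re.compile(r"max-age=(\d+)")


def parse_pkp_header(value: str):
    """Return (set of pins, max_age seconds) from a Public-Key-Pins value.
    Other directives such as includeSubDomains or report-uri are ignored."""
    pins = set(_PIN_RE.findall(value))
    age = _AGE_RE.search(value)
    if not pins or age is None:
        raise ValueError("need at least one pin-sha256 and a max-age")
    return pins, int(age.group(1))


class PinStore:
    """Client-side pin cache.  With activation_days=0 a pin is enforced the
    moment it is received, as HPKP does.  With activation_days>0 a pin set
    is enforced only once it has been observed unchanged across visits
    spanning at least that long (hypothetical 'pin activation' rule)."""

    def __init__(self, activation_days: int = 0):
        self.activation = activation_days * DAY
        self.entries = {}  # host -> {pins, expires, first_seen, last_seen}

    def observe(self, host: str, header_value: str, now: int) -> None:
        pins, max_age = parse_pkp_header(header_value)
        prev = self.entries.get(host)
        same = prev is not None and prev["pins"] == pins
        self.entries[host] = {
            "pins": pins,
            "expires": now + max_age,  # each visit refreshes the lifetime
            "first_seen": prev["first_seen"] if same else now,
            "last_seen": now,
        }

    def enforcing(self, host: str, now: int) -> bool:
        e = self.entries.get(host)
        if e is None or now >= e["expires"]:
            return False
        return e["last_seen"] - e["first_seen"] >= self.activation

    def validate(self, host: str, chain_spkis, now: int) -> bool:
        """True if the connection may proceed: either no pin is being
        enforced, or some certificate in the chain carries a pinned key."""
        if not self.enforcing(host, now):
            return True
        pinned = self.entries[host]["pins"]
        return any(pin_sha256(k) in pinned for k in chain_spkis)

    def days_until_expiry(self, host: str, now: int) -> int:
        return max(0, (self.entries[host]["expires"] - now) // DAY)


def scenario(header, served_key, visit_day, observe_days=(0,), activation_days=0):
    """The client receives `header` on each day in observe_days, then on
    visit_day the site serves a chain whose only key is served_key.
    Returns (connection_ok, days the stale pin remains in the cache)."""
    store = PinStore(activation_days)
    for d in observe_days:
        store.observe(HOST, header, d * DAY)
    now = visit_day * DAY
    return store.validate(HOST, [served_key], now), store.days_until_expiry(HOST, now)


# Year-long pin to key A alone, although A is replaced after ~6 months.
HDR_A_ONLY = f'pin-sha256="{pin_sha256(KEY_A)}"; max-age={YEAR}'
# Same lifetime, but the offline backup key B is pinned too, so a
# rotation to B still validates.
HDR_A_AND_B = (f'pin-sha256="{pin_sha256(KEY_A)}"; '
               f'pin-sha256="{pin_sha256(KEY_B)}"; max-age={YEAR}')

if __name__ == "__main__":
    print(scenario(HDR_A_ONLY, KEY_B, 200))               # (False, 165): bricked
    print(scenario(HDR_A_AND_B, KEY_B, 200))              # (True, 165): backup pin saves it
    print(scenario(HDR_A_ONLY, KEY_B, 200, (0,), 30))     # (True, 165): seen once, never activated
    print(scenario(HDR_A_ONLY, KEY_B, 200, (0, 40), 30))  # (False, 205): activated, bricked
```

The first run shows the cost of the long lifetime: the client that saw the pin on day 0 and returns on day 200, after the rotation to key B, fails validation and keeps the stale pin for another 165 days. Pinning a backup key as well is the mitigation the final HPKP specification (RFC 7469) makes mandatory. The last two runs show what an activation period buys and what it does not: a pin set observed only once is never enforced, so a single bad header cannot brick a client, but once the same pin set has been seen across visits 40 days apart it is enforced and the same outage follows. Note also that every observation refreshes max-age, so a pin can outlive the key for longer than the original max-age suggests.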