Re: [websec] Issue 53 - Key pinning should clarify status of pin validation with private trust anchors

Tom Ritter <tom@ritter.vg> Wed, 06 March 2013 02:55 UTC

Return-Path: <tom@ritter.vg>
X-Original-To: websec@ietfa.amsl.com
Delivered-To: websec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id ABBE921F8609 for <websec@ietfa.amsl.com>; Tue, 5 Mar 2013 18:55:21 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.977
X-Spam-Level:
X-Spam-Status: No, score=-2.977 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id K6RAcyrjsC3T for <websec@ietfa.amsl.com>; Tue, 5 Mar 2013 18:55:21 -0800 (PST)
Received: from mail-vc0-f177.google.com (mail-vc0-f177.google.com [209.85.220.177]) by ietfa.amsl.com (Postfix) with ESMTP id F40A221F8501 for <websec@ietf.org>; Tue, 5 Mar 2013 18:55:20 -0800 (PST)
Received: by mail-vc0-f177.google.com with SMTP id m18so4529783vcm.22 for <websec@ietf.org>; Tue, 05 Mar 2013 18:55:20 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ritter.vg; s=vg; h=x-received:mime-version:in-reply-to:references:from:date:message-id :subject:to:cc:content-type; bh=/UceY41udfLo9Sm2pVDdb7lMJSRR93duCcNhg2WPlsY=; b=L9Agu+GkqBDG0y663ol2QmZ/l1QJgdgePC2kp89w11mNRv9JJq+Te2LrIWQvUPwUqK DXkwYjUARZV8/KnYAxrCvA26Z+ryYuJMBYGwhvBKtYG4kBjpmqhvE1lEhWWVWmvP3yL4 7mFGS+qC/7XxqkVBQfXpb6LbCAzScLEO71JxI=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=x-received:mime-version:in-reply-to:references:from:date:message-id :subject:to:cc:content-type:x-gm-message-state; bh=/UceY41udfLo9Sm2pVDdb7lMJSRR93duCcNhg2WPlsY=; b=oYEWLRBuA0WawpicPz7Gxcnpiz7yz8qzFQzjiWhmfNNXzLbldrYU+lC5fUhy7x5wO9 yJ9JOCRKhk1EGTotSx4LEgxgYRal7tmFJli7Qszohqd1d7S7+5k0hI/Guixv+5RSQCFK OCsFQ9YWM3wercQxm2C3nO/cuKLc+Yz2Bz1m6gOpXEbP9T+kv+ie/U+E+5p7PzGVFOzq B76Fxc+TFiXV+Nf2gAr6ZL+Xw95yGakmHRbRvoQJ3OOqoGoun3fiIVc43E1FKuazgEPb X2PieKwHFuGCnL7qRUlKxknxWq+jnCV0Lolrlx92Hhge0svD+BltGaY4RCrwhShUIxEL nBMA==
X-Received: by 10.52.91.212 with SMTP id cg20mr9494911vdb.63.1362538520196; Tue, 05 Mar 2013 18:55:20 -0800 (PST)
MIME-Version: 1.0
Received: by 10.58.182.169 with HTTP; Tue, 5 Mar 2013 18:54:58 -0800 (PST)
In-Reply-To: <77ade868e5042a347751a9d025b84b19.squirrel@webmail.dreamhost.com>
References: <77ade868e5042a347751a9d025b84b19.squirrel@webmail.dreamhost.com>
From: Tom Ritter <tom@ritter.vg>
Date: Tue, 5 Mar 2013 21:54:58 -0500
Message-ID: <CA+cU71myjqPKbSqy=5kQJO6gKjF62UXdL18qzXQEOmmubmz-bw@mail.gmail.com>
To: ryan-ietfhasmat@sleevi.com
Content-Type: text/plain; charset=ISO-8859-1
X-Gm-Message-State: ALoCoQmfopKDFMrPeNnnkoX1e074LnSBb0xvMCNFZn7Co0MLQpBR+OZl9QL3maqG1KU3erlPKNmR
Cc: websec@ietf.org
Subject: Re: [websec] Issue 53 - Key pinning should clarify status of pin validation with private trust anchors
X-BeenThere: websec@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/websec>, <mailto:websec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/websec>
List-Post: <mailto:websec@ietf.org>
List-Help: <mailto:websec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/websec>, <mailto:websec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 06 Mar 2013 02:55:21 -0000

On 4 March 2013 19:57, Ryan Sleevi <ryan-ietfhasmat@sleevi.com> wrote:
> While there is an open question as to whether or not such user-agent
> behaviour is appropriate to specify here, does the group feel the proposed
> text sufficiently addresses the issue as originally raised?

I think it does, although I'm very curious about two points:

 - will implementations respect 'strict'?
 - who if any of the sites that have led the way on HSTS/pinning
(Google, Twitter) will enable strict

I guess we'll have to wait and see.

-tom