Re: [websec] Certificate Pinning via HSTS (.txt version)

Phillip Hallam-Baker <hallam@gmail.com> Tue, 13 September 2011 21:06 UTC

In-Reply-To: <4E6FB0E7.5050903@fifthhorseman.net>
References: <4E6E9B77.1020802@KingsMountain.com> <4E6F9DC6.2080006@stpeter.im> <FA8A58ED-DD2B-446B-9F01-9D1D25140569@checkpoint.com> <4E6FB0E7.5050903@fifthhorseman.net>
Date: Tue, 13 Sep 2011 17:08:40 -0400
Message-ID: <CAMm+LwgOYRHtMfhi1hPMxTRH=fTwyHsS42BK2y6oU0Uv-J=g4w@mail.gmail.com>
From: Phillip Hallam-Baker <hallam@gmail.com>
To: websec@ietf.org
Subject: Re: [websec] Certificate Pinning via HSTS (.txt version)

That is a good point.

But in the DigiNotar case the CA root was revoked, so that could be dealt
with by saying that a client should unpin a cert when it has been revoked
(or part of the chain has been revoked).

Another tool that we could use here is to push out an 'unpin' statement in
whatever mechanism we develop for data driven revocation.


On Tue, Sep 13, 2011 at 3:37 PM, Daniel Kahn Gillmor
<dkg@fifthhorseman.net> wrote:

> On 09/13/2011 02:41 PM, Yoav Nir wrote:
>
> > the customers of DigiNotar were left
> > out in the cold. Without certificate pinning, they just need to spend
> > money on a new certificate and their site is working again. With it,
> > they are in trouble.
>
> With *CA* pinning, DigiNotar customers are definitely in serious trouble
> (which is why i asked earlier about the advantage of pinning anything
> but the EE cert).  But if they had pinned their EE certs, they would
> have been able to resist even if DigiNotar had issued certs with their
> same name.
>
> So certificate pinning isn't bad in this case -- CA Certificate pinning
> is bad.
>
>        --dkg


-- 
Website: http://hallambaker.com/
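The two points argued in this exchange, that an EE-key pin resists a mis-issued certificate from the same CA while a CA pin does not, and that a client should drop a pin once the pinned certificate or part of its chain is revoked, are easy to see in a small model. The following is an added example written for this archive page; it is not code from the websec thread or from any of its participants. It models HPKP-style validation (a chain passes if any certificate in it carries a pinned SPKI hash). The host name, CA names and "SPKI" byte strings are constructed placeholders, not real certificates or keys, and ordinary chain validation is assumed to happen elsewhere.

```python
from __future__ import annotations

import hashlib
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Cert:
    """Minimal stand-in for an X.509 certificate: only what pinning looks at."""
    subject: str
    issuer: str
    spki: bytes  # placeholder for the DER SubjectPublicKeyInfo; not a real key

    def pin(self) -> str:
        # HPKP-style pin value: SHA-256 over the SPKI, so it follows the key,
        # not the certificate or the CA that signed it.
        return hashlib.sha256(self.spki).hexdigest()


@dataclass
class PinStore:
    """Per-host pin memory, modelled on HPKP: a chain is accepted if ANY
    certificate in it carries a pinned SPKI hash."""
    pins: dict[str, set[str]] = field(default_factory=dict)
    chain_pins: dict[str, set[str]] = field(default_factory=dict)

    def pin(self, host: str, pin_values: set[str], chain: list[Cert]) -> None:
        # Remember the pins and the SPKI hashes of the chain they were learned
        # from, so a later revocation of anything in that chain can be matched.
        self.pins[host] = set(pin_values)
        self.chain_pins[host] = {c.pin() for c in chain}

    def check(self, host: str, chain: list[Cert]) -> bool:
        # Ordinary chain validation (names, signatures, revocation) is assumed
        # to have happened already; this is only the pin check.
        if host not in self.pins:
            return True  # nothing pinned yet: first use, accept
        return any(c.pin() in self.pins[host] for c in chain)

    def unpin_if_revoked(self, host: str, revoked: set[str]) -> bool:
        # The rule proposed in the reply above: drop the pin when the pinned
        # certificate, or any part of the chain it was pinned from, is revoked.
        if self.chain_pins.get(host, set()) & revoked:
            self.pins.pop(host, None)
            self.chain_pins.pop(host, None)
            return True
        return False


# Constructed actors (hypothetical names and placeholder keys).
HOST = "www.example.nl"
DIGINOTAR_ROOT = Cert("DigiNotar Root CA", "DigiNotar Root CA", b"root-key-A")
OTHER_ROOT = Cert("Replacement Root CA", "Replacement Root CA", b"root-key-B")
LEGIT_EE = Cert(HOST, "DigiNotar Root CA", b"customer-key")
# Mis-issued cert for the same name under the compromised CA, attacker's key.
FRAUD_EE = Cert(HOST, "DigiNotar Root CA", b"attacker-key")
# Two ways the customer can recover after the CA root is revoked:
SAME_KEY_EE = Cert(HOST, "Replacement Root CA", b"customer-key")    # re-certify the existing key
NEW_KEY_EE = Cert(HOST, "Replacement Root CA", b"customer-key-2")   # generate a fresh key pair


def run_scenario(pin_target: str) -> dict[str, bool]:
    """Walk the DigiNotar scenario with either the EE key or the CA key pinned."""
    store = PinStore()
    original_chain = [LEGIT_EE, DIGINOTAR_ROOT]
    if pin_target == "ee":
        store.pin(HOST, {LEGIT_EE.pin()}, original_chain)
    elif pin_target == "ca":
        store.pin(HOST, {DIGINOTAR_ROOT.pin()}, original_chain)
    else:
        raise ValueError(f"unknown pin target: {pin_target}")

    results = {
        "legit_accepted": store.check(HOST, original_chain),
        # Mis-issued cert, same name, same CA: only an EE pin stops it.
        "fraud_accepted": store.check(HOST, [FRAUD_EE, DIGINOTAR_ROOT]),
        # After the CA root is pulled: customer re-certifies the SAME key elsewhere.
        "rekey_same_key_accepted": store.check(HOST, [SAME_KEY_EE, OTHER_ROOT]),
        # ...or gets a brand-new key, which neither pin type accepts until unpinned.
        "new_key_accepted_before_unpin": store.check(HOST, [NEW_KEY_EE, OTHER_ROOT]),
    }
    revoked = {DIGINOTAR_ROOT.pin()}  # the compromised root is revoked
    results["unpinned_on_revocation"] = store.unpin_if_revoked(HOST, revoked)
    results["new_key_accepted_after_unpin"] = store.check(HOST, [NEW_KEY_EE, OTHER_ROOT])
    return results


if __name__ == "__main__":
    for target in ("ee", "ca"):
        print(target, run_scenario(target))
```

With the EE key pinned, the fraudulent same-name certificate is rejected and the customer can recover simply by having another CA certify the key they already hold; with the CA key pinned, the fraudulent certificate is accepted and every replacement chain is rejected until the unpin rule fires. The model's caveat is the one the reply hints at: unpinning on revocation only helps if the client actually learns of the revocation, which is why a pushed, data-driven "unpin" signal is raised as a separate tool.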