Re: [websec] #55: Clarify that the newest pinning information takes precedence

Tom Ritter <tom@ritter.vg> Thu, 28 March 2013 02:54 UTC

In-Reply-To: <073.ec94ba2e71513562888c29f0af0b3306@trac.tools.ietf.org>
To: websec issue tracker <trac+websec@trac.tools.ietf.org>
Cc: websec@ietf.org

" The UA MUST evict all expired Known Pinned Hosts if at any time, an
expired Known Pinned Host exists in the cache"

I use rrdtool to keep 5 years of statistics for my server.  Once, I
accidentally set the date forward, to 2038, wiping out my statistics -
there was no way to recover, because rrdtool dutifully wiped all this
expired data.

Using the word 'evict' seems particularly dangerous, for both active
NTP attacks and accidental wiping.

-tom
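The failure mode described above, as an added simulation (not code from the draft, the issue tracker, or Tom's message): a small Known Pinned Host cache under two policies. "evict-all-expired" models the quoted MUST literally (whenever any expired entry exists, every expired entry is deleted); "lazy" is a hypothetical alternative, not something the draft specifies, that merely ignores expired entries at lookup time. Host names, pin values, max-age values and the 2013/2038 timestamps are constructed. Both policies treat the host as unpinned while the clock is wrong, so a MITM chain passes ordinary validation in either case; the difference is what is left once the clock is corrected.

```python
"""Simulate HPKP pin eviction under a clock jump (illustration, not draft code).

Policies:
  evict-all-expired : the quoted MUST, applied on every cache access.
  lazy              : hypothetical alternative; expired entries are ignored,
                      not deleted, so a corrected clock restores them.
"""
from dataclasses import dataclass

SECONDS_PER_DAY = 86400


@dataclass
class PinnedHost:
    host: str
    spki_hashes: frozenset   # constructed stand-ins for base64 SPKI digests
    expires_at: int          # absolute seconds: time of observation + max-age


class PinCache:
    def __init__(self, policy):
        assert policy in ("evict-all-expired", "lazy")
        self.policy = policy
        self._hosts = {}

    def note_pin(self, host, hashes, now, max_age):
        """Record (or refresh) a pin as if a valid PKP header had just been seen."""
        self._hosts[host] = PinnedHost(host, frozenset(hashes), now + max_age)

    def _maintain(self, now):
        # Quoted rule: if an expired Known Pinned Host exists, evict all expired ones.
        # A clock set far into the future makes *every* entry expired at once.
        if self.policy == "evict-all-expired":
            if any(h.expires_at <= now for h in self._hosts.values()):
                self._hosts = {k: v for k, v in self._hosts.items()
                               if v.expires_at > now}

    def pins_for(self, host, now):
        """Pinned SPKI hashes for host at time `now`, or None if not (currently) pinned."""
        self._maintain(now)
        entry = self._hosts.get(host)
        if entry is None or entry.expires_at <= now:
            return None
        return entry.spki_hashes

    def stored_hosts(self):
        return sorted(self._hosts)


def validate_chain(cache, host, now, chain_spki_hashes):
    """'ok' if some chain element matches a pin, 'pin-failure' if pinned but none
    match, 'unpinned' if the UA holds no usable pin (only ordinary PKI checks apply)."""
    pins = cache.pins_for(host, now)
    if pins is None:
        return "unpinned"
    return "ok" if pins & set(chain_spki_hashes) else "pin-failure"


def clock_jump_scenario(policy):
    """Pin two hosts, jump the clock to 2038, restore it, report what survived."""
    cache = PinCache(policy)
    t0 = 1_364_439_260  # 27 Mar 2013 (constructed; about the date of the post)
    cache.note_pin("example.com", {"pin-A", "pin-B"}, t0, 60 * SECONDS_PER_DAY)
    cache.note_pin("example.net", {"pin-C"}, t0, 30 * SECONDS_PER_DAY)

    far_future = 2_147_483_647  # 19 Jan 2038, the 32-bit time_t limit
    # Attacker-controlled (or accidental) clock: every pin is now "expired".
    during_jump = validate_chain(cache, "example.com", far_future, ["attacker-pin"])
    # Clock corrected to the next day: are the pins still there?
    after_fix = validate_chain(cache, "example.com", t0 + SECONDS_PER_DAY, ["attacker-pin"])
    return {"during_jump": during_jump,
            "after_fix": after_fix,
            "surviving": cache.stored_hosts()}


if __name__ == "__main__":
    for policy in ("evict-all-expired", "lazy"):
        print(policy, clock_jump_scenario(policy))
```

Under "evict-all-expired" the single access at the bogus time empties the cache, and the attacker's chain is still accepted as "unpinned" after the clock is fixed; under "lazy" the same access lets the bogus chain through once, but the restored clock brings the pins back and the chain is rejected with "pin-failure". Whatever policy a UA adopts, the point for a threat model is that pin state is only as trustworthy as the local clock.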