Re: [websec] [saag] Pinning

Alexey Melnikov <> Fri, 17 August 2012 12:56 UTC

List-Id: Web Application Security Minus Authentication and Transport <>

On 10/08/2012 23:20, Chris Palmer wrote:
> Hi all,
> Resurrecting this ancient thread, and explicitly including Moxie and
> Trevor in case they aren't already on any of the relevant mailing
> lists.
> So ultimately I do think we should decide on either HPKP or TACK, but
> that we should make that decision after there has been some real-world
> deployment experience with both (or, sadly, real-world non-deployment
> of one or both).
> Additionally, HPKP and TACK might converge, more or less. I have plans
> to publish a new HPKP I-D that borrows some of TACK's pin activation
> and expiration ideas, for example.
> Additionally, one of the main criticisms of HPKP is that it is tied to
> HTTP. I currently don't consider that a huge problem — even though I
> consider TACK's TLS-generic-ness a nice benefit — for several reasons:
> * HTTPS is the big, important application that we need to secure right now.
> * IMAPS and POPS are surely on the list too, right after HTTPS; but
> specifying "IPKP" and "PPKP" is likely to be relatively
> straightforward once we get HPKP working.
I am surely hoping there would be no IMAP, POP or SMTP extensions to
address this. IMHO, judging from past experiences of any new
functionality being adopted by IMAP/POP/SMTP, the chances of such extensions
being deployed in any reasonable number of email clients any time soon
are close to 0. I think some more generic facility (like a TLS
extension) has a much better chance of success.

Having said that, I think it is OK if an HTTP facility is deployed now
before the TLS extension is finalized.
> * It's not clear that SMTP over TLS is very beneficial, because you
> can't stop delivery due to pin validation failure (or really even
> regular old X.509 failure). You could use certificate errors as
> soft-fail spam signals, but you can in principle do that now, too,
> without explicit pinning. I don't know how much benefit you'd get from
> using pin validation failure as a spam signal.
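As an added example (not code from this thread, nor from the HPKP or TACK drafts), here is the pin check the discussion refers to: pins are base64 of SHA-256 over the DER SubjectPublicKeyInfo, carried in a Public-Key-Pins header with max-age and an optional includeSubDomains directive, and a pin set is only noted when it also carries a backup pin that matches nothing in the current chain. The hard-fail form is what an HTTPS client would use; the soft-fail variant returns a score for the SMTP case above. The SPKI byte strings are constructed stand-ins and the penalty weight is an arbitrary assumption.

```python
import base64
import hashlib
import re
from dataclasses import dataclass, field

PIN_RE = re.compile(r'pin-sha256="([A-Za-z0-9+/=]+)"')

# Constructed stand-ins for DER-encoded SubjectPublicKeyInfo blobs.
LEAF_SPKI = b"constructed-leaf-spki"
INTERMEDIATE_SPKI = b"constructed-intermediate-spki"
BACKUP_SPKI = b"constructed-offline-backup-key-spki"
ATTACKER_SPKI = b"constructed-unrelated-spki"


@dataclass
class PinSet:
    pins: set = field(default_factory=set)
    max_age: int = 0
    include_subdomains: bool = False


def spki_pin(spki_der: bytes) -> str:
    """HPKP pin value: base64(SHA-256(DER SubjectPublicKeyInfo))."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode()


def parse_pkp_header(value: str) -> PinSet:
    """Parse a Public-Key-Pins header value into pins and directives."""
    ps = PinSet(pins=set(PIN_RE.findall(value)))
    m = re.search(r"max-age=(\d+)", value)
    if m:
        ps.max_age = int(m.group(1))
    ps.include_subdomains = "includeSubDomains" in value
    return ps


def validate_chain(chain_spki: list, ps: PinSet) -> bool:
    """Hard fail: at least one pin must match some SPKI in the served chain."""
    return bool(ps.pins & {spki_pin(s) for s in chain_spki})


def can_note_pins(chain_spki: list, ps: PinSet) -> bool:
    """A pin set is noted only if it validates AND keeps a backup pin that
    matches nothing in the current chain, so a lost key cannot brick the site."""
    chain_pins = {spki_pin(s) for s in chain_spki}
    return bool(ps.pins & chain_pins) and bool(ps.pins - chain_pins)


def soft_fail_score(chain_spki: list, ps: PinSet, weight: float = 2.0) -> float:
    """SMTP-style soft fail: a pin mismatch adds to a spam score instead of
    refusing delivery (weight is an assumed tuning value)."""
    return 0.0 if validate_chain(chain_spki, ps) else weight
```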