[websec] Re-litigating Key-Pinning

Yoav Nir <ynir.ietf@gmail.com> Wed, 27 August 2014 05:45 UTC

Return-Path: <ynir.ietf@gmail.com>
X-Original-To: websec@ietfa.amsl.com
Delivered-To: websec@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com []) by ietfa.amsl.com (Postfix) with ESMTP id 18E471A03FA for <websec@ietfa.amsl.com>; Tue, 26 Aug 2014 22:45:05 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([]) by localhost (ietfa.amsl.com []) (amavisd-new, port 10024) with ESMTP id U1l4KsdE2tzz for <websec@ietfa.amsl.com>; Tue, 26 Aug 2014 22:45:03 -0700 (PDT)
Received: from mail-we0-x234.google.com (mail-we0-x234.google.com [IPv6:2a00:1450:400c:c03::234]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 881811A03F9 for <websec@ietf.org>; Tue, 26 Aug 2014 22:45:03 -0700 (PDT)
Received: by mail-we0-f180.google.com with SMTP id w61so15591862wes.11 for <websec@ietf.org>; Tue, 26 Aug 2014 22:45:02 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=from:content-type:content-transfer-encoding:subject:date:message-id :cc:to:mime-version; bh=SeO3c8B47IxhdrY7UQtIZUGb5XZLu8apxtH4K/1HEIA=; b=qxY4lTqCLTzHaYB8LbV25xBbYfA1kTxmHHk7uhbC3ddgEsczymOYucC71airWc/K7N FWSNcgyITGUTDR1ITDn+i1Eocj3naHiZ5Sju4NbSsFW73SZq5kNXWlC61dO84HupkoB9 Duc+wuI2xUyAIOVdl78H1lzZT5yVdYUQbIYmsVykgXDPg8T5YrDMYjeKH8FcqvyjkpaY DOJ7Xo+LwoAEJpTDHq9gQIBTcU8SF67sGBRhnwN0hxURklQzdKlZCyTb01gSkodP1D2N jZ/HcXbTNhVSX9cH5bf7nPmNnuzvA9uYVZOkvu6uRY8zG567usYvNTjfc77KuG+xTkfy FuaA==
X-Received: by with SMTP id v19mr20841085wjw.18.1409118301955; Tue, 26 Aug 2014 22:45:01 -0700 (PDT)
Received: from [] ([]) by mx.google.com with ESMTPSA id y5sm14036339wje.32.2014. for <multiple recipients> (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Tue, 26 Aug 2014 22:45:01 -0700 (PDT)
From: Yoav Nir <ynir.ietf@gmail.com>
Content-Type: text/plain; charset="windows-1252"
Content-Transfer-Encoding: quoted-printable
Date: Wed, 27 Aug 2014 08:44:43 +0300
Message-Id: <6CAA88AE-1A98-4FF1-B994-A43A0AD3930D@gmail.com>
To: "<websec@ietf.org>" <websec@ietf.org>
Mime-Version: 1.0 (Mac OS X Mail 7.3 \(1878.6\))
X-Mailer: Apple Mail (2.1878.6)
Archived-At: http://mailarchive.ietf.org/arch/msg/websec/3Fd2EzYTBAUQvoD8pZzJ4cIW0Vk
Cc: Barry Leiba <barryleiba@computer.org>
Subject: [websec] Re-litigating Key-Pinning
X-BeenThere: websec@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/websec>, <mailto:websec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/websec/>
List-Post: <mailto:websec@ietf.org>
List-Help: <mailto:websec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/websec>, <mailto:websec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 27 Aug 2014 05:45:05 -0000

Hi folks

In the last few days, we’ve had a bunch of threads re-opening issues with key-pinning, mostly around the PKP-RO.

This document has gone through years of discussion on the mailing list, a WGLC and an IETF LC. 

The document is now under review by the IESG. We (the working group) and the authors need to address comments and discuss ballots by members of the IESG. This is an inappropriate time to raise new substantive issues about the document. 

Fixing editorial issues like Julians’ comments about references is fine, and could even be done *after* IESG review. However, making substantive changes like removing PKP-RO or changing the requirements for processing it cannot be done at this stage. Deciding to do this requires withdrawing the publication request and sending it back to the working group.  I do not think this is advisable.

The IETF occasionally publishes documents that are imperfect. Such imperfections can be fixed later via errata or -bis documents. For now, I think we should publish the document as it is with the changes agreed upon in discussions with ADs.


[with chair hat firmly on]