Re: [websec] Certificate Pinning via HSTS (.txt version)
Yoav Nir <ynir@checkpoint.com> Wed, 14 September 2011 06:15 UTC
From: Yoav Nir <ynir@checkpoint.com>
To: SM <sm@resistor.net>
Date: Wed, 14 Sep 2011 09:17:57 +0300
Message-ID: <05C4445E-96F3-4CB6-979A-E0C576C35DE2@checkpoint.com>
References: <4E6E9B77.1020802@KingsMountain.com> <4E6F9DC6.2080006@stpeter.im> <FA8A58ED-DD2B-446B-9F01-9D1D25140569@checkpoint.com> <6.2.5.6.2.20110913153237.0851f630@resistor.net>
In-Reply-To: <6.2.5.6.2.20110913153237.0851f630@resistor.net>
Cc: IETF WebSec WG <websec@ietf.org>
Subject: Re: [websec] Certificate Pinning via HSTS (.txt version)
On Sep 14, 2011, at 2:06 AM, SM wrote:

> Hi Yoav,
> At 11:41 13-09-2011, Yoav Nir wrote:
>> Six months ago we would not have thought that Comodo or DigiNotar
>> were easy to hack. In the latter case, the customers of DigiNotar
>> were left out in the cold. Without
>
> "The DigiNotar partnership has laid down its security policy in
> action protocols and technical protocols. For safety reasons, these
> documents are not publicly available, which means that they are
> unavailable for inspection."
>
> "A regular audit is performed by an independent external auditor to
> assess Comodo's compliance with the AICPA/CICA WebTrust program for
> Certification Authorities."
>
> People get sloppy. Businesses get complacent. At the end of the
> day, it is a business decision.

It's all legalese to me. I can read 180 such statements (for the 180 root CAs in Microsoft's store) and not get a sense of which one is safe enough for me. I don't think the average site administrator (or whoever it is who buys certificates in your organization) has better information. Besides, they tend not to put too much thought into such a small expenditure.