Re: [websec] #58: Should we pin only SPKI, or also names

Yoav Nir <ynir@checkpoint.com> Thu, 08 August 2013 20:42 UTC

From: Yoav Nir <ynir@checkpoint.com>
To: Tobias Gondrom <tobias.gondrom@gondrom.org>
Cc: "<websec@ietf.org>" <websec@ietf.org>
Date: Thu, 08 Aug 2013 20:42:01 +0000
Message-ID: <2B676EE1-AF70-4905-B184-0CABEFCB7C71@checkpoint.com>
In-Reply-To: <5203FD0E.40506@gondrom.org>

On Aug 8, 2013, at 11:18 PM, Tobias Gondrom <tobias.gondrom@gondrom.org> wrote:

> Hi,
> 
> <no hats>
> 
> On 08/08/13 04:38, Trevor Perrin wrote:
>> On Wed, Aug 7, 2013 at 8:53 AM, Yoav Nir <ynir@checkpoint.com> wrote:
>>> On Aug 7, 2013, at 1:14 PM, Trevor Perrin <trevp@trevp.net> wrote:
>>>> Only CAs which had "opted-in" and provided the requisite info to
>>>> browsers would be in the table.
>>> I'm only wondering where I get a copy of that table and who maintains it.
>> CAs and Browsers would have to work that out.  I don't know what their
>> preferred coordination method would be.
>> 
> 
> Hm, I did expect we could do the name pinning - if we want to do it -
> without additional coordination at all for this. If you pin to the name
> in the cert, this would only allow certs from this CA to be trusted for
> this specific domain. As in the repository of the browsers as it is
> today already. What did I miss here?

If you go to https://www.iana.org, you get the following certificate chain:
 - *.iana.org
 - Go Daddy Secure Certification Authority
 - Go Daddy Class 2 Certification Authority

So without any registry, you can pin to "Go Daddy Class 2 Certification Authority". But the next time IANA needs to get a certificate (August 2016), even if they get it from Go Daddy, they might get it from the other root CA ("Go Daddy Root Certificate Authority - G2"), which signs with SHA-256, and who knows, by then they might have a new one, perhaps with ECDSA. As a customer, you talk to a vendor. Most customers don't know which TA is actually going to be used. In some cases (Symantec) there are very many of them.

Someone needs to map "Symantec" to a list of pins, and IMO that someone is neither the IETF nor IANA.

Yoav
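The renewal scenario Yoav describes, as an added example that is not part of the thread or of any project's code: a small HPKP-style pin check over certificate chains modelled as (subject name, SPKI bytes). The SPKI bytes, the 2016 chain and its intermediate name are constructed assumptions; the check shows that a name pin or a single SPKI pin to the root seen in 2013 stops matching once the CA moves to its G2 root, while a vendor-maintained list of pins still does.

```python
import base64
import hashlib
from typing import Dict, List, Set, Tuple

# A certificate is modelled as (subject name, DER SubjectPublicKeyInfo).
# The SPKI byte strings below are CONSTRUCTED placeholders for real DER;
# only the fact that each key is distinct matters here.
Cert = Tuple[str, bytes]

def spki_pin(spki_der: bytes) -> str:
    """Pin as HPKP defines it: base64 of the SHA-256 digest of the DER SPKI."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")

def chain_matches_spki_pins(chain: List[Cert], pins: Set[str]) -> bool:
    """HPKP rule: the chain passes if any certificate in it matches a pin."""
    return any(spki_pin(spki) in pins for _, spki in chain)

def chain_matches_name_pins(chain: List[Cert], names: Set[str]) -> bool:
    """Name pinning as discussed in the thread: does any issuer in the chain
    (everything above the leaf) carry a pinned subject name?"""
    return any(subject in names for subject, _ in chain[1:])

# Constructed chain matching the one described for www.iana.org in 2013.
OLD_ROOT = ("Go Daddy Class 2 Certification Authority", b"spki:gd-class2-root")
OLD_INT = ("Go Daddy Secure Certification Authority", b"spki:gd-secure-ca")
CHAIN_2013 = [("*.iana.org", b"spki:iana-2013-leaf"), OLD_INT, OLD_ROOT]

# Assumed chain after renewal under the CA's G2 root (intermediate name constructed).
NEW_ROOT = ("Go Daddy Root Certificate Authority - G2", b"spki:gd-g2-root")
NEW_INT = ("Go Daddy Secure CA - G2 (constructed)", b"spki:gd-secure-ca-g2")
CHAIN_2016 = [("*.iana.org", b"spki:iana-2016-leaf"), NEW_INT, NEW_ROOT]

def scenario() -> Dict[str, bool]:
    # The site operator pins what the chain shows today: one root name, one root key.
    name_pins = {OLD_ROOT[0]}
    single_spki_pins = {spki_pin(OLD_ROOT[1])}
    # A vendor-maintained list covering every trust anchor the CA may sign under.
    vendor_pins = {spki_pin(OLD_ROOT[1]), spki_pin(NEW_ROOT[1])}
    return {
        "name_pin_2013": chain_matches_name_pins(CHAIN_2013, name_pins),
        "name_pin_2016": chain_matches_name_pins(CHAIN_2016, name_pins),
        "single_spki_2013": chain_matches_spki_pins(CHAIN_2013, single_spki_pins),
        "single_spki_2016": chain_matches_spki_pins(CHAIN_2016, single_spki_pins),
        "vendor_list_2016": chain_matches_spki_pins(CHAIN_2016, vendor_pins),
    }

if __name__ == "__main__":
    for check, ok in scenario().items():
        print(f"{check}: {'pass' if ok else 'FAIL'}")
```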