IETF Logo Mail Archive

Re: [websec] draft-ietf-websec-key-pinning

Yoav Nir <ynir.ietf@gmail.com> Thu, 28 August 2014 14:59 UTC

Return-Path: <ynir.ietf@gmail.com>
X-Original-To: websec@ietfa.amsl.com
Delivered-To: websec@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 715E71A6FFA for <websec@ietfa.amsl.com>; Thu, 28 Aug 2014 07:59:19 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 6M7mk_eaghEG for <websec@ietfa.amsl.com>; Thu, 28 Aug 2014 07:59:17 -0700 (PDT)
Received: from mail-lb0-x22c.google.com (mail-lb0-x22c.google.com [IPv6:2a00:1450:4010:c04::22c]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A66BE1A7030 for <websec@ietf.org>; Thu, 28 Aug 2014 07:59:16 -0700 (PDT)
Received: by mail-lb0-f172.google.com with SMTP id 10so1066171lbg.3 for <websec@ietf.org>; Thu, 28 Aug 2014 07:59:13 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=subject:mime-version:content-type:from:in-reply-to:date:cc :message-id:references:to; bh=3kMVZU1sJjdsMe2C+yQQp2WPt0Uk3HeC7Uyz0ZgY0mc=; b=qZkHGi52RDFw9N1nudfjUSrV69s02yr22LkwmM8HDutUJT/ZXx8q1CaBlFszV0lI5k 6FmhYwWZp003y5EqVNsSz1qMXFazfnGCdcDeUqEv24BA7Ii93hAWrgm74dqjSjQAUNsv u8pBTgh/hPb9l3/sVScbppd8bOdZOa4mmu9itP8rbWTpIIlnb59NHOUx7POx5KCfmp82 5hvYdMCa5VHZsOS5lKmYiSSe84lujwT3DUNhqcprD9xSwNzEF1jMgw8s+FYPseF0qNED 4sxTR2fYOEwBDl20pBCPdYcV5nH5K8M29vcxBwgLjZ2fkVi1SwmXdzVp3uS2uXFdr5Ol 3qyw==
X-Received: by 10.152.18.166 with SMTP id x6mr4944239lad.1.1409237952328; Thu, 28 Aug 2014 07:59:12 -0700 (PDT)
Received: from [172.24.249.230] (dyn32-131.checkpoint.com. [194.29.32.131]) by mx.google.com with ESMTPSA id la9sm2532754lab.12.2014.08.28.07.59.10 for <multiple recipients> (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Thu, 28 Aug 2014 07:59:11 -0700 (PDT)
Mime-Version: 1.0 (Mac OS X Mail 7.3 \(1878.6\))
Content-Type: multipart/alternative; boundary="Apple-Mail=_6D101CC9-BD2B-4B07-AB53-DAC05AD4228E"
From: Yoav Nir <ynir.ietf@gmail.com>
X-Priority: 3
In-Reply-To: <BAY169-DS311951F23960F4605A0CB0AEDA0@phx.gbl>
Date: Thu, 28 Aug 2014 17:59:07 +0300
Message-Id: <35F981DA-46C4-44D7-8582-25BF8BF1B31A@gmail.com>
References: <CACvaWvZNpAepBmWchLMirfPdxu4ed=vH1qwMppAjw1P9S+4quw@mail.gmail.com> <BAY169-DS311951F23960F4605A0CB0AEDA0@phx.gbl>
To: Eric Lawrence <ericlaw1979@hotmail.com>
X-Mailer: Apple Mail (2.1878.6)
Archived-At: http://mailarchive.ietf.org/arch/msg/websec/3ovQFDTEgJ95UJ2VuU1aHmXexPs
Cc: draft-ietf-websec-key-pinning <draft-ietf-websec-key-pinning@tools.ietf.org>, websec@ietf.org, Ryan Sleevi <sleevi@google.com>
Subject: Re: [websec] draft-ietf-websec-key-pinning
X-BeenThere: websec@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/websec>, <mailto:websec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/websec/>
List-Post: <mailto:websec@ietf.org>
List-Help: <mailto:websec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/websec>, <mailto:websec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 28 Aug 2014 14:59:19 -0000

Hi Eric

Part of the issue is that PKP (and PKP-RO) follow the lead of other headers such as CSP that also have report-only alternatives, but PKP is inherently different.

CSP has directives that relate to the content delivered, so if CSP has a directive that says the resource cannot be displayed behind a transparent floating frame, the content will not be displayed. If it’s CSP-RO instead of CSP, the content is displayed, but a report is also sent. That makes sense, and if you see that the CSP-RO header causes reports, you can adjust it. Once you move to CSP, you’re fine as long as the content does not change, and even if it does change, you can test it first with a test server.

For PKP it’s different. The thing that changes is the certificate presented to the client. You can’t test the new certificate on a side server, at least not in a way that will fill you with confidence. And because of the way certificates are used, there is no such thing as a static structure to the site. You have to change the certificate (and usually the key) every year, so testing with PKP-RO may be fine before first deploying PKP, but it doesn’t help you where it’s dangerous - when it’s time to change certificates.

This leads some people around here to conclude that PKP-RO is not useful.

Yoav


On Aug 28, 2014, at 5:26 PM, Eric Lawrence <ericlaw1979@hotmail.com> wrote:

> I’ll take one last tilt at this, because I think this spec is quite important and folks aren’t actually very far apart on this.
>  
> To start, I want to reiterate that Draft #20 was the first time I got involved in PKP, so my perspective comes from that draft and not any other conversations, tribal knowledge, meetings, etc, that others in the group may have been a part of.
>  
> Here’s how I *thought* Draft #20 specified things to work:
>  
>   1> PKP and PKP-RO are equivalent in every way except that PKP mismatch triggers a Report *and* fails the connection, while PKP-RO mismatch only triggers a Report. That’s why PKP-RO is named “Public Key Pins Report Only” and not “Sorta Like Public Key Pins But Does Not Break Connections And Does Not Persist (SLPKPBDNBCADNP)”
>  
>   2> Site administrators should use PKP-RO to prototype a policy to be later deployed PKP. They use PKP-RO first to generate confidence that they will not be self-inflicting any broad denial-of-service when enabling PKP.
>  
>   3> When PKP and PKP-RO headers are initially encountered (pins not previously stored), a failure to match the specified policy triggers a Report. The mismatched policy is NOT stored, which blocks the DOS bomb attack Ryan mentions below.
>  
>   4> PKP and PKP-RO only exist as different headers because it allows a site to have one policy in force and also prototype proposed policy changes.
>  
> This design made perfect sense to me, and my feedback on the draft was primarily intended to clarify the language around this design.
>  
> Instead, it appears that PKP-RO works dramatically differently than PKP, in ways that I believe are entirely non-obvious to implementers who only read the draft. While I believe it would be possible to editorially change the language to make PKP-RO’s different behavior, to me, that approach only seems to be codifying a more confusing, less useful design, and would require more work on the part of the authors.
>  
> I don’t believe there are any privacy or security implications in allowing PKP-RO to behave like PKP except that it’s “Report Only.” Any privacy or security implications in PKP-RO are shared by PKP.
>  
> -Eric Lawrence

v2.23.0 | Report a Bug | By Email