IETF Logo Mail Archive

Re: [websec] #58: Should we pin only SPKI, or also names

Tobias Gondrom <tobias.gondrom@gondrom.org> Thu, 08 August 2013 21:36 UTC

Return-Path: <tobias.gondrom@gondrom.org>
X-Original-To: websec@ietfa.amsl.com
Delivered-To: websec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1A80A21F9D3B for <websec@ietfa.amsl.com>; Thu, 8 Aug 2013 14:36:12 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -95.362
X-Spam-Level:
X-Spam-Status: No, score=-95.362 tagged_above=-999 required=5 tests=[AWL=-0.001, BAYES_00=-2.599, FH_HELO_EQ_D_D_D_D=1.597, FH_HOST_EQ_D_D_D_D=0.765, FM_DDDD_TIMES_2=1.999, HELO_DYNAMIC_IPADDR=2.426, HELO_EQ_DE=0.35, HTML_MESSAGE=0.001, RDNS_DYNAMIC=0.1, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id eo8MijC0fexi for <websec@ietfa.amsl.com>; Thu, 8 Aug 2013 14:36:07 -0700 (PDT)
Received: from lvps176-28-13-69.dedicated.hosteurope.de (lvps176-28-13-69.dedicated.hosteurope.de [176.28.13.69]) by ietfa.amsl.com (Postfix) with ESMTP id C1FC811E822D for <websec@ietf.org>; Thu, 8 Aug 2013 14:36:06 -0700 (PDT)
DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=default; d=gondrom.org; b=uzcwM0VZGytokFsEnXrUYQSDyVTOz1/n5kNftwT6VEtxGLXDusPTbLmWa9oE5f6vHLu3g3I57lvxzEZGWxlo6wUPR+9aUiYp1JkrUcauYqSX0S6yfZTokak3wVscvmtc; h=Received:Received:Message-ID:Date:From:User-Agent:MIME-Version:To:CC:Subject:References:In-Reply-To:X-Enigmail-Version:Content-Type;
Received: (qmail 13853 invoked from network); 8 Aug 2013 23:36:05 +0200
Received: from 188-222-103-191.zone13.bethere.co.uk (HELO ?192.168.1.64?) (188.222.103.191) by lvps176-28-13-69.dedicated.hosteurope.de with ESMTPSA (DHE-RSA-AES256-SHA encrypted, authenticated); 8 Aug 2013 23:36:05 +0200
Message-ID: <52040F44.3040606@gondrom.org>
Date: Thu, 08 Aug 2013 22:36:04 +0100
From: Tobias Gondrom <tobias.gondrom@gondrom.org>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:17.0) Gecko/20130623 Thunderbird/17.0.7
MIME-Version: 1.0
To: ynir@checkpoint.com
References: <060.be9b0009dc0350ca543f553042673944@trac.tools.ietf.org> <CAMm+LwjdGJC4FHCJ_OAYGRqCGGc0Nz1pLV=yVGK9M9E7drfujQ@mail.gmail.com> <CAOuvq200e9HnPX1w9sZ+e7ipBmdgZdPL5xzKDgcaDpSxz1N=gg@mail.gmail.com> <CAMm+Lwh384YBMXw-BDoxJw+AN4qv8x6GQpF9YK4PW1gQRnadpg@mail.gmail.com> <6125A841-6C85-4858-B37F-C021067F0CFA@checkpoint.com> <2035FF99-A079-4F2F-B4DE-962FE1C1B964@checkpoint.com> <CAGZ8ZG2Ex9Cvft38zSQX5Hcu3hU40HOjpAM+9fCG=JgBJM55Qg@mail.gmail.com> <520214F7.8020308@mozilla.org> <CAGZ8ZG2N7NBUvjYQVw=CKgnq1KG5JfeN9hZU2-DSKT6OFmBVFg@mail.gmail.com> <52021982.8030108@mozilla.org> <CAGZ8ZG2OCCziSn-WtFGdCGnFEVTFz=9truK6kkFkF3pq1TEyNA@mail.gmail.com> <CB91CFAD-5C75-42C1-9A04-89D55E5E669C@checkpoint.com> <CAGZ8ZG3hmQL4+Jnt-vA7OU=tVpGJ9JXE2eR+Pwr=cyLDg7HfYw@mail.gmail.com> <5203FD0E.40506@gondrom.org> <2B676EE1-AF70-4905-B184-0CABEFCB7C71@checkpoint.com> <CAOuvq205dUTiduLC8bNM95qB+Tnv5-Xeg4xZVn80+1DLWoVROA@mail.gmail.com> <C408BB52-7581-4A18-AEFA-45E38343A404@checkpoint.com>
In-Reply-To: <C408BB52-7581-4A18-AEFA-45E38343A404@checkpoint.com>
X-Enigmail-Version: 1.5.2
Content-Type: multipart/alternative; boundary="------------070903010207070504090709"
Cc: websec@ietf.org
Subject: Re: [websec] #58: Should we pin only SPKI, or also names
X-BeenThere: websec@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/websec>, <mailto:websec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/websec>
List-Post: <mailto:websec@ietf.org>
List-Help: <mailto:websec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/websec>, <mailto:websec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 08 Aug 2013 21:36:16 -0000

On 08/08/13 22:08, Yoav Nir wrote:
> On Aug 8, 2013, at 11:57 PM, Chris Palmer <palmer@google.com> wrote:
>
>> On Thu, Aug 8, 2013 at 1:42 PM, Yoav Nir <ynir@checkpoint.com> wrote:
>>
>>> If you go to https://www.iana.org, you get the following certificate chain:
>>> - *.iana.org
>>> - Go Daddy Secure Certification Authority
>>> - Go Daddy Class 2 Certification Authority
>>>
>>> So without any registry, you can pin to "Go Daddy Class 2 Certification Authority". But the next time IANA needs to get a certificate (August 2016), even if they get it from Go Daddy, they might get it from the other root CA ("Go Daddy Root Certificate Authority - G2"), which signs with SHA-256, and who knows, by then they might have a new one, perhaps with ECDSA. As a customer, you talk to a vendor. Most customers don't know which TA is actually going to be used. In some cases (Symantec) there are very many of them.
>>>
>>> Someone needs to map "Symantec" to a list of pins, and IMO that someone is neither the IETF nor IANA.
>> Insane idea (yes, I know it is insane): What if we chose not to have a
>> registry, and let people use substrings of issuer certificate
>> CNs/OUs/whatevers as trust anchor set names?
> Substring???  RegExp!!  :-)
>
>> Obvious problems:
>>
>> * character set encoding in the HTTP header vs. in the X.509
>> certificate: Welcome To Fun-Land, Where Fun Is Not Very Fun(TM)
>> * silly substrings, like "Go" matching both "...Go Daddy..." and
>> "...Google Internet Authority..." and "...Evil Bad People (Goats)..."
>> * substitution characters: should "Securite" match "...Sécurité Réseau..." ?
>>
>> I'm sure we can all think of more problems…
> Sure.
>
> Symantec has done a lot of mergers and acquisitions, including of Verisign, which also did its share of mergers and acquisitions. So that now, Symantec has root CAs with brand names Symantec, Verisign, Thawte, and probably several others that I have forgotten. The chances of misconfiguration and bricking yourself with a new certificate are rather high.
>
> Yoav
>

<no hats>

Actually, I think the chances of bricking yourself are reasonably low/ok.

1. Consider that the CA must have the responsibility to inform the
website about any name changes of its organisation.
2. the name change of the cert only hits you when you get a new cert
from the organisation, as the name in your existing cert is still the
old one (old signing CA).
3. Before adding a new individual cert you need to phase out the old, by
using the dual pin (or dual name).

So I think the technical requirements are reasonably low to make this
work. And if people don't feel they are capable to do so, they can stay
with the normal pin to individual certs.

Just my 5cents, Tobias

v2.23.0 | Report a Bug | By Email