IETF Logo Mail Archive

Re: [websec] Comments on draft-ietf-websec-key-pinning-06

Trevor Perrin <trevp@trevp.net> Mon, 24 June 2013 01:13 UTC

Return-Path: <trevp@trevp.net>
X-Original-To: websec@ietfa.amsl.com
Delivered-To: websec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8645911E80E4 for <websec@ietfa.amsl.com>; Sun, 23 Jun 2013 18:13:30 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.425
X-Spam-Level:
X-Spam-Status: No, score=-0.425 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, FH_RELAY_NODNS=1.451, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, RDNS_NONE=0.1]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id rVkCMxHV1jb4 for <websec@ietfa.amsl.com>; Sun, 23 Jun 2013 18:13:25 -0700 (PDT)
Received: from mail-we0-x229.google.com (mail-we0-x229.google.com [IPv6:2a00:1450:400c:c03::229]) by ietfa.amsl.com (Postfix) with ESMTP id DB49411E80F6 for <websec@ietf.org>; Sun, 23 Jun 2013 18:13:24 -0700 (PDT)
Received: by mail-we0-f169.google.com with SMTP id n57so7853831wev.28 for <websec@ietf.org>; Sun, 23 Jun 2013 18:13:22 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=mime-version:x-originating-ip:in-reply-to:references:date :message-id:subject:from:to:cc:content-type:x-gm-message-state; bh=Y1rSfbRb5YJB1MWOA3eJ/qw6aHaeJY/VppU2I0yV6oI=; b=mHvLSvKiKYEmjddT/wF5wPlokwGGxc31EPnOiBzFGzc7Nki5wmtlWujAFvOsc6kzdR L0KlHll/tPTRNxG2YjvACAoMu0lhhu89mKYmNEbVGP1bGwT6UK5PjF4SzgdvIN6DSNoC z8248h5jPUhl936oPcbjBzbz012sywLyO5KNX5tb0uQKyl1tuy3hqi5M8sqyHPGmu4ta i3irLB/qJBx3h+R4bktM/3mE5SaprnF9m7Jqwejd5Ra+HKxQGW+lT8naKBUlO6z0rC9T f5zEMtTymbDdeYmBUgI76UQKBzjpvJvTle1yO1ozgJDXjVlH3uAYSL91SsJ1YmdAm+hQ JlZQ==
MIME-Version: 1.0
X-Received: by 10.194.24.40 with SMTP id r8mr7481244wjf.7.1372036402643; Sun, 23 Jun 2013 18:13:22 -0700 (PDT)
Received: by 10.216.212.9 with HTTP; Sun, 23 Jun 2013 18:13:22 -0700 (PDT)
X-Originating-IP: [173.11.70.186]
In-Reply-To: <6F2FE5F2-D02C-4B09-A6CA-7C3B63722E34@checkpoint.com>
References: <8c03997da80b4e8da7100491011b8c12@BN1PR03MB039.namprd03.prod.outlook.com> <6F2FE5F2-D02C-4B09-A6CA-7C3B63722E34@checkpoint.com>
Date: Sun, 23 Jun 2013 18:13:22 -0700
Message-ID: <CAGZ8ZG32cRRU3rQ31cN0ZB78_Oxn7E4LpyTpYi0bT59jhzNuiw@mail.gmail.com>
From: Trevor Perrin <trevp@trevp.net>
To: Yoav Nir <ynir@checkpoint.com>
Content-Type: multipart/alternative; boundary="047d7b5d352866161004dfdc1e84"
X-Gm-Message-State: ALoCoQndUJkwlDAtj9LyULQWWASnTwTHBJ/JlUq08H8VidWUc17AV/AmnzBb+a2srAjTXEs8ShMG
Cc: David Matson <dmatson@microsoft.com>, "websec@ietf.org" <websec@ietf.org>
Subject: Re: [websec] Comments on draft-ietf-websec-key-pinning-06
X-BeenThere: websec@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/websec>, <mailto:websec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/websec>
List-Post: <mailto:websec@ietf.org>
List-Help: <mailto:websec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/websec>, <mailto:websec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 24 Jun 2013 01:13:30 -0000

On Sun, Jun 23, 2013 at 12:25 AM, Yoav Nir <ynir@checkpoint.com> wrote:

>  Hi David
>
>  As far as I know, this idea was not discussed before. If we were to do
> this, the proper URI for this would be some kind of RFC 5785 URI like
> "/.well-known/pins" or "/.well-known/hpkp".
>
>  Looking at the examples in the key-pinning draft, an HPKP header using
> SHA-1 takes just under 120 bytes.
>

Depends on the number of pinned keys.  Chrome's existing preloads [1] have
9, 5, 19, 36, 2, and 2 keys.  That's a mean of 12, which would be >500
bytes with SHA256.



>  Compared to some of the stuff that gets sent in HTTP headers (I'm looking
> at you, user-agent) this is pretty tame. Moreover, the key-pinning header
> does not have to be sent in every response - it's enough to send it once
> per full TLS handshake.
>

I thought so too, but draft-04 and later say:

"If the Pinned Host does not include the PKP header field, and if the
connection passed Pin Validation, UAs MUST treat the host as if it had set
its max-age to 0 (see Section 2.3.1)."

So apparently it *does* need to be sent on every response, to maintain the
pin?


Still, I can see several merits in your proposal:
>  - clients that don't support key pinning need not get a header they're
> not going to process
>  - Inserting a header only in the first response requires information from
> the TLS layer, so it's easier to just insert the header in every response.
>  - HTTP/2 is not yet here, let alone wide-spread.
>

Agreed it has merit, particularly if there's any possibility of future
pinning policies growing larger with other types of data (e.g. policies for
error-handling and reporting, or "pinning" to other things like CT, DNSSEC,
TACK, etc...)


Trevor

v2.23.0 | Report a Bug | By Email