Re: [websec] New draft of HTTP header-based public key pinning
Chris Palmer <palmer@google.com> Wed, 09 November 2011 21:28 UTC
Return-Path: <palmer@google.com>
X-Original-To: websec@ietfa.amsl.com
Delivered-To: websec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7169721F869E for <websec@ietfa.amsl.com>; Wed, 9 Nov 2011 13:28:34 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -103.577
X-Spam-Level:
X-Spam-Status: No, score=-103.577 tagged_above=-999 required=5 tests=[AWL=-0.600, BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, RCVD_IN_DNSWL_LOW=-1, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id QDpXEb3VwAHm for <websec@ietfa.amsl.com>; Wed, 9 Nov 2011 13:28:34 -0800 (PST)
Received: from mail-ww0-f42.google.com (mail-ww0-f42.google.com [74.125.82.42]) by ietfa.amsl.com (Postfix) with ESMTP id AB4E921F85A4 for <websec@ietf.org>; Wed, 9 Nov 2011 13:28:33 -0800 (PST)
Received: by wwf22 with SMTP id 22so8387333wwf.1 for <websec@ietf.org>; Wed, 09 Nov 2011 13:28:32 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=beta; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type:content-transfer-encoding:x-system-of-record; bh=jv5jQTrpXQtGTl+7PTSiA7181UgOMQedm3waAp6F3Hw=; b=w/ZykRZmeXQ81Ofdb6yiqazojdBX8S62kWRqcB3YpqBXgeLwokBAuaDhoy6TBAIgE3 KsOkbAMmyouyVAdopn0Q==
Received: by 10.216.138.29 with SMTP id z29mr126266wei.4.1320874112788; Wed, 09 Nov 2011 13:28:32 -0800 (PST)
MIME-Version: 1.0
Received: by 10.216.138.29 with SMTP id z29mr126261wei.4.1320874112686; Wed, 09 Nov 2011 13:28:32 -0800 (PST)
Received: by 10.216.216.205 with HTTP; Wed, 9 Nov 2011 13:28:32 -0800 (PST)
In-Reply-To: <4EBAE198.3020406@gmx.de>
References: <CAOuvq21Ne0CWT3Dzn0sutGDBg0K+efZhxmqBZiLuxbO2OwxnFg@mail.gmail.com> <CA+cU71kFFpuooyiBTarvLT3VJigZhW0BgpQi1gMTn7zB=sFh+w@mail.gmail.com> <4EBA3B24.5060602@gmx.de> <CAOuvq20NEUAwPzStBa-kRVh4rUCFU6Ece1gN-kEb0FeFsweHGw@mail.gmail.com> <4EBAE198.3020406@gmx.de>
Date: Wed, 09 Nov 2011 13:28:32 -0800
Message-ID: <CAOuvq20GYnrbwMQE9KZkNTFqETxJ4utKKzFNZ3ThQLnKbL299Q@mail.gmail.com>
From: Chris Palmer <palmer@google.com>
To: Julian Reschke <julian.reschke@gmx.de>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
X-System-Of-Record: true
Cc: IETF WebSec WG <websec@ietf.org>
Subject: Re: [websec] New draft of HTTP header-based public key pinning
X-BeenThere: websec@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/websec>, <mailto:websec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/websec>
List-Post: <mailto:websec@ietf.org>
List-Help: <mailto:websec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/websec>, <mailto:websec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 09 Nov 2011 21:28:34 -0000
>From what I can gather, there is a thing called "header field recombination", in which a proxy or something collapses two or more headers of the same type into one, and joins their values with a ",". Therefore, I should not list multiple pins separated with a "," in the PKP header. OK. (This is new to me. Are there MITMs that really do this? Why?) (FWIW, the only relevant hit in the first page of Google results for [ header field recombination ] is http://svn.tools.ietf.org/wg/httpbis/trac/ticket/231.) > Public-Key-Pins: max-age=31536000; > pins-sha1=4n972HfV354KP560yw4uqe/baXc=; > pins-sha256=LPJNul+wow4m6DsqxbninhsWHlwfp0JecwQzYpOLmCQ= OK. I suppose now we might as well get rid of the "pins-" too. > Finally, allow quoted-string notation, > > Public-Key-Pins: max-age=31536000; > pins-sha1="4n972HfV354KP560yw4uqe/baXc="; > pins-sha256="LPJNul+wow4m6DsqxbninhsWHlwfp0JecwQzYpOLmCQ=" > > so that characters not allowed (such as "/") in HTTP tokens work. But if "/" is not allowed in HTTP tokens, we have to require quoted-string notation, and not merely allow it. Right? Could anyone propose exact ABNF grammar that is acceptable given the above constraints? Currently, I have it as: Public-Key-Pins = "Public-Key-Pins" ":" LWS directives directives = max-age LWS ";" LWS pins / pins LWS ";" LWS max-age max-age = "max-age" LWS "=" LWS delta-seconds pins = "pins" LWS "=" LWS fingerprints fingerprints = fingerprint / fingerprint "," fingerprints fingerprint = fp-type "-" base64-digits fp-type = "sha1" / "sha256" Thanks!
- [websec] New draft of HTTP header-based public ke… Chris Palmer
- Re: [websec] New draft of HTTP header-based publi… Tom Ritter
- Re: [websec] New draft of HTTP header-based publi… Chris Palmer
- Re: [websec] New draft of HTTP header-based publi… Steingruebl, Andy
- Re: [websec] New draft of HTTP header-based publi… Chris Evans
- Re: [websec] New draft of HTTP header-based publi… Yoav Nir
- Re: [websec] New draft of HTTP header-based publi… Julian Reschke
- Re: [websec] New draft of HTTP header-based publi… Adam Barth
- Re: [websec] New draft of HTTP header-based publi… Steingruebl, Andy
- Re: [websec] New draft of HTTP header-based publi… Adam Barth
- Re: [websec] New draft of HTTP header-based publi… Paul Hoffman
- Re: [websec] New draft of HTTP header-based publi… Adam Barth
- Re: [websec] New draft of HTTP header-based publi… Chris Palmer
- Re: [websec] New draft of HTTP header-based publi… Julian Reschke
- Re: [websec] New draft of HTTP header-based publi… Chris Palmer
- Re: [websec] New draft of HTTP header-based publi… Julian Reschke
- Re: [websec] New draft of HTTP header-based publi… Chris Palmer
- Re: [websec] New draft of HTTP header-based publi… Ryan Sleevi
- Re: [websec] New draft of HTTP header-based publi… Chris Palmer