Re: [websec] New draft of HTTP header-based public key pinning

Julian Reschke <julian.reschke@gmx.de> Wed, 09 November 2011 20:25 UTC

Message-ID: <4EBAE198.3020406@gmx.de>
Date: Wed, 09 Nov 2011 21:24:56 +0100
From: Julian Reschke <julian.reschke@gmx.de>
To: Chris Palmer <palmer@google.com>
References: <CAOuvq21Ne0CWT3Dzn0sutGDBg0K+efZhxmqBZiLuxbO2OwxnFg@mail.gmail.com> <CA+cU71kFFpuooyiBTarvLT3VJigZhW0BgpQi1gMTn7zB=sFh+w@mail.gmail.com> <4EBA3B24.5060602@gmx.de> <CAOuvq20NEUAwPzStBa-kRVh4rUCFU6Ece1gN-kEb0FeFsweHGw@mail.gmail.com>
In-Reply-To: <CAOuvq20NEUAwPzStBa-kRVh4rUCFU6Ece1gN-kEb0FeFsweHGw@mail.gmail.com>
Cc: IETF WebSec WG <websec@ietf.org>
Subject: Re: [websec] New draft of HTTP header-based public key pinning

On 2011-11-09 21:09, Chris Palmer wrote:
> On Wed, Nov 9, 2011 at 12:34 AM, Julian Reschke <julian.reschke@gmx.de> wrote:
>
>> <http://greenbytes.de/tech/webdav/draft-ietf-httpbis-p2-semantics-17.html#rfc.section.3.1>
>>
>> So decide whether you want to allow multiple header fields (in which case
>> you should use the ABNF list notation used in 2616/HTTPbis), *or* define the
>> syntax so that a "," introduced by header field recombination can be
>> detected by recipients.
>
> I'm sorry, I don't know what you mean by "a ',' introduced by header
> field recombination".

<http://greenbytes.de/tech/webdav/rfc2616.html#rfc.section.4.2.p.5>

> What grammar do you prefer?

I would recommend a syntax that uses a single delimiter. If you use ";", 
you'd be able to detect the case mentioned above. If you use ",", you 
could support multiple header fields (if this is desired).

By using both however, you gain nothing (IMHO), and create potential 
problems.

Let's assume it's ";". In that case I would write:

directives      = max-age LWS *( ";" LWS [ fingerprint ] )

thus requiring max-age to always be first (your grammar allows it at the 
beginning and at the end, but not in between; this is likely to cause 
confusion).

Then make fingerprint a proper name/value pair, as in other HTTP 
parameters, and put the name of the hash into the parameter name. So 
instead of

    Public-Key-Pins: max-age=31536000;
        pins=sha1-4n972HfV354KP560yw4uqe/baXc=,
        sha256-LPJNul+wow4m6DsqxbninhsWHlwfp0JecwQzYpOLmCQ=

you'd have

    Public-Key-Pins: max-age=31536000;
        pins-sha1=4n972HfV354KP560yw4uqe/baXc=;
        pins-sha256=LPJNul+wow4m6DsqxbninhsWHlwfp0JecwQzYpOLmCQ=

Finally, allow quoted-string notation,

    Public-Key-Pins: max-age=31536000;
        pins-sha1="4n972HfV354KP560yw4uqe/baXc=";
        pins-sha256="LPJNul+wow4m6DsqxbninhsWHlwfp0JecwQzYpOLmCQ="

so that characters not allowed (such as "/") in HTTP tokens work.

Best regards, Julian

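Assuming ";" as the single delimiter and the pins-<hash> naming proposed above, here is an added example (not code from the draft or from anyone in this thread) of a recipient-side parser for such a field value: it accepts token and quoted-string values, requires max-age to come first, and reports a bare "," outside a quoted-string as the sign that two header fields were recombined by an intermediary.

```python
import re
# Added example (not from any draft): parser for the ";"-only Public-Key-Pins syntax
# proposed in the mail: max-age first, then pins-<hash>=<token or quoted-string>.
TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"            # RFC 2616 token characters
QUOTED = r'"(?:[^"\\]|\\.)*"'                      # quoted-string with \-escapes
PARAM = re.compile(r"\s*(%s)\s*=\s*(%s|%s)\s*$" % (TOKEN, QUOTED, TOKEN))

def split_params(value):                           # split on ';' outside quoted-strings
    parts, cur, in_q, i = [], [], False, 0
    while i < len(value):
        c = value[i]
        if in_q and c == "\\" and i + 1 < len(value):   # keep escaped pair intact
            cur.append(value[i:i + 2]); i += 2; continue
        if c == '"':
            in_q = not in_q
        if c == ";" and not in_q:
            parts.append("".join(cur)); cur = []
        else:
            cur.append(c)
        i += 1
    if in_q:
        raise ValueError("unterminated quoted-string")
    return parts + ["".join(cur)]
def unquote(v):
    return re.sub(r"\\(.)", r"\1", v[1:-1]) if v.startswith('"') else v
def parse_pins(header_value):
    """Return (max_age, {hash_name: [fingerprint, ...]}) or raise ValueError."""
    params = split_params(header_value)
    first = PARAM.match(params[0])
    if not first or first.group(1).lower() != "max-age":
        raise ValueError("max-age must be the first directive")
    pins = {}
    for p in params[1:]:
        if not p.strip():             # "*( ';' [ fingerprint ] )" permits an empty slot
            continue
        m = PARAM.match(p)
        if not m:
            # ";" being the only delimiter, a bare "," can only come from an intermediary
            # that folded two header fields into one (RFC 2616 section 4.2).
            if "," in re.sub(QUOTED, "", p):
                raise ValueError("',' outside quoted-string: header fields were recombined")
            raise ValueError("malformed parameter (unquoted non-token chars?): %r" % p.strip())
        name = m.group(1).lower()
        if name.startswith("pins-"):  # unknown parameters are ignored for extensibility
            pins.setdefault(name[5:], []).append(unquote(m.group(2)))
    return int(unquote(first.group(2))), pins
def pin_error(header_value):          # None if the value parses, else the error message
    try:
        parse_pins(header_value)
    except ValueError as e:
        return str(e)
```

Note that the unquoted form from the mail fails on "/" and the trailing "=" of the base64 digest, which is exactly why the quoted-string notation is needed.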