Re: [websec] Comments on draft-ietf-websec-key-pinning-06

Chris Palmer <palmer@google.com> Mon, 24 June 2013 21:29 UTC

In-Reply-To: <CAOuvq203V8LNjkimfd2m+aTX7-gKr=J62jmUqz-PDQEN6O9Lvg@mail.gmail.com>
References: <8c03997da80b4e8da7100491011b8c12@BN1PR03MB039.namprd03.prod.outlook.com> <6F2FE5F2-D02C-4B09-A6CA-7C3B63722E34@checkpoint.com> <CAOuvq203V8LNjkimfd2m+aTX7-gKr=J62jmUqz-PDQEN6O9Lvg@mail.gmail.com>
Date: Mon, 24 Jun 2013 14:29:36 -0700
Message-ID: <CAOuvq20_KZPcBWyPgpGj=K5gy=1BGGRv11Zuxmcw_wBmzBhgUA@mail.gmail.com>
From: Chris Palmer <palmer@google.com>
To: Yoav Nir <ynir@checkpoint.com>
Cc: David Matson <dmatson@microsoft.com>, "websec@ietf.org" <websec@ietf.org>
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
List-Archive: <http://www.ietf.org/mail-archive/web/websec>

If you haven't already, I'd urge everyone to take pcaps of a web
session to their bank or to their web mail provider or whatever. I
think you'll quickly see that even a large HPKP header, say 500 bytes,
is not going to be the thing that makes web traffic bloated.
(Sometimes, the certificate chains themselves outweigh the pins — and
that traffic occurs before the crucial point of widening the TCP
window! Whereas HTTP headers most likely occur afterward.)

Also, at one point somebody raised an idea of saying you could pin to
a set of keys — say, Symantec or StartCom's issuing certs — with a
single directive. Something like:

    Public-Key-Pins: max-age=...; pin-set: symantec; includeSubDomains

There'd need to be some kind of registry for the names of sets, of
course, which is complicated. And how do UAs learn of updates to the
sets, and so on. It's a nice idea that would improve on-the-wire size
in bytes, and also enable web application providers to pin more
easily. If there is demand, perhaps we could create such an extension
to HPKP/TACK/etc. But I don't think it should be a blocker for this
I-D.
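
The following is an added worked example and is not code from this message, from the HPKP draft, or from any browser; it illustrates the two points above. It assumes the `pin-sha256="..."; max-age=...; includeSubDomains` directive syntax that the draft later standardised as RFC 7469, spells the hypothetical set directive from the mail as `pin-set=name` (an assumed form), and stands in for a registry of named sets with a local dictionary. The SubjectPublicKeyInfo blobs are constructed placeholder bytes, since only their SHA-256 matters for pinning. It builds a header for a handful of pins, reports its on-the-wire size, parses it back, and checks a presented chain against the effective pin set.

```python
import base64
import hashlib
import re

# Constructed stand-ins for DER-encoded SubjectPublicKeyInfo blobs (a real one
# is a few hundred bytes); pinning only ever looks at their SHA-256 digest.
LEAF_SPKI = b"constructed-leaf-spki"
INTERMEDIATE_SPKI = b"constructed-intermediate-spki"
ROOT_SPKI = b"constructed-root-spki"
ROGUE_SPKI = b"constructed-rogue-spki"


def pin_sha256(spki_der: bytes) -> str:
    """Pin value: base64 of SHA-256 over the DER SubjectPublicKeyInfo."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")


# Hypothetical registry for the "pin-set" directive sketched in the mail.
# In reality a UA would need an agreed, updatable source for these; this
# dictionary is an assumption made for the example.
PIN_SET_REGISTRY = {
    "example-ca": {pin_sha256(INTERMEDIATE_SPKI), pin_sha256(ROOT_SPKI)},
}

# One directive: name, optionally "=" and a quoted or bare value.
_DIRECTIVE = re.compile(r'\s*([A-Za-z0-9-]+)\s*(?:=\s*(?:"([^"]*)"|([^;]*)))?\s*')


def build_pkp_header(pins, max_age: int, include_subdomains: bool = False) -> str:
    """Serialise a Public-Key-Pins header value (RFC 7469 directive syntax)."""
    parts = [f'pin-sha256="{p}"' for p in sorted(pins)]
    parts.append(f"max-age={max_age}")
    if include_subdomains:
        parts.append("includeSubDomains")
    return "; ".join(parts)


def header_size(header_value: str) -> int:
    """Bytes the header occupies on the wire, field name included."""
    return len(("Public-Key-Pins: " + header_value).encode("ascii"))


def parse_pkp(header_value: str) -> dict:
    """Parse a Public-Key-Pins value into a policy; unknown directives are ignored."""
    pins, pin_sets, max_age, include_subdomains = set(), [], None, False
    for field in header_value.split(";"):
        if not field.strip():
            continue
        m = _DIRECTIVE.fullmatch(field)
        if not m:
            raise ValueError(f"malformed directive: {field!r}")
        name = m.group(1).lower()
        value = m.group(2) if m.group(2) is not None else m.group(3)
        if name == "pin-sha256":
            if not value or not value.strip():
                raise ValueError("pin-sha256 requires a value")
            pins.add(value.strip())
        elif name == "max-age":
            if value is None:
                raise ValueError("max-age requires a value")
            max_age = int(value.strip())
        elif name == "includesubdomains":
            include_subdomains = True
        elif name == "pin-set":  # hypothetical extension from the mail
            if not value or not value.strip():
                raise ValueError("pin-set requires a name")
            pin_sets.append(value.strip())
    if max_age is None:
        raise ValueError("max-age is required")
    return {"pins": pins, "pin_sets": pin_sets, "max_age": max_age,
            "include_subdomains": include_subdomains}


def effective_pins(policy: dict) -> set:
    """Explicit pins plus every pin in each referenced named set."""
    pins = set(policy["pins"])
    for name in policy["pin_sets"]:
        if name not in PIN_SET_REGISTRY:
            raise ValueError(f"unknown pin set {name!r}: no registry entry")
        pins |= PIN_SET_REGISTRY[name]
    return pins


def chain_matches(policy: dict, chain_spkis) -> bool:
    """Pin validation: at least one SPKI in the served chain must match a pin."""
    pins = effective_pins(policy)
    return any(pin_sha256(spki) in pins for spki in chain_spkis)


if __name__ == "__main__":
    hdr = build_pkp_header({pin_sha256(LEAF_SPKI), pin_sha256(ROOT_SPKI)},
                           5184000, include_subdomains=True)
    print(f"Public-Key-Pins: {hdr}")
    print(f"{header_size(hdr)} bytes on the wire for two pins")
    policy = parse_pkp(hdr)
    print("honest chain:", chain_matches(policy, [LEAF_SPKI, INTERMEDIATE_SPKI, ROOT_SPKI]))
    print("rogue chain: ", chain_matches(policy, [ROGUE_SPKI, INTERMEDIATE_SPKI]))
```

Two pins plus `max-age` and `includeSubDomains` come to well under 200 bytes, which is the size argument of the first paragraph in concrete terms. The `pin-set` branch shows why the second idea is not free: the moment a policy names a set, the UA's result depends on a registry it has to obtain and keep current, and a name the UA does not know leaves it unable to validate the chain at all.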