Re: [websec] #58: Should we pin only SPKI, or also names

[Gervase Markham <gerv@mozilla.org>]

On 12/08/13 17:11, Trevor Perrin wrote:
> If people hate this, someone should make a proposal for a registry:

Or make a proposal to stick with the current spec, and not pin names :-)

>> I think there will be problems with people not being protected who
>> expect to be, if you allow this sort of pinning into the spec but leave
>> entirely undefined the mechanisms for communicating what it actually
>> should mean when someone pins to a name.
> 
> Could you explain how these problems would arise?
> 
> I'm proposing CAs would coordinate with browsers, then inform their
> customers (websites) which name to use.  A misbehaving CA could inform
> its customers of a meaningless name, causing browsers to ignore the
> pin.  But a misbehaving CA could violate its customers' security in
> other ways.

They would arise via any of the obvious mechanisms this could go wrong,
e.g.:

* CA fails to communicate with (some subset of) browsers, perhaps the
small ones, leading to divergent behaviour

* Browser update is not universally accepted, leading to divergent behaviour

Say Foo CA merges with Bar CA, and issues an edict that from now on the
string "fooca.com" will include the already-deployed root, "Bar CA
Super-Secure". Six months later, after gnashing their teeth at the delay
that this process is introducing into their business, they start issuing
certs from "Bar CA Super-Secure" to Foo CA customers. A site,
naiveshop.com, is pinned to fooca.com, and buys one of these new certs.
All naiveshop.com's customers whose browsers are older than 6 months get
connection failures, and naiveshop.com can't easily detect that this is
happening, or to how many people.

Gerv