Re: [websec] #58: Should we pin only SPKI, or also names
Gervase Markham <gerv@mozilla.org> Mon, 12 August 2013 17:17 UTC
Return-Path: <gerv@mozilla.org>
X-Original-To: websec@ietfa.amsl.com
Delivered-To: websec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0CC7321F9E34 for <websec@ietfa.amsl.com>; Mon, 12 Aug 2013 10:17:05 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.51
X-Spam-Level:
X-Spam-Status: No, score=-2.51 tagged_above=-999 required=5 tests=[AWL=0.167, BAYES_00=-2.599, HELO_MISMATCH_ORG=0.611, HOST_MISMATCH_COM=0.311, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id tayhZ1Q8MDWs for <websec@ietfa.amsl.com>; Mon, 12 Aug 2013 10:17:00 -0700 (PDT)
Received: from smtp.mozilla.org (mx1.corp.phx1.mozilla.com [63.245.216.69]) by ietfa.amsl.com (Postfix) with ESMTP id 4827521F90FD for <websec@ietf.org>; Mon, 12 Aug 2013 10:04:25 -0700 (PDT)
Received: from [192.168.0.101] (93.243.187.81.in-addr.arpa [81.187.243.93]) (Authenticated sender: gerv@mozilla.org) by mx1.mail.corp.phx1.mozilla.com (Postfix) with ESMTPSA id BA82AF2092; Mon, 12 Aug 2013 10:04:23 -0700 (PDT)
Message-ID: <52091598.7000306@mozilla.org>
Date: Mon, 12 Aug 2013 18:04:24 +0100
From: Gervase Markham <gerv@mozilla.org>
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:17.0) Gecko/20130620 Thunderbird/17.0.7
MIME-Version: 1.0
To: Trevor Perrin <trevp@trevp.net>
References: <060.be9b0009dc0350ca543f553042673944@trac.tools.ietf.org> <073501ce8c6e$f6c17d90$e44478b0$@digicert.com> <CAMm+LwjdGJC4FHCJ_OAYGRqCGGc0Nz1pLV=yVGK9M9E7drfujQ@mail.gmail.com> <CAOuvq200e9HnPX1w9sZ+e7ipBmdgZdPL5xzKDgcaDpSxz1N=gg@mail.gmail.com> <CAMm+Lwh384YBMXw-BDoxJw+AN4qv8x6GQpF9YK4PW1gQRnadpg@mail.gmail.com> <6125A841-6C85-4858-B37F-C021067F0CFA@checkpoint.com> <2035FF99-A079-4F2F-B4DE-962FE1C1B964@checkpoint.com> <CAOuvq20O9bqHGR-5eKPmasNnWEuNW7ACL7PxM09yoTmmyt1UUg@mail.gmail.com> <CAGZ8ZG2C4uB=4vgH325TWeNW89ne4E_DN0j9ZV0t2AKa1o+x9g@mail.gmail.com> <52089A35.9040103@mozilla.org> <CAGZ8ZG3HUUsQJ63mCqHd_LOq+KSdsVpG7Gibdif5dS4oGLywpA@mail.gmail.com>
In-Reply-To: <CAGZ8ZG3HUUsQJ63mCqHd_LOq+KSdsVpG7Gibdif5dS4oGLywpA@mail.gmail.com>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: 7bit
Cc: websec <websec@ietf.org>
Subject: Re: [websec] #58: Should we pin only SPKI, or also names
X-BeenThere: websec@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/websec>, <mailto:websec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/websec>
List-Post: <mailto:websec@ietf.org>
List-Help: <mailto:websec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/websec>, <mailto:websec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 12 Aug 2013 17:17:05 -0000
On 12/08/13 17:11, Trevor Perrin wrote: > If people hate this, someone should make a proposal for a registry: Or make a proposal to stick with the current spec, and not pin names :-) >> I think there will be problems with people not being protected who >> expect to be, if you allow this sort of pinning into the spec but leave >> entirely undefined the mechanisms for communicating what it actually >> should mean when someone pins to a name. > > Could you explain how these problems would arise? > > I'm proposing CAs would coordinate with browsers, then inform their > customers (websites) which name to use. A misbehaving CA could inform > its customers of a meaningless name, causing browsers to ignore the > pin. But a misbehaving CA could violate its customers' security in > other ways. They would arise via any of the obvious mechanisms this could go wrong, e.g.: * CA fails to communicate with (some subset of) browsers, perhaps the small ones, leading to divergent behaviour * Browser update is not universally accepted, leading to divergent behaviour Say Foo CA merges with Bar CA, and issues an edict that from now on the string "fooca.com" will include the already-deployed root, "Bar CA Super-Secure". Six months later, after gnashing their teeth at the delay that this process is introducing into their business, they start issuing certs from "Bar CA Super-Secure" to Foo CA customers. A site, naiveshop.com, is pinned to fooca.com, and buys one of these new certs. All naiveshop.com's customers whose browsers are older than 6 months get connection failures, and naiveshop.com can't easily detect that this is happening, or to how many people. Gerv
- [websec] #58: Should we pin only SPKI, or also na… websec issue tracker
- Re: [websec] #58: Should we pin only SPKI, or als… Jeremy Rowley
- Re: [websec] #58: Should we pin only SPKI, or als… Phillip Hallam-Baker
- Re: [websec] #58: Should we pin only SPKI, or als… Chris Palmer
- Re: [websec] #58: Should we pin only SPKI, or als… Phillip Hallam-Baker
- Re: [websec] #58: Should we pin only SPKI, or als… Yoav Nir
- Re: [websec] #58: Should we pin only SPKI, or als… Gervase Markham
- Re: [websec] #58: Should we pin only SPKI, or als… Yoav Nir
- Re: [websec] #58: Should we pin only SPKI, or als… Gervase Markham
- Re: [websec] #58: Should we pin only SPKI, or als… Trevor Perrin
- Re: [websec] #58: Should we pin only SPKI, or als… Trevor Perrin
- Re: [websec] #58: Should we pin only SPKI, or als… Gervase Markham
- Re: [websec] #58: Should we pin only SPKI, or als… Trevor Perrin
- Re: [websec] #58: Should we pin only SPKI, or als… Gervase Markham
- Re: [websec] #58: Should we pin only SPKI, or als… Trevor Perrin
- Re: [websec] #58: Should we pin only SPKI, or als… Gervase Markham
- Re: [websec] #58: Should we pin only SPKI, or als… Jeremy Rowley
- Re: [websec] #58: Should we pin only SPKI, or als… Gervase Markham
- Re: [websec] #58: Should we pin only SPKI, or als… Jeremy Rowley
- Re: [websec] #58: Should we pin only SPKI, or als… Yoav Nir
- Re: [websec] #58: Should we pin only SPKI, or als… Trevor Perrin
- Re: [websec] #58: Should we pin only SPKI, or als… Yoav Nir
- Re: [websec] #58: Should we pin only SPKI, or als… Tobias Gondrom
- Re: [websec] #58: Should we pin only SPKI, or als… Chris Palmer
- Re: [websec] #58: Should we pin only SPKI, or als… Chris Palmer
- Re: [websec] #58: Should we pin only SPKI, or als… Yoav Nir
- Re: [websec] #58: Should we pin only SPKI, or als… Chris Palmer
- Re: [websec] #58: Should we pin only SPKI, or als… Chris Palmer
- Re: [websec] #58: Should we pin only SPKI, or als… Yoav Nir
- Re: [websec] #58: Should we pin only SPKI, or als… Tobias Gondrom
- Re: [websec] #58: Should we pin only SPKI, or als… Gervase Markham
- Re: [websec] #58: Should we pin only SPKI, or als… Phillip Hallam-Baker
- Re: [websec] #58: Should we pin only SPKI, or als… Trevor Perrin
- Re: [websec] #58: Should we pin only SPKI, or als… Tobias Gondrom
- Re: [websec] #58: Should we pin only SPKI, or als… Trevor Perrin
- Re: [websec] #58: Should we pin only SPKI, or als… Tobias Gondrom
- Re: [websec] #58: Should we pin only SPKI, or als… Trevor Perrin
- Re: [websec] #58: Should we pin only SPKI, or als… Yoav Nir
- Re: [websec] #58: Should we pin only SPKI, or als… Trevor Perrin
- Re: [websec] #58: Should we pin only SPKI, or als… Yoav Nir
- Re: [websec] #58: Should we pin only SPKI, or als… Trevor Perrin
- Re: [websec] #58: Should we pin only SPKI, or als… Yoav Nir
- Re: [websec] #58: Should we pin only SPKI, or als… Trevor Perrin
- Re: [websec] #58: Should we pin only SPKI, or als… Gervase Markham
- Re: [websec] #58: Should we pin only SPKI, or als… Trevor Perrin
- Re: [websec] #58: Should we pin only SPKI, or als… Gervase Markham
- Re: [websec] #58: Should we pin only SPKI, or als… Yoav Nir
- Re: [websec] #58: Should we pin only SPKI, or als… Jeremy Rowley
- Re: [websec] #58: Should we pin only SPKI, or als… Jeremy Rowley
- Re: [websec] #58: Should we pin only SPKI, or als… Rob Stradling
- Re: [websec] #58: Should we pin only SPKI, or als… Ryan Sleevi
- Re: [websec] #58: Should we pin only SPKI, or als… Trevor Perrin
- Re: [websec] #58: Should we pin only SPKI, or als… Jeremy Rowley
- Re: [websec] #58: Should we pin only SPKI, or als… Trevor Perrin
- Re: [websec] #58: Should we pin only SPKI, or als… Trevor Perrin
- Re: [websec] #58: Should we pin only SPKI, or als… Gervase Markham
- Re: [websec] #58: Should we pin only SPKI, or als… Trevor Perrin
- Re: [websec] #58: Should we pin only SPKI, or als… Yoav Nir
- Re: [websec] #58: Should we pin only SPKI, or als… Gervase Markham
- Re: [websec] #58: Should we pin only SPKI, or als… Trevor Perrin
- Re: [websec] #58: Should we pin only SPKI, or als… Gervase Markham
- Re: [websec] #58: Should we pin only SPKI, or als… Trevor Perrin
- Re: [websec] #58: Should we pin only SPKI, or als… Trevor Perrin
- Re: [websec] #58: Should we pin only SPKI, or als… Yoav Nir
- Re: [websec] #58: Should we pin only SPKI, or als… Tobias Gondrom
- Re: [websec] #58: Should we pin only SPKI, or als… Yoav Nir
- Re: [websec] #58: Should we pin only SPKI, or als… Ryan Sleevi
- Re: [websec] #58: Should we pin only SPKI, or als… websec issue tracker