IETF Logo Mail Archive

Re: [websec] Certificate Pinning via HSTS

Phillip Hallam-Baker <hallam@gmail.com> Wed, 14 September 2011 18:48 UTC

Return-Path: <hallam@gmail.com>
X-Original-To: websec@ietfa.amsl.com
Delivered-To: websec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6EB8821F8BEB for <websec@ietfa.amsl.com>; Wed, 14 Sep 2011 11:48:38 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.465
X-Spam-Level:
X-Spam-Status: No, score=-3.465 tagged_above=-999 required=5 tests=[AWL=0.133, BAYES_00=-2.599, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id IVc-cIvTsN-7 for <websec@ietfa.amsl.com>; Wed, 14 Sep 2011 11:48:37 -0700 (PDT)
Received: from mail-yx0-f172.google.com (mail-yx0-f172.google.com [209.85.213.172]) by ietfa.amsl.com (Postfix) with ESMTP id B850721F8C29 for <websec@ietf.org>; Wed, 14 Sep 2011 11:48:36 -0700 (PDT)
Received: by yxt33 with SMTP id 33so1873227yxt.31 for <websec@ietf.org>; Wed, 14 Sep 2011 11:50:46 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=pRgL+lyfIVoELznZjkEqSpWyMCXDxLNcaYlnovizpZ8=; b=g+hxMt1gC/i7ng0WKmFqYRTuz2g+Ve0cR066gw6agHcRlYDl7CwVrr+LWjZk7nb+1l ICVisQYoz2GSVYVhIntvATbT1dkMecWFrR2lG+z8MOEDzRTbVEt3rFawFcIJlZoYhiPB lKrwhGWTZS69UPNlzRACPzccpapFa6lvwH4U4=
MIME-Version: 1.0
Received: by 10.101.63.5 with SMTP id q5mr156204ank.140.1316026246230; Wed, 14 Sep 2011 11:50:46 -0700 (PDT)
Received: by 10.100.120.20 with HTTP; Wed, 14 Sep 2011 11:50:46 -0700 (PDT)
In-Reply-To: <4E70E67A.5030409@fifthhorseman.net>
References: <CAOuvq22p2qNnXRsK=PS=mxknnq4MrCWt0Np-N8su-iHXaWHqpg@mail.gmail.com> <4E6F5056.800@fifthhorseman.net> <CAOuvq22E-OvU_53gf_go8Nf_jXX_=wbTf7rn2XEa+GAWHTU+7w@mail.gmail.com> <4E70A8F8.80102@fifthhorseman.net> <CAMm+Lwj4LMjivR0nHWQ4eqkTz_WVTq8w5+QWGPSOat0KgvM3HA@mail.gmail.com> <4E70C4AB.7050206@fifthhorseman.net> <CAMm+LwgVvJ+ScrxGcdhckX9_E5OpEmThp+GWqbhCvmr9Qf7FDQ@mail.gmail.com> <4E70E67A.5030409@fifthhorseman.net>
Date: Wed, 14 Sep 2011 14:50:46 -0400
Message-ID: <CAMm+LwgLKboafM2FbYJ2784AmPHULQAcVFE6-RgsNEj86b2sCw@mail.gmail.com>
From: Phillip Hallam-Baker <hallam@gmail.com>
To: IETF WebSec WG <websec@ietf.org>
Content-Type: multipart/alternative; boundary="001636eee26debf3a104aceb3c56"
Cc: Chris Evans <cevans@google.com>
Subject: Re: [websec] Certificate Pinning via HSTS
X-BeenThere: websec@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/websec>, <mailto:websec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/websec>
List-Post: <mailto:websec@ietf.org>
List-Help: <mailto:websec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/websec>, <mailto:websec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 14 Sep 2011 18:48:38 -0000

On Wed, Sep 14, 2011 at 1:38 PM, Daniel Kahn Gillmor
<dkg@fifthhorseman.net>wrote:

>
> I personally like this approach and i use multiple keys for different
> hosts serving the same domain for at least one domain i administer
> myself.  i also note that it is diametrically opposed to your earlier
> stated goal of avoiding "major operational headache", particularly when
> using an external CA.  I was trying to offer a way to avoid major
> operational headache in my proposal.
>

Not really. Operating infrastructure on a large scale, the issue is not the
number of operations required but the number of interdependencies between
systems.

Having keys that never leave the machine eliminates a lot of the management
issues to do with equipment that is lost, stolen etc with the keys loaded.
If you have 10 machines it is pretty obvious that you have lost one. On a
large installation racks of equipment can be appearing/disappearing on a
bewildering basis. And it is not uncommon for theft to be an insider who is
selling off machinery that is being booked as destroyed.


The way I would ideally lock a key to a host is to have a permanent host key
that is unique to that device and only used for authenticating cert
requests. To instantiate an instance of some server the data center pushes
out the server image and a one time use authentication key that is used to
authenticate a cert request for that specific machine. The host generates a
new key per cert request.

That approach allows a system where all the data flows are unidirectional,
no three way synchronization etc.



> Of course, the other way to avoid the headache in this is to use an
> in-house CA, but of course that gets back to my "the only reasonable CA
> to pin is an in-house CA".


We can get to agreement on a 'house specific CA'.

Running it in-house is a pain and is going to get worse over time as the
criteria for public CAs are raised by the browser providers.

Where I think we might want to shoot for with this would be to look for dual
control points and a key splitting type approach.


> > Keys should be unique to the host and never move from the host.
> >
> > It is certainly not just citibank that has that scheme.
>
> Are these other organizations public?  I'm looking to compile a list of
> groups that do this to raise this concern with the
> Convergence/Perpsectives folks, since these always show up as bad under
> their model of analysis.  Feel free to mail the the list privately if
> you don't want to publish it, or if you feel it is off-topic for this list


I would think that would be proprietary and customer confidential and I
would have to ask a former employer.

It is easier to measure than make the request. Just look for companies that
have multiple A records and then see if they have the same cert or not.


>> if those intermediate authorities are not explicitly domain-restricted
> >> *in their own certificate*, then yes -- the risk is larger.  i don't
> >
> > Not if the signing keys are in the same hardware module as the
> intermediate
> > they are signed under.
>
> You're asking me to assume a whole stack of things about operational
> integrity, access control, system maintenance, and coding practice at
> various CAs.  I have no idea whether any of these things are true for
> any CA in particular.  All i know is that there is a CA that is
> nominally under the control of a separate organization.
>

No, it is not a CA, according to the defined terms, the CA performs the
validation and signature function. If there are 150 keys in one HSM they are
under control of one CA, not 150.

The fact that a CA issues some certs for a given customer off a different
intermediate to their other customers does not increase the number of
signing parties.

Such a customer might well have had a local RA capability, but that should
have been locked down so they could only issue for their roots. At this
point I very much doubt that there are any such RAs being operated as a true
RA without the CA performing full validation of the requests. Thank the
Iranian government for that change in practice.

There is a slight difference in the trust model in that such an intermediate
root can be and is frequently used to provide authorization data. This is
mostly used for client certs. But if the proposal being discussed here went
through there would be a real value to the key splitting approach outlined
above for servers.

I'd happy if someone could prove that these intermediate CAs are
> actually all locked down under very high security and properly limited
> in what kinds of certificates they can issue; but i'm not convinced such
> a proof is possible.
>

It is the job of the certificate policy requirements to make those demands
explicit and of the auditors to ensure that they are enforced.

One of the reasons that Comodo has been pushing to introduce baseline
requirements for all public CA issued certs is to get some controls into the
system that can be checked by auditors.

We have these requirements for EV certs, until recently we did not have the
requirements for DV certs.


> And given the recent events, i'd have no confidence in an unproved
> assertion of secure operations of these subordinate CAs.


It definitely needs to be audited. But we definitely need to have additional
controls that can be used when the auditors don't do their job.

The fact that the Diginotar root was revoked has woken up anyone who still
needed it.


> The draft as initially proposed included both explicit mechanism and
> several "best practice" recommendations (e.g. pin rollover and backup).
>  I think these recommendations were good ones, and contribute a lot
> toward making the draft clear and useful to the people who will have to
> deploy the mechanism.
>
> If this becomes an RFC, i'd hope these recommendations would persist in
> a "SECURITY CONSIDERATIONS" section or the equivalent.
>

That is fine.

I think we can write a set of security considerations that are pretty much
the advice you give and direct them at the smaller to medium sites that turn
SCs into operational policy.



> I'm proposing an additional recommendation: unless you control and
> operate your own CA, you probably only want to pin EEs.
>

How about we split the difference? We can leave in control. Just take out
'operate'.

My preference for the larger enterprise would be a split key approach. That
reduces my liability and risk.

By the time this is all through I think the number of people still willing
to operate CAs is going to be a much smaller set than in the past.


Regards,
>
>        --dkg
>
>


-- 
Website: http://hallambaker.com/

v2.23.0 | Report a Bug | By Email