Re: [websec] Certificate Pinning via HSTS

"Richard L. Barnes" <rbarnes@bbn.com> Tue, 13 September 2011 01:43 UTC

To: =JeffH <Jeff.Hodges@KingsMountain.com>
Cc: IETF WebSec WG <websec@ietf.org>

> > Is there any particular reason you're using key fingerprints instead of cert
> > fingerprints?  It seems like the latter might be slightly easier to
> > implement, since you don't have to parse the cert.
> 
> I assume it's because the certificates that public keys are embedded within can, in practice, change without the key pairs themselves changing.
> 
> The rationale ought to of course be noted in the spec.

Public keys can change too, of course.  And it's often the cases where keys need to change that are the most important!  

In general, it seems like these "pinning" strategies do need some sort of provision for rollover.

--Richard
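
The trade-off discussed in this message, as an added example that is not part of the original email or of any pinning draft: a pin on the certificate hash breaks when the same key is reissued in a new certificate, a pin on the SubjectPublicKeyInfo hash survives reissue but needs the parsing step mentioned above, and neither survives a key change unless a backup pin is already in the set. `toy_cert`, `spki_der`, `fp` and `pin_ok` are hypothetical names, and the certificates are constructed DER with the X.509 field order but placeholder contents.

```python
import hashlib

def tlv(tag, body):  # DER-encode one element (short or long length form)
    n = len(body)
    size = b"" if n < 0x80 else n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, n if n < 0x80 else 0x80 | len(size)]) + size + body

def read_tlv(buf, pos):
    """Return (tag, value_start, end) for the DER element at pos."""
    tag, first = buf[pos], buf[pos + 1]
    pos, length = pos + 2, first
    if first & 0x80:  # long form: low 7 bits = number of length octets
        k = first & 0x7F
        length = int.from_bytes(buf[pos:pos + k], "big")
        pos += k
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, pos, pos + length

def spki_der(cert):
    """Walk Certificate -> tbsCertificate -> subjectPublicKeyInfo."""
    _, tbs_at, _ = read_tlv(cert, 0)
    _, pos, _ = read_tlv(cert, tbs_at)
    tag, _, end = read_tlv(cert, pos)
    if tag == 0xA0:  # optional explicit [0] version field
        pos = end
    for _ in range(5):  # serial, signature alg, issuer, validity, subject
        _, _, pos = read_tlv(cert, pos)
    return cert[pos:read_tlv(cert, pos)[2]]

def toy_cert(serial, key):
    """Constructed stand-in: X.509 field order, placeholder contents, no real signature."""
    empty = tlv(0x30, b"")
    spki = tlv(0x30, empty + tlv(0x03, b"\x00" + key))
    version, number = tlv(0xA0, tlv(0x02, b"\x02")), tlv(0x02, bytes([serial]))
    tbs = tlv(0x30, version + number + empty * 4 + spki)
    return tlv(0x30, tbs + empty + tlv(0x03, b"\x00"))

def fp(data):
    return hashlib.sha256(data).hexdigest()

def pin_ok(cert, pins):  # pins: set of SPKI hashes, current key plus any backups
    return fp(spki_der(cert)) in pins

if __name__ == "__main__":
    key_a, key_b = bytes(200), b"\x07" * 200  # constructed key material
    old, reissued, rolled = toy_cert(1, key_a), toy_cert(2, key_a), toy_cert(3, key_b)
    pin = fp(spki_der(old))
    print(fp(old) == fp(reissued), pin_ok(reissued, {pin}), pin_ok(rolled, {pin}),
          pin_ok(rolled, {pin, fp(spki_der(rolled))}))
```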