Re: [websec] Alissa Cooper's Yes on draft-ietf-websec-key-pinning-19: (with COMMENT)
Ryan Sleevi <sleevi@google.com> Tue, 05 August 2014 21:41 UTC
Return-Path: <sleevi@google.com>
X-Original-To: websec@ietfa.amsl.com
Delivered-To: websec@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4E66F1A0314 for <websec@ietfa.amsl.com>; Tue, 5 Aug 2014 14:41:14 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.379
X-Spam-Level:
X-Spam-Status: No, score=-1.379 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ZkK9T_FTWjG4 for <websec@ietfa.amsl.com>; Tue, 5 Aug 2014 14:41:12 -0700 (PDT)
Received: from mail-vc0-x230.google.com (mail-vc0-x230.google.com [IPv6:2607:f8b0:400c:c03::230]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 38E1F1A0317 for <websec@ietf.org>; Tue, 5 Aug 2014 14:41:12 -0700 (PDT)
Received: by mail-vc0-f176.google.com with SMTP id id10so2659114vcb.21 for <websec@ietf.org>; Tue, 05 Aug 2014 14:41:11 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=Yz/dQsUATToVNi8n+BmSab5lBSKAYtLpdej94VnjqDA=; b=XVMQLdz/cy6qyQpLPUOcmpelLRQ5+YK08G/m6O6srFo+aiVlLdUQrn7/EXwr4kyCNy 24jp8Xay2U60AjXpAOLBmf27uHq9QJBUwpuX2kkC6z9Lfs3diUm3B8dW/vuJADPdCAuQ dVuXdRJvAaYWuMcYzWUJeoo81DuL5RB5Vm5GcfX8L5deDXLkjRlWVykZCgBr4UzC+yZO NMOJ5GTgQGWyVpjwiIUiFjKa24pqQ0CggcdaBXxdU1/kZPqST8eyXsq21AELY8sefJms XQbrxqMjyQTF+M80b0t4Sr8wuXF1Deugw6v32MTisEIh2ilVq4PTvHzGbcHe0aUorg7W UnRQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:date :message-id:subject:from:to:cc:content-type; bh=Yz/dQsUATToVNi8n+BmSab5lBSKAYtLpdej94VnjqDA=; b=bnTYxVuzpXX8uZJEgxvvBStUStRnjUWZpDrKxsfaDP1kBs1N7Va24Uj7j30m++O1Fv 2TjBxd9Rxkw8Yy2HMH4f6PK9FZBXl/ftjsmt7CwYUSfYfmh59DZQ03GVV9+HOoUjQ6d7 txZiv4snaVPjZ7NmVZDKXJArONVmzux85ZwH6/8qbuFVcFAyW8eNlB1iyIZF0GiLuvZu BH/HpceH3nXrlB5IrO6oHkQfpUngJCS8Nq8KZ06ynxFyjDzYaAj7T2scm2U9mggeVM9n IRAEdi5YraKbDV6tBTExpHsTi0UAHbJshi7Pk9vhuQGgLjsBT50Y6rmcwYx3sx8YomLm uZJg==
X-Gm-Message-State: ALoCoQkn4WHOKujexcWdZQHYnqhqt87vvaFAmUMHtJ+iRs9PY1zjhrts+R6/jFYq0uv39wDJNwbV
MIME-Version: 1.0
X-Received: by 10.220.74.195 with SMTP id v3mr6932285vcj.23.1407274871192; Tue, 05 Aug 2014 14:41:11 -0700 (PDT)
Received: by 10.52.139.78 with HTTP; Tue, 5 Aug 2014 14:41:11 -0700 (PDT)
In-Reply-To: <20140805212736.4347.37060.idtracker@ietfa.amsl.com>
References: <20140805212736.4347.37060.idtracker@ietfa.amsl.com>
Date: Tue, 05 Aug 2014 14:41:11 -0700
Message-ID: <CACvaWvYLx4NBeg9JN6gFH57uDgB_szJvr=eq+Vdv1PihviQ1rA@mail.gmail.com>
From: Ryan Sleevi <sleevi@google.com>
To: Alissa Cooper <alissa@cooperw.in>
Content-Type: multipart/alternative; boundary="089e01634bf0cc9fb304ffe8b673"
Archived-At: http://mailarchive.ietf.org/arch/msg/websec/7aX7OxlMA-mvmTIDAVPPuuK93kg
X-Mailman-Approved-At: Tue, 05 Aug 2014 14:44:20 -0700
Cc: draft-ietf-websec-key-pinning@tools.ietf.org, "<websec@ietf.org>" <websec@ietf.org>, The IESG <iesg@ietf.org>, websec-chairs@tools.ietf.org
Subject: Re: [websec] Alissa Cooper's Yes on draft-ietf-websec-key-pinning-19: (with COMMENT)
X-BeenThere: websec@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/websec>, <mailto:websec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/websec/>
List-Post: <mailto:websec@ietf.org>
List-Help: <mailto:websec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/websec>, <mailto:websec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 05 Aug 2014 21:41:14 -0000
On Tue, Aug 5, 2014 at 2:27 PM, Alissa Cooper <alissa@cooperw.in> wrote: > Alissa Cooper has entered the following ballot position for > draft-ietf-websec-key-pinning-19: Yes > > When responding, please keep the subject line intact and reply to all > email addresses included in the To and CC lines. (Feel free to cut this > introductory paragraph, however.) > > > Please refer to http://www.ietf.org/iesg/statement/discuss-criteria.html > for more information about IESG DISCUSS and COMMENT positions. > > > The document, along with other ballot positions, can be found here: > http://datatracker.ietf.org/doc/draft-ietf-websec-key-pinning/ > > > > ---------------------------------------------------------------------- > COMMENT: > ---------------------------------------------------------------------- > > I agree with Pete's comment about the first sentence. > > It would be nice if in Section 5 or 7 some suggestion could be made for > UAs to consider the relationship between the functionality they provide > to clear pins/pinned hosts and the functionality they provide to clear > (or prevent the storage of) other UA state. E.g., upon clearing one's > browsing history or entering private browsing mode, it seems like having > the option to clear pins/pinned hosts or not pin would make sense. This > is alluded to in Section 7 but not really tied to the threat described in > Section 5. > Just to confirm, you're looking to see an illustrative (non-normative) example/discussion of UI controls in Section 5, correct? > > I'm also curious about whether there is any reason to retain expired > pins? (Other than the fact that flushing them requires the UA to actively > check which ones are expired.) > I am having a bit of trouble parsing this question. The draft right now doesn't normatively say one way or the other how to treat expired pins post expiration. That is, pins are noted, they expire, but there are no post-expiration steps, since the behaviour is indistinguishable from an unpinned host. One reason to avoid proactively erasing pins would be situations of temporary clock skew, which is, anecdotally, a depressingly common occurrence. A user who temporarily experienced clock skew would not be protected from sites they visited during the skew (as pins would be expired), but could note new pins (following the pinning logic). If the clock skew was resolved (either manually or through a delayed reconcilliation, as many modern OSes now go through), the user's original pins would become viable again (within the expiration window). This is a client misconfiguration that can't readily be accomodated or predicted on the server, and it's a complex one, so it seems non-ideal to document. The observable behaviour, from a server, is that if Client X attempts to access the Site Y with an expired pin, it's no different than if they had no Pin. That invariant is retained regardless of which behaviour the UA implements.
- [websec] Alissa Cooper's Yes on draft-ietf-websec… Alissa Cooper
- Re: [websec] Alissa Cooper's Yes on draft-ietf-we… Ryan Sleevi
- Re: [websec] Alissa Cooper's Yes on draft-ietf-we… Alissa Cooper