Re: [websec] I-D Action: draft-ietf-websec-key-pinning-02.txt

Stephen Farrell <> Mon, 04 June 2012 20:56 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 1D1DA11E807F for <>; Mon, 4 Jun 2012 13:56:49 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -103.58
X-Spam-Status: No, score=-103.58 tagged_above=-999 required=5 tests=[AWL=-0.980, BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id LYjAYuJak1ov for <>; Mon, 4 Jun 2012 13:56:48 -0700 (PDT)
Received: from ( [IPv6:2001:770:10:200:889f:cdff:fe8d:ccd2]) by (Postfix) with ESMTP id 367F221F867A for <>; Mon, 4 Jun 2012 13:56:48 -0700 (PDT)
Received: from localhost (localhost []) by (Postfix) with ESMTP id A76F01714E0 for <>; Mon, 4 Jun 2012 21:56:45 +0100 (IST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple;; h= content-transfer-encoding:content-type:in-reply-to:references :subject:mime-version:user-agent:from:date:message-id:received :received:x-virus-scanned; s=cs; t=1338843404; bh=xVXRwDFkL8+9ak frZfDq/Ai23sZPU0wpb8/KpAoWXt0=; b=WCoQvnYbZ0WFQIgEp68+GoWaaJhOD/ M2+2Tsbc1un9nwe8Mf8ZpTRSCRWLq7J+Hw1oowM54orWJEdyM5tvYkNbrIKa8Ufm FXY5mu5Fs4efWDxvAIi0zZnyU4CL6U/atoBfiM3xJcNeeGEDq7S9OwIoJ7mgOn9y CCfW3jpxq97HF1KYuHkcf5mmvL3McIvYr7IZziGZoDBgwDAIjSy06i4jnNxlD0s6 Fk3nxghKG/hUTDSviI1lHaSU2leczNNP1R0CvYa5XLXYax1tyZpu/3TGddSxh0n4 r49Aen0oiJJ3Dh81GB4pubg6B/VpdIB+Ys+GUxyokrRLFZE8+69EjPyw==
X-Virus-Scanned: Debian amavisd-new at
Received: from ([]) by localhost ( []) (amavisd-new, port 10027) with ESMTP id h59dMSiLEdyb for <>; Mon, 4 Jun 2012 21:56:44 +0100 (IST)
Received: from [] (unknown []) by (Postfix) with ESMTPSA id D63C71714DC for <>; Mon, 4 Jun 2012 21:56:44 +0100 (IST)
Message-ID: <>
Date: Mon, 04 Jun 2012 21:56:44 +0100
From: Stephen Farrell <>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:12.0) Gecko/20120430 Thunderbird/12.0.1
MIME-Version: 1.0
References: <>
In-Reply-To: <>
X-Enigmail-Version: 1.4.1
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 7bit
Subject: Re: [websec] I-D Action: draft-ietf-websec-key-pinning-02.txt
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Web Application Security Minus Authentication and Transport <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Mon, 04 Jun 2012 20:56:49 -0000

I asked this before back in December but got no takers. Now
that our naming things I-D is in IETF LC, I thought I'd ask
again, just in case, and then shut up:-)

draft-farrell-decade-ni-07 [1] defines ways to name things with
hashes that could be used here.

I don't see a mega-benefit, but perhaps some small ones, e.g
not having to define IANA processes for algorithm agility
for this draft (needed, but not yet defined). It also seems
odd to be defining loads of ways to hash public keys with
trivial differences.

If you did choose to adopt our thing then instead of:


you'd perhaps use:


There'd maybe be a few other tweaks, e.g. we use base64url (but also
over the SPKI). Not sure what else.

So: any interest in that?

If there is but it'd need changes to [1] then we're open to
chatting about that. (And happy to get any other comments on
our draft as well of course.)



On 06/04/2012 07:35 PM, wrote:
> A New Internet-Draft is available from the on-line Internet-Drafts directories. This draft is a work item of the Web Security Working Group of the IETF.
> 	Title           : Public Key Pinning Extension for HTTP
> 	Author(s)       : Chris Evans
>                           Chris Palmer
> 	Filename        : draft-ietf-websec-key-pinning-02.txt
> 	Pages           : 17
> 	Date            : 2012-06-04
>    This memo describes an extension to the HTTP protocol allowing web
>    host operators to instruct user agents (UAs) to remember ("pin") the
>    hosts' cryptographic identities for a given period of time.  During
>    that time, UAs will require that the host present a certificate chain
>    including at least one Subject Public Key Info structure whose
>    fingerprint matches one or more of the pinned fingerprints for that
>    host.  By effectively reducing the scope of authorities who can
>    authenticate the domain during the lifetime of the pin, pinning may
>    reduce the incidence of man-in-the-middle attacks due to compromised
>    Certification Authorities and other authentication errors and
>    attacks.
> A URL for this Internet-Draft is:
> Internet-Drafts are also available by anonymous FTP at:
> This Internet-Draft can be retrieved at:
> The IETF datatracker page for this Internet-Draft is:
> _______________________________________________
> websec mailing list