IETF Logo Mail Archive

Re: [websec] #60: Well Known URIs vs Response Headers

Tobias Gondrom <tobias.gondrom@gondrom.org> Wed, 31 July 2013 18:18 UTC

Return-Path: <tobias.gondrom@gondrom.org>
X-Original-To: websec@ietfa.amsl.com
Delivered-To: websec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6799A11E81A6 for <websec@ietfa.amsl.com>; Wed, 31 Jul 2013 11:18:17 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -96.314
X-Spam-Level:
X-Spam-Status: No, score=-96.314 tagged_above=-999 required=5 tests=[AWL=-0.952, BAYES_00=-2.599, FH_HELO_EQ_D_D_D_D=1.597, FH_HOST_EQ_D_D_D_D=0.765, FM_DDDD_TIMES_2=1.999, HELO_DYNAMIC_IPADDR=2.426, HELO_EQ_DE=0.35, RDNS_DYNAMIC=0.1, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id eHfqxOQxp9Cs for <websec@ietfa.amsl.com>; Wed, 31 Jul 2013 11:18:13 -0700 (PDT)
Received: from lvps176-28-13-69.dedicated.hosteurope.de (lvps176-28-13-69.dedicated.hosteurope.de [176.28.13.69]) by ietfa.amsl.com (Postfix) with ESMTP id 6017211E81A5 for <websec@ietf.org>; Wed, 31 Jul 2013 11:18:11 -0700 (PDT)
DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=default; d=gondrom.org; b=GqSugWbiF/ifi1WHyIfs1a7iW4fxGWUCqlygiEqbx4iZdFErSWVtKlhrxXfxxYPWwDZHmF3kIOtlTQSHeinYhbLzQTA9nMI5aKKr7Vzlp7Qxi4uWc9dI0zjvLkp9PVXS; h=Received:Received:Message-ID:Date:From:User-Agent:MIME-Version:To:CC:Subject:References:In-Reply-To:X-Enigmail-Version:Content-Type:Content-Transfer-Encoding;
Received: (qmail 26339 invoked from network); 31 Jul 2013 20:18:07 +0200
Received: from dhcp-411f.meeting.ietf.org (HELO ?130.129.65.31?) (130.129.65.31) by lvps176-28-13-69.dedicated.hosteurope.de with ESMTPSA (DHE-RSA-AES256-SHA encrypted, authenticated); 31 Jul 2013 20:18:07 +0200
Message-ID: <51F954DE.4090907@gondrom.org>
Date: Wed, 31 Jul 2013 20:18:06 +0200
From: Tobias Gondrom <tobias.gondrom@gondrom.org>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:17.0) Gecko/20130623 Thunderbird/17.0.7
MIME-Version: 1.0
To: trevp@trevp.net
References: <060.e0f8fef9b2d28177be54bca787fadd87@trac.tools.ietf.org> <CAGZ8ZG1NCRtKQP4hJXgHbmpMP+bwgoPB=tFKD7KgoDc5i2h6ug@mail.gmail.com>
In-Reply-To: <CAGZ8ZG1NCRtKQP4hJXgHbmpMP+bwgoPB=tFKD7KgoDc5i2h6ug@mail.gmail.com>
X-Enigmail-Version: 1.5.2
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 7bit
Cc: draft-ietf-websec-key-pinning@tools.ietf.org, trac+websec@trac.tools.ietf.org, websec@ietf.org
Subject: Re: [websec] #60: Well Known URIs vs Response Headers
X-BeenThere: websec@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/websec>, <mailto:websec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/websec>
List-Post: <mailto:websec@ietf.org>
List-Help: <mailto:websec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/websec>, <mailto:websec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 31 Jul 2013 18:18:17 -0000

<no hats>

On 30/07/13 21:17, Trevor Perrin wrote:
> On Mon, Jul 29, 2013 at 1:38 PM, websec issue tracker
> <trac+websec@trac.tools.ietf.org> wrote:
>> #60: Well Known URIs vs Response Headers
>>
>>  This is about a suggestion to replace the HPKP header with an RFC 5785
>>  well-known URI.  This would allow lower bandwidth, as this resource would
>>  be read at most once per connection, rather than with each request.
> To me this seems related to a couple other issues:
>  - can a client pin CAs by name, or will the client have to list
> potentially dozens of hashes in the header?
>  - is the header sent on every response from the pinned host, or is it
> only returned infrequently or to a client who asks for it?
>
> If CAs can be pinned by name, or if response headers are only returned
> to a client who asks for them, then large headers don't matter much.
>
> But the current draft seems inefficient / inelegant, since an HPKP
> header may contain dozens of hashes.  The header must be sent on
> *every* response from a pinned site (draft-08, section 2.2.1), so the
> client must process the header on every response.

actually the client does not have to process the hash for every
response. A simple compare with the previous cached hash(es) is
sufficient. So less processing effort.

Best regards, Tobias


>
>>  However, the same is true for HSTS, CSP, and any other policy-conveying
>>  header.
> It's not exactly the same - HSTS does not interpret an absent response
> header as max-age=0, so the headers doesn't need to be sent on every
> response.  HSTS headers are also smaller.
>
>
> Trevor
> _______________________________________________
> websec mailing list
> websec@ietf.org
> https://www.ietf.org/mailman/listinfo/websec

v2.23.0 | Report a Bug | By Email