Return-Path: <sleevi@google.com>
X-Original-To: websec@ietfa.amsl.com
Delivered-To: websec@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1])
 by ietfa.amsl.com (Postfix) with ESMTP id 214821A02DA
 for <websec@ietfa.amsl.com>; Tue, 26 Aug 2014 17:53:30 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.046
X-Spam-Level: 
X-Spam-Status: No, score=-2.046 tagged_above=-999 required=5
 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1,
 DKIM_VALID_AU=-0.1, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001,
 RP_MATCHES_RCVD=-0.668, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44])
 by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024)
 with ESMTP id UyX9oSZH6Nhj for <websec@ietfa.amsl.com>;
 Tue, 26 Aug 2014 17:53:28 -0700 (PDT)
Received: from mail-yk0-x22a.google.com (mail-yk0-x22a.google.com
 [IPv6:2607:f8b0:4002:c07::22a])
 (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits))
 (No client certificate requested)
 by ietfa.amsl.com (Postfix) with ESMTPS id 8C05D1A02CF
 for <websec@ietf.org>; Tue, 26 Aug 2014 17:53:28 -0700 (PDT)
Received: by mail-yk0-f170.google.com with SMTP id 9so12302467ykp.29
 for <websec@ietf.org>; Tue, 26 Aug 2014 17:53:27 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113;
 h=mime-version:in-reply-to:references:date:message-id:subject:from:to
 :cc:content-type;
 bh=MKVrjk6lGXs0srtGoQe9rBY0XjmNhABmSyBbK0yqWGk=;
 b=mZXsWJEKe0P9IVKv2rj9ie+Lb5K3xlVd0jvzfRgI9Hbp64oaH7UD4n65CngALaikgL
 6TVS1Q6DMzG9z0fNe6E/f6hxuBuE9qYTRKcIdVAk4pEL5yHLHLw4m5jyKuZdCa1/Wumy
 UVV+yUJDKQmGrpj5wXEa1zPOY+5Bd9rMwUIZtG9ls2YxQBkgUuAAngyV9jnJ2FgKweE5
 OSXyT3o4j0ji7f+ZjN1NvFaC7fE4yX0sIp/RcvlCNdtZ6/JQVgZPYpg2HY01x2kdnn3v
 voLcp2/2qp7cWIesFBuCA0dULoTL/pOMqI+W7SqdBXRlkJhv6h+Uz722x7iH8WUxB7v+
 ZuLQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=1e100.net; s=20130820;
 h=x-gm-message-state:mime-version:in-reply-to:references:date
 :message-id:subject:from:to:cc:content-type;
 bh=MKVrjk6lGXs0srtGoQe9rBY0XjmNhABmSyBbK0yqWGk=;
 b=TeC8Ujr51ZzvFh1tpg3yXUFm34xcAepLCz7dcZIpgm2ikbHKzzqWNDKqB2DJ1XVHWk
 lqIywHE4WE/D3m/LG7YZ1veSlQ8ybfCWRCchY1Bjisy/dfZyau6q/7T+Yg3KvzD53lL9
 mEJHulp9ahDIw/ZC9D/omO42IwzoeEswc2stdbJezf+ZwCvwzmCMK8aVfgnR5r48g7rn
 VZMkXEwiVadAaUZLmj2K7nxAqRsvjyxRPr5zvIldmoRfEp7fcAmil6ZrpcLDfpkCo5Fk
 aUFAiQ5Twh90t7nr25GvTf+RjGw4r7FeCYC0xO7mlBG3nFz9jwF5PI1Ijcd5Y9HTLJ/9
 Emmg==
X-Gm-Message-State: ALoCoQleuqfGd0piYk9fJUHPN6NkEIieGI8K9v+dk+0SVI2/SS/MxV+l4LXSjmRe6wwXviUDalFE
MIME-Version: 1.0
X-Received: by 10.220.168.210 with SMTP id v18mr26315953vcy.3.1409100807697;
 Tue, 26 Aug 2014 17:53:27 -0700 (PDT)
Received: by 10.52.119.178 with HTTP; Tue, 26 Aug 2014 17:53:27 -0700 (PDT)
Received: by 10.52.119.178 with HTTP; Tue, 26 Aug 2014 17:53:27 -0700 (PDT)
In-Reply-To: <CAGZ8ZG3xoA1w1oEx9F8MuH1PARe5ALU9A1CEXqDXM-JSh_niGg@mail.gmail.com>
References: <BAY169-DS62B5941BF0A9024964BB0AEEE0@phx.gbl>
 <CACvaWvYHAmpX0f9_m-sckhWz9tcyWA-sxVR4vP-A5UcAQmnYXA@mail.gmail.com>
 <BAY169-DS45F1C5036AB09CA44D0BC7AEDF0@phx.gbl>
 <CA+cU71k-pLD315dzfd_c74QM51c7V2VQkZ26PiXUTqntmESD=A@mail.gmail.com>
 <CAOuvq20mZkScvPDKjsa1eZ6rdoHxf_+oF=gpaOcvkOTaYhyj6Q@mail.gmail.com>
 <CA+cU71mW47OvqRNTbw-H7u-F_k6hMv4xr0XcMYAS_V6eE8brwA@mail.gmail.com>
 <CAOuvq20C+T9Ejf_KUsfPRtUWL7ggCF0UWJZkGr5xGBEkERXeRQ@mail.gmail.com>
 <BAY169-DS45D73636AA204DEEABC876AEDC0@phx.gbl>
 <CAOuvq20kCKk=jcXsy_d8C-4Fn-f0zshP6YUPn5N8hsKt7KO7dw@mail.gmail.com>
 <CAGZ8ZG3KUPAbePp-_GCztj4RSLd8MuNo1iDz=ua+BEjQVzJc7Q@mail.gmail.com>
 <CA+cU71=A6vFXZrG8mcqj4uC-z2VdJfFOutqcq9MPTYs+uhpa9Q@mail.gmail.com>
 <CAOuvq22QgGVpsxrsZswqspiP-rgNE6B3vp_6bYDTE5-MrLZdVg@mail.gmail.com>
 <CA+cU71nN-=TjWZZovMUcTrXMF1gBcYFppnfnsaP7hKw+6AUCLQ@mail.gmail.com>
 <CAOe4Uim9ZC7MdY1tXhLWFwNxzxorh00bJ3PBsco_H-KxpYh-Dg@mail.gmail.com>
 <CAGZ8ZG3xoA1w1oEx9F8MuH1PARe5ALU9A1CEXqDXM-JSh_niGg@mail.gmail.com>
Date: Tue, 26 Aug 2014 17:53:27 -0700
Message-ID: <CACvaWvYjVXMsgCzL=mM+F8eS0hcjTqEaR7xYzti4LD4rdpbD1g@mail.gmail.com>
From: Ryan Sleevi <sleevi@google.com>
To: Trevor Perrin <trevp@trevp.net>
Content-Type: multipart/alternative; boundary=001a11c247e4189044050191d979
Archived-At: http://mailarchive.ietf.org/arch/msg/websec/BenW7Whw2vEB2bpuML7jmTKljhM
X-Mailman-Approved-At: Wed, 27 Aug 2014 03:31:47 -0700
Cc: "<websec@ietf.org>" <websec@ietf.org>,
 Eric Lawrence <ericlaw1979@hotmail.com>,
 draft-ietf-websec-key-pinning@tools.ietf.org
Subject: Re: [websec] draft-ietf-websec-key-pinning
X-BeenThere: websec@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Web Application Security Minus Authentication and Transport
 <websec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/websec>,
 <mailto:websec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/websec/>
List-Post: <mailto:websec@ietf.org>
List-Help: <mailto:websec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/websec>,
 <mailto:websec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 27 Aug 2014 00:53:30 -0000

--001a11c247e4189044050191d979
Content-Type: text/plain; charset=UTF-8

This seems like it would meaningfully necessitate changes to the security
and privacy considerations. In these cases, in specs and in code, my
feeling is that less is more desirable, and I agree with Joe's remarks
about whether or not PKP-RO meets the goals.

Chairs, can you provide feedback on how to progress  with such significant
changes based on post-WGLC feedback: either the removal of or the changing
definition of PKP-RO.
On Aug 26, 2014 5:46 PM, "Trevor Perrin" <trevp@trevp.net> wrote:

> On Tue, Aug 26, 2014 at 5:15 PM, Joseph Bonneau <jbonneau@gmail.com>
> wrote:
> >>
> >> I'd like PKP-RO to be cached like PKP and applied the same way, absent
> >> the connection termination (preference). After I realized the
> >> includeSubdomains issue (concern), I want it even more for testing a
> >> deployment than I want it for my prior attack detection arguments
> >> (preference).
> >
> >
> > My email wasn't very clear but I would also prefer this policy
>
> I'd prefer this as well.  To be even clearer, I think the browser
> should treat PKP and PKP-RO headers independently.  I.e., the browser
> should maintain separate stores for PKP and PKP-RO data.  PKP headers
> only affect the PKP store, and PKP-RO headers only affect the PKP-RO
> store.
>
> (For example, PKP max-age=0 doesn't clear PKP-RO, and vice versa).
>
> A browser implementing this probably already has separate stores for
> HSTS and HPKP, so this is just adding a third for HPKP-RO, which seems
> reasonable to implement.
>
> Trevor
>

--001a11c247e4189044050191d979
Content-Type: text/html; charset=UTF-8
Content-Transfer-Encoding: quoted-printable

<p dir=3D"ltr">This seems like it would meaningfully necessitate changes to=
 the security and privacy considerations. In these cases, in specs and in c=
ode, my feeling is that less is more desirable, and I agree with Joe&#39;s =
remarks about whether or not PKP-RO meets the goals.</p>

<p dir=3D"ltr">Chairs, can you provide feedback on how to progress=C2=A0 wi=
th such significant changes based on post-WGLC feedback: either the removal=
 of or the changing definition of PKP-RO.</p>
<div class=3D"gmail_quote">On Aug 26, 2014 5:46 PM, &quot;Trevor Perrin&quo=
t; &lt;<a href=3D"mailto:trevp@trevp.net">trevp@trevp.net</a>&gt; wrote:<br=
 type=3D"attribution"><blockquote class=3D"gmail_quote" style=3D"margin:0 0=
 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
On Tue, Aug 26, 2014 at 5:15 PM, Joseph Bonneau &lt;<a href=3D"mailto:jbonn=
eau@gmail.com">jbonneau@gmail.com</a>&gt; wrote:<br>
&gt;&gt;<br>
&gt;&gt; I&#39;d like PKP-RO to be cached like PKP and applied the same way=
, absent<br>
&gt;&gt; the connection termination (preference). After I realized the<br>
&gt;&gt; includeSubdomains issue (concern), I want it even more for testing=
 a<br>
&gt;&gt; deployment than I want it for my prior attack detection arguments<=
br>
&gt;&gt; (preference).<br>
&gt;<br>
&gt;<br>
&gt; My email wasn&#39;t very clear but I would also prefer this policy<br>
<br>
I&#39;d prefer this as well.=C2=A0 To be even clearer, I think the browser<=
br>
should treat PKP and PKP-RO headers independently.=C2=A0 I.e., the browser<=
br>
should maintain separate stores for PKP and PKP-RO data.=C2=A0 PKP headers<=
br>
only affect the PKP store, and PKP-RO headers only affect the PKP-RO<br>
store.<br>
<br>
(For example, PKP max-age=3D0 doesn&#39;t clear PKP-RO, and vice versa).<br=
>
<br>
A browser implementing this probably already has separate stores for<br>
HSTS and HPKP, so this is just adding a third for HPKP-RO, which seems<br>
reasonable to implement.<br>
<br>
Trevor<br>
</blockquote></div>

--001a11c247e4189044050191d979--