IETF Logo Mail Archive

Re: [websec] #58: Should we pin only SPKI, or also names

Trevor Perrin <trevp@trevp.net> Thu, 15 August 2013 08:20 UTC

Return-Path: <trevp@trevp.net>
X-Original-To: websec@ietfa.amsl.com
Delivered-To: websec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6497D11E80C5 for <websec@ietfa.amsl.com>; Thu, 15 Aug 2013 01:20:28 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.81
X-Spam-Level:
X-Spam-Status: No, score=-2.81 tagged_above=-999 required=5 tests=[AWL=0.167, BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id SVrX2I7x8Wzv for <websec@ietfa.amsl.com>; Thu, 15 Aug 2013 01:20:23 -0700 (PDT)
Received: from mail-wi0-f170.google.com (mail-wi0-f170.google.com [209.85.212.170]) by ietfa.amsl.com (Postfix) with ESMTP id DEA6321E811A for <websec@ietf.org>; Thu, 15 Aug 2013 01:20:19 -0700 (PDT)
Received: by mail-wi0-f170.google.com with SMTP id hi8so261085wib.3 for <websec@ietf.org>; Thu, 15 Aug 2013 01:20:18 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=x-gm-message-state:mime-version:in-reply-to:references:date :message-id:subject:from:to:cc:content-type; bh=nS+ovhtXEJ5JZsR4TG0sH/PtxXMfwIXLkqTvXlQL9m8=; b=conNe/1xFl/TBPisXhSN9FXWaSwhd/ubH4402JGYEgqXMT8Ox83cW4kJB1n19Jlykl ez4tJx5hIKEcpcMBuCuTe6idEwHePoQRxvDbhA0PcKVeUM1l8eRFwcLWMDMg9Gv4Wji+ XMJywRgoIa8qP1UH850vS27M8v4YbzAnhPDCiBdCj46uNS8stK5LyZ8lg0miPkZGxhjP jVu2dBkoBc4v8+VNug/2HBMvlDD9EZGRmB3SP6/wVd/TGtx995klNhbaGAl6fJUeHOD7 lFmyY9/y3ikDVfWNjQ67+vk3OMWMfoYMOI6SupKIJ8roderUSHWI0BW6m5PR1y+YWz8T 1edQ==
X-Gm-Message-State: ALoCoQkxyyGkapzEVc/DFOk9QIbUvY2HWDmAESrXTjxVyU0FoWPeYIUFxW9/ZAU0MGGqLYqj+TCb
MIME-Version: 1.0
X-Received: by 10.180.205.236 with SMTP id lj12mr1120430wic.22.1376554818489; Thu, 15 Aug 2013 01:20:18 -0700 (PDT)
Received: by 10.216.212.9 with HTTP; Thu, 15 Aug 2013 01:20:18 -0700 (PDT)
X-Originating-IP: [166.137.187.36]
In-Reply-To: <520C166E.7000202@mozilla.org>
References: <060.be9b0009dc0350ca543f553042673944@trac.tools.ietf.org> <073501ce8c6e$f6c17d90$e44478b0$@digicert.com> <CAMm+LwjdGJC4FHCJ_OAYGRqCGGc0Nz1pLV=yVGK9M9E7drfujQ@mail.gmail.com> <CAOuvq200e9HnPX1w9sZ+e7ipBmdgZdPL5xzKDgcaDpSxz1N=gg@mail.gmail.com> <CAMm+Lwh384YBMXw-BDoxJw+AN4qv8x6GQpF9YK4PW1gQRnadpg@mail.gmail.com> <6125A841-6C85-4858-B37F-C021067F0CFA@checkpoint.com> <2035FF99-A079-4F2F-B4DE-962FE1C1B964@checkpoint.com> <CAOuvq20O9bqHGR-5eKPmasNnWEuNW7ACL7PxM09yoTmmyt1UUg@mail.gmail.com> <CAGZ8ZG2C4uB=4vgH325TWeNW89ne4E_DN0j9ZV0t2AKa1o+x9g@mail.gmail.com> <52089A35.9040103@mozilla.org> <CAGZ8ZG3HUUsQJ63mCqHd_LOq+KSdsVpG7Gibdif5dS4oGLywpA@mail.gmail.com> <52091598.7000306@mozilla.org> <faac23b0797219a618f8ffee1932f7e2.squirrel@webmail.dreamhost.com> <CAGZ8ZG1zRJ3fWsK7+Zd_CWjZKTms_YjAxFWzQ+=yrn_VTW+s4g@mail.gmail.com> <5209FF9D.1080208@mozilla.org> <CAGZ8ZG3-WgKuRCWSsB8U_Y72J9TYU83tsmY-QZ8=-8bOoxkj+A@mail.gmail.com> <520C166E.7000202@mozilla.org>
Date: Thu, 15 Aug 2013 01:20:18 -0700
Message-ID: <CAGZ8ZG0SHHFWkx-uQGAzCXXBijZw_PnsChfQ0zbmx5AWg6T2Vg@mail.gmail.com>
From: Trevor Perrin <trevp@trevp.net>
To: Gervase Markham <gerv@mozilla.org>
Content-Type: text/plain; charset="ISO-8859-1"
Cc: websec <websec@ietf.org>
Subject: Re: [websec] #58: Should we pin only SPKI, or also names
X-BeenThere: websec@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/websec>, <mailto:websec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/websec>
List-Post: <mailto:websec@ietf.org>
List-Help: <mailto:websec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/websec>, <mailto:websec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 15 Aug 2013 08:20:29 -0000

On Wed, Aug 14, 2013 at 4:44 PM, Gervase Markham <gerv@mozilla.org> wrote:
> On 14/08/13 18:20, Trevor Perrin wrote:
>> My point is that changes like CAs issuing new intermediates or
>> deprecating old roots MUST get incorporated into website pins somehow.
>
> Perhaps this is the point of disagreement.
>
> I would expect CAs to offer appropriate pinning advice with
> certificates, probably in the form of "paste this into your HPKP
> header". Once a cert is in use and pinned, no further changes to those
> pins need to be made.

So you're expecting sites to edit their HPKP header on every cert
change?  In that case I'd expect them to pin their end-entity key (see
reasons below).  I believe they'd have to edit the HPKP header twice:
 * Add their next end-entity key to the HPKP header
 * Wait for time T (where T is sufficient for all older pins to expire)
 * Switch to certificates with the new key
 * Once the switch is complete, delete the old key from the HPKP header

Sound right?


> No matter what happens to the CA's business, as
> long as the root and intermediate you are using are still valid (and,
> absent a CA breach, they will be - no CA sells certs which use roots and
> intermediates which expire before the cert finishes its lifetime), you
> don't have to worry. When you get a new cert (renewal), you'll get
> updated pinning advice.

In a strict sense I don't think this is true.  You're assuming every
end-entity cert "uses" a single root, which is constant for the
lifetime of the cert absent a CA breach.

But HPKP pins are checked against the browser-constructed cert path,
which might contain intermediates and roots different from what the
website sent, or thinks its "using".

Example:  You pin what you think is the root cert of your current
certificate.  3 months later the intermediate is upgraded to a root in
the browser's trust store, or becomes cross-certified by a different
root.  Your pin fails, as the browser no longer constructs paths that
use the pinned root.

See Ryan's explanation of AIA chasing for more on this [1].

While pinning the end-entity's immediate-parent intermediate doesn't
have this problem, I don't see that it has any advantage over pinning
the end-entity key directly.


> If you have pinned a backup provider, you will no doubt have sought
> similar pinning advice from them. There is more of a risk that this
> advice will need to change at a different time from you changing your
> cert, but that's OK, because you can change this stuff as much as you
> like and all you have to do is wait for caches to empty (30 days?).

Well, you *can* change your HPKP header as much as you like, but do
you want to?  If you pin several CAs, and find yourself having to edit
the HPKP header multiple times a year, isn't that kind of a hassle?

My point was not that it's impossible for websites to track CA key
lists, just that it would be more user-friendly if they didn't have
to.


Trevor


[1] http://www.ietf.org/mail-archive/web/websec/current/msg01425.html

v2.23.0 | Report a Bug | By Email