Re: [websec] #58: Should we pin only SPKI, or also names

Chris Palmer <palmer@google.com> Thu, 08 August 2013 20:57 UTC

In-Reply-To: <2B676EE1-AF70-4905-B184-0CABEFCB7C71@checkpoint.com>
References: <060.be9b0009dc0350ca543f553042673944@trac.tools.ietf.org> <073501ce8c6e$f6c17d90$e44478b0$@digicert.com> <CAMm+LwjdGJC4FHCJ_OAYGRqCGGc0Nz1pLV=yVGK9M9E7drfujQ@mail.gmail.com> <CAOuvq200e9HnPX1w9sZ+e7ipBmdgZdPL5xzKDgcaDpSxz1N=gg@mail.gmail.com> <CAMm+Lwh384YBMXw-BDoxJw+AN4qv8x6GQpF9YK4PW1gQRnadpg@mail.gmail.com> <6125A841-6C85-4858-B37F-C021067F0CFA@checkpoint.com> <2035FF99-A079-4F2F-B4DE-962FE1C1B964@checkpoint.com> <CAGZ8ZG2Ex9Cvft38zSQX5Hcu3hU40HOjpAM+9fCG=JgBJM55Qg@mail.gmail.com> <520214F7.8020308@mozilla.org> <CAGZ8ZG2N7NBUvjYQVw=CKgnq1KG5JfeN9hZU2-DSKT6OFmBVFg@mail.gmail.com> <52021982.8030108@mozilla.org> <CAGZ8ZG2OCCziSn-WtFGdCGnFEVTFz=9truK6kkFkF3pq1TEyNA@mail.gmail.com> <CB91CFAD-5C75-42C1-9A04-89D55E5E669C@checkpoint.com> <CAGZ8ZG3hmQL4+Jnt-vA7OU=tVpGJ9JXE2eR+Pwr=cyLDg7HfYw@mail.gmail.com> <5203FD0E.40506@gondrom.org> <2B676EE1-AF70-4905-B184-0CABEFCB7C71@checkpoint.com>
Date: Thu, 08 Aug 2013 13:57:47 -0700
Message-ID: <CAOuvq205dUTiduLC8bNM95qB+Tnv5-Xeg4xZVn80+1DLWoVROA@mail.gmail.com>
From: Chris Palmer <palmer@google.com>
To: Yoav Nir <ynir@checkpoint.com>
Cc: "<websec@ietf.org>" <websec@ietf.org>
Subject: Re: [websec] #58: Should we pin only SPKI, or also names

On Thu, Aug 8, 2013 at 1:42 PM, Yoav Nir <ynir@checkpoint.com> wrote:

> If you go to https://www.iana.org, you get the following certificate chain:
>  - *.iana.org
>  - Go Daddy Secure Certification Authority
>  - Go Daddy Class 2 Certification Authority
>
> So without any registry, you can pin to "Go Daddy Class 2 Certification Authority". But the next time IANA needs to get a certificate (August 2016), even if they get it from Go Daddy, they might get it from the other root CA ("Go Daddy Root Certificate Authority - G2"), which signs with SHA-256, and who knows, by then they might have a new one, perhaps with ECDSA. As a customer, you talk to a vendor. Most customers don't know which TA is actually going to be used. In some cases (Symantec) there are very many of them.
>
> Someone needs to map "Symantec" to a list of pins, and IMO that someone is neither the IETF nor IANA.

Insane idea (yes, I know it is insane): What if we chose not to have a
registry, and let people use substrings of issuer certificate
CNs/OUs/whatevers as trust anchor set names?

Obvious problems:

* character set encoding in the HTTP header vs. in the X.509
certificate: Welcome To Fun-Land, Where Fun Is Not Very Fun(TM)
* silly substrings, like "Go" matching both "...Go Daddy..." and
"...Google Internet Authority..." and "...Evil Bad People (Goats)..."
* substitution characters: should "Securite" match "...Sécurité Réseau..."?

I'm sure we can all think of more problems...
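As an added illustration that is not part of the thread: the script below contrasts the two approaches under discussion. It computes RFC 7469 style pin-sha256 values over a DER SubjectPublicKeyInfo and replays Yoav's renewal scenario (a pin set holding only the Go Daddy Class 2 root fails once the site chains to the G2 root), then implements the issuer-name-substring matcher Chris proposes and shows the three problems he lists. All keys are constructed stand-ins (Ed25519 keys wrapped per RFC 8410, chosen only because the DER is short), the chains are hypothetical, and the "(renewed)" leaf and the " CA" suffix on the accented issuer name are assumptions; the tag constants are the RFC 5280 DirectoryString tags.

```python
"""Added example: SPKI pins vs. issuer-name substring "pins". Constructed data only;
the keys below are stand-ins, not the real keys of any CA named in the thread."""
import base64
import hashlib
import unicodedata

# ---- Pinning by SubjectPublicKeyInfo hash (the HPKP / RFC 7469 approach) ----

def ed25519_spki_der(raw_pubkey: bytes) -> bytes:
    """Wrap a 32-byte Ed25519 public key as a DER SubjectPublicKeyInfo (RFC 8410):
    SEQUENCE { SEQUENCE { OID 1.3.101.112 }, BIT STRING { 0 unused bits, key } }."""
    if len(raw_pubkey) != 32:
        raise ValueError("Ed25519 public keys are 32 bytes")
    algorithm = b"\x30\x05\x06\x03\x2b\x65\x70"        # AlgorithmIdentifier, 7 bytes
    subject_public_key = b"\x03\x21\x00" + raw_pubkey   # BIT STRING, 35 bytes
    body = algorithm + subject_public_key               # 42 bytes -> short-form length
    return b"\x30" + bytes([len(body)]) + body

def spki_pin(spki_der: bytes) -> str:
    """pin-sha256 value: base64(SHA-256(DER-encoded SubjectPublicKeyInfo))."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")

def pin_validates(chain_spkis, pin_set) -> bool:
    """Pin validation succeeds if ANY SPKI in the served chain matches ANY pin."""
    return any(spki_pin(s) in pin_set for s in chain_spkis)

# Stand-in keys for the certificates named in the thread (constructed, not real).
KEYS = {
    "*.iana.org":                               bytes([0x01] * 32),
    "Go Daddy Secure Certification Authority":  bytes([0x02] * 32),
    "Go Daddy Class 2 Certification Authority": bytes([0x03] * 32),
    "Go Daddy Root Certificate Authority - G2": bytes([0x04] * 32),
    "*.iana.org (renewed)":                     bytes([0x05] * 32),  # hypothetical
}
SPKI = {name: ed25519_spki_der(key) for name, key in KEYS.items()}

# The chain quoted in the thread, and a hypothetical renewal under the other Go Daddy root.
CHAIN_TODAY = [SPKI["*.iana.org"],
               SPKI["Go Daddy Secure Certification Authority"],
               SPKI["Go Daddy Class 2 Certification Authority"]]
CHAIN_RENEWED = [SPKI["*.iana.org (renewed)"],
                 SPKI["Go Daddy Root Certificate Authority - G2"]]

def rotation_outcome() -> dict:
    """Pinning one Go Daddy root works until the CA issues from the other one."""
    class2_only = {spki_pin(SPKI["Go Daddy Class 2 Certification Authority"])}
    both_roots = class2_only | {spki_pin(SPKI["Go Daddy Root Certificate Authority - G2"])}
    return {
        "class2_only/today":   pin_validates(CHAIN_TODAY, class2_only),    # True
        "class2_only/renewed": pin_validates(CHAIN_RENEWED, class2_only),  # False: site unreachable
        "both_roots/renewed":  pin_validates(CHAIN_RENEWED, both_roots),   # True
    }

# ---- Pinning by issuer-name substring (the "insane idea") -------------------

# Issuer CNs taken from the e-mail; the last one has " CA" appended (assumption).
ISSUER_NAMES = [
    "Go Daddy Class 2 Certification Authority",
    "Go Daddy Root Certificate Authority - G2",
    "Google Internet Authority",
    "Evil Bad People (Goats)",
    "Sécurité Réseau CA",
]

def name_pin_matches(substring: str, issuer_names, fold_accents: bool = False) -> list:
    """Every issuer a substring 'pin' would accept; more than one hit means the 'pin'
    names no single trust-anchor set. fold_accents strips diacritics via NFKD, which is
    one possible (policy!) answer to the "Securite" question."""
    def fold(s: str) -> str:
        if not fold_accents:
            return s
        return "".join(c for c in unicodedata.normalize("NFKD", s) if not unicodedata.combining(c))
    needle = fold(substring)
    return [name for name in issuer_names if needle in fold(name)]

# X.509 DirectoryString tags (RFC 5280 4.1.2.4): the same CN can be encoded several ways.
UTF8STRING, PRINTABLESTRING, BMPSTRING = 0x0C, 0x13, 0x1E

def decode_directory_string(tag: int, raw: bytes) -> str:
    """Decode a DirectoryString value to text before comparing it with a header value."""
    if tag == UTF8STRING:
        return raw.decode("utf-8")
    if tag == PRINTABLESTRING:
        return raw.decode("ascii")
    if tag == BMPSTRING:
        return raw.decode("utf-16-be")
    raise ValueError(f"unsupported DirectoryString tag 0x{tag:02x}")

def byte_substring_match(header_value: str, raw_cn: bytes) -> bool:
    """The lazy way: compare header bytes against the CN's raw DER bytes. Fails on BMPString."""
    return header_value.encode("utf-8") in raw_cn

def text_substring_match(header_value: str, tag: int, raw_cn: bytes) -> bool:
    """Decode by tag first, then compare as text."""
    return header_value in decode_directory_string(tag, raw_cn)
```

`rotation_outcome()` is the registry-free failure mode: the SPKI pin is exact and stable, so the operator must know in advance every root the CA may issue from and put all of them in the pin set. `name_pin_matches("Go", ISSUER_NAMES)` returns four issuers, and the same header value "Sécurité" matches a UTF8String CN but not a BMPString one unless the matcher decodes by tag first, which is the encoding problem the e-mail flags.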