[websec] separate pinning header (was: Pinning and beyond...)
=JeffH <Jeff.Hodges@KingsMountain.com> Fri, 14 October 2011 22:05 UTC
Return-Path: <Jeff.Hodges@KingsMountain.com>
X-Original-To: websec@ietfa.amsl.com
Delivered-To: websec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8839621F8D16 for <websec@ietfa.amsl.com>; Fri, 14 Oct 2011 15:05:14 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -99.523
X-Spam-Level:
X-Spam-Status: No, score=-99.523 tagged_above=-999 required=5 tests=[AWL=0.372, BAYES_00=-2.599, FH_RELAY_NODNS=1.451, HELO_MISMATCH_COM=0.553, J_CHICKENPOX_48=0.6, RDNS_NONE=0.1, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 4t94QrlGHpGC for <websec@ietfa.amsl.com>; Fri, 14 Oct 2011 15:05:14 -0700 (PDT)
Received: from oproxy3-pub.bluehost.com (oproxy3.bluehost.com [IPv6:2605:dc00:100:2::a3]) by ietfa.amsl.com (Postfix) with SMTP id 054D121F8CE1 for <websec@ietf.org>; Fri, 14 Oct 2011 15:05:13 -0700 (PDT)
Received: (qmail 22837 invoked by uid 0); 14 Oct 2011 22:05:13 -0000
Received: from unknown (HELO box514.bluehost.com) (74.220.219.114) by oproxy3.bluehost.com with SMTP; 14 Oct 2011 22:05:13 -0000
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=kingsmountain.com; s=default; h=Content-Transfer-Encoding:Content-Type:Subject:To:MIME-Version:From:Date:Message-ID; bh=ftMU2iN0ZqMWD9qrAJQFSb47cIE0i7k8YAkKMdxChbc=; b=wlB8P2qM7hetvVgk/SyAWSIen+rJnruTbDpw5MZszpAhh2qjx/ADnPSRUAcknHkvIioXpDB5ULuQ6qQ1bc8jp1y+ecfbDiQXv0FgpquXP5e1vh7Ti97OVccWCqzpNw67;
Received: from outbound4.ebay.com ([216.113.168.128] helo=[10.244.136.89]) by box514.bluehost.com with esmtpsa (TLSv1:AES256-SHA:256) (Exim 4.76) (envelope-from <Jeff.Hodges@KingsMountain.com>) id 1REpsP-00030c-5p for websec@ietf.org; Fri, 14 Oct 2011 16:05:13 -0600
Message-ID: <4E98B219.2050609@KingsMountain.com>
Date: Fri, 14 Oct 2011 15:05:13 -0700
From: =JeffH <Jeff.Hodges@KingsMountain.com>
User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.23) Gecko/20110921 Thunderbird/3.1.15
MIME-Version: 1.0
To: IETF WebSec WG <websec@ietf.org>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
X-Identified-User: {11025:box514.bluehost.com:kingsmou:kingsmountain.com} {sentby:smtp auth 216.113.168.128 authed with jeff.hodges+kingsmountain.com}
Subject: [websec] separate pinning header (was: Pinning and beyond...)
X-BeenThere: websec@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/websec>, <mailto:websec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/websec>
List-Post: <mailto:websec@ietf.org>
List-Help: <mailto:websec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/websec>, <mailto:websec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 14 Oct 2011 22:05:14 -0000
from <https://tools.ietf.org/html/draft-evans-palmer-hsts-pinning-00> : > 6.5. Pinning Without Requiring HTTPS > > Some host operators would like to take advantage of certificate > pinning without requiring HTTPS, but having clients require pins in > the event that they do connect to the host with HTTPS. As specified > above, the current HSTS-based mechanism does not allow for this: > clients that receive the pins directive via HSTS will also therefore > require HTTPS -- that is the purpose of HSTS after all. To have an > additional directive, e.g. mode=optional, would not work because > older clients that support HSTS but not the mode extension would > effectively require HTTPS. > > Alternatives include (a) putting the pins directive in a new header > instead of extending HSTS; and (b) some kind of hack like setting > maxAge=0 and having an additional directive to keep the pins alive > (e.g. pinMaxAge). These alternatives seem ugly to us and we welcome > suggestions for a better way to support this deployment scenario. In this thread.. Re: [websec] Pinning and beyond Was: Next rev of HSTS certificate pinning draft (Tobias Gondrom) https://www.ietf.org/mail-archive/web/websec/current/msg00593.html ..several folks make the argument for option (a) putting the pins directive in a new header instead of extending HSTS, which I'm tending to agree with. It seems to be the cleanest approach overall. If we had a header that looks like.. PINS: max-age=n; pin=...; pin=...; ... ..and assuming we're not using the pin-break-verifier-and-code mechanism (as discussed in another thread ("breaking pins")), then a UA could manage pins using these steps: If UA connects (over TLS and without TLS errors/warnings) to previously-unpinned TLS host, and receives correct PIN header with max-age > 0, then UA notes host as Known Pinned Host. If UA validly connects to Known Pinned Host (over TLS) and any info in returned PIN header differs from noted info, and header's max-age > 0, it notes the newer info. This means that if a formerly asserted pin fingerprint no longer appears, the UA removes that unmentioned pin fingerprint from the Known Pinned Host's metadata. If a new one appears, it adds it. If UA validly connects to Known Pinned Host (over TLS) and the received PIN header's max-age = 0, it unnotes (i.e. forgets) the host as a Pinned Host. Thoughts? =JeffH
- [websec] separate pinning header (was: Pinning an… =JeffH
- Re: [websec] separate pinning header (was: Pinnin… Tom Ritter
- Re: [websec] separate pinning header (was: Pinnin… Phillip Hallam-Baker
- Re: [websec] separate pinning header (was: Pinnin… Chris Palmer