IETF Logo Mail Archive

Re: [websec] AD review of draft-ietf-websec-key-pinning-17

Chris Palmer <palmer@google.com> Fri, 04 July 2014 03:52 UTC

Return-Path: <palmer@google.com>
X-Original-To: websec@ietfa.amsl.com
Delivered-To: websec@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4434F1B2B50 for <websec@ietfa.amsl.com>; Thu, 3 Jul 2014 20:52:32 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.03
X-Spam-Level:
X-Spam-Status: No, score=-2.03 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FM_FORGED_GMAIL=0.622, RP_MATCHES_RCVD=-0.651, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id u1tqgUZtG_Z3 for <websec@ietfa.amsl.com>; Thu, 3 Jul 2014 20:52:29 -0700 (PDT)
Received: from mail-qc0-x230.google.com (mail-qc0-x230.google.com [IPv6:2607:f8b0:400d:c01::230]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5FA2E1B2A40 for <websec@ietf.org>; Thu, 3 Jul 2014 20:52:29 -0700 (PDT)
Received: by mail-qc0-f176.google.com with SMTP id w7so1069908qcr.35 for <websec@ietf.org>; Thu, 03 Jul 2014 20:52:28 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type:content-transfer-encoding; bh=bj4KRqp7tIBBgXmze21r87o6+faqOoBTFlRKNt0waNs=; b=SR7Ri9CAmsTitNPntJxPvve/8tpcEB9CqyPc0myDXas6MItUso2o0C5ju5exzZr2hO W0ASA4WWKVfK6E9e12VXBgoihZwoLJzOUuSwLgkcEXzZQLBuV1C9XxkE9QPJtMD+rIYa srS98h10IK42ZosKyHMS5+tTA9VTpXfz1xsqX/RtdMKCURCoh3JtMLi+obBS+eBrIJtK wYzic4GzoEUaIHeZ92tGDuogf/fIzthaDbvwuhgTNjEBAPJeMGQEDWfLBE+XCc/heDXF YTkOrhx8oQ2uLCCnsdL3q+wr3wos4t1aQjlJxXH0u0YYvn91RQusZX/wcYkdizAndPTw MrHg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:date :message-id:subject:from:to:cc:content-type :content-transfer-encoding; bh=bj4KRqp7tIBBgXmze21r87o6+faqOoBTFlRKNt0waNs=; b=T6cWL3VYMZfImJGpt3dFobnA8JB8L5jaqgtI7buiATFSOiY76Zv21Ieu6FxO9LebiS HEQG3plyaxwyHJmoY3T2NAJpzsAc+zz2pDCKf5Lwg75y5AA7UtxHwWO2W6WPbOP2nqsw 7Cu+YWFbc/JH7I125Shl5RBS7igZvQ9i6KP5c6gHEEyZC+wFLyrfdlO2sEpkOeo+c0V7 q2Om6oDPjBIrcGoeaQxeDOSAukoo1kwhvT6S8bHsVpD998hz2Ra3UChwoQAjyDBx7YDc uZxlM3N3+R6EO7vwWaJ2ML9MLKnBcn1bDaM2PKlp2xb7OV0HoD9FdvKIiMK6gUeryEBX 97Ww==
X-Gm-Message-State: ALoCoQky8+yfErKuLTwASsFo4DNMFM9WGgNlq5daOpmhfl3IX9GnhVFCcribV4/OzLOcZ58gNUQz
MIME-Version: 1.0
X-Received: by 10.140.32.166 with SMTP id h35mr13437608qgh.114.1404445948237; Thu, 03 Jul 2014 20:52:28 -0700 (PDT)
Received: by 10.229.162.3 with HTTP; Thu, 3 Jul 2014 20:52:28 -0700 (PDT)
In-Reply-To: <CALaySJLWny1EBpre_v_A80XTX2n0tSs1s7tXdh7z_joTHGNU6w@mail.gmail.com>
References: <CALaySJLWny1EBpre_v_A80XTX2n0tSs1s7tXdh7z_joTHGNU6w@mail.gmail.com>
Date: Thu, 03 Jul 2014 20:52:28 -0700
Message-ID: <CAOuvq21C=N7pd4d6RC2BCyCL6Ka9M91FTEBVeDXVx2-h_KjtUA@mail.gmail.com>
From: Chris Palmer <palmer@google.com>
To: Barry Leiba <barryleiba@computer.org>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: http://mailarchive.ietf.org/arch/msg/websec/FSG2yI4_peM-uDsy84Egp9wgOc0
Cc: draft-ietf-websec-key-pinning.all@tools.ietf.org, "websec@ietf.org" <websec@ietf.org>
Subject: Re: [websec] AD review of draft-ietf-websec-key-pinning-17
X-BeenThere: websec@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/websec>, <mailto:websec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/websec/>
List-Post: <mailto:websec@ietf.org>
List-Help: <mailto:websec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/websec>, <mailto:websec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 04 Jul 2014 03:52:32 -0000

Thanks Barry, for your many excellent contributions. I've incorporated
most everything you and Yoav suggested. Some additional discussion
below:

On Thu, Jun 26, 2014 at 4:00 AM, Barry Leiba <barryleiba@computer.org> wrote:

> NEW
>    When a connection passes Pin Validation using the UA's noted pins
>    for the Host at the time, the Host becomes a Known Pinned Host.
>
>    According to rule 5, above, the UA MUST ignore pin-directives with
>    tokens naming hash algorithms it does not recognize.  If the set of
>    remaining effective pin-directives is empty, and if the Host is a
>    Known Pinned Host, the UA MUST cease to consider the Host as a Known
>    Pinned Host (the UA should fail open).  The UA SHOULD indicate to
>    users that the Host is no longer a Known Pinned Host.
> END
>
> On the last sentence, though, I'm really unsure: are we really giving
> UI advice in a protocol document?  Is that a good idea?  Do w have any
> sense that my mother will have the first idea what you're talking
> about when you indicate this to her?

We feel that the minimal UI currently implemented in Chrome is
necessary for at least developers, operators, and organizational IT
staff to debug and generally cope with pinning. (In Chrome, visit
https://pinningtest.appspot.com/ and chrome://net-internals/#hsts.) By
"users" we mean not only non-technical people, but technical people
also. It is indeed likely to be the case that non-technical users will
never see any of this UI or care about pinning, but site operators
certainly will.

Additionally, we want to leave open the possibility that pinning
status could be exposed to users in some way. For example, we expose
Certificate Transparency status in Chrome: Click on the Lock icon to
bring up what we call the Page Info Bubble, then click the Connection
tab. The phrase "...does [not] have public audit records" is our CT
UI. Obviously, this is more "technical user-facing", but that such
indicators may be important for pinning as they are for CT.

That said, I am open to softening the language further.

> -- Section 2.1.3 --
> What does it mean to use POST on a URI that isn't http or https?  What
> do you do with a wss URI, for example?

I don't think we've considered that. Perhaps we should simply specify
HTTP or HTTPS.

>    The UA MUST ignore all
>    expired Known Pinned Hosts from its cache if, at any time, an expired
>    Known Pinned Host exists in the cache.
>
> Eh?  I don't understand what this is trying to say.  Do you mean "MUST
> *remove* them from its cache?  What's with the "at any time" bit?
> Please try rephrasing this -- I don't understand it well enough to
> try.

I gave it a bit of a rewrite, see what you think.

>    Although the UA has previously received Pins at the HTTP layer, it
>    can and MUST perform Pin Validation at the TLS layer, before
>    beginning an HTTP conversation over the TLS channel.  The TLS layer
>    thus evaluates TLS connections with pinning information the UA
>    received previously, regardless of mechanism: statically preloaded,
>    via HTTP header, or some other means (possibly in the TLS layer
>    itself).
>
> Can you re-word this?  It seems very strained, and I don't understand
> it.  There's no background for telling me what the UA has previously
> received.  I thought Pins *only* happened with TLS, so how can they
> have been received without it?  And please avoid phrasing such as "can
> and MUST"; it if MUST, it clearly can, or else the MUST is
> meaningless.

I also re-worded this a bit.

> -- Section 2.7 --
> In the first sentence, again, you're giving UI advice, and advice that
> I find questionable.  This is an option that will *only* be applicable
> to expert users, and that won't be understood, much less used, by
> 99.999% of UA users (certainly not by my mother).  I can't imagine how
> such advice, well intentioned though it may be, merits a SHOULD.

As above, this might mean something like "your company's IT staff set
up pre-loaded pins for your internal mail servers" or "your company's
IT staff doesn't want to use the pre-loaded pins that come with Foo
Browser." Only the IT people are likely to noodle around in an
interface as rudimentary as chrome://net-internals/#hsts, and that is
OK.

Control of policy should rest in the hands of the device owner, not
the UA vendor — hence the SHOULD.

>    Because having a backup key pair is so important to recovery, UAs
>    MUST require that hosts set a Backup Pin. (See Section 2.5.)
>
> Unless I misunderstand, this requirement means that if my server
> doesn't send a backup pin, my server doesn't benefit from key pinning
> (it's as though I never included the header in the first place).  If
> that's not true, then Section 2.5 needs to be fixed to make it clear
> that failure to include a backup pin constitutes a validation failure.
>
> If that is true, then you're trading off recovery for security, and I
> expect the Security ADs to question that.  To head that off, it might
> be good to acknowledge that here, and perhaps to say a few more words
> about it.

Correct. We discussed this at length during the drafting of the
specification, and I'm happy with where we ended up. We are trading
off availability vs. extra-bonus-strong authentication. For pinning to
be viable in the topsy-turvy world of the internet, we have to do
something to help site operators from inadvertantly DoSing themselves.
The Backup Pin requirement gives us that, and also serves as a way for
the UA (which knows very little) to make some minimal run-time
determination of site operator maturity.

Publishing the new version of the draft momentarily...

v2.29.0 | Report a Bug | By Email | System Status