IETF Logo Mail Archive

Re: [websec] #58: Should we pin only SPKI, or also names

Gervase Markham <gerv@mozilla.org> Thu, 15 August 2013 08:30 UTC

Return-Path: <gerv@mozilla.org>
X-Original-To: websec@ietfa.amsl.com
Delivered-To: websec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BD30E11E80EA for <websec@ietfa.amsl.com>; Thu, 15 Aug 2013 01:30:53 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.677
X-Spam-Level:
X-Spam-Status: No, score=-2.677 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, HELO_MISMATCH_ORG=0.611, HOST_MISMATCH_COM=0.311, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Goyzc8LEd4XK for <websec@ietfa.amsl.com>; Thu, 15 Aug 2013 01:30:47 -0700 (PDT)
Received: from smtp.mozilla.org (mx1.corp.phx1.mozilla.com [63.245.216.69]) by ietfa.amsl.com (Postfix) with ESMTP id BAC0611E8127 for <websec@ietf.org>; Thu, 15 Aug 2013 01:30:47 -0700 (PDT)
Received: from [192.168.0.101] (93.243.187.81.in-addr.arpa [81.187.243.93]) (Authenticated sender: gerv@mozilla.org) by mx1.mail.corp.phx1.mozilla.com (Postfix) with ESMTPSA id 77C73F22FA; Thu, 15 Aug 2013 01:30:45 -0700 (PDT)
Message-ID: <520C91B3.20402@mozilla.org>
Date: Thu, 15 Aug 2013 09:30:43 +0100
From: Gervase Markham <gerv@mozilla.org>
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:17.0) Gecko/20130620 Thunderbird/17.0.7
MIME-Version: 1.0
To: Trevor Perrin <trevp@trevp.net>
References: <060.be9b0009dc0350ca543f553042673944@trac.tools.ietf.org> <CAMm+LwjdGJC4FHCJ_OAYGRqCGGc0Nz1pLV=yVGK9M9E7drfujQ@mail.gmail.com> <CAOuvq200e9HnPX1w9sZ+e7ipBmdgZdPL5xzKDgcaDpSxz1N=gg@mail.gmail.com> <CAMm+Lwh384YBMXw-BDoxJw+AN4qv8x6GQpF9YK4PW1gQRnadpg@mail.gmail.com> <6125A841-6C85-4858-B37F-C021067F0CFA@checkpoint.com> <2035FF99-A079-4F2F-B4DE-962FE1C1B964@checkpoint.com> <CAOuvq20O9bqHGR-5eKPmasNnWEuNW7ACL7PxM09yoTmmyt1UUg@mail.gmail.com> <CAGZ8ZG2C4uB=4vgH325TWeNW89ne4E_DN0j9ZV0t2AKa1o+x9g@mail.gmail.com> <52089A35.9040103@mozilla.org> <CAGZ8ZG3HUUsQJ63mCqHd_LOq+KSdsVpG7Gibdif5dS4oGLywpA@mail.gmail.com> <52091598.7000306@mozilla.org> <faac23b0797219a618f8ffee1932f7e2.squirrel@webmail.dreamhost.com> <CAGZ8ZG1zRJ3fWsK7+Zd_CWjZKTms_YjAxFWzQ+=yrn_VTW+s4g@mail.gmail.com> <5209FF9D.1080208@mozilla.org> <CAGZ8ZG3-WgKuRCWSsB8U_Y72J9TYU83tsmY-QZ8=-8bOoxkj+A@mail.gmail.com> <520C166E.7000202@mozilla.org> <CAGZ8ZG0SHHFWkx-uQGAzCXXBijZw_PnsChfQ0zbmx5AWg6T2Vg@mail.gmail.com>
In-Reply-To: <CAGZ8ZG0SHHFWkx-uQGAzCXXBijZw_PnsChfQ0zbmx5AWg6T2Vg@mail.gmail.com>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: 7bit
Cc: websec <websec@ietf.org>
Subject: Re: [websec] #58: Should we pin only SPKI, or also names
X-BeenThere: websec@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/websec>, <mailto:websec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/websec>
List-Post: <mailto:websec@ietf.org>
List-Help: <mailto:websec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/websec>, <mailto:websec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 15 Aug 2013 08:30:53 -0000

On 15/08/13 09:20, Trevor Perrin wrote:
> So you're expecting sites to edit their HPKP header on every cert
> change?

No; it's quite possible that the advice on renew would be "keep the same
pins".

And I'd expect the CA to talk about the trade-offs with the customer
before offering their best advice for the customer's situation.

>  * Add their next end-entity key to the HPKP header
>  * Wait for time T (where T is sufficient for all older pins to expire)
>  * Switch to certificates with the new key
>  * Once the switch is complete, delete the old key from the HPKP header
> 
> Sound right?

Pinning to an end-entity key is indeed more work. I suspect that for
most sites, the best trade-off will be pinning to two or three roots,
one from each of two or three different CAs, where the CA has told them
"yes, we issue certs from this root for sites like you, and will
continue to do so for the forseeable future".

>> No matter what happens to the CA's business, as
>> long as the root and intermediate you are using are still valid (and,
>> absent a CA breach, they will be - no CA sells certs which use roots and
>> intermediates which expire before the cert finishes its lifetime), you
>> don't have to worry. When you get a new cert (renewal), you'll get
>> updated pinning advice.
> 
> In a strict sense I don't think this is true.  You're assuming every
> end-entity cert "uses" a single root, which is constant for the
> lifetime of the cert absent a CA breach.
> 
> But HPKP pins are checked against the browser-constructed cert path,
> which might contain intermediates and roots different from what the
> website sent, or thinks its "using".

That is true; however, a CA should be aware of the possible different
constructible paths, and provide pinning advice which takes them into
account.

> Example:  You pin what you think is the root cert of your current
> certificate.  3 months later the intermediate is upgraded to a root in
> the browser's trust store, or becomes cross-certified by a different
> root.  Your pin fails, as the browser no longer constructs paths that
> use the pinned root.

In this scenario, you seem to have failed to consult your CA for advice
on how best to pin to their chain :-)

> My point was not that it's impossible for websites to track CA key
> lists, just that it would be more user-friendly if they didn't have
> to.

In the sense you are discussing, I agree an alias is less precise, and
therefore more user-friendly. As I said previously, aliases are not
_all_ bad.

Gerv

v2.23.0 | Report a Bug | By Email