Re: [websec] Alissa Cooper's Yes on draft-ietf-websec-key-pinning-19: (with COMMENT)

Alissa Cooper <alissa@cooperw.in> Tue, 05 August 2014 22:57 UTC

Return-Path: <alissa@cooperw.in>
X-Original-To: websec@ietfa.amsl.com
Delivered-To: websec@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DB73D1B2C2C for <websec@ietfa.amsl.com>; Tue, 5 Aug 2014 15:57:33 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.698
X-Spam-Level:
X-Spam-Status: No, score=-2.698 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, MIME_QP_LONG_LINE=0.001, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id MHajCD_a251S for <websec@ietfa.amsl.com>; Tue, 5 Aug 2014 15:57:30 -0700 (PDT)
Received: from out3-smtp.messagingengine.com (out3-smtp.messagingengine.com [66.111.4.27]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6BE8F1B280A for <websec@ietf.org>; Tue, 5 Aug 2014 15:57:29 -0700 (PDT)
Received: from compute5.internal (compute5.nyi.internal [10.202.2.45]) by gateway1.nyi.internal (Postfix) with ESMTP id 51F8922CD1 for <websec@ietf.org>; Tue, 5 Aug 2014 18:57:25 -0400 (EDT)
Received: from frontend2 ([10.202.2.161]) by compute5.internal (MEProxy); Tue, 05 Aug 2014 18:57:25 -0400
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; d=cooperw.in; h=date :subject:from:to:cc:message-id:references:in-reply-to :mime-version:content-type; s=mesmtp; bh=qdoTqdkmtWbn0xSkniiir0g 5KTo=; b=jrIfE+KO0/UWAJF8g5IoipxGFWV6klAR+PrHhqSNnFIyO23qlhltdK5 +IwGO5a35IOabhRr8v+/nn4QjOBx4vZLoBvvxa1yIAs+Ytie0H22ED4siTutPrN7 JZS6uQzq7deYFftB7vo0A69voITeW16tL4FwmXhfW7fHCokNg34Y=
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; d= messagingengine.com; h=date:subject:from:to:cc:message-id :references:in-reply-to:mime-version:content-type; s=smtpout; bh=qdoTqdkmtWbn0xSkniiir0g5KTo=; b=cSlP4Gwv8kv3bGo/4nP0rx7mzEjF ChDYb2FzhXVW1PVmbopoKlJmMNjjAF0tAXGXENuAf0RpT71X1znAWopXVUYMwyRA qA09uoRaZxBW65gONRNhVj6CBIu1E0tDp6J+sOWNMOCp+o2PgCpWOqqJiC/V7UQ3 rL7+dVCUORFfWZY=
X-Sasl-enc: bLlTk9uY8/4g+ZByLdc0sCf/7B4uYRXUzIclb9BPXjX7 1407279444
Received: from [171.68.18.50] (unknown [171.68.18.50]) by mail.messagingengine.com (Postfix) with ESMTPA id 17DBE680142; Tue, 5 Aug 2014 18:57:21 -0400 (EDT)
User-Agent: Microsoft-MacOutlook/14.3.9.131030
Date: Tue, 05 Aug 2014 15:57:16 -0700
From: Alissa Cooper <alissa@cooperw.in>
To: Ryan Sleevi <sleevi@google.com>
Message-ID: <D006A98B.4D254%alissa@cooperw.in>
Thread-Topic: Alissa Cooper's Yes on draft-ietf-websec-key-pinning-19: (with COMMENT)
References: <20140805212736.4347.37060.idtracker@ietfa.amsl.com> <CACvaWvYLx4NBeg9JN6gFH57uDgB_szJvr=eq+Vdv1PihviQ1rA@mail.gmail.com>
In-Reply-To: <CACvaWvYLx4NBeg9JN6gFH57uDgB_szJvr=eq+Vdv1PihviQ1rA@mail.gmail.com>
Mime-version: 1.0
Content-type: multipart/alternative; boundary="B_3490099043_63119988"
Archived-At: http://mailarchive.ietf.org/arch/msg/websec/G0H6fjn6J6Qt3ZV6C-AhjS_k_Ks
Cc: draft-ietf-websec-key-pinning@tools.ietf.org, "<websec@ietf.org>" <websec@ietf.org>, The IESG <iesg@ietf.org>, websec-chairs@tools.ietf.org
Subject: Re: [websec] Alissa Cooper's Yes on draft-ietf-websec-key-pinning-19: (with COMMENT)
X-BeenThere: websec@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/websec>, <mailto:websec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/websec/>
List-Post: <mailto:websec@ietf.org>
List-Help: <mailto:websec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/websec>, <mailto:websec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 05 Aug 2014 22:57:34 -0000

Hi Ryan,

On 8/5/14, 2:41 PM, "Ryan Sleevi" <sleevi@google.com> wrote:

> 
> 
> 
> On Tue, Aug 5, 2014 at 2:27 PM, Alissa Cooper <alissa@cooperw.in> wrote:
>> Alissa Cooper has entered the following ballot position for
>> draft-ietf-websec-key-pinning-19: Yes
>> 
>> When responding, please keep the subject line intact and reply to all
>> email addresses included in the To and CC lines. (Feel free to cut this
>> introductory paragraph, however.)
>> 
>> 
>> Please refer to http://www.ietf.org/iesg/statement/discuss-criteria.html
>> for more information about IESG DISCUSS and COMMENT positions.
>> 
>> 
>> The document, along with other ballot positions, can be found here:
>> http://datatracker.ietf.org/doc/draft-ietf-websec-key-pinning/
>> 
>> 
>> 
>> ----------------------------------------------------------------------
>> COMMENT:
>> ----------------------------------------------------------------------
>> 
>> I agree with Pete's comment about the first sentence.
>> 
>> It would be nice if in Section 5 or 7 some suggestion could be made for
>> UAs to consider the relationship between the functionality they provide
>> to clear pins/pinned hosts and the functionality they provide to clear
>> (or prevent the storage of) other UA state. E.g., upon clearing one's
>> browsing history or entering private browsing mode, it seems like having
>> the option to clear pins/pinned hosts or not pin would make sense. This
>> is alluded to in Section 7 but not really tied to the threat described in
>> Section 5.
> 
> Just to confirm, you're looking to see an illustrative (non-normative)
> example/discussion of UI controls in Section 5, correct?

Yes, roughly — a non-normative discussion of the fact that UAs may want to
consider the relationship between pin-clearing and other forms of state
clearing (the same level of detail you already have in Section 7 would be
appropriate I think).

>  
>> 
>> I'm also curious about whether there is any reason to retain expired
>> pins? (Other than the fact that flushing them requires the UA to actively
>> check which ones are expired.)
> 
> I am having a bit of trouble parsing this question. The draft right now
> doesn't normatively say one way or the other how to treat expired pins post
> expiration. That is, pins are noted, they expire, but there are no
> post-expiration steps, since the behaviour is indistinguishable from an
> unpinned host.

Yes, I noted that, which is why I was asking about it. Deleting pins upon
expiry would reduce the amount of state the UA retains about the user’s
browsing history. In practice this might not mean much if the UA retains a
full browsing history anyway. But it could be a small privacy improvement
for a UA that doesn’t otherwise offer a way to clear pins. Then again, I’m
not sure that the situation where a UA doesn’t offer pin clearing but does
check for expired pins and delete them is realistic (what do you think?).
And the case you describe below seems quite compelling, so I’m not sure
there is anything to document here.

Alissa

> 
> 
> One reason to avoid proactively erasing pins would be situations of temporary
> clock skew, which is, anecdotally, a depressingly common occurrence. A user
> who temporarily experienced clock skew would not be protected from sites they
> visited during the skew (as pins would be expired), but could note new pins
> (following the pinning logic). If the clock skew was resolved (either manually
> or through a delayed reconcilliation, as many modern OSes now go through), the
> user's original pins would become viable again (within the expiration window).
> 
> This is a client misconfiguration that can't readily be accomodated or
> predicted on the server, and it's a complex one, so it seems non-ideal to
> document. The observable behaviour, from a server, is that if Client X
> attempts to access the Site Y with an expired pin, it's no different than if
> they had no Pin. That invariant is retained regardless of which behaviour the
> UA implements.
>