Re: [websec] #58: Should we pin only SPKI, or also names

Tobias Gondrom <tobias.gondrom@gondrom.org> Thu, 08 August 2013 20:18 UTC

Message-ID: <5203FD0E.40506@gondrom.org>
To: websec@ietf.org
In-Reply-To: <CAGZ8ZG3hmQL4+Jnt-vA7OU=tVpGJ9JXE2eR+Pwr=cyLDg7HfYw@mail.gmail.com>

Hi,

<no hats>

On 08/08/13 04:38, Trevor Perrin wrote:
> On Wed, Aug 7, 2013 at 8:53 AM, Yoav Nir <ynir@checkpoint.com> wrote:
>> On Aug 7, 2013, at 1:14 PM, Trevor Perrin <trevp@trevp.net> wrote:
>>> Only CAs which had "opted-in" and provided the requisite info to
>>> browsers would be in the table.
>> I'm only wondering where I get a copy of that table and who maintains it.
> CAs and Browsers would have to work that out.  I don't know what their
> preferred coordination method would be.
>

Hm, I did expect we could do the name pinning - if we want to do it -
without additional coordination at all for this. If you pin to the name
in the cert, this would only allow certs from this CA to be trusted for
this specific domain. As in the repository of the browsers as it is
today already. What did I miss here?

And I would strongly advise against any additional coordination
exercises as this makes the adoption more complicated and less likely.

Best regards, Tobias


> Trevor
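As an added illustration of the point in Tobias's message (example code, not from the thread or from any pinning specification): a toy client-side check where a pin set may hold SPKI hashes and/or CA names. A name pin is only honoured when the chain already validates to the client's own trust store, so no additional CA/browser coordination table is involved. The certificates, names and SPKI bytes are constructed placeholders.

```python
import base64
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    spki: bytes  # DER SubjectPublicKeyInfo (constructed placeholder bytes here)


def spki_pin(cert: Cert) -> str:
    """HPKP-style pin value: base64(SHA-256(SPKI))."""
    return base64.b64encode(hashlib.sha256(cert.spki).digest()).decode()


def chain_is_trusted(chain, trusted_roots) -> bool:
    """Stand-in for path validation: each cert names the next as its issuer and
    the last cert is a root already in the client's trust store (no signature
    checks here; a real client verifies signatures, validity and constraints)."""
    for child, parent in zip(chain, chain[1:]):
        if child.issuer != parent.subject:
            return False
    return chain[-1] in trusted_roots


def pins_satisfied(chain, spki_pins, name_pins) -> bool:
    """Pin set is met if some chain cert's SPKI hash is pinned, OR some chain
    cert was issued by a pinned CA name (the 'name pinning' alternative)."""
    if any(spki_pin(c) in spki_pins for c in chain):
        return True
    return any(c.issuer in name_pins for c in chain)


def accept(chain, trusted_roots, spki_pins=frozenset(), name_pins=frozenset()) -> bool:
    """Trust-store validation first, then the pin check; both must pass.
    Because the name pin rides on the client's existing trust store, a rogue
    cert merely bearing a pinned CA name does not pass."""
    return chain_is_trusted(chain, trusted_roots) and pins_satisfied(chain, spki_pins, name_pins)


# Constructed sample data: two roots in the trust store, one leaf from each.
ROOT_A = Cert("CN=Example Root CA A", "CN=Example Root CA A", b"spki-root-a")
ROOT_B = Cert("CN=Example Root CA B", "CN=Example Root CA B", b"spki-root-b")
TRUST_STORE = frozenset({ROOT_A, ROOT_B})
LEAF_A = Cert("CN=www.example.test", "CN=Example Root CA A", b"spki-leaf-a")
LEAF_B = Cert("CN=www.example.test", "CN=Example Root CA B", b"spki-leaf-b")
CHAIN_A = [LEAF_A, ROOT_A]
CHAIN_B = [LEAF_B, ROOT_B]
```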