IETF Logo Mail Archive

Re: [websec] A few comments on draft-ietf-websec-key-pinning

Yoav Nir <ynir@checkpoint.com> Mon, 12 December 2011 18:54 UTC

Return-Path: <ynir@checkpoint.com>
X-Original-To: websec@ietfa.amsl.com
Delivered-To: websec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D67BF21F8A96 for <websec@ietfa.amsl.com>; Mon, 12 Dec 2011 10:54:55 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -10.574
X-Spam-Level:
X-Spam-Status: No, score=-10.574 tagged_above=-999 required=5 tests=[AWL=0.025, BAYES_00=-2.599, RCVD_IN_DNSWL_HI=-8]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id FeH9LoKS0IzT for <websec@ietfa.amsl.com>; Mon, 12 Dec 2011 10:54:55 -0800 (PST)
Received: from michael.checkpoint.com (smtp.checkpoint.com [194.29.34.68]) by ietfa.amsl.com (Postfix) with ESMTP id 207BA21F84A8 for <websec@ietf.org>; Mon, 12 Dec 2011 10:54:50 -0800 (PST)
X-CheckPoint: {4EE64CA2-0-1B221DC2-1FFFF}
Received: from il-ex01.ad.checkpoint.com (il-ex01.ad.checkpoint.com [194.29.34.26]) by michael.checkpoint.com (8.13.8/8.13.8) with ESMTP id pBCIsknt017306; Mon, 12 Dec 2011 20:54:46 +0200
Received: from il-ex01.ad.checkpoint.com ([126.0.0.2]) by il-ex01.ad.checkpoint.com ([126.0.0.2]) with mapi; Mon, 12 Dec 2011 20:54:46 +0200
From: Yoav Nir <ynir@checkpoint.com>
To: Marsh Ray <marsh@extendedsubset.com>
Date: Mon, 12 Dec 2011 20:55:02 +0200
Thread-Topic: [websec] A few comments on draft-ietf-websec-key-pinning
Thread-Index: Acy4/4QdGupFAw5YRbCyw2bIQrQ2zw==
Message-ID: <601A5BD0-2ED5-4F97-9B1E-EF355D95B63E@checkpoint.com>
References: <7C746AD7-9448-4883-9A30-85A2E72C8AF5@gmail.com> <32ED4792-4720-471A-A074-ECDAA172CC47@vpnc.org> <39133E20-4136-4AA4-B7C6-48DC1299109E@checkpoint.com> <430F2576-C8CB-4F2C-A3A3-BADDE4600A06@vpnc.org> <4EE62342.9030303@extendedsubset.com>
In-Reply-To: <4EE62342.9030303@extendedsubset.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
acceptlanguage: en-US
x-kse-antivirus-interceptor-info: scan successful
x-kse-antivirus-info: Clean
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Cc: IETF WebSec WG <websec@ietf.org>, Paul Hoffman <paul.hoffman@vpnc.org>
Subject: Re: [websec] A few comments on draft-ietf-websec-key-pinning
X-BeenThere: websec@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/websec>, <mailto:websec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/websec>
List-Post: <mailto:websec@ietf.org>
List-Help: <mailto:websec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/websec>, <mailto:websec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 12 Dec 2011 18:54:56 -0000

On Dec 12, 2011, at 5:52 PM, Marsh Ray wrote:

> On 12/12/2011 09:06 AM, Paul Hoffman wrote:
>> 
>> On Dec 12, 2011, at 6:57 AM, Yoav Nir wrote:
>>> A year from now, "sha-256" is going to be ambiguous. Better to say
>>> "sha2-256".
>> 
>> Good point, and one that might be made on the SAAG list as well.
> 
> It's already somewhat ambiguous now that NIST has
> defined SHA[-2]-512/256.
> 
> http://csrc.nist.gov/publications/PubsDrafts.html#fips-180-4

Then that is what it must be called: "sha2-512/256". I think that's a legal string in HTTP headers.

Supposedly this is faster on 64-bit applications. I wonder if that is true in practice. So far, I have seen no implementations of this hash function.

v2.23.0 | Report a Bug | By Email