Re: [websec] I-D Action: draft-ietf-websec-key-pinning-20.txt
"Mehner, Carl" <Carl.Mehner@usaa.com> Fri, 15 August 2014 22:02 UTC
Return-Path: <prvs=03043d89bb=carl.mehner@usaa.com>
X-Original-To: websec@ietfa.amsl.com
Delivered-To: websec@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 168331A06D3 for <websec@ietfa.amsl.com>; Fri, 15 Aug 2014 15:02:58 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.569
X-Spam-Level:
X-Spam-Status: No, score=-7.569 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5, RP_MATCHES_RCVD=-0.668, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id N1h1uT9Ck2B0 for <websec@ietfa.amsl.com>; Fri, 15 Aug 2014 15:02:55 -0700 (PDT)
Received: from prodomx01.usaa.com (prodomx01.usaa.com [167.24.101.120]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 527271A06D2 for <websec@ietf.org>; Fri, 15 Aug 2014 15:02:54 -0700 (PDT)
Received: from pps.filterd (prodomx01.usaa.com [127.0.0.1]) by prodomx01.usaa.com (8.14.5/8.14.5) with SMTP id s7FLxW5A006432; Fri, 15 Aug 2014 17:02:51 -0500
Received: from prodexch03w.eagle.usaa.com (prodexch03w.usaa.com [10.70.41.152]) by prodomx01.usaa.com with ESMTP id 1nph6c3evq-1; Fri, 15 Aug 2014 17:02:51 -0500
Received: from PRODEXCH11W.eagle.usaa.com (10.70.40.36) by PRODEXCH03W.eagle.usaa.com (10.70.41.152) with Microsoft SMTP Server (TLS) id 14.3.158.1; Fri, 15 Aug 2014 17:02:51 -0500
Received: from PRODEXMB01W.eagle.usaa.com ([169.254.1.161]) by PRODEXCH11W.eagle.usaa.com ([10.70.40.36]) with mapi id 14.03.0158.001; Fri, 15 Aug 2014 17:02:51 -0500
From: "Mehner, Carl" <Carl.Mehner@usaa.com>
To: "websec@ietf.org" <websec@ietf.org>
Thread-Topic: [websec] I-D Action: draft-ietf-websec-key-pinning-20.txt
Thread-Index: AQHPuNSnPAJPbxM0q0WPAcHDcJDc7w==
Date: Fri, 15 Aug 2014 22:02:50 +0000
Message-ID: <19075EB00EA7FE49AFF87E5818D673D4111F5EA2@PRODEXMB01W.eagle.usaa.com>
References: <20140807181140.4935.81427.idtracker@ietfa.amsl.com>
In-Reply-To: <20140807181140.4935.81427.idtracker@ietfa.amsl.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.122.15.114]
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-Proofpoint-Direction: FromExch
X-Proofpoint-Direction: Internet
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10432:5.12.52, 1.0.27, 0.0.0000 definitions=2014-08-15_06:2014-08-15,2014-08-15,1970-01-01 signatures=0
Archived-At: http://mailarchive.ietf.org/arch/msg/websec/HZlId9B9v8knkvlF0kmw5WnWXSg
Cc: "cevans@google.com" <cevans@google.com>, Ryan Sleevi <sleevi@google.com>
Subject: Re: [websec] I-D Action: draft-ietf-websec-key-pinning-20.txt
X-BeenThere: websec@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/websec>, <mailto:websec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/websec/>
List-Post: <mailto:websec@ietf.org>
List-Help: <mailto:websec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/websec>, <mailto:websec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 15 Aug 2014 22:02:58 -0000
Sorry for the late, last minute review. I found one capitalization nit, one issue, and one personal-opinion-based nit. Section 2.1; The first word of the sentence should be capitalized. Old: . token and quoted-string are used New: . Token and quoted-string are used Section 4.2 Public-Key-Pins: pin-sha256="GHI..."; pin-sha256="JKL..." This is not a valid Pinning Header as is stated due to it missing the REQUIRED max-age directive. I recommend changing to: Public-Key-Pins: max-age=12000; pin-sha256="GHI..."; pin-sha256="JKL..." Appendix A: I understand the POSIX shell may be desirable for some, but openssl is used for everything except for the very last command here. Therefore, I think that it would make more sense to just have the whole thing be openssl commands so that Windows users will also be able to create key pins locally using the direct commands from the draft. Old: This POSIX shell program generates SPKI Fingerprints... ... openssl dgst -sha256 -binary public.key | base64 New: This OpenSSL command generates SPKI Fingerprints... ... openssl dgst -sha256 -binary public.key | openssl enc -base64 -cem > -----Original Message----- > From: websec [mailto:websec-bounces@ietf.org] On Behalf Of internet- > drafts@ietf.org > Sent: Thursday, August 07, 2014 1:12 PM > To: i-d-announce@ietf.org > Cc: websec@ietf.org > Subject: EXTERNAL: [websec] I-D Action: draft-ietf-websec-key-pinning- > 20.txt > > > A New Internet-Draft is available from the on-line Internet-Drafts > directories. > This draft is a work item of the Web Security Working Group of the > IETF. > > Title : Public Key Pinning Extension for HTTP > Authors : Chris Evans > Chris Palmer > Ryan Sleevi > Filename : draft-ietf-websec-key-pinning-20.txt > Pages : 26 > Date : 2014-08-07 > > Abstract: > This document describes an extension to the HTTP protocol allowing > web host operators to instruct user agents to remember ("pin") the > hosts' cryptographic identities for a given period of time. During > that time, UAs will require that the host present a certificate > chain > including at least one Subject Public Key Info structure whose > fingerprint matches one of the pinned fingerprints for that host. > By > effectively reducing the number of authorities who can authenticate > the domain during the lifetime of the pin, pinning may reduce the > incidence of man-in-the-middle attacks due to compromised > Certification Authorities. > > > The IETF datatracker status page for this draft is: > https://datatracker.ietf.org/doc/draft-ietf-websec-key-pinning/ > > There's also a htmlized version available at: > http://tools.ietf.org/html/draft-ietf-websec-key-pinning-20 > > A diff from the previous version is available at: > http://www.ietf.org/rfcdiff?url2=draft-ietf-websec-key-pinning-20 > > > Please note that it may take a couple of minutes from the time of > submission > until the htmlized version and diff are available at tools.ietf.org. > > Internet-Drafts are also available by anonymous FTP at: > ftp://ftp.ietf.org/internet-drafts/ > > _______________________________________________ > websec mailing list > websec@ietf.org > https://www.ietf.org/mailman/listinfo/websec
- [websec] I-D Action: draft-ietf-websec-key-pinnin… internet-drafts
- Re: [websec] I-D Action: draft-ietf-websec-key-pi… Mehner, Carl
- Re: [websec] I-D Action: draft-ietf-websec-key-pi… Yoav Nir