Re: [websec] New draft of HTTP header-based public key pinning
"Ryan Sleevi" <ryan-ietfhasmat@sleevi.com> Wed, 09 November 2011 22:03 UTC
From: Ryan Sleevi <ryan-ietfhasmat@sleevi.com>
To: Chris Palmer <palmer@google.com>
Cc: IETF WebSec WG <websec@ietf.org>
> On Wed, Nov 9, 2011 at 1:45 PM, Julian Reschke <julian.reschke@gmx.de> wrote:
>
>>> Could anyone propose exact ABNF grammar that is acceptable given the
>>> above constraints? Currently, I have it as:
>>> ...
>>
>> I made a proposal; is there something specific you didn't like?
>
> Your proposal is fine — thank you! It's just that I am almost
> certainly going to write the ABNF wrong, and then we'll have a whole
> long thread about that. :)

While revisiting the ABNF, should "fp-type" be made into 'token' instead of an explicit list ( "sha1" / "sha256" )? Rather than dealing with the minimal set of "must-implements" in the grammar, define it in the text for processing rules. This is similar to the conversation that happened for the STS grammar rules.

I'm just wondering how legacy parsers would be expected to handle future versions with say, SHA-3. Defining it as a token would at least allow it to be syntactically valid and parsed, even if fingerprints of that type are not understood/supported.
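The forward-compatibility point in the message above, as an added example that is not from this mail, the draft or any browser: a small Python parser for a pinning header, contrasting an fp-type grammar fixed to the list ( "sha1" / "sha256" ) with one where fp-type is a generic token. The header syntax (`max-age=<seconds>` and `pin-<fp-type>="<base64>"` directives separated by `;`), the supported-type set and the sample header are assumptions constructed for the example.

```python
import re

# Assumed directive syntax (modelled loosely on the early Public-Key-Pins
# drafts, not quoted from this thread): max-age=<seconds> or
# pin-<fp-type>="<base64 digest>", directives separated by ";".
TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"      # RFC 7230 tchar set
PIN_RE = re.compile(r'^pin-(' + TOKEN + r')="([A-Za-z0-9+/=]+)"$')
MAXAGE_RE = re.compile(r"^max-age=(\d+)$")

# Hash types this hypothetical client can compute and compare.
SUPPORTED_FP_TYPES = {"sha1", "sha256"}


def parse_pins(header_value, strict=False):
    """Parse a pinning header value.

    strict=True models fp-type as the explicit list ("sha1" / "sha256"):
    a pin with any other fp-type makes the whole header syntactically
    invalid, so the parser returns None and no pin can be enforced.

    strict=False models fp-type as a token: every pin parses, pins of
    unsupported types are set aside, and the pins the client does
    understand remain usable.
    """
    result = {"max_age": None, "pins": {}, "unsupported": []}
    for raw in header_value.split(";"):
        directive = raw.strip()
        if not directive:
            continue                 # tolerate empty directives ("; ;")
        m = MAXAGE_RE.match(directive)
        if m:
            result["max_age"] = int(m.group(1))
            continue
        m = PIN_RE.match(directive)
        if not m:
            return None              # not a directive this grammar knows
        fp_type, digest = m.group(1).lower(), m.group(2)
        if fp_type in SUPPORTED_FP_TYPES:
            result["pins"].setdefault(fp_type, []).append(digest)
        elif strict:
            return None              # explicit-list grammar: reject header
        else:
            result["unsupported"].append(fp_type)
    return result


# Constructed sample: a future server sends a SHA-3 pin next to a SHA-256
# pin. The digests are placeholder base64, not real key fingerprints.
SAMPLE = ('max-age=2592000; pin-sha256="QUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVo="; '
          'pin-sha3-256="MDEyMzQ1Njc4OTAxMjM0NTY3ODkwMTIzNDU2Nzg5MDE="')
```

Run against `SAMPLE`, the token grammar keeps the SHA-256 pin and records `sha3-256` as unsupported, while the strict grammar discards the entire header.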