IETF Logo Mail Archive

Re: [websec] New draft of HTTP header-based public key pinning

"Ryan Sleevi" <ryan-ietfhasmat@sleevi.com> Wed, 09 November 2011 22:03 UTC

Return-Path: <ryan-ietfhasmat@sleevi.com>
X-Original-To: websec@ietfa.amsl.com
Delivered-To: websec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2630F11E809B for <websec@ietfa.amsl.com>; Wed, 9 Nov 2011 14:03:28 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id tfh9jyby6cPD for <websec@ietfa.amsl.com>; Wed, 9 Nov 2011 14:03:27 -0800 (PST)
Received: from homiemail-a87.g.dreamhost.com (caiajhbdcbef.dreamhost.com [208.97.132.145]) by ietfa.amsl.com (Postfix) with ESMTP id 870B911E8096 for <websec@ietf.org>; Wed, 9 Nov 2011 14:03:27 -0800 (PST)
Received: from homiemail-a87.g.dreamhost.com (localhost [127.0.0.1]) by homiemail-a87.g.dreamhost.com (Postfix) with ESMTP id 7CC7526C073; Wed, 9 Nov 2011 14:03:22 -0800 (PST)
DomainKey-Signature: a=rsa-sha1; c=nofws; d=sleevi.com; h=message-id :in-reply-to:references:date:subject:from:to:cc:reply-to :mime-version:content-type:content-transfer-encoding; q=dns; s= sleevi.com; b=TqyuvbzVsBi9mScKaQT8LvCCjpl6Djusl0BkQhwD4JSGfOcDPi 12TgsaFk6ys8ItMDtCbPZ9H7hASyZcy08psmwPZISUkW5+bY8HpQ/Kb20RvugxP1 bOstxN9JKwv0rSMGWctyrFv5k7LJCpcza3bsrneK5fBLnm11LLIjUsLfU=
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=sleevi.com; h=message-id :in-reply-to:references:date:subject:from:to:cc:reply-to :mime-version:content-type:content-transfer-encoding; s= sleevi.com; bh=5dAoxdJWUKMLecxq1uWrnq/OXGo=; b=l7iBH6GpVSZ6youlg FRLvNorTBQqOniYLaNBQ58whFSg1pQR4RcIqm+aeuh+13LkGyc0QZykqPzPUw2OG izLcR6ZDYD5NnHvybQg+6WCSAppQ0w7SIBWPm9YZJjBjftAkiagaYr1X3+VuQpAo 0DJJidh1wTbrCSUaSI1H+/2LFw=
Received: from webmail.sleevi.com (ahfbbjcaiaae.dreamhost.com [75.119.208.4]) (Authenticated sender: ryan@sleevi.com) by homiemail-a87.g.dreamhost.com (Postfix) with ESMTPA id 2885626C072; Wed, 9 Nov 2011 14:03:22 -0800 (PST)
Received: from 72.189.105.152 (proxying for 72.189.105.152) (SquirrelMail authenticated user ryan@sleevi.com) by webmail.sleevi.com with HTTP; Wed, 9 Nov 2011 17:03:22 -0500
Message-ID: <d72e01a27ff6349ac8db5ba4ef714b77.squirrel@webmail.sleevi.com>
In-Reply-To: <CAOuvq23qePapa2AA3k24YXRoGnCz9U5n9eOLOfXoMNa71n_BtA@mail.gmail.com>
References: <CAOuvq21Ne0CWT3Dzn0sutGDBg0K+efZhxmqBZiLuxbO2OwxnFg@mail.gmail.com> <CA+cU71kFFpuooyiBTarvLT3VJigZhW0BgpQi1gMTn7zB=sFh+w@mail.gmail.com> <4EBA3B24.5060602@gmx.de> <CAOuvq20NEUAwPzStBa-kRVh4rUCFU6Ece1gN-kEb0FeFsweHGw@mail.gmail.com> <4EBAE198.3020406@gmx.de> <CAOuvq20GYnrbwMQE9KZkNTFqETxJ4utKKzFNZ3ThQLnKbL299Q@mail.gmail.com> <4EBAF460.50009@gmx.de> <CAOuvq23qePapa2AA3k24YXRoGnCz9U5n9eOLOfXoMNa71n_BtA@mail.gmail.com>
Date: Wed, 09 Nov 2011 17:03:22 -0500
From: Ryan Sleevi <ryan-ietfhasmat@sleevi.com>
To: Chris Palmer <palmer@google.com>
User-Agent: SquirrelMail/1.4.21
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
Cc: IETF WebSec WG <websec@ietf.org>
Subject: Re: [websec] New draft of HTTP header-based public key pinning
X-BeenThere: websec@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
Reply-To: ryan-ietfhasmat@sleevi.com
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/websec>, <mailto:websec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/websec>
List-Post: <mailto:websec@ietf.org>
List-Help: <mailto:websec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/websec>, <mailto:websec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 09 Nov 2011 22:03:28 -0000

>  On Wed, Nov 9, 2011 at 1:45 PM, Julian Reschke <julian.reschke@gmx.de>
>  wrote:
>
> >> Could anyone propose exact ABNF grammar that is acceptable given the
> >> above constraints? Currently, I have it as:
> >> ...
> >
> > I made a proposal; is there something specific you didn't like?
>
>  Your proposal is fine — thank you! It's just that I am almost
>  certainly going to write the ABNF wrong, and then we'll have a whole
>  long thread about that. :)

While revisiting the ABNF, should "fp-type" be made into 'token' instead
of an explicit list ( "sha1" / "sha256" )? Rather than dealing with the
minimal set of "must-implements" in the grammar, define it in the text for
processing rules. This is similar to the conversation that happened for
the STS grammar rules.

I'm just wondering how legacy parsers would be expected to handle future
versions with say, SHA-3. Defining it as a token would at least allow it
to be syntactically valid and parsed, even if fingerprints of that type
are not understood/supported.

v2.23.0 | Report a Bug | By Email