Re: [websec] Re-litigating Key-Pinning

Trevor Perrin <trevp@trevp.net> Wed, 27 August 2014 07:36 UTC

In-Reply-To: <6CAA88AE-1A98-4FF1-B994-A43A0AD3930D@gmail.com>
References: <6CAA88AE-1A98-4FF1-B994-A43A0AD3930D@gmail.com>
Date: Wed, 27 Aug 2014 00:36:38 -0700
Message-ID: <CAGZ8ZG03Uy5OdEaEPoX+zvAWQ9cvDYBeufW4CZvLtHN2SFDB8g@mail.gmail.com>
From: Trevor Perrin <trevp@trevp.net>
To: Yoav Nir <ynir.ietf@gmail.com>
Archived-At: http://mailarchive.ietf.org/arch/msg/websec/K5lvSJYitispsjfP-LdM3CNssNg
Cc: Barry Leiba <barryleiba@computer.org>, "<websec@ietf.org>" <websec@ietf.org>
Subject: Re: [websec] Re-litigating Key-Pinning

On Tue, Aug 26, 2014 at 10:44 PM, Yoav Nir <ynir.ietf@gmail.com> wrote:
> Hi folks
>
> In the last few days, we’ve had a bunch of threads re-opening issues with key-pinning, mostly around the PKP-RO.
>
> This document has gone through years of discussion on the mailing list, a WGLC and an IETF LC.
>
> The document is now under review by the IESG. We (the working group) and the authors need to address comments and discuss ballots by members of the IESG. This is an inappropriate time to raise new substantive issues about the document.


PKP-RO isn't a new issue.

The initial draft of PKP-RO was claimed to "follow the same syntax and
semantics of the Public-Key-Pins header" [1].

But the text was unclear.  When we discussed this in February Ryan
proposed to not store PKP-RO pins [2,3].  Myself, Daniel Kahn-Gillmor,
and Tom Ritter proposed to store them [4,5,6], and Chris added text
for this [7,8,9,10].

I later discussed other cleanup of the PKP-RO text [11].  As part of
that Chris changed some of the wording to *not* store PKP-RO pins
[12].  I pointed out the discrepancy and that "I thought we decided
the opposite" a couple times [13,14], but there was a misunderstanding
and he changed things more towards *not* storing PKP-RO [15].  A
couple days after you declared "this working group has done as much as
we can", and further discussion would be "counter-productive" [16].

But I still think storing PKP-RO would be better, and seemed to be the
group's preference.


Trevor


[1] http://www.ietf.org/mail-archive/web/websec/current/msg01539.html
[2] http://www.ietf.org/mail-archive/web/websec/current/msg02030.html
[3] http://www.ietf.org/mail-archive/web/websec/current/msg02037.html
[4] http://www.ietf.org/mail-archive/web/websec/current/msg02042.html
[5] http://www.ietf.org/mail-archive/web/websec/current/msg02043.html
[6] http://www.ietf.org/mail-archive/web/websec/current/msg02044.html
[7] http://www.ietf.org/mail-archive/web/websec/current/msg02051.html
[8] http://www.ietf.org/mail-archive/web/websec/current/msg02054.html
[9] http://www.ietf.org/mail-archive/web/websec/current/msg02055.html
[10] http://www.ietf.org/mail-archive/web/websec/current/msg02069.html
[11] http://www.ietf.org/mail-archive/web/websec/current/msg02075.html
[12] http://www.ietf.org/mail-archive/web/websec/current/msg02081.html
[13] http://www.ietf.org/mail-archive/web/websec/current/msg02084.html
[14] http://www.ietf.org/mail-archive/web/websec/current/msg02094.html
[15] http://www.ietf.org/mail-archive/web/websec/current/msg02097.html
[16] http://www.ietf.org/mail-archive/web/websec/current/msg02100.html