Re: [websec] #54: Specify a report-only mode

"Ryan Sleevi" <> Fri, 19 October 2012 00:40 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 4C66B21F8477 for <>; Thu, 18 Oct 2012 17:40:43 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[AWL=0.000, BAYES_00=-2.599]
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id w-SI0s0KR4ab for <>; Thu, 18 Oct 2012 17:40:42 -0700 (PDT)
Received: from ( []) by (Postfix) with ESMTP id 5F3F221F8475 for <>; Thu, 18 Oct 2012 17:40:42 -0700 (PDT)
Received: from (localhost []) by (Postfix) with ESMTP id 2D69350806E; Thu, 18 Oct 2012 17:40:42 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed;; h=message-id :in-reply-to:references:date:subject:from:to:cc:reply-to :mime-version:content-type:content-transfer-encoding; s=; bh=bRwXXQiVnis5mhldDe8jPGcvyio=; b=QWKfU2/iuTGCqUl/6 yFWoiHB3kasYHNj4yfL2hSRWvVHUdFcqmaeHidipiSvLPPf2NeNjLRzftlMtvKqo KJf18lj5bCozxcwn3RuW7VgKCzagSzotlxfOdQ0bo1Hayb8hvOQ/y8iIL0vcDGA0 Mr82cHY6Mc1RIAqIviLjbFtvOs=
Received: from ( []) (Authenticated sender: by (Postfix) with ESMTPA id DBB9A508069; Thu, 18 Oct 2012 17:40:41 -0700 (PDT)
Received: from (proxying for (SquirrelMail authenticated user by with HTTP; Thu, 18 Oct 2012 17:40:42 -0700
Message-ID: <>
In-Reply-To: <>
References: <> <>
Date: Thu, 18 Oct 2012 17:40:42 -0700
From: Ryan Sleevi <>
To: Chris Palmer <>
User-Agent: SquirrelMail/1.4.21
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
Subject: Re: [websec] #54: Specify a report-only mode
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Web Application Security Minus Authentication and Transport <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Fri, 19 Oct 2012 00:40:43 -0000

On Thu, October 18, 2012 5:17 pm, Chris Palmer wrote:
>  On Thu, Oct 18, 2012 at 4:56 PM, websec issue tracker
>  <> wrote:
> > #54: Specify a report-only mode
> >
> >  Should there be a "report-only" mode, allowing site operators to see
> > how
> >  using HPKP would affect their site's operation in browsers supporting
> >  HPKP? (Probably.)
> >
> >  If so, specify how that mode would work.
>  What are people's thoughts on this? The motivation for a report-only
>  mode is twofold: (1) site operators want to see what would happen
>  before going live with pinning; and (2) site operators often don't
>  know all their keys, or all their intermediate signers' keys, or all
>  their trust anchors' keys, and a reporting mode could help them find
>  out.
>  (2) implies that the reporting interface would have to allow the UA to
>  tell the site not just "pin validation succeeded/failed", but also why
>  (probably by simply reporting the entire validated certificate chain
>  that the UA computed/observed).
>  The reporting interface must be one that is easy for site operators to
>  implement — writing code to collect the reports should not be a huge
>  burden for developers. Perhaps a simple JSON blob:
>  {
>    "pin-validation-succeeded": (true|false),
>    "expected-pins": [ "sha1/blahblah", "sha256/foobar", ... ],
>    "validated-chain": [ "PEM blob of EE", "PEM blob of intermediate",
>  ..., "PEM blob of anchor" ]
>  }
>  The next issue is, should the site be able to specify a URL to which
>  the UA will POST the JSON blob, or should we specify a single,
>  well-known URL path? Using a well-known path seems simpler and less
>  error-prone generally.

To wit, this was also brought up by several people during the IETF 84

As an example of how such behaviour might be specified, a similar
report-only mode is implemented with Content Security Policy [1]. In CSP,
both the "Content-Security-Policy" and the
"Content-Security-Policy-Report-Only" headers may be present, both are
considered, and both may contain independent/conflicting policies.

In CSP, one of the token/directives is "report-uri", which indicates the
URI to use to send violation reports to, as well as a defined format for
what the contents of the report should contain.

The distinction here between PKP and CSP is that CSP is evaluated
per-resource load within a web origin, whereas PKP is enforced at the
transport layer. A PKP violation is nominally detected during the TLS
handshake, and depending on client implementation, may either be treated
as an error during the TLS handshake or immediately following it, prior to
using the connection to transmit the (original) HTTPS request.

If a report-only mode is supported, the following considerations should be
worked out:
  - Should the origin of the report URI be constrained the the origin of
the target URI?
  - Should the report URI be allowed to specify HTTPS?
  - If the report URI specifies HTTPS, and the report URI origin is the
same as the target URI, but the report URI violates either the PKP or
PKP-Report-Only policy, should the report still be submitted?
    - Is there a blacklist or whitelist of headers that should be used to
prevent against abuse or compromise. For example, presumably including
cookies in the report submission for an invalid PKP over the same
connection that generated the invalid PKP would be bad, as it may
(will) lead to the compromise of the users' data.
  - If the report contains validated certificates, what should the format
be? draft-josepfsson-pkix-textual [3] may be of normative use here.

, with the expired, less-comprehensive draft submitted to IETF at