Re: [websec] #56: Specify includeSubdomains directive for HPKP
Chris Palmer <palmer@google.com> Mon, 10 December 2012 19:19 UTC
In-Reply-To: <4613980CFC78314ABFD7F85CC30277210EDD6872@IL-EX10.ad.checkpoint.com>
References: <058.f40b082eeef2f8676dd01f9fbb11ca5b@trac.tools.ietf.org> <073.d40b91d81cbf3caf09f91a3f886f6120@trac.tools.ietf.org> <CAOuvq21_v1Povw32R=qu5okz7RNxYjbavduuAfKWX5cNRyiTrg@mail.gmail.com> <4613980CFC78314ABFD7F85CC30277210EDD6872@IL-EX10.ad.checkpoint.com>
Date: Mon, 10 Dec 2012 11:19:04 -0800
Message-ID: <CAOuvq23nJ7jPr_FLGeOHRsKBE5nJpajL_2yyMhh_PiSChnWz+Q@mail.gmail.com>
From: Chris Palmer <palmer@google.com>
To: Yoav Nir <ynir@checkpoint.com>
Cc: websec@ietf.org
On Fri, Dec 7, 2012 at 2:17 PM, Yoav Nir <ynir@checkpoint.com> wrote:

> Sort of. I see that includeSubdomains is included, but I couldn't find the discussion about resolving conflicts between a superdomain (such as google.com) that has the includeSubdomain directive, and a subdomain (such as www.google.com) that has a different key in its PKP directive.

This question is asked in the ticket. In addition to Ryan's comments, I'll add that I think we should talk more in the draft about how we follow the hostname matching rules of HSTS. The only reference to it in our I-D is in section 2.3.2:

"""
Otherwise, if the substring does not congruently match a Known Pinned Host's domain name, per the matching procedure specified in Section 8.2 of [RFC6797], then the UA MUST note this host as a Known Pinned Host, caching the Pinned Host's domain name and noting along with it the expiry time of this information, as effectively stipulated per...
"""

So I think we'll add a discussion of how this affects Pin Validation (section 2.6) as well.
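An added example (the editor's, not code from the draft or from anyone in this thread) of the RFC 6797 section 8.2 matching procedure applied to a store of Known Pinned Hosts, showing exactly where the superdomain/subdomain conflict Yoav asks about shows up and what it does to Pin Validation. The fingerprints and Public-Key-Pins header values are constructed placeholders, the parser is a minimal one written for this example, and the most-specific-host-wins policy in pin_validation() is an assumption made to illustrate the problem, not something the draft specifies at this point.

```python
# Added example: RFC 6797 8.2 hostname matching applied to a pin store.
# The conflict-resolution policy in pin_validation() is an ASSUMPTION for
# illustration; the draft under discussion had not settled it.
from dataclasses import dataclass


@dataclass(frozen=True)
class KnownPinnedHost:
    domain: str
    pins: frozenset            # "sha256/<base64 SPKI hash>" as carried by pin-sha256=
    include_subdomains: bool = False


def labels(host: str) -> list:
    """Split a host name into DNS labels, ignoring case and a trailing dot."""
    return host.rstrip(".").lower().split(".")


def congruent_match(host: str, known: str) -> bool:
    """RFC 6797 8.2: the two domain names are identical, label by label."""
    return labels(host) == labels(known)


def superdomain_match(host: str, known: str) -> bool:
    """RFC 6797 8.2: known is a superdomain match for host if it is a proper
    right-hand suffix of host on a label boundary. notgoogle.com therefore
    does not match google.com, and google.com does not match itself."""
    h, k = labels(host), labels(known)
    return len(h) > len(k) and h[-len(k):] == k


def parse_pkp(domain: str, header_value: str) -> KnownPinnedHost:
    """Build a Known Pinned Host from a Public-Key-Pins header value.
    Minimal parser for this example: pin-<alg>="<b64>" directives are
    collected and includeSubDomains is noted; max-age is accepted but not
    modelled here (expiry is out of scope for the matching question)."""
    pins, include = set(), False
    for directive in header_value.split(";"):
        name, _, value = directive.strip().partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')
        if name.startswith("pin-") and value:
            pins.add(f"{name[len('pin-'):]}/{value}")
        elif name == "includesubdomains":
            include = True
    return KnownPinnedHost(domain, frozenset(pins), include)


def applicable_pinned_hosts(host: str, store: list) -> list:
    """All Known Pinned Hosts whose pins could govern a connection to host:
    a congruent match first, then superdomain matches that set
    includeSubDomains, nearest superdomain first. More than one entry in
    the result is precisely the conflict raised in ticket #56."""
    congruent = [k for k in store if congruent_match(host, k.domain)]
    supers = [k for k in store
              if k.include_subdomains and superdomain_match(host, k.domain)]
    supers.sort(key=lambda k: len(labels(k.domain)), reverse=True)
    return congruent + supers


def pin_validation(host: str, chain_spki_hashes: list, store: list) -> bool:
    """Pin Validation: at least one SPKI hash from the served chain must be
    in the governing pin set. ASSUMPTION: the most specific applicable
    Known Pinned Host wins; the draft discussed here does not say this."""
    applicable = applicable_pinned_hosts(host, store)
    if not applicable:
        return True                 # not a Pinned Host: nothing to validate
    return bool(applicable[0].pins & set(chain_spki_hashes))


# Constructed placeholder fingerprints (not hashes of any real key).
PIN_A = "sha256/constructedPinA="
PIN_B = "sha256/constructedPinB="
PIN_C = "sha256/constructedPinC="


def example_store() -> list:
    """google.com pins A and B with includeSubDomains; www.google.com pins C."""
    return [
        parse_pkp("google.com",
                  f'pin-sha256="{PIN_A[7:]}"; pin-sha256="{PIN_B[7:]}"; '
                  'max-age=2592000; includeSubDomains'),
        parse_pkp("www.google.com",
                  f'pin-sha256="{PIN_C[7:]}"; max-age=2592000'),
    ]


if __name__ == "__main__":
    store = example_store()
    for host in ("mail.google.com", "www.google.com", "notgoogle.com"):
        print(host, [k.domain for k in applicable_pinned_hosts(host, store)])
```

With this store, mail.google.com is governed only by google.com's pins, notgoogle.com is not pinned at all (label-boundary matching), and www.google.com has two applicable Known Pinned Hosts with disjoint pin sets. Under the most-specific-wins assumption a chain carrying only pin A fails validation for www.google.com even though it passes for every other google.com subdomain; a UA that instead enforced the superdomain's pins, or the union, would behave differently, which is why the draft needs to state the rule.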