Re: [websec] Service auto-configuration and certificate pinning
Yaron Sheffer <yaronf.ietf@gmail.com> Sat, 25 June 2016 05:46 UTC
Return-Path: <yaronf.ietf@gmail.com>
X-Original-To: websec@ietfa.amsl.com
Delivered-To: websec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5C57012D5DE for <websec@ietfa.amsl.com>; Fri, 24 Jun 2016 22:46:02 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.7
X-Spam-Level:
X-Spam-Status: No, score=-2.7 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 5xd1Ydt8F_u6 for <websec@ietfa.amsl.com>; Fri, 24 Jun 2016 22:46:00 -0700 (PDT)
Received: from mail-wm0-x236.google.com (mail-wm0-x236.google.com [IPv6:2a00:1450:400c:c09::236]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A1CFB12D5AD for <websec@ietf.org>; Fri, 24 Jun 2016 22:45:59 -0700 (PDT)
Received: by mail-wm0-x236.google.com with SMTP id r190so12238059wmr.0 for <websec@ietf.org>; Fri, 24 Jun 2016 22:45:59 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=subject:to:references:cc:from:message-id:date:user-agent :mime-version:in-reply-to:content-transfer-encoding; bh=Q/t9j8hLN4sH+H35ofwZNFqE9u8cwZACe/bO6RAcauA=; b=n41I7qnGGrUQHbn0c8D2zcH8vC0bruSCkcyr3XguJ5SDLAQO51gK2LNxvFBUjKIPw3 enQ5p57XWyjzIAbmPiNd6a3A27KhPBw8wbJoqHoj3Gx/XqNj0Lpz+EXe01HJc3DhcRhw RB6wJTIQdDgcDM8UNtcyXbl7+Zkr/WdTVRsc1J36RGTmqs+Aexvnv3G1SnASEnMLZrdq PfblNBVM6/2z7WCPQ3JWyrMmIU8SjjAaCE3KAJXYPmpjKznNypiXn0r1HxsO0ExAFdUW Sge54M5M3qRIQd1Xw7Is+19uBVMqGzX75Hro+IlEUNgykRlfwEI2EgMi9s2+XSZRc0be 88aQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:subject:to:references:cc:from:message-id:date :user-agent:mime-version:in-reply-to:content-transfer-encoding; bh=Q/t9j8hLN4sH+H35ofwZNFqE9u8cwZACe/bO6RAcauA=; b=Md4LdErew+nnlx44+Sk4vLkMV8BuRasGgQ0fGb9XZSq4K+XSjS1cfXPlLGTspfslkq jkeJD968S6wDjw3pdIhazRkpdk3N+Wkxs7jr9Q2W3O55mIX6AS5orEakCLtcL9WkAwmL O9W3eJwnY6TEkc05JLUcMQ1XoCXJgndnEB1QtuyuxZkdk+V4EyoGW/ib0M9kSQSaJoBF 6AS05vqamvq6BAdPrkgK7Skdg32urwVayIAeYEscesQLTrg1xYLaIcxh8JQVEaxQZIEa Hn2CAYxhNXP1wlfYlL9YGR4dHbg5A5ylS01fXDmELJK2fambhBXdZkT4pIxNaBGUxUkZ X7ww==
X-Gm-Message-State: ALyK8tIhfNi4aQpA2ykOXKoADKxXqY+IhjR/JQsKOD/LqJSDA3UoQfyxhPXzBQqjZtnvwg==
X-Received: by 10.194.23.7 with SMTP id i7mr7385135wjf.57.1466833557862; Fri, 24 Jun 2016 22:45:57 -0700 (PDT)
Received: from [10.0.0.9] (bzq-109-67-2-59.red.bezeqint.net. [109.67.2.59]) by smtp.gmail.com with ESMTPSA id g195sm1633890wme.23.2016.06.24.22.45.53 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Fri, 24 Jun 2016 22:45:56 -0700 (PDT)
To: Marten Gajda <marten@dmfs.org>, Stephen Farrell <stephen.farrell@cs.tcd.ie>, "D.Rogers@gmx.net" <D.Rogers@gmx.net>
References: <576B0541.7040708@dmfs.org> <trinity-75a661ca-5da5-4e1f-a92c-5b52f3402490-1466672071054@3capp-gmx-bs77> <576BA85A.6000507@cs.tcd.ie> <576C53FD.20004@dmfs.org>
From: Yaron Sheffer <yaronf.ietf@gmail.com>
Message-ID: <576E1A8A.1030902@gmail.com>
Date: Sat, 25 Jun 2016 08:45:46 +0300
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:38.0) Gecko/20100101 Thunderbird/38.8.0
MIME-Version: 1.0
In-Reply-To: <576C53FD.20004@dmfs.org>
Content-Type: text/plain; charset="utf-8"; format="flowed"
Content-Transfer-Encoding: 8bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/websec/KvK3u5jAuX2kzrPCHnCaTkisk-w>
Cc: websec@ietf.org
Subject: Re: [websec] Service auto-configuration and certificate pinning
X-BeenThere: websec@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/websec>, <mailto:websec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/websec/>
List-Post: <mailto:websec@ietf.org>
List-Help: <mailto:websec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/websec>, <mailto:websec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 25 Jun 2016 05:46:02 -0000
As a totally different alternative for non-HTTP pinning, please take a look at https://datatracker.ietf.org/doc/draft-sheffer-tls-pinning-ticket/. I the meantime I have also prototyped an implementation by forking the "mint" TLS 1.3 code, https://github.com/yaronf/mint/blob/master/README-pinning.md Thanks, Yaron On 24/06/16 00:26, Marten Gajda wrote: > Thanks to the both of you. I'll have a closer look into that. On a first > glance it looks indeed very interesting. > > Cheers, > > Marten > > Am 23.06.2016 um 11:14 schrieb Stephen Farrell: >> On 23/06/16 09:54, D.Rogers@gmx.net wrote: >>> Hello Marten, >>> it might be of interest to check out the 'Unbearable' group. they are working on >>> pinning bearer certficates. >> For info: unbearable@ietf.org is the WG mailing list. The working >> group is more prosaically named tokbind. [1] :-) >> >> S. >> >> [1] https://tools.ietf.org/wg/tokbind >> >>> Regards >>> Dean Rogers >>> *Gesendet:* Mittwoch, 22. Juni 2016 um 23:38 Uhr >>> *Von:* "Marten Gajda" <marten@dmfs.org> >>> *An:* "websec@ietf.org" <websec@ietf.org> >>> *Betreff:* [websec] Service auto-configuration and certificate pinning >>> Hi list, >>> >>> I'm currently working on an update of a draft that specifies a way for >>> clients to configure themselves with a minimum of user-provided >>> information. The current draft is available at >>> https://tools.ietf.org/html/draft-daboo-aggregated-service-discovery-03 >>> (it's a bit outdated, but we're working on it). >>> This draft specifies a member to contain a server certificate, which >>> presumably was meant to support some sort of certificate pinning. >>> >>> During my research on how to improve this I came across RFC 7469 and >>> https://tools.ietf.org/html/draft-hallambaker-webseccaa-00 >>> >>> I'd like to ask the members of this list whether they think that >>> "bootstrapping" certificate pinning for individual services (like so: >>> https://github.com/CalConnect/AUTODISCOVERY/issues/8#issuecomment-227857982) >>> would be useful to have in a service configuration document or if they >>> have any concerns or other comments about this. >>> >>> I'd also like to hear about opinions if this could be an acceptable >>> solution for certificate pinning with non-HTTP based protocols, i.e. for >>> protocols that don't have an in-band pinning mechanism the client would >>> reload the service configuration document whenever the cached pinning >>> information is outdated (i.e. <max-age> seconds have passed since it was >>> downloaded). >>> >>> Any comments (whether in response to this post or at GitHub) are very >>> welcome. >>> >>> Regards, >>> >>> Marten Gajda >>> >>> -- >>> Marten Gajda >>> CEO >>> >>> dmfs GmbH >>> Schandauer Straße 34 >>> 01309 Dresden >>> GERMANY >>> >>> phone: +49 177 4427167 >>> email: marten@dmfs.org >>> >>> Managing Director: Marten Gajda >>> Registered address: Dresden >>> Registered No.: AG Dresden HRB 34881 >>> VAT Reg. No.: DE303248743 >>> >>> _______________________________________________ >>> websec mailing list >>> websec@ietf.org >>> https://www.ietf.org/mailman/listinfo/websec >>> >>> >>> >>> _______________________________________________ >>> websec mailing list >>> websec@ietf.org >>> https://www.ietf.org/mailman/listinfo/websec >>>
- Re: [websec] Service auto-configuration and certi… Yaron Sheffer
- Re: [websec] Service auto-configuration and certi… Marten Gajda
- Re: [websec] Service auto-configuration and certi… Stephen Farrell
- Re: [websec] Service auto-configuration and certi… D.Rogers
- [websec] Service auto-configuration and certifica… Marten Gajda