Re: [websec] Comments on draft-ietf-websec-key-pinning-06
Phillip Hallam-Baker <hallam@gmail.com> Sun, 30 June 2013 17:53 UTC
In-Reply-To: <CAGZ8ZG0PT-=WPK07wpOVzGNKzu1-Z3iUpe9DZBPPJyjNo-MOZQ@mail.gmail.com>
References: <8c03997da80b4e8da7100491011b8c12@BN1PR03MB039.namprd03.prod.outlook.com> <6F2FE5F2-D02C-4B09-A6CA-7C3B63722E34@checkpoint.com> <CAOuvq203V8LNjkimfd2m+aTX7-gKr=J62jmUqz-PDQEN6O9Lvg@mail.gmail.com> <CAOuvq20_KZPcBWyPgpGj=K5gy=1BGGRv11Zuxmcw_wBmzBhgUA@mail.gmail.com> <CAGZ8ZG1uHYxxh9q+z7767zW4=HWTa19EJGiu4oyERhTyM0KQBw@mail.gmail.com> <51CD39D9.1040801@gondrom.org> <CAMm+LwhRm7dCk=Q=mQAWtOQ5hosjyngSWjVbQ454Tj+ocVDqrQ@mail.gmail.com> <CAGZ8ZG0PT-=WPK07wpOVzGNKzu1-Z3iUpe9DZBPPJyjNo-MOZQ@mail.gmail.com>
Date: Sun, 30 Jun 2013 13:53:26 -0400
Message-ID: <CAMm+LwgXP+fSHc6J8JANPF5OuQgahCDWW1Yagyj=BU5ySXzHSA@mail.gmail.com>
From: Phillip Hallam-Baker <hallam@gmail.com>
To: Trevor Perrin <trevp@trevp.net>
Cc: David Matson <dmatson@microsoft.com>, websec <websec@ietf.org>
Subject: Re: [websec] Comments on draft-ietf-websec-key-pinning-06
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
CAA does not require a central registry. But it does require CAs to decide what DNS name(s) they are going to use.

For key pinning to work the Web Browsers are going to have to track the correspondence of name to roots in any case. So it basically becomes a consistency thing. If it makes sense to do that centrally, it makes sense for CABForum to be the venue. But it is an 'emergent' process.

On Fri, Jun 28, 2013 at 4:32 PM, Trevor Perrin <trevp@trevp.net> wrote:

> On Fri, Jun 28, 2013 at 8:00 AM, Phillip Hallam-Baker <hallam@gmail.com> wrote:
>
>> CAA faced the problem of identifying a CA.
>>
>> During the evolution of the draft we went through pretty much every scheme mentioned in this thread. In the end we decided to go with a domain name that is asserted for that purpose by the CA. So symantec.com / comodo.com / etc.
>
> Makes sense.
>
> How do CAs assert the domain name they'd like to be referenced by? Are these domain names something that could be tracked by the CAB Forum, browser root stores, or some other party?
>
> HPKP still needs to map the declared domain name to a set of keys. Perhaps CAs could maintain a list at a "well-known" URI derived from the domain name?
>
> https://comodo.com/.well-known/hpkp-keys.json
>
> Browser vendors could scan this list periodically and keep their browsers in sync with the latest keys from the major CAs. CAs would make sure to publish new keys in advance of issuing certs under a new root.
>
> If a browser encounters an unknown domain name, it could contact the URI itself, so this doesn't disenfranchise private CAs.
>
> Anyways, I rather like this. I think it's a much easier route to CA pinning than expecting websites to maintain key lists themselves.
>
> Others?
>
> Trevor

--
Website: http://hallambaker.com/
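The browser-side check that the quoted proposal implies, as an added example in Go that is not part of this message, the thread, or the key-pinning draft: a CA publishes a list of its keys at a well-known URI, the browser parses that list and accepts a chain only if one of its certificates carries a listed key. The JSON layout, the CA name `example-ca.test`, the function names and the self-signed roots are assumptions of the example (the thread names the URI but defines no format); the pin itself is computed the way HPKP pins are, SHA-256 over the DER SubjectPublicKeyInfo, base64-encoded.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"math/big"
	"time"
)

// KeyList is the assumed shape of the document a CA would publish at its
// well-known URI; the thread specifies no format, so this layout is an assumption.
type KeyList struct {
	CA   string   `json:"ca"`   // domain name the CA asserts for itself, as in CAA
	Pins []string `json:"pins"` // base64(SHA-256(DER SubjectPublicKeyInfo)) per root key
}

// ParseKeyList decodes a published list and rejects pins that are not
// well-formed SHA-256 digests, so a corrupt file cannot silently pin nothing.
func ParseKeyList(data []byte) (KeyList, error) {
	var kl KeyList
	if err := json.Unmarshal(data, &kl); err != nil {
		return kl, err
	}
	if kl.CA == "" || len(kl.Pins) == 0 {
		return kl, fmt.Errorf("key list for %q has no pins", kl.CA)
	}
	for _, p := range kl.Pins {
		raw, err := base64.StdEncoding.DecodeString(p)
		if err != nil || len(raw) != sha256.Size {
			return kl, fmt.Errorf("malformed pin %q in list for %s", p, kl.CA)
		}
	}
	return kl, nil
}

// SPKIPin computes the HPKP-style pin of a certificate: SHA-256 over the DER
// SubjectPublicKeyInfo, base64-encoded. Pinning the key rather than the whole
// certificate lets a CA reissue a root under the same key without breaking pins.
func SPKIPin(cert *x509.Certificate) string {
	sum := sha256.Sum256(cert.RawSubjectPublicKeyInfo)
	return base64.StdEncoding.EncodeToString(sum[:])
}

// ChainPinnedToCA resolves the site's declared CA name to that CA's published
// key set and accepts the chain only if some certificate in it carries one of
// those keys. This is the mapping from name to keys the thread says HPKP needs.
func ChainPinnedToCA(chain []*x509.Certificate, kl KeyList) bool {
	known := make(map[string]bool, len(kl.Pins))
	for _, p := range kl.Pins {
		known[p] = true
	}
	for _, c := range chain {
		if known[SPKIPin(c)] {
			return true
		}
	}
	return false
}

// selfSignedRoot builds a throwaway self-signed CA certificate (constructed
// test data standing in for a real root; a fresh key every call).
func selfSignedRoot(cn string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now(),
		NotAfter:              time.Now().Add(time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// Demo runs the flow offline: the CA publishes its key list, the browser parses
// it, then checks a genuine chain and a chain from a rogue root that copies the
// CA's subject name but not its key. Returns (genuineAccepted, rogueAccepted, err).
func Demo() (bool, bool, error) {
	caRoot, err := selfSignedRoot("Example CA Root")
	if err != nil {
		return false, false, err
	}
	rogue, err := selfSignedRoot("Example CA Root")
	if err != nil {
		return false, false, err
	}
	// What the CA would serve at its well-known URI (constructed here, not fetched).
	published, _ := json.Marshal(KeyList{CA: "example-ca.test", Pins: []string{SPKIPin(caRoot)}})
	kl, err := ParseKeyList(published)
	if err != nil {
		return false, false, err
	}
	return ChainPinnedToCA([]*x509.Certificate{caRoot}, kl),
		ChainPinnedToCA([]*x509.Certificate{rogue}, kl), nil
}

func main() {
	fmt.Println(Demo()) // true false <nil>
}
```

The fetch of the well-known document is left out so the example runs offline. Whoever performs that fetch, a browser vendor's periodic scan or the browser itself on meeting an unknown CA name, the list is only as trustworthy as the connection it arrived over, so the published document needs to be authenticated (at minimum fetched over an HTTPS connection validated against the existing root store) before its pins are relied on.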