IETF Logo Mail Archive

Re: [websec] #60: Well Known URIs vs Response Headers

Trevor Perrin <trevp@trevp.net> Fri, 02 August 2013 01:40 UTC

Return-Path: <trevp@trevp.net>
X-Original-To: websec@ietfa.amsl.com
Delivered-To: websec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2B41111E8167 for <websec@ietfa.amsl.com>; Thu, 1 Aug 2013 18:40:06 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.358
X-Spam-Level:
X-Spam-Status: No, score=-2.358 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, RCVD_IN_DNSWL_LOW=-1, RCVD_IN_SORBS_WEB=0.619]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id FcuxpNunAc+J for <websec@ietfa.amsl.com>; Thu, 1 Aug 2013 18:39:53 -0700 (PDT)
Received: from mail-wg0-f50.google.com (mail-wg0-f50.google.com [74.125.82.50]) by ietfa.amsl.com (Postfix) with ESMTP id CC2B411E8311 for <websec@ietf.org>; Thu, 1 Aug 2013 17:51:24 -0700 (PDT)
Received: by mail-wg0-f50.google.com with SMTP id m15so31533wgh.17 for <websec@ietf.org>; Thu, 01 Aug 2013 17:51:08 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=x-gm-message-state:mime-version:in-reply-to:references:date :message-id:subject:from:to:cc:content-type; bh=WkdZZ9LfdKFJQtsbq7SOnrfKNA3qwJKou/FTWp7AQ1A=; b=FmaQKBhiVTpyFl4Ew4JbV/uw2yTY4wBqCWgwuZJHBSIejPCXZmeJY3N7l2hf5GBd38 gnP//z6RFv7SfxXSBsqR6D4AuR7QSOi5ZxhF1DE0OShObumqRQBTTlqflFumNS4ORe27 yVGdDnaWe0FyOQ5HlRBc6Cs/ydTACcYk7Ks+SAENfIwiQcyItIue5z9W1uajy9t92Yj5 iVQhvPxECuLhBdaEF7vGnd5KKjNlczXoHiNwEw91zfvvw9gKLkv6NuC2huPPZsWx61Ie IYCygrt1k9HB4TuQ/h9M0URNTySpazsL8gqUHexSOJoP9X242o5CFNUFAhgCxZiFO/XM siDw==
X-Gm-Message-State: ALoCoQmjkeihv6X4b/FywEBRXljLx/VQBM54exObJX/WvwkYBUuyraJvTBDrDvm7CS9YwHyFhw/l
MIME-Version: 1.0
X-Received: by 10.180.100.225 with SMTP id fb1mr174623wib.22.1375404668153; Thu, 01 Aug 2013 17:51:08 -0700 (PDT)
Received: by 10.216.212.9 with HTTP; Thu, 1 Aug 2013 17:51:08 -0700 (PDT)
X-Originating-IP: [204.62.111.55]
In-Reply-To: <CAOuvq206UHumfA3kJ8xc0Eb0hapt2G4FYvkgRwVEfrh3tqRrQQ@mail.gmail.com>
References: <060.e0f8fef9b2d28177be54bca787fadd87@trac.tools.ietf.org> <FA4BC0F4-EEEB-485B-BF8E-A326F6BA86AE@checkpoint.com> <C68CB012D9182D408CED7B884F441D4D3472734AF4@nambxv01a.corp.adobe.com> <32D5F3CB-E742-4A9F-94A9-01B8224F9C49@checkpoint.com> <51FA1C35.1090005@mozilla.org> <4B4A645A-793F-4276-96BF-FBA5BA740632@checkpoint.com> <51FA26AD.2020405@gondrom.org> <CAOuvq206UHumfA3kJ8xc0Eb0hapt2G4FYvkgRwVEfrh3tqRrQQ@mail.gmail.com>
Date: Thu, 01 Aug 2013 17:51:08 -0700
Message-ID: <CAGZ8ZG3CTkwJzx2wz+60fmLK6CFHdazFbntLzBFFMMh-r++scw@mail.gmail.com>
From: Trevor Perrin <trevp@trevp.net>
To: Chris Palmer <palmer@google.com>
Content-Type: text/plain; charset="ISO-8859-1"
Cc: IETF WebSec WG <websec@ietf.org>
Subject: Re: [websec] #60: Well Known URIs vs Response Headers
X-BeenThere: websec@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/websec>, <mailto:websec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/websec>
List-Post: <mailto:websec@ietf.org>
List-Help: <mailto:websec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/websec>, <mailto:websec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 02 Aug 2013 01:40:06 -0000

On Thu, Aug 1, 2013 at 9:24 AM, Chris Palmer <palmer@google.com> wrote:
> * Regarding generic security policy URI: If we can't achieve consensus
> in this WG, why would adding dependencies on more WGs and W3C help?
> Obviously, it would not. Thus, we should stick to defining only
> pinning policy in this draft.

Definitely.


> It does make more sense to try to make it
> generic to transport security, but even then, it's optional and Jeff
> Hodges might be tired and might not want to specify JSON syntax for
> HSTS... Jeff?

If we go the .well-known URI route, it might as well be extensible to
"similar things", though I agree we shouldn't spend effort on them
now.


> And it doesn't make much sense to put TACK policy in the
> resource, does it? TACK is all at the TLS layer.

It might make sense, at some point.  TACK is mainly just a key that
can be pinned.

TACK has its own way of asserting pins (setting an "activation flag").
 But if you leave the flag cleared then a tack is just a signing key
and signature.  Other layers could assert pins to the signing key,
perhaps to add features like HPKP's "report-URI" or "strict" or
something.

Not saying that's a great idea, but it's not crazy...


> * "possibly dozens of hashes": As we can see from Chrome's
> net/http/transport_security_state_static.json, Twitter does indeed
> trust a huge number of signers in its static key pins. I hope that
> Twitter is an outlier in this, and that sites don't start needing to
> trust so many signers. (Google uses fewer pins, for example.)

They may be an outlier, but we don't really know.  Sites might want
very safe pins that list several CAs, so they have backup options.
And apparently some CAs have several keys (11 for Verisign?  7 for
GeoTrust?)


> But,
> maybe not, and maybe header bloat will become a concern. (Even so,
> wake me up when response body bloat is no longer a concern...) But we
> can resolve that problem with trust anchor names in place of SPKIs
> just as easily as with a W-K URI.

Agreed.

If we had to solve this one way or the other, I'd prefer to do pinning
CA names, because I think it solves a bigger useability problem for
sites.


> * We could also relax the requirement to send the PKP header on each
> response. To be honest I can't recall now why we required it, but it
> seems like it resolved some security concern? Maybe it's in the
> archives...

I don't recall it being discussed.  I do think this requirement could
be relaxed.


Trevor

v2.23.0 | Report a Bug | By Email