Re: [websec] #58: Should we pin only SPKI, or also names

Gervase Markham <gerv@mozilla.org> Wed, 07 August 2013 13:27 UTC

Hi Jeremy,

On 07/08/13 14:24, Jeremy Rowley wrote:
> For pinning to a specific CA, the end user doesn't care which root they are
> trusting.  They are indicating trust in an entire PKI.  In this case, I
> think they expect the set of certificates to change, but have delegated this
> trust to a set entity.  This is important for two reasons: 1) CAs can partly
> mitigate the "too big to fail" routinely cited as a major weakness in the
> industry by limiting the number of certs signed to each intermediate/root and
> 2) enterprises utilizing a completely managed PKI solution can gain the
> benefits of pinning, increasing the potential for adoption and use of
> pinning.

My apologies, but I am having difficulty tying your points (from "This
is important..." onwards) to what I was saying. Can you elaborate?

Gerv

> -----Original Message-----
> From: websec-bounces@ietf.org [mailto:websec-bounces@ietf.org] On Behalf Of
> Gervase Markham
> Sent: Wednesday, August 07, 2013 6:11 AM
> To: Trevor Perrin
> Cc: websec
> Subject: Re: [websec] #58: Should we pin only SPKI, or also names
> 
> On 07/08/13 12:12, Trevor Perrin wrote:
>> Hmm..  Not sure what you mean, specifically.
> 
> I mean, I think people who want to use pinning will expect the set of
> certificates (and associated security practices) they are pinning to not to
> change under their feet. This scheme means that they will. They might also
> expect to define a pin and have it work everywhere HPKP is supported, in
> exactly the same way. This scheme (due to client version
> skew) means that it may not.
> 
> Gerv
> _______________________________________________
> websec mailing list
> websec@ietf.org
> https://www.ietf.org/mailman/listinfo/websec