Re: [websec] Comments on draft-ietf-websec-key-pinning
Joseph Bonneau <jbonneau@gmail.com> Thu, 19 February 2015 18:01 UTC
Return-Path: <jbonneau@gmail.com>
X-Original-To: websec@ietfa.amsl.com
Delivered-To: websec@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3DB1D1A1EEF for <websec@ietfa.amsl.com>; Thu, 19 Feb 2015 10:01:11 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id HzDxw_zFs7-Z for <websec@ietfa.amsl.com>; Thu, 19 Feb 2015 10:01:09 -0800 (PST)
Received: from mail-lb0-x22e.google.com (mail-lb0-x22e.google.com [IPv6:2a00:1450:4010:c04::22e]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E93C31A1B7D for <websec@ietf.org>; Thu, 19 Feb 2015 10:01:08 -0800 (PST)
Received: by lbvp9 with SMTP id p9so1477993lbv.3 for <websec@ietf.org>; Thu, 19 Feb 2015 10:01:07 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc:content-type; bh=SMHWrs0wxcdQuIgjErO9yacoVoOwrxKhPO864Z5HWA0=; b=q8xjhKIwCao3v9VDy4xb5s6WET3OHuTqEcGvgeeBhPwNAcxHRmwWp7jo11aorqS1ls bkH58B3URNV2BR8k1cNzHRIT4OTuJlmPEZEeHymMIu8lnlNTmlTKROsf9D/xSYG71bmB +dTs/MlqpaeC6jVyXFfCWEXSn1P5KFBp7YutJWLXoQpqtX/put3sGfDRlUvmQUUxOq05 gBAnSQtH5d22pHXBkxS2GoKPDdk1L6nKX42IbKIzaEWUWgmWwahilYfNOigl/CCgBcM3 zT53N3XmPr2E6E6XvpyaNW69Pf4TOzGZQq9JNOmPflsN4sF3uy2u1X5WbuwiWwWLj1ZE 6USQ==
X-Received: by 10.152.2.227 with SMTP id 3mr4841901lax.85.1424368867280; Thu, 19 Feb 2015 10:01:07 -0800 (PST)
MIME-Version: 1.0
Received: by 10.112.227.102 with HTTP; Thu, 19 Feb 2015 10:00:47 -0800 (PST)
In-Reply-To: <CAH8yC8==Bkw_65UALEgz73djDyQFnw5m3bHY0Wav=ABvi9ORVA@mail.gmail.com>
References: <CAH8yC8=XEr9q8VHarucKa0rVqSPt3=oDzDRWXA3_u4rkhpZmoQ@mail.gmail.com> <CAH8yC8==Bkw_65UALEgz73djDyQFnw5m3bHY0Wav=ABvi9ORVA@mail.gmail.com>
From: Joseph Bonneau <jbonneau@gmail.com>
Date: Thu, 19 Feb 2015 10:00:47 -0800
Message-ID: <CAOe4UikDvdbcN-mekL25hdWEp22tUMYpsMFw-Wp3sW6O5TBrEg@mail.gmail.com>
To: noloader@gmail.com
Content-Type: multipart/alternative; boundary="089e013c6bc05d0bab050f74b876"
Archived-At: <http://mailarchive.ietf.org/arch/msg/websec/OB3m7EHewUs_rkg7a-EfH6giO5g>
Cc: IETF WebSec WG <websec@ietf.org>
Subject: Re: [websec] Comments on draft-ietf-websec-key-pinning
X-BeenThere: websec@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/websec>, <mailto:websec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/websec/>
List-Post: <mailto:websec@ietf.org>
List-Help: <mailto:websec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/websec>, <mailto:websec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 19 Feb 2015 18:01:11 -0000
On Thu, Feb 19, 2015 at 9:43 AM, Jeffrey Walton <noloader@gmail.com> wrote: > Quod erat demonstratum: > > http://arstechnica.com/security/2015/02/lenovo-pcs-ship-with-man-in-the-middle-adware-that-breaks-https-connections/ > > This proposal needs to be revisited. It has serious defects. Ryan's previous post already covered the reasons for disabling pin validation for user-defined trust anchors, which still hold even though Superfish did their superfish thing. If the spec did not allow this behavior, the next Superfish would probably just configure local UAs to launch with pinning disabled completely. I don't think their recklessness would somehow stop short of overriding the browser's pinning policy.
- [websec] Comments on draft-ietf-websec-key-pinning Jeffrey Walton
- Re: [websec] Comments on draft-ietf-websec-key-pi… Yoav Nir
- Re: [websec] Comments on draft-ietf-websec-key-pi… Ryan Sleevi
- [websec] Sites with Key Pinning Headers (not prel… Martin J. Dürst
- Re: [websec] Sites with Key Pinning Headers (not … Joseph Bonneau
- Re: [websec] Sites with Key Pinning Headers (not … Pawel Krawczyk
- Re: [websec] Comments on draft-ietf-websec-key-pi… Jeffrey Walton
- Re: [websec] Comments on draft-ietf-websec-key-pi… Joseph Bonneau
- Re: [websec] Comments on draft-ietf-websec-key-pi… Jeffrey Walton
- Re: [websec] Comments on draft-ietf-websec-key-pi… Ryan Sleevi
- Re: [websec] Comments on draft-ietf-websec-key-pi… Jeffrey Walton
- Re: [websec] Comments on draft-ietf-websec-key-pi… Daniel Kahn Gillmor