Re: [websec] Issue 55 - Key pinning should clarify that the newest pinning information takes precedence

Tom Ritter <tom@ritter.vg> Wed, 06 March 2013 02:56 UTC

Return-Path: <tom@ritter.vg>
X-Original-To: websec@ietfa.amsl.com
Delivered-To: websec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8262621F85B4 for <websec@ietfa.amsl.com>; Tue, 5 Mar 2013 18:56:03 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.917
X-Spam-Level:
X-Spam-Status: No, score=-2.917 tagged_above=-999 required=5 tests=[AWL=0.060, BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 2LskvOE6HPVM for <websec@ietfa.amsl.com>; Tue, 5 Mar 2013 18:56:03 -0800 (PST)
Received: from mail-ve0-f181.google.com (mail-ve0-f181.google.com [209.85.128.181]) by ietfa.amsl.com (Postfix) with ESMTP id E6BD321F8501 for <websec@ietf.org>; Tue, 5 Mar 2013 18:56:02 -0800 (PST)
Received: by mail-ve0-f181.google.com with SMTP id d10so6245444vea.26 for <websec@ietf.org>; Tue, 05 Mar 2013 18:56:02 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ritter.vg; s=vg; h=x-received:mime-version:in-reply-to:references:from:date:message-id :subject:to:cc:content-type; bh=epb5Ls3B2Az6Ua2N7bO4KrgWsrZKZOPwcvw+hOL1ohU=; b=gPQLyFU2l9IkHNDdiLKMRQXF0sqVZ5b8OgLhGbf5fGTusznr+sBjhEY2zoj0kTurN/ m7gjbk8ovCzsuxzsWoimffBE5sdtOOLjsN8dLKUaijIVXpMLw/PcgtTypmJdmPKX70zc FHoofJ+od0IoguJCZPUztGP6DIRB+2jzT5zaQ=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=x-received:mime-version:in-reply-to:references:from:date:message-id :subject:to:cc:content-type:x-gm-message-state; bh=epb5Ls3B2Az6Ua2N7bO4KrgWsrZKZOPwcvw+hOL1ohU=; b=T2HM1KbP6uG08hCKtkLBMl15pWZxB8GvGuQ/yEFvdKte7VmQDii4JWN2TzywmzBm/e kUZ9D9Wl+UGmlwXl90ePkzfn+kQ+y1vJdXSxZYpz5QDRefDAwGAKOs0tAjagYmrlP/ij 9f9DIsljbqCOE3Kk0VT5LpXYxsN9fVO0l4VFMtu7OpJ7IoI+4uu40ofCwsIjbCkQVekC kFJRTgvqwn92o83+Y34b707xQh3SNbXPv3i5yyMkgiakta+hXKDRXU0EVB3Q2pdKUsSC TR07x6S3AJ6d6BWTt5l2dd2HPT8FkkgK9MgM6AswuEdSmwhjz4egjeQWxLai8nCf7CvN cbCQ==
X-Received: by 10.58.12.69 with SMTP id w5mr10962608veb.16.1362538562373; Tue, 05 Mar 2013 18:56:02 -0800 (PST)
MIME-Version: 1.0
Received: by 10.58.182.169 with HTTP; Tue, 5 Mar 2013 18:55:42 -0800 (PST)
In-Reply-To: <b6009964af0dae16c45619eb94c0f0e9.squirrel@webmail.dreamhost.com>
References: <b6009964af0dae16c45619eb94c0f0e9.squirrel@webmail.dreamhost.com>
From: Tom Ritter <tom@ritter.vg>
Date: Tue, 5 Mar 2013 21:55:42 -0500
Message-ID: <CA+cU71nCoCOSL+qpB3OkvjBEHYxOBA40-DLdHrjNNUxJ1M_7=w@mail.gmail.com>
To: ryan-ietfhasmat@sleevi.com
Content-Type: text/plain; charset=ISO-8859-1
X-Gm-Message-State: ALoCoQlBaWrNcvyIvg3RabyeqwoMbtK0lO8ATVGTDgRtEa6zdBBTRVSOMzaplbSPxG5plfP/+6lB
Cc: websec@ietf.org
Subject: Re: [websec] Issue 55 - Key pinning should clarify that the newest pinning information takes precedence
X-BeenThere: websec@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/websec>, <mailto:websec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/websec>
List-Post: <mailto:websec@ietf.org>
List-Help: <mailto:websec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/websec>, <mailto:websec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 06 Mar 2013 02:56:03 -0000

On 4 March 2013 19:57, Ryan Sleevi <ryan-ietfhasmat@sleevi.com> wrote:
> The authors belief is that the issues that arise from either
> implementations are artifacts of the implementation and distribution of
> preloaded pins, rather than an issue intrinsic to this specification. That
> is, the "correct" answer is that the preloaded pin list should be updated
> for Site 1 - however that information is distributed between the site
> operator and the creator of the preloaded pin list.
>
> Are there concerns with this interpretation, or can we close out Issue 55?

I guess I'm just confused.  I agree it's rife for implementation
differences, but I either
A) Incorrectly parse this as punting on guidance that would (try to)
achieve parity across implementations and prevent yet another thing
that webmasters need to understand when requesting preloading in
multiple browsers
b) Correctly parse it as such, but don't understand why you would punt
on expressing a standard behavior instead.

-tom