IETF Logo Mail Archive

Re: [websec] #58: Should we pin only SPKI, or also names

"Jeremy Rowley" <jeremy.rowley@digicert.com> Wed, 07 August 2013 13:35 UTC

Return-Path: <jeremy.rowley@digicert.com>
X-Original-To: websec@ietfa.amsl.com
Delivered-To: websec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2726421F99C2 for <websec@ietfa.amsl.com>; Wed, 7 Aug 2013 06:35:10 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.599
X-Spam-Level:
X-Spam-Status: No, score=-6.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 3Rt2UhnidED1 for <websec@ietfa.amsl.com>; Wed, 7 Aug 2013 06:35:05 -0700 (PDT)
Received: from mail.digicert.com (mail.digicert.com [64.78.193.232]) by ietfa.amsl.com (Postfix) with ESMTP id D615321F93D4 for <websec@ietf.org>; Wed, 7 Aug 2013 06:35:05 -0700 (PDT)
Received: from JROWLEYL1 (unknown [67.137.52.7]) (using TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by mail.digicert.com (Postfix) with ESMTPSA id 702CB8FA86B; Wed, 7 Aug 2013 07:35:05 -0600 (MDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=digicert.com; s=mail; t=1375882505; bh=1KYZ8EZGk1HhelOKNIqUthbMbIWxs6hOAUIbhQMStOM=; h=Reply-To:From:To:Cc:References:In-Reply-To:Subject:Date; b=Ky5Zviz92ai2drNXrD8EGZHpgHdv8zN4A7HjrzqyIVRAyOVr/D9ztsu8uySh7pr4/ H7DdlhsHBFRnYGz3X44f0K1typZNV4ZyKZxWyo7Zypq87fc8fqCvlu43+DHI3/FCxP CdaphYdzNgxjDGbzunHHFjlvH7HedWRjMT/MGvwY=
From: Jeremy Rowley <jeremy.rowley@digicert.com>
To: 'Gervase Markham' <gerv@mozilla.org>
References: <060.be9b0009dc0350ca543f553042673944@trac.tools.ietf.org> <073501ce8c6e$f6c17d90$e44478b0$@digicert.com> <CAMm+LwjdGJC4FHCJ_OAYGRqCGGc0Nz1pLV=yVGK9M9E7drfujQ@mail.gmail.com> <CAOuvq200e9HnPX1w9sZ+e7ipBmdgZdPL5xzKDgcaDpSxz1N=gg@mail.gmail.com> <CAMm+Lwh384YBMXw-BDoxJw+AN4qv8x6GQpF9YK4PW1gQRnadpg@mail.gmail.com> <6125A841-6C85-4858-B37F-C021067F0CFA@checkpoint.com> <2035FF99-A079-4F2F-B4DE-962FE1C1B964@checkpoint.com> <CAGZ8ZG2Ex9Cvft38zSQX5Hcu3hU40HOjpAM+9fCG=JgBJM55Qg@mail.gmail.com> <520214F7.8020308@mozilla.org> <CAGZ8ZG2N7NBUvjYQVw=CKgnq1KG5JfeN9hZU2-DSKT6OFmBVFg@mail.gmail.com> <52021982.8030108@mozilla.org> <CAGZ8ZG2OCCziSn-WtFGdCGnFEVTFz=9truK6kkFkF3pq1TEyNA@mail.gmail.com> <520225B3.5040701@mozilla.org> <CAGZ8ZG227CBrQ4dm0msHpFw7Xbo-ezzbDtA0j7rOFoK=Y4KU+Q@mail.gmail.com> <52023941.8010602@mozilla.org> <001b01ce9371$7bd90210$738b0630$@digicert.com> <52024B29.9010600@mozilla.org>
In-Reply-To: <52024B29.9010600@mozilla.org>
Date: Wed, 07 Aug 2013 07:35:09 -0600
Organization: DigiCert
Message-ID: <002b01ce9372$f041ec10$d0c5c430$@digicert.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
X-Mailer: Microsoft Outlook 14.0
Thread-Index: AQJoJKS5/1/Jv2JXKWhm99jqPYGDVAJNKJejAdJQI9sCGoZA7wM5pAdUAiWKukcBIDPIBwKEztKWA317OekB69JZTwJi9YGoAc8A35ECm3ZRowHLcgZ4AnEkISkBX1oWQwFkgIQ9l0LxTMA=
Content-Language: en-us
Cc: 'websec' <websec@ietf.org>
Subject: Re: [websec] #58: Should we pin only SPKI, or also names
X-BeenThere: websec@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
Reply-To: jeremy.rowley@digicert.com
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/websec>, <mailto:websec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/websec>
List-Post: <mailto:websec@ietf.org>
List-Help: <mailto:websec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/websec>, <mailto:websec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 07 Aug 2013 13:35:10 -0000

I suppose it wasn't directly related to your point.  I was simply emphasizing why pinning to a CA is an important option.  There are current CA-customer relationships that would benefit and use a pin to a CA over a root certificate.

-----Original Message-----
From: Gervase Markham [mailto:gerv@mozilla.org] 
Sent: Wednesday, August 07, 2013 7:27 AM
To: jeremy.rowley@digicert.com
Cc: 'websec'
Subject: Re: [websec] #58: Should we pin only SPKI, or also names

Hi Jeremy,

On 07/08/13 14:24, Jeremy Rowley wrote:
> For pinning to a specific CA, the end user doesn't care which root 
> they are trusting.  They are indicating trust in an entire PKI.  In 
> this case, I think they expect the set of certificates to change, but 
> have delegated this trust to a set entity.  This is important for two 
> reasons: 1) CAs can partly mitigate the "too big to fail" routinely 
> cited as a major weakness in the industry by liming the number of 
> certs signed to each intermediate/root and
> 2) enterprises utilizing a completely managed PKI solution can gain 
> the benefits of pinning, increasing the potential for adoption and use 
> of pinning.

My apologies, but I am having difficulty tying your points (from "This is important..." onwards) to what I was saying. Can you elaborate?

Gerv

> -----Original Message-----
> From: websec-bounces@ietf.org [mailto:websec-bounces@ietf.org] On 
> Behalf Of Gervase Markham
> Sent: Wednesday, August 07, 2013 6:11 AM
> To: Trevor Perrin
> Cc: websec
> Subject: Re: [websec] #58: Should we pin only SPKI, or also names
> 
> On 07/08/13 12:12, Trevor Perrin wrote:
>> Hmm..  Not sure what you mean, specifically.
> 
> I mean, I think people who want to use pinning will expect the set of 
> certificates (and associated security practices) they are pinning to 
> not to change under their feet. This scheme means that they will. They 
> might also expect to define a pin and have it work everywhere HPKP is 
> supported, in exactly the same way. This scheme (due to client version
> skew) means that it may not.
> 
> Gerv
> _______________________________________________
> websec mailing list
> websec@ietf.org
> https://www.ietf.org/mailman/listinfo/websec
> 
> _______________________________________________
> websec mailing list
> websec@ietf.org
> https://www.ietf.org/mailman/listinfo/websec
>

v2.23.0 | Report a Bug | By Email