IETF Logo Mail Archive

Re: [websec] #58: Should we pin only SPKI, or also names

"Ryan Sleevi" <ryan-ietfhasmat@sleevi.com> Mon, 12 August 2013 22:53 UTC

Return-Path: <ryan-ietfhasmat@sleevi.com>
X-Original-To: websec@ietfa.amsl.com
Delivered-To: websec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DE3EF21E8084 for <websec@ietfa.amsl.com>; Mon, 12 Aug 2013 15:53:43 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 9l6rwwrhry9I for <websec@ietfa.amsl.com>; Mon, 12 Aug 2013 15:53:36 -0700 (PDT)
Received: from homiemail-a86.g.dreamhost.com (caiajhbdccac.dreamhost.com [208.97.132.202]) by ietfa.amsl.com (Postfix) with ESMTP id 0211311E80E2 for <websec@ietf.org>; Mon, 12 Aug 2013 15:53:26 -0700 (PDT)
Received: from homiemail-a86.g.dreamhost.com (localhost [127.0.0.1]) by homiemail-a86.g.dreamhost.com (Postfix) with ESMTP id 5E83F36006D; Mon, 12 Aug 2013 15:53:13 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=sleevi.com; h=message-id :in-reply-to:references:date:subject:from:to:cc:reply-to :mime-version:content-type:content-transfer-encoding; s= sleevi.com; bh=zSms/Fu1HqQizhR2C4P8WfHZWYc=; b=OT4nm1rFpMM36pV6V zpv39wjYMew4Hw73LjfMZPOeo/Xa/Uawy/poCb2Cfr/nOCgjAkSbOtNn83M4v+2E 9k30fzMCOqJ3uVnooi4CLSpua3RhRde6bn/yfzb9OU7UgRLwAce4LQvWXrhdpA6X Zn2JJK1o1nCh138El2dJIJl4Q0=
Received: from webmail.dreamhost.com (caiajhbihbdd.dreamhost.com [208.97.187.133]) (Authenticated sender: ryan@sleevi.com) by homiemail-a86.g.dreamhost.com (Postfix) with ESMTPA id 2123B36006B; Mon, 12 Aug 2013 15:53:13 -0700 (PDT)
Received: from 216.239.45.93 (proxying for 216.239.45.93) (SquirrelMail authenticated user ryan@sleevi.com) by webmail.dreamhost.com with HTTP; Mon, 12 Aug 2013 15:53:13 -0700
Message-ID: <faac23b0797219a618f8ffee1932f7e2.squirrel@webmail.dreamhost.com>
In-Reply-To: <52091598.7000306@mozilla.org>
References: <060.be9b0009dc0350ca543f553042673944@trac.tools.ietf.org> <073501ce8c6e$f6c17d90$e44478b0$@digicert.com> <CAMm+LwjdGJC4FHCJ_OAYGRqCGGc0Nz1pLV=yVGK9M9E7drfujQ@mail.gmail.com> <CAOuvq200e9HnPX1w9sZ+e7ipBmdgZdPL5xzKDgcaDpSxz1N=gg@mail.gmail.com> <CAMm+Lwh384YBMXw-BDoxJw+AN4qv8x6GQpF9YK4PW1gQRnadpg@mail.gmail.com> <6125A841-6C85-4858-B37F-C021067F0CFA@checkpoint.com> <2035FF99-A079-4F2F-B4DE-962FE1C1B964@checkpoint.com> <CAOuvq20O9bqHGR-5eKPmasNnWEuNW7ACL7PxM09yoTmmyt1UUg@mail.gmail.com> <CAGZ8ZG2C4uB=4vgH325TWeNW89ne4E_DN0j9ZV0t2AKa1o+x9g@mail.gmail.com> <52089A35.9040103@mozilla.org> <CAGZ8ZG3HUUsQJ63mCqHd_LOq+KSdsVpG7Gibdif5dS4oGLywpA@mail.gmail.com> <52091598.7000306@mozilla.org>
Date: Mon, 12 Aug 2013 15:53:13 -0700
From: Ryan Sleevi <ryan-ietfhasmat@sleevi.com>
To: Gervase Markham <gerv@mozilla.org>
User-Agent: SquirrelMail/1.4.21
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
Cc: websec <websec@ietf.org>
Subject: Re: [websec] #58: Should we pin only SPKI, or also names
X-BeenThere: websec@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
Reply-To: ryan-ietfhasmat@sleevi.com
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/websec>, <mailto:websec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/websec>
List-Post: <mailto:websec@ietf.org>
List-Help: <mailto:websec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/websec>, <mailto:websec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 12 Aug 2013 22:53:44 -0000

On Mon, August 12, 2013 10:04 am, Gervase Markham wrote:
>  On 12/08/13 17:11, Trevor Perrin wrote:
> > If people hate this, someone should make a proposal for a registry:
>
>  Or make a proposal to stick with the current spec, and not pin names :-)

+1 to not pinning names.

>
> >> I think there will be problems with people not being protected who
> >> expect to be, if you allow this sort of pinning into the spec but leave
> >> entirely undefined the mechanisms for communicating what it actually
> >> should mean when someone pins to a name.
> >
> > Could you explain how these problems would arise?
> >
> > I'm proposing CAs would coordinate with browsers, then inform their
> > customers (websites) which name to use.  A misbehaving CA could inform
> > its customers of a meaningless name, causing browsers to ignore the
> > pin.  But a misbehaving CA could violate its customers' security in
> > other ways.
>
>  They would arise via any of the obvious mechanisms this could go wrong,
>  e.g.:
>
>  * CA fails to communicate with (some subset of) browsers, perhaps the
>  small ones, leading to divergent behaviour
>
>  * Browser update is not universally accepted, leading to divergent
>  behaviour
>
>  Say Foo CA merges with Bar CA, and issues an edict that from now on the
>  string "fooca.com" will include the already-deployed root, "Bar CA
>  Super-Secure". Six months later, after gnashing their teeth at the delay
>  that this process is introducing into their business, they start issuing
>  certs from "Bar CA Super-Secure" to Foo CA customers. A site,
>  naiveshop.com, is pinned to fooca.com, and buys one of these new certs.
>  All naiveshop.com's customers whose browsers are older than 6 months get
>  connection failures, and naiveshop.com can't easily detect that this is
>  happening, or to how many people.
>
>  Gerv


To echo Gerv, I think there are a number of real and practical problems to
the idea of pinning to names that make this even more error prone in
practice than pinning to SPKIs.

The most obvious one is how to distribute updates to names such that they
are universally accepted/recognized? An SPKI is an unambiguous identifier,
but a named layer of indirection creates issues, especially if names are
re-used (which is their whole value over SPKIs - is that they CAN be
reused for different sets of pins over time).

It's well known and understood that not every user updates their browser
every cycle. Or, when and if pinning is integrated into an OS, they don't
always update their OS. So you will quickly have a situation, very easily
within a few releases, of the name 'Foo CA' ambiguously referring to
multiple different sets of SPKIs.

This is independent of mergers - CAs that are issuing new intermediates,
or deprecating old roots, etc.

You also create an assumption that "User Agent == Root Store", which is
NOT a universal. There are a LARGE number of UAs (typically, smaller ones)
that do not operate their own root store, and even one of the most popular
UAs does not operate a root store across all their supported platforms. In
this situation, roots may be added/removed from the root store on a time
frame different from modifications to this proposed 'CA name list', thus
creating interop issues like the one Gerv highlighted.

Support for SPKI pinning relies on no other infrastructure - whether it be
the registry or the update mechanisms - and can actively be shown to work
in practice. The existing failure modes discussed in
http://tools.ietf.org/html/draft-ietf-websec-key-pinning-08#section-4
highlight the need to balance usability with security, and the trade-offs
involved.

Adding two or three more parties into the pinning infrastructure seems to
trade security, add complexity, and not actually provide real benefit to
usability, because it still allows pin skewing, but of a different nature.

To me, this represents a similar attempt to create another situation like
the Public Suffix List ( http://publicsuffix.org/ ) - well intentioned,
and certainly valuable, but easily opening up a whole host of new security
and deployment issues.

v2.23.0 | Report a Bug | By Email