[websec] Richard Barnes' Yes on draft-ietf-websec-key-pinning-19: (with COMMENT)
"Richard Barnes" <rlb@ipv.sx> Wed, 06 August 2014 19:23 UTC
Return-Path: <rlb@ipv.sx>
X-Original-To: websec@ietfa.amsl.com
Delivered-To: websec@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id F18841A00FA; Wed, 6 Aug 2014 12:23:09 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id UHCBGWBsP0PH; Wed, 6 Aug 2014 12:23:08 -0700 (PDT)
Received: from ietfa.amsl.com (localhost [IPv6:::1]) by ietfa.amsl.com (Postfix) with ESMTP id 52E571A00AD; Wed, 6 Aug 2014 12:23:08 -0700 (PDT)
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
From: Richard Barnes <rlb@ipv.sx>
To: The IESG <iesg@ietf.org>
X-Test-IDTracker: no
X-IETF-IDTracker: 5.6.2.p5
Auto-Submitted: auto-generated
Precedence: bulk
Message-ID: <20140806192308.15466.52635.idtracker@ietfa.amsl.com>
Date: Wed, 06 Aug 2014 12:23:08 -0700
Archived-At: http://mailarchive.ietf.org/arch/msg/websec/Pj96JVap5_4fL_2SrjlWwm2KyqI
Cc: draft-ietf-websec-key-pinning@tools.ietf.org, websec@ietf.org, websec-chairs@tools.ietf.org
Subject: [websec] Richard Barnes' Yes on draft-ietf-websec-key-pinning-19: (with COMMENT)
X-BeenThere: websec@ietf.org
X-Mailman-Version: 2.1.15
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/websec>, <mailto:websec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/websec/>
List-Post: <mailto:websec@ietf.org>
List-Help: <mailto:websec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/websec>, <mailto:websec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 06 Aug 2014 19:23:10 -0000
Richard Barnes has entered the following ballot position for draft-ietf-websec-key-pinning-19: Yes When responding, please keep the subject line intact and reply to all email addresses included in the To and CC lines. (Feel free to cut this introductory paragraph, however.) Please refer to http://www.ietf.org/iesg/statement/discuss-criteria.html for more information about IESG DISCUSS and COMMENT positions. The document, along with other ballot positions, can be found here: http://datatracker.ietf.org/doc/draft-ietf-websec-key-pinning/ ---------------------------------------------------------------------- COMMENT: ---------------------------------------------------------------------- This is an important document, and overall clearly written. There are a few points that it would be good to clean up. Introduction: "At least one UA..." FWIW, this is now "At least two UAs..." Firefox also has a manual pin list as of version 32, currently in Beta. Introduction: "but is possible to pin keys without requiring HSTS" -> "but it is ... and vice versa." Section 2.2.2. "Pinned Hosts SHOULD NOT include..." This applies not just to Pinned Hosts, but to any web host, right? Section 2.3.1. "If a UA receives more than one PKP header field ... only the first PKP-RO header field (if present)" This seems problematic in light of the fact that HTTP recipients are allowed to coalesce the values of multiple header fields. http://tools.ietf.org/html/rfc7230#section-3.2.2 So, for example, if header coalescing were done at a lower layer in the HTTP stack than HPKP, then the pinning code wouldn't be able to distinguish "first" vs. "rest". On the other hand, maybe this is a use case for using semicolons as separators, since the combined header field would not be valid. In either case, there's a need for updated text. Section 2.5. "at least one Pin that does NOT refer to an SPKI in the certificate chain" I understand the motivation for this, but this doesn't actually force the site to have a backup pin -- they can just make up a pin value. It seems like it would be more effective to make the recommendation in Section 4.3 stronger. Section 4. "Security Considerations" Most of these seem more like "Operational Considerations" or "How-To-Not-Brick-Your-Site Considerations". :)
- [websec] Richard Barnes' Yes on draft-ietf-websec… Richard Barnes
- Re: [websec] Richard Barnes' Yes on draft-ietf-we… Ryan Sleevi
- Re: [websec] Richard Barnes' Yes on draft-ietf-we… Richard Barnes
- Re: [websec] Richard Barnes' Yes on draft-ietf-we… Yoav Nir