Re: [websec] #57: Re-add an upper limit to max-age

Trevor Perrin <> Fri, 05 April 2013 16:53 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 260DD21F8BC4 for <>; Fri, 5 Apr 2013 09:53:54 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.249
X-Spam-Status: No, score=-1.249 tagged_above=-999 required=5 tests=[AWL=1.728, BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, RCVD_IN_DNSWL_LOW=-1]
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id zUEfHTVcigZy for <>; Fri, 5 Apr 2013 09:53:48 -0700 (PDT)
Received: from ( []) by (Postfix) with ESMTP id 983C821F8BD5 for <>; Fri, 5 Apr 2013 09:53:40 -0700 (PDT)
Received: by with SMTP id f12so4077454wgh.22 for <>; Fri, 05 Apr 2013 09:53:38 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20120113; h=mime-version:x-received:x-originating-ip:in-reply-to:references :date:message-id:subject:from:to:cc:content-type :content-transfer-encoding:x-gm-message-state; bh=UHFzH+UXD09oxPcxt1g3xPACwbeMrd2nEAFBs75Bj8c=; b=G5+hAfYoJqGlIK86PwHeMUlD/ZWjRRxGTbnowlEjXzADIqwl0h5cRuLJZp61SQoFtA bWRsEzBBRyUxRl2J/Jt3SyLx99b5PZRpHIFVLZDOAPdC/1bRBGkQoMVjbxs9VfY8uODK kSoyglvzOb6/s2d4laF4fvSjmamflpbEdR03oZKYf/a+pYKRsaGNAu1Kwti6BD/nVR2M KgkY+BPMm3v2o648xvlPIJWJR2g2rl1yJrG2qC7CtvWQxbJZ7x+DddPF0dnbZM2zm15R 0HL1+5lU5nZ4SIWvsQSYenDzZEb1JRaDFjnqLYaVqMnXHRd6E6IOSm74yiKF1vQloeJC 3Lig==
MIME-Version: 1.0
X-Received: by with SMTP id t14mr5828651wib.3.1365180818335; Fri, 05 Apr 2013 09:53:38 -0700 (PDT)
Received: by with HTTP; Fri, 5 Apr 2013 09:53:38 -0700 (PDT)
X-Originating-IP: []
In-Reply-To: <>
References: <> <> <> <> <> <> <> <> <> <> <> <> <>
Date: Fri, 5 Apr 2013 09:53:38 -0700
Message-ID: <>
From: Trevor Perrin <>
To: Yoav Nir <>
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: quoted-printable
X-Gm-Message-State: ALoCoQkhlhyF2m95Y9RYXD+r7nC4BpO4YJYW/O8DTuYNvIso+dL+QL1IhGqwCwFR4pLBB+PcK4GE
Cc: "<>" <>, Ryan Sleevi <>, websec issue tracker <>
Subject: Re: [websec] #57: Re-add an upper limit to max-age
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Web Application Security Minus Authentication and Transport <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Fri, 05 Apr 2013 16:53:59 -0000

On Fri, Apr 5, 2013 at 1:48 AM, Yoav Nir <> wrote:
> On Apr 5, 2013, at 10:03 AM, Trevor Perrin <> wrote:
>> On Fri, Mar 29, 2013 at 7:05 PM, Yoav Nir <> wrote:
>>> Getting back to the subject of the thread, I still don't see the difference for a site operator between being bricked for 60 days and being bricked for a year. For an only retailer it's catastrophe either way.
>> Hi Yoav,
>> There are other things to consider when thinking about pin lifetimes:
>> - Suppose a site foolishly sets a year-long pin to keys that will be
>> expired in 6 months.  A client who receives this pin and then visits
>> the site 6 months later will perceive that the site is bricked for the
>> next 6 months.
> True. At least in the case of certificates, there was some discussion of capping the maximum noted age to the expiration time of the certificate for that connection. This is not a complete solution, though, because there is some period of time (perhaps 1-2 weeks) where the site operator has a new, valid certificate, but the old one hasn't expired yet.

That also means that if a site uses short-lived or soon-to-expire
certificates the pin lifetime could get badly truncated, so that's not
a great idea.

Anyways, expiration is just one way the above problem could happen.
Imagine that you mistakenly set a year-long pin to CA keys that your
CA is going to roll / phase-out in 6 months.  Same problem.  Capping
pin lifetimes means less risk of this occurring.

> A backup pin should work, as I believe the common practice would be to use the backup pin in the following certificate request. And backup pins are mandatory according to the draft.

Backup pin don't solve this problem.  Backup keys can be revoked /
expired / rolled / lost like other keys.

>> - Suppose a site has a year-long pin to a set of end-entity keys.
>> Suppose these keys are compromised by a hacker.  For the next year,
>> the site will be unable to change keys to re-establish security
>> without a risk of "bricking" the site for clients with the old pin.
> And that is why the draft now requires backup pins. At least, it's one reason.

No, I'm describing the scenario where ALL your pinned keys, including
"backup pins", were compromised.  Maybe you were keeping all your
pinned end-entity keys in an offline laptop which was stolen.  Maybe
you were pinning yourself exclusively to CAs operated by a single
commercial entity (e.g. Symantec), and you lose trust in this entity.

In these scenarios, you are "locked-in" and prevented from key changes
during the pin lifetime.

>> - Suppose you purchase a domain name.  The previous owner may have
>> set long-term pins, meaning the name is not fully usable until these
>> expire.
> Yeah, that's bad. Even worse is if an attacker manages to get a CA to issue them a valid certificate. Users now note pins that match the bad certificate, and they can be blocked from going to the real site for some time.

Yes that's what I'm describing.

> HPKP protects against exactly this attack

No, HPKP or any dynamic-pinning method *CAUSES* this attack, by
allowing the previous owner of any domain name to acquire a
certificate, then use it to set pins.

> I think it's clear that HPKP (much like HSTS) is a gun with which site operators can easily shoot themselves (or their users) in the foot.

The risks and issues around key-pinning lifetimes are completely
different from HSTS.  HSTS cannot make it impossible for a site to be
reached, or lock you into insecure keys.

> There has to be a certain level of competence and responsibility to make use of these mechanisms. They should not be used lightly.

Please note that dynamic pinning creates risks for the entire web by
virtue of existing.  If 1/1000 websites "opt-in" to a key pinning
mechanism, the remaining 999 are still exposed to the risk that their
DNS name could be hijacked and a bad pin could be set.

And anyone who purchases or acquires a domain name is still exposed to
the risk that it could come with an unpleasant "pinning" surprise.

>OTOH I don't think we should bind the hands of administrators who do choose to use it.

Long-lived pins are *more* likely to bind the hands of administrators
than short-lived, which is why I think pin lifetimes should be
strictly limited.