IETF Logo Mail Archive

Re: [websec] Key pinning for DSA keys with inherited domain params

Adam Langley <agl@google.com> Mon, 12 December 2011 15:03 UTC

Return-Path: <agl@google.com>
X-Original-To: websec@ietfa.amsl.com
Delivered-To: websec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 705E321F8B71 for <websec@ietfa.amsl.com>; Mon, 12 Dec 2011 07:03:06 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.977
X-Spam-Level:
X-Spam-Status: No, score=-102.977 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, RCVD_IN_DNSWL_LOW=-1, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 9GZL9s9NaNTn for <websec@ietfa.amsl.com>; Mon, 12 Dec 2011 07:03:06 -0800 (PST)
Received: from mail-qy0-f172.google.com (mail-qy0-f172.google.com [209.85.216.172]) by ietfa.amsl.com (Postfix) with ESMTP id DF9F421F8B6C for <websec@ietf.org>; Mon, 12 Dec 2011 07:03:05 -0800 (PST)
Received: by qcsf15 with SMTP id f15so4258534qcs.31 for <websec@ietf.org>; Mon, 12 Dec 2011 07:03:05 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=beta; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type:content-transfer-encoding:x-system-of-record; bh=bxrsDCybWwGL5M/ipT4d7TT5jejEG+Ob+BovM7t9AuY=; b=tcN0CuPcDNVQ5sSu+VMuAd9Bu++431exZVQHH960YxatauttSrTJ0L6Np22/VMY7qK Ljhz0Q5WLYsIy/VV2BHg==
Received: by 10.50.203.100 with SMTP id kp4mr16103163igc.7.1323702184944; Mon, 12 Dec 2011 07:03:04 -0800 (PST)
MIME-Version: 1.0
Received: by 10.50.203.100 with SMTP id kp4mr16103153igc.7.1323702184842; Mon, 12 Dec 2011 07:03:04 -0800 (PST)
Received: by 10.231.122.69 with HTTP; Mon, 12 Dec 2011 07:03:04 -0800 (PST)
In-Reply-To: <76E2AAC7-2070-4C98-B0EE-08BE5D2B0CB9@team.telstra.com>
References: <76E2AAC7-2070-4C98-B0EE-08BE5D2B0CB9@team.telstra.com>
Date: Mon, 12 Dec 2011 10:03:04 -0500
Message-ID: <CAL9PXLz7fVbH5SC0X1G+uj_-BZKW=Gj5L1zQbxX8398e+e2t6g@mail.gmail.com>
From: Adam Langley <agl@google.com>
To: "Manger, James H" <James.H.Manger@team.telstra.com>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
X-System-Of-Record: true
Cc: "websec@ietf.org" <websec@ietf.org>
Subject: Re: [websec] Key pinning for DSA keys with inherited domain params
X-BeenThere: websec@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/websec>, <mailto:websec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/websec>
List-Post: <mailto:websec@ietf.org>
List-Help: <mailto:websec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/websec>, <mailto:websec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 12 Dec 2011 15:03:06 -0000

On Sat, Dec 10, 2011 at 9:30 AM, Manger, James H
<James.H.Manger@team.telstra.com> wrote:
> 1. Say the pinning mechanism MUST NOT be used when a SubjectPublicKeyInfo value does not completely specify the public key, such as when holding a DSA key without its domain parameters. This would be acceptable if no one uses the inherit-parameters-from-the-CA option. I have no idea whether or not that is true.

I believe that you're correct that this is a problem and I suggest
your solution (1): a public key pin cannot be formed if the SPKI is
incomplete when taken in isolation.



Cheers

AGL

v2.23.0 | Report a Bug | By Email