Re: [websec] DNS publication of HSTS and PKP header data using CAA

Jeffrey Walton <noloader@gmail.com> Mon, 27 April 2015 11:13 UTC

In-Reply-To: <CAMm+Lwjc_7CWPLgTSy=pX81+NXUguOLZmv0t2YgxTbXotQqZsg@mail.gmail.com>
References: <CAMm+Lwjc_7CWPLgTSy=pX81+NXUguOLZmv0t2YgxTbXotQqZsg@mail.gmail.com>
Date: Mon, 27 Apr 2015 07:13:18 -0400
Message-ID: <CAH8yC8nW_=wtAZMWP_UbHZDbU=2V2ggUBMxZ=19MWYcoz2Ju-A@mail.gmail.com>
From: Jeffrey Walton <noloader@gmail.com>
To: Phillip Hallam-Baker <phill@hallambaker.com>
Content-Type: text/plain; charset="UTF-8"
Archived-At: <http://mailarchive.ietf.org/arch/msg/websec/QmzHs-LjjxCJK4dN-zsIsMChQno>
Cc: websec <websec@ietf.org>
Subject: Re: [websec] DNS publication of HSTS and PKP header data using CAA
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>

On Wed, Apr 8, 2015 at 6:00 PM, Phillip Hallam-Baker
<phill@hallambaker.com> wrote:
> http://tools.ietf.org/html/draft-hallambaker-webseccaa-00
>
> It is a pretty straightforward proposal:
>
> * Use the CAA record with either the hsts or hpkp tag
> * Put the same text you would have put into the CAA record value field
>
> There are a few differences in interpretation. All we are trying to do
> here is to help people to close the 'secure after first use' hole, not
> replace.
>
> Given that we have quite a bit of use of HSTS headers, providing a
> mechanism for publishing this in the DNS looks like being the obvious
> approach.
>
Off topic, but related: "Please add Pinning Pinsets and CSP to App
Manifest," https://bugzilla.mozilla.org/show_bug.cgi?id=1158756.

The more channels this information is available through, the better. Choice is
always good. And context-specific security information is even better.
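The mechanism quoted above (a CAA record whose tag is hsts or hpkp and whose value is the text that would otherwise go into the HTTP header) as an added example, not code from the draft, from either poster, or from the list: a small Python consumer that parses a constructed CAA RRset in zone-file presentation format, validates the HSTS and HPKP directive syntax (RFC 6797 and RFC 7469) and checks a presented key's SPKI pin against the published pinset. The records, the SubjectPublicKeyInfo byte strings and the pins derived from them are constructed sample data; the hsts and hpkp tags are the draft's proposal, not standardized CAA properties (RFC 6844 defines only issue, issuewild and iodef).

```python
import base64
import hashlib
import re
from dataclasses import dataclass, field


def spki_pin(spki_der: bytes) -> str:
    """RFC 7469 pin: base64(SHA-256(SubjectPublicKeyInfo DER))."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")


# Constructed sample data: not real keys, not a real zone.
SPKI_A = b"constructed SubjectPublicKeyInfo A (not a real key)"
SPKI_B = b"constructed SubjectPublicKeyInfo B (not a real key)"

# CAA RRset in presentation format; hsts/hpkp tags as in draft-hallambaker-webseccaa-00.
CONSTRUCTED_RRSET = [
    'example.com. IN CAA 0 issue "ca.example.net"',
    'example.com. IN CAA 0 hsts "max-age=31536000; includeSubDomains"',
    f'example.com. IN CAA 0 hpkp "pin-sha256=\\"{spki_pin(SPKI_A)}\\"; '
    f'pin-sha256=\\"{spki_pin(SPKI_B)}\\"; max-age=5184000"',
]

# owner  IN CAA flags tag "value"   (value may contain \" and \\ escapes)
CAA_LINE = re.compile(r'^(\S+)\s+IN\s+CAA\s+(\d+)\s+([A-Za-z0-9]+)\s+"((?:[^"\\]|\\.)*)"\s*$')


@dataclass
class HstsPolicy:
    max_age: int
    include_subdomains: bool = False


@dataclass
class HpkpPolicy:
    max_age: int
    pins: list = field(default_factory=list)
    include_subdomains: bool = False


def parse_caa_line(line: str):
    """Return (flags, tag, value) from one CAA record in presentation format."""
    m = CAA_LINE.match(line)
    if not m:
        raise ValueError(f"not a CAA record: {line!r}")
    flags, tag, raw = int(m.group(2)), m.group(3).lower(), m.group(4)
    value = re.sub(r'\\(.)', r'\1', raw)  # undo \" and \\ escapes
    return flags, tag, value


def parse_directives(value: str) -> list:
    """Split a header-style value into lowercase (name, value) pairs; values may be quoted."""
    out = []
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, val = part.partition("=")
        val = val.strip()
        if len(val) >= 2 and val[0] == val[-1] == '"':
            val = val[1:-1]
        out.append((name.strip().lower(), val))
    return out


def _max_age(directives: list) -> int:
    ages = [v for n, v in directives if n == "max-age"]
    if len(ages) != 1 or not ages[0].isdigit():
        raise ValueError("exactly one numeric max-age directive is required")
    return int(ages[0])


def hsts_from_value(value: str) -> HstsPolicy:
    d = parse_directives(value)
    return HstsPolicy(_max_age(d), any(n == "includesubdomains" for n, _ in d))


def hpkp_from_value(value: str) -> HpkpPolicy:
    d = parse_directives(value)
    pins = [v for n, v in d if n == "pin-sha256"]
    for p in pins:  # each pin must decode to a 32-byte SHA-256 digest
        if len(base64.b64decode(p, validate=True)) != 32:
            raise ValueError(f"pin is not a base64 SHA-256 digest: {p}")
    if len(pins) < 2:  # RFC 7469 section 2.5: a backup pin is mandatory
        raise ValueError("HPKP requires at least two pins")
    return HpkpPolicy(_max_age(d), pins, any(n == "includesubdomains" for n, _ in d))


def policies_from_caa(lines: list) -> dict:
    """Extract hsts/hpkp policies from a CAA RRset; other tags (issue, ...) are left alone."""
    found = {}
    for line in lines:
        _flags, tag, value = parse_caa_line(line)
        if tag == "hsts":
            found["hsts"] = hsts_from_value(value)
        elif tag == "hpkp":
            found["hpkp"] = hpkp_from_value(value)
    return found


def pin_matches(policy: HpkpPolicy, spki_der: bytes) -> bool:
    """True when the presented key's SPKI pin is in the published pinset."""
    return spki_pin(spki_der) in policy.pins


if __name__ == "__main__":
    pol = policies_from_caa(CONSTRUCTED_RRSET)
    print(pol["hsts"], pol["hpkp"], sep="\n")
    print("key A pinned:", pin_matches(pol["hpkp"], SPKI_A))
    print("other key pinned:", pin_matches(pol["hpkp"], b"some other key"))
```

Because the value is carried verbatim from the header into a DNS TXT-like field, the same directive parser serves both the header and the CAA path; the consumer still has to apply the header's validation rules (a single numeric max-age, a backup pin) before trusting what it read out of DNS.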