IETF Logo Mail Archive

Re: [websec] #58: Should we pin only SPKI, or also names

Trevor Perrin <trevp@trevp.net> Sun, 11 August 2013 04:30 UTC

Return-Path: <trevp@trevp.net>
X-Original-To: websec@ietfa.amsl.com
Delivered-To: websec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 93E8321F9B86 for <websec@ietfa.amsl.com>; Sat, 10 Aug 2013 21:30:55 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.547
X-Spam-Level:
X-Spam-Status: No, score=-1.547 tagged_above=-999 required=5 tests=[AWL=-0.810, BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, J_BACKHAIR_23=1, RCVD_IN_DNSWL_LOW=-1, SARE_LWSHORTT=1.24]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Tn3DDa3q9we2 for <websec@ietfa.amsl.com>; Sat, 10 Aug 2013 21:30:49 -0700 (PDT)
Received: from mail-we0-f172.google.com (mail-we0-f172.google.com [74.125.82.172]) by ietfa.amsl.com (Postfix) with ESMTP id 2C60521F9EEE for <websec@ietf.org>; Sat, 10 Aug 2013 21:25:54 -0700 (PDT)
Received: by mail-we0-f172.google.com with SMTP id t61so4634755wes.31 for <websec@ietf.org>; Sat, 10 Aug 2013 21:25:54 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=x-gm-message-state:mime-version:in-reply-to:references:date :message-id:subject:from:to:cc:content-type; bh=I7vKG8RQeLz9gt3bbQwOUWtGBQY3UlFJxMW9alNI5YI=; b=MVlq9Zrwq5/pVBU2tmsIJwLEDEG1P6dmWoKoVtUsKSpjo0cYkdisJs19l5qJzUbGtK jBDsH4GY3gDheiOU4javhyEis0j2SaJYDvdmiyHXlgv2vV5NDh4FfKQH2oDB+kmCMW6b HI9Q8Mc1b58cRxW1C5NLe5IX3AT3vfzAsgxjqWfrpHXBa0dKHIjtNEpFVvnAAVQ8HaD2 6b3nbkmsDISnWc69SRZl/jYmzSajUl7bj3n5xv+Je6hVIou4FSbqdK4w6cc6l1yx2a3r 2PzD+/BzQ5L+AcRjkpocBbQ9+h7dBBMsNhwKJXnriC3nST44OflslrPzIA/4XSpSAQfa q4vQ==
X-Gm-Message-State: ALoCoQkQtn8fyMDGwVfPVOXTYcROpbkk1UwSYX3MxfIJv+QbbrsPnO6pXiBBR8oyLWs4UyD1dZE1
MIME-Version: 1.0
X-Received: by 10.180.10.202 with SMTP id k10mr3580629wib.17.1376195154066; Sat, 10 Aug 2013 21:25:54 -0700 (PDT)
Received: by 10.216.212.9 with HTTP; Sat, 10 Aug 2013 21:25:53 -0700 (PDT)
X-Originating-IP: [50.37.31.184]
In-Reply-To: <CAOuvq20O9bqHGR-5eKPmasNnWEuNW7ACL7PxM09yoTmmyt1UUg@mail.gmail.com>
References: <060.be9b0009dc0350ca543f553042673944@trac.tools.ietf.org> <073501ce8c6e$f6c17d90$e44478b0$@digicert.com> <CAMm+LwjdGJC4FHCJ_OAYGRqCGGc0Nz1pLV=yVGK9M9E7drfujQ@mail.gmail.com> <CAOuvq200e9HnPX1w9sZ+e7ipBmdgZdPL5xzKDgcaDpSxz1N=gg@mail.gmail.com> <CAMm+Lwh384YBMXw-BDoxJw+AN4qv8x6GQpF9YK4PW1gQRnadpg@mail.gmail.com> <6125A841-6C85-4858-B37F-C021067F0CFA@checkpoint.com> <2035FF99-A079-4F2F-B4DE-962FE1C1B964@checkpoint.com> <CAOuvq20O9bqHGR-5eKPmasNnWEuNW7ACL7PxM09yoTmmyt1UUg@mail.gmail.com>
Date: Sat, 10 Aug 2013 21:25:53 -0700
Message-ID: <CAGZ8ZG2C4uB=4vgH325TWeNW89ne4E_DN0j9ZV0t2AKa1o+x9g@mail.gmail.com>
From: Trevor Perrin <trevp@trevp.net>
To: Chris Palmer <palmer@google.com>
Content-Type: text/plain; charset="ISO-8859-1"
Cc: websec <websec@ietf.org>
Subject: Re: [websec] #58: Should we pin only SPKI, or also names
X-BeenThere: websec@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/websec>, <mailto:websec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/websec>
List-Post: <mailto:websec@ietf.org>
List-Help: <mailto:websec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/websec>, <mailto:websec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 11 Aug 2013 04:30:55 -0000

On Thu, Aug 8, 2013 at 1:26 PM, Chris Palmer <palmer@google.com> wrote:
> On Tue, Aug 6, 2013 at 11:19 PM, Yoav Nir <ynir@checkpoint.com> wrote:
>
>> That is not to say we must not do this, but we must not do this without a registry for CA strings.
[...]
>
> With such a registry, I'd support it.


Do we need to do this now?

Could we just say:
 - The holder of a domain name is responsible for specifying the SPKIs
that it maps to.
 - How the domain holder communicates this to the UA is out of scope.

In the short term CAs and browser vendors could coordinate manually.
If this type of pinning becomes popular, more scalable mechanisms can
be evolved.

These mechanisms might be complex.  For example, CAs might publish
their key lists somewhere browser vendors could scan for them, and
there might be timing rules requiring changes be published X days in
advance, and requiring browser vendors to rescan for changes every Y
days.

But maybe it would be totally different.  Maybe we'd have to
experiment with multiple mechanisms.  And maybe named pinning won't
take off, so none of this is necessary.

So it seems best to separate this from HPKP, and advance HPKP now in a
way that lets us experiment with named pinning.  The hard work of
building a scaleable system for CA<->key mapping can be postponed
until it's necessary and we have a better understanding of
requirements.


Trevor

v2.23.0 | Report a Bug | By Email