Re: [websec] [saag] Pinning
Chris Palmer <palmer@google.com> Fri, 10 August 2012 22:20 UTC
Return-Path: <palmer@google.com>
X-Original-To: websec@ietfa.amsl.com
Delivered-To: websec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 48CC911E80BF for <websec@ietfa.amsl.com>; Fri, 10 Aug 2012 15:20:25 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.977
X-Spam-Level:
X-Spam-Status: No, score=-102.977 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, RCVD_IN_DNSWL_LOW=-1, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id hyUHvzRJWRq8 for <websec@ietfa.amsl.com>; Fri, 10 Aug 2012 15:20:24 -0700 (PDT)
Received: from mail-lpp01m010-f44.google.com (mail-lpp01m010-f44.google.com [209.85.215.44]) by ietfa.amsl.com (Postfix) with ESMTP id AEA8621F85E6 for <websec@ietf.org>; Fri, 10 Aug 2012 15:20:23 -0700 (PDT)
Received: by lahm15 with SMTP id m15so1159780lah.31 for <websec@ietf.org>; Fri, 10 Aug 2012 15:20:22 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type:content-transfer-encoding:x-system-of-record; bh=FTmmwBpKGjH+Tbnx5ZkrEUYsGph/GBInZy34ikeBInE=; b=YuthJyKzNEAkdwrV0uSD9UV5rkXvG4N6ZnY7q9m7tYuCoN3qgrpOqpQReRoF0ovabO I0+ycuMLW1/AbuG85sw2MVHd8mkK0uF70nNKiMag4lK5+9rNb1RM9etbD9YFx6AciC9r R2QY6Glvtn/mfpb/kQo/7rYecwqOjR0JDNab5MOQH2rwr60icnGk7CgxoTv0Okwmo4Lr 1Hsc/byl3JyFTXV97Hrg7/gLsaDrioUsx/WOixQiXoCtXg/+CBiZ8HTzBBim4HP42YMB BKirPKuyoIXZtqcnN3m+NCxXlrffjgyWQUf8oKK5Hv2xuC5p93i0d5ucBsG82fOWP40i PJJQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type:content-transfer-encoding:x-system-of-record :x-gm-message-state; bh=FTmmwBpKGjH+Tbnx5ZkrEUYsGph/GBInZy34ikeBInE=; b=D12dJCp5OGJ902dp8fj/PQFf4GKbYyQ7a4JOsP78+CpZw1SB87S9u6akj20iAnbiuJ ICyntSI6NVRKVyB9XTdQc1L1JTMnx56e/XYQCqrQSYa69wzFoimXv9eWUzK6OGOSBIjL D23LqBZOUcPvIAwCQ0JR3oVtMFSTkXxmo+TMkKkQHi0voX7xkZuWtzP4SCTBtd6RXrmf fySt54cMppRtPwc4q2Gtdj9gU1fHIWKVmQsqaiSJj6/AaMhp3PWXwzj6cTzYUIr4OQr+ /kaUzk8TtsXhBBROOHFviiVOZ4lb8QwJwXmTleBVwRJxN/VQ2j7k4DD2imxNsjF/uxDK ZDbQ==
Received: by 10.152.111.71 with SMTP id ig7mr4303285lab.28.1344637222718; Fri, 10 Aug 2012 15:20:22 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.152.111.71 with SMTP id ig7mr4303269lab.28.1344637222530; Fri, 10 Aug 2012 15:20:22 -0700 (PDT)
Received: by 10.112.77.4 with HTTP; Fri, 10 Aug 2012 15:20:22 -0700 (PDT)
In-Reply-To: <4FCF894B.8080002@gondrom.org>
References: <31946C2A-4ACD-46D7-8977-49B681204A7B@checkpoint.com> <8E52CEC5-4FEB-4464-AB11-21F1B9208C5C@checkpoint.com> <38489744-05A9-45F0-A752-7F0B9E96E641@vpnc.org> <4FCF894B.8080002@gondrom.org>
Date: Fri, 10 Aug 2012 15:20:22 -0700
Message-ID: <CAOuvq20iC817T-9U3zWG7S2Z=uU=G0i6usOT915ky+9FO8_Zwg@mail.gmail.com>
From: Chris Palmer <palmer@google.com>
To: Tobias Gondrom <tobias.gondrom@gondrom.org>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
X-System-Of-Record: true
X-Gm-Message-State: ALoCoQlgCWQpLBUJCtLrnE9UECixZZC6AdBUZRHQleP7GT37kfbb9jKNPg3mqo+RTc44xxM6LRtKNCOJRpwhVm3dqZ3yMiQWho6sdWRSO6Xs5bpDQqDbEImE400BdbKOyVOBfDS9+jjVu4U4wVA6mq+L0QqUY6dn6jcI3WTaOQ4bJ+0/N+vpi0669POpLQnrg1xWa8onDT/9
Cc: Chris Evans <cevans@google.com>, websec@ietf.org, paul.hoffman@vpnc.org, saag@ietf.org, turners@ieca.com, Moxie Marlinspike <moxie@thoughtcrime.org>
Subject: Re: [websec] [saag] Pinning
X-BeenThere: websec@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/websec>, <mailto:websec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/websec>
List-Post: <mailto:websec@ietf.org>
List-Help: <mailto:websec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/websec>, <mailto:websec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 10 Aug 2012 22:20:25 -0000
Hi all, Resurrecting this ancient thread, and explicitly including Moxie and Trevor in case they aren't already on any of the relevant mailing lists. So ultimately I do think we should decide on either HPKP or TACK, but that we should make that decision after there has been some real-world deployment experience with both (or, sadly, real-world non-deployment of one or both). Additionally, HPKP and TACK might converge, more or less. I have plans to publish a new HPKP I-D that borrows some of TACK's pin activation and expiration ideas, for example. Additionally, one of the main criticisms of HPKP is that it is tied to HTTP. I currently don't consider that a huge problem — even though I consider TACK's TLS-generic-ness a nice benefit — for several reasons: * HTTPS is the big, important application that we need to secure right now. * IMAPS and POPS are surely on the list too, right after HTTPS; but specifying "IPKP" and "PPKP" is likely to be relatively straightforward once we get HPKP working. * It's not clear that SMTP over TLS is very beneficial, because you can't stop delivery due to pin validation failure (or really even regular old X.509 failure). You could use certificate errors as soft-fail spam signals, but you can in principle do that now, too, without explicit pinning. I don't know how much benefit you'd get from using pin validation failure as a spam signal. * SSH already has PKP. :) * The other common application protocols, like SIP, XMPP, and friends, are likely to also be pretty easy to extend in a manner similar to HPKP, "IPKP", and "PPKP". And finally, as Ben Laurie pointed out, there is also Certificate Transparency. I personally consider the "public log" class of solutions (of which CT is a leading member, along with Sovereign Keys) to be The Real Solution. Pinning-like solutions (including HPKP and TACK) are a good, quick fix — as long as they are quick and simple. On Wed, Jun 6, 2012 at 9:46 AM, Tobias Gondrom <tobias.gondrom@gondrom.org> wrote: > Sean et al., > > <hat="individual"> > I agree with Paul and Yoav and think the coordination between dane and > websec on HSTS and key-pinning is ok. Both WGs are aware of potential > coordination issues when mechanisms in both (DNSSEC and HTTP header) will be > implemented eventually. I don't think we need an operations statement yet. > Maybe at some point in the future an informational Best Practice or if you > wish a Std Track can help. > > With regards to draft-perrin-tls-tack and draft-ietf-websec-key-pinning, I > am not so sure about potential conflicts here and whether we need or want > both. > </hat> > > Best regards, Tobias > > > Ps.: > <hat="WG chair"> > And on a personal note, one thing I am not so happy about is that I can see > from the tls-tack draft, that the authors are aware of key-pinning (which is > nice) and perceive that there would be flaws, yet they chose to not post > their comments on it to websec nor inform the WG about their new draft. > > To make it easier in the future to coordinate the two drafts and possibly > discuss and decide whether to boil down to one, it might make sense to > inform websec about draft-perrin-tls-tack and have a discussion about it at > some point there. > Just my 5cents. > </hat> > > > > > On 05/06/12 23:01, Paul Hoffman wrote: >> >> On Jun 5, 2012, at 2:46 PM, Yoav Nir wrote: >> >>>> The similarity of pinning and DANE has been discussed before. DANE >>>> relies on DNSSEC being deployed, which key-pinning does not. >> >> Correct. Further, key-pinning in HTTP only applies to HTTP and relies on >> the client being able to establish a TLS session using non-key-pinning >> semantics. Key-pinning in TLS relies works with any lower-layer protocol and >> relies on the client being able to establish a TLS session using >> non-key-pinning semantics. >> >>>> Come to think of it, the draft needs a section comparing with DANE, but >>>> that's for another thread. >>>> >>>> draft-perrin-tls-tack seems to tackle the same problem as key-pinning. >>>> Instead of the pins getting attested to in HTTP headers, you have a special >>>> public/private key pair, that you use to sign the SPKI from the server >>>> certificate within the a TLS extension. Like key-pinning there's a TOFU >>>> element here, because the client only learns about the special key when it >>>> encounters it in a TLS handshake. >>>> >>>> The obvious question is why would we need both key-pinning and tack. >> >> It would be clearer if you said "both key-pinning in HTTP and key-pinning >> in TLS (tack)". >> >> --Paul Hoffman >> >> _______________________________________________ >> saag mailing list >> saag@ietf.org >> https://www.ietf.org/mailman/listinfo/saag > > > _______________________________________________ > saag mailing list > saag@ietf.org > https://www.ietf.org/mailman/listinfo/saag
- [websec] Fwd: [saag] Pinning Paul Hoffman
- Re: [websec] Pinning Yoav Nir
- Re: [websec] [saag] Pinning Tobias Gondrom
- Re: [websec] [saag] Pinning Chris Palmer
- Re: [websec] [saag] Pinning Paul Hoffman
- Re: [websec] [saag] Pinning Trevor Perrin
- Re: [websec] [saag] Pinning Yoav Nir
- Re: [websec] [saag] Pinning Tom Ritter
- Re: [websec] [saag] Pinning Yoav Nir
- Re: [websec] [saag] Pinning Jeffrey Hutzelman
- Re: [websec] [saag] Pinning Tony Finch
- Re: [websec] [saag] Pinning Alexey Melnikov
- Re: [websec] [saag] Pinning Tobias Gondrom
- Re: [websec] [saag] Pinning Tobias Gondrom