Re: [websec] Re-litigating Key-Pinning

Barry Leiba <> Wed, 27 August 2014 14:55 UTC

Return-Path: <>
Received: from localhost ( []) by (Postfix) with ESMTP id BCEC31A0792 for <>; Wed, 27 Aug 2014 07:55:23 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.278
X-Spam-Status: No, score=-1.278 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, FM_FORGED_GMAIL=0.622, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=no
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id R3yRlj1YkjXE for <>; Wed, 27 Aug 2014 07:55:22 -0700 (PDT)
Received: from ( [IPv6:2a00:1450:4010:c04::229]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 2F7681A0739 for <>; Wed, 27 Aug 2014 07:55:22 -0700 (PDT)
Received: by with SMTP id n15so620366lbi.14 for <>; Wed, 27 Aug 2014 07:55:20 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20120113; h=mime-version:sender:in-reply-to:references:date:message-id:subject :from:to:cc:content-type; bh=nwpQsDHGGM/Po+W3DOGYS8gygcv6fIIT7JF4dXzVEEs=; b=Nw/5ntw77s3bwLbUzAeG9hwRWCBN42e0hVgGXg+fgKKNt06rXuj1v2e2f8LlyBfd63 l0fcbtlx+ENOf6PmyJu6aukfXS86p69L6F7AKry/IJwjA/81Ayw/TJ3VBGNgtraaTBnw xt5skfG658QynqfL6bX7EjTmfOhm18md8s2HipLQACHPJpwN49hbwjurmxVY24/awzTP +ZfVU8P7BzqfZVPy7wqnFUxubbB/owoPv8dSv9SiDgYi2Wa4pO4WvlWGyIqloY92QpgU RaWHiWEn0tjjdx6FXX6hXLKtG5zqsGfWT225o8McbMA0AVy4CikSDDJlGMqqBP9qfG4v 7MRA==
MIME-Version: 1.0
X-Received: by with SMTP id q3mr20820174lba.85.1409151320095; Wed, 27 Aug 2014 07:55:20 -0700 (PDT)
Received: by with HTTP; Wed, 27 Aug 2014 07:55:20 -0700 (PDT)
In-Reply-To: <>
References: <> <>
Date: Wed, 27 Aug 2014 10:55:20 -0400
X-Google-Sender-Auth: Tgh_6Fj2rT_pRRgrA5McaRmg2EI
Message-ID: <>
From: Barry Leiba <>
To: Trevor Perrin <>
Content-Type: text/plain; charset="ISO-8859-1"
Cc: "<>" <>
Subject: Re: [websec] Re-litigating Key-Pinning
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Web Application Security Minus Authentication and Transport <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Wed, 27 Aug 2014 14:55:23 -0000

Hi, Trevor, and thanks for the note.  A couple of things, as responsible AD:

1. Yoav says, "This is an inappropriate time to raise new substantive
issues about the document."  I agree with the sense of what Yoav is
saying, but let me clarify what that means.  It is *always* an
appropriate time to raise new, substantive issues if those issues are
addressing a serious problem with the document.  The point is that
this stage is not the appropriate time to bring up "we should have
gone in a different direction" issues, whether those are new or
revisited.  Serious problems: OK.  "I'd have done it differently": no.

2. That said, we do need to be sure that issues of any sort that had
been raised before were addressed properly, and it's always
appropriate to have a look at that.  No one's input to the working
group should be sloughed off without proper consideration.

So, let me be clear about what you (Trevor) are saying in your
message, because I'm not sure.

 - Is it that an error was made in document editing, such that
something that you thought was decided one way made it into the
document in a different, incorrect way?

 - Or is it that you think the issue you brought up was not adequately
considered, and editing of the document went off in the wrong
direction because of that?

 - Or is it that you think the issue you brought up was discussed, the
working group decided otherwise, and the editing went in the direction
of consensus that you disagree with.

 - Or is it something else?

Barry, Applications AD

On Wed, Aug 27, 2014 at 3:36 AM, Trevor Perrin <> wrote:
> On Tue, Aug 26, 2014 at 10:44 PM, Yoav Nir <> wrote:
>> Hi folks
>> In the last few days, we've had a bunch of threads re-opening issues with key-pinning, mostly around the PKP-RO.
>> This document has gone through years of discussion on the mailing list, a WGLC and an IETF LC.
>> The document is now under review by the IESG. We (the working group) and the authors need to address comments and discuss ballots by members of the IESG. This is an inappropriate time to raise new substantive issues about the document.
> PKP-RO isn't a new issue.
> The initial draft of PKP-RO was claimed to "follow the same syntax and
> semantics of the Public-Key-Pins header" [1].
> But the text was unclear.  When we discussed this in February Ryan
> proposed to not store PKP-RO pins [2,3].  Myself, Daniel Kahn-Gillmor,
> and Tom Ritter proposed to store them [4,5,6], and Chris added text
> for this [7,8,9,10].
> I later discussed other cleanup of the PKP-RO text [11].  As part of
> that Chris changed some of the wording to *not* store PKP-RO pins
> [12].  I pointed out the discrepancy and that "I thought we decided
> the opposite" a couple times [13,14], but there was a misunderstanding
> and he changed things more towards *not* storing PKP-RO [15].  A
> couple days after you declared "this working group has done as much as
> we can", and further discussion would be "counter-productive" [16].
> But I still think storing PKP-RO would be better, and seemed to be the
> group's preference.
> Trevor
> [1]
> [2]
> [3]
> [4]
> [5]
> [6]
> [7]
> [8]
> [9]
> [10]
> [11]
> [12]
> [13]
> [14]
> [15]
> [16]