Re: [websec] Re-litigating Key-Pinning
Barry Leiba <barryleiba@computer.org> Wed, 27 August 2014 14:55 UTC
Return-Path: <barryleiba@gmail.com>
X-Original-To: websec@ietfa.amsl.com
Delivered-To: websec@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BCEC31A0792 for <websec@ietfa.amsl.com>; Wed, 27 Aug 2014 07:55:23 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.278
X-Spam-Level:
X-Spam-Status: No, score=-1.278 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, FM_FORGED_GMAIL=0.622, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id R3yRlj1YkjXE for <websec@ietfa.amsl.com>; Wed, 27 Aug 2014 07:55:22 -0700 (PDT)
Received: from mail-lb0-x229.google.com (mail-lb0-x229.google.com [IPv6:2a00:1450:4010:c04::229]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2F7681A0739 for <websec@ietf.org>; Wed, 27 Aug 2014 07:55:22 -0700 (PDT)
Received: by mail-lb0-f169.google.com with SMTP id n15so620366lbi.14 for <websec@ietf.org>; Wed, 27 Aug 2014 07:55:20 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:sender:in-reply-to:references:date:message-id:subject :from:to:cc:content-type; bh=nwpQsDHGGM/Po+W3DOGYS8gygcv6fIIT7JF4dXzVEEs=; b=Nw/5ntw77s3bwLbUzAeG9hwRWCBN42e0hVgGXg+fgKKNt06rXuj1v2e2f8LlyBfd63 l0fcbtlx+ENOf6PmyJu6aukfXS86p69L6F7AKry/IJwjA/81Ayw/TJ3VBGNgtraaTBnw xt5skfG658QynqfL6bX7EjTmfOhm18md8s2HipLQACHPJpwN49hbwjurmxVY24/awzTP +ZfVU8P7BzqfZVPy7wqnFUxubbB/owoPv8dSv9SiDgYi2Wa4pO4WvlWGyIqloY92QpgU RaWHiWEn0tjjdx6FXX6hXLKtG5zqsGfWT225o8McbMA0AVy4CikSDDJlGMqqBP9qfG4v 7MRA==
MIME-Version: 1.0
X-Received: by 10.112.8.99 with SMTP id q3mr20820174lba.85.1409151320095; Wed, 27 Aug 2014 07:55:20 -0700 (PDT)
Sender: barryleiba@gmail.com
Received: by 10.152.1.106 with HTTP; Wed, 27 Aug 2014 07:55:20 -0700 (PDT)
In-Reply-To: <CAGZ8ZG03Uy5OdEaEPoX+zvAWQ9cvDYBeufW4CZvLtHN2SFDB8g@mail.gmail.com>
References: <6CAA88AE-1A98-4FF1-B994-A43A0AD3930D@gmail.com> <CAGZ8ZG03Uy5OdEaEPoX+zvAWQ9cvDYBeufW4CZvLtHN2SFDB8g@mail.gmail.com>
Date: Wed, 27 Aug 2014 10:55:20 -0400
X-Google-Sender-Auth: Tgh_6Fj2rT_pRRgrA5McaRmg2EI
Message-ID: <CALaySJ+ZpTy+g2zJdq+V7dbK=hpkRGCBvqdODn6OOzxjz+J=dw@mail.gmail.com>
From: Barry Leiba <barryleiba@computer.org>
To: Trevor Perrin <trevp@trevp.net>
Content-Type: text/plain; charset="ISO-8859-1"
Archived-At: http://mailarchive.ietf.org/arch/msg/websec/TvW15tLML1Rh_6FKutIDhme_JZw
Cc: "<websec@ietf.org>" <websec@ietf.org>
Subject: Re: [websec] Re-litigating Key-Pinning
X-BeenThere: websec@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/websec>, <mailto:websec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/websec/>
List-Post: <mailto:websec@ietf.org>
List-Help: <mailto:websec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/websec>, <mailto:websec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 27 Aug 2014 14:55:23 -0000
Hi, Trevor, and thanks for the note. A couple of things, as responsible AD: 1. Yoav says, "This is an inappropriate time to raise new substantive issues about the document." I agree with the sense of what Yoav is saying, but let me clarify what that means. It is *always* an appropriate time to raise new, substantive issues if those issues are addressing a serious problem with the document. The point is that this stage is not the appropriate time to bring up "we should have gone in a different direction" issues, whether those are new or revisited. Serious problems: OK. "I'd have done it differently": no. 2. That said, we do need to be sure that issues of any sort that had been raised before were addressed properly, and it's always appropriate to have a look at that. No one's input to the working group should be sloughed off without proper consideration. So, let me be clear about what you (Trevor) are saying in your message, because I'm not sure. - Is it that an error was made in document editing, such that something that you thought was decided one way made it into the document in a different, incorrect way? - Or is it that you think the issue you brought up was not adequately considered, and editing of the document went off in the wrong direction because of that? - Or is it that you think the issue you brought up was discussed, the working group decided otherwise, and the editing went in the direction of consensus that you disagree with. - Or is it something else? Thanks, Barry, Applications AD On Wed, Aug 27, 2014 at 3:36 AM, Trevor Perrin <trevp@trevp.net> wrote: > On Tue, Aug 26, 2014 at 10:44 PM, Yoav Nir <ynir.ietf@gmail.com> wrote: >> Hi folks >> >> In the last few days, we've had a bunch of threads re-opening issues with key-pinning, mostly around the PKP-RO. >> >> This document has gone through years of discussion on the mailing list, a WGLC and an IETF LC. >> >> The document is now under review by the IESG. We (the working group) and the authors need to address comments and discuss ballots by members of the IESG. This is an inappropriate time to raise new substantive issues about the document. > > > PKP-RO isn't a new issue. > > The initial draft of PKP-RO was claimed to "follow the same syntax and > semantics of the Public-Key-Pins header" [1]. > > But the text was unclear. When we discussed this in February Ryan > proposed to not store PKP-RO pins [2,3]. Myself, Daniel Kahn-Gillmor, > and Tom Ritter proposed to store them [4,5,6], and Chris added text > for this [7,8,9,10]. > > I later discussed other cleanup of the PKP-RO text [11]. As part of > that Chris changed some of the wording to *not* store PKP-RO pins > [12]. I pointed out the discrepancy and that "I thought we decided > the opposite" a couple times [13,14], but there was a misunderstanding > and he changed things more towards *not* storing PKP-RO [15]. A > couple days after you declared "this working group has done as much as > we can", and further discussion would be "counter-productive" [16]. > > But I still think storing PKP-RO would be better, and seemed to be the > group's preference. > > > Trevor > > > [1] http://www.ietf.org/mail-archive/web/websec/current/msg01539.html > [2] http://www.ietf.org/mail-archive/web/websec/current/msg02030.html > [3] http://www.ietf.org/mail-archive/web/websec/current/msg02037.html > [4] http://www.ietf.org/mail-archive/web/websec/current/msg02042.html > [5] http://www.ietf.org/mail-archive/web/websec/current/msg02043.html > [6] http://www.ietf.org/mail-archive/web/websec/current/msg02044.html > [7] http://www.ietf.org/mail-archive/web/websec/current/msg02051.html > [8] http://www.ietf.org/mail-archive/web/websec/current/msg02054.html > [9] http://www.ietf.org/mail-archive/web/websec/current/msg02055.html > [10] http://www.ietf.org/mail-archive/web/websec/current/msg02069.html > [11] http://www.ietf.org/mail-archive/web/websec/current/msg02075.html > [12] http://www.ietf.org/mail-archive/web/websec/current/msg02081.html > [13] http://www.ietf.org/mail-archive/web/websec/current/msg02084.html > [14] http://www.ietf.org/mail-archive/web/websec/current/msg02094.html > [15] http://www.ietf.org/mail-archive/web/websec/current/msg02097.html > [16] http://www.ietf.org/mail-archive/web/websec/current/msg02100.html
- [websec] Re-litigating Key-Pinning Yoav Nir
- Re: [websec] Re-litigating Key-Pinning Trevor Perrin
- Re: [websec] Re-litigating Key-Pinning Tobias Gondrom
- Re: [websec] Re-litigating Key-Pinning Barry Leiba
- Re: [websec] Re-litigating Key-Pinning Trevor Perrin
- Re: [websec] Re-litigating Key-Pinning Yoav Nir
- Re: [websec] Re-litigating Key-Pinning Julian Reschke
- Re: [websec] Re-litigating Key-Pinning Yoav Nir
- Re: [websec] Re-litigating Key-Pinning Julian Reschke