Re: [websec] DNS publication of HSTS and PKP header data using CAA

Jeffrey Walton <noloader@gmail.com> Wed, 08 April 2015 22:19 UTC

In-Reply-To: <CAMm+Lwjc_7CWPLgTSy=pX81+NXUguOLZmv0t2YgxTbXotQqZsg@mail.gmail.com>
References: <CAMm+Lwjc_7CWPLgTSy=pX81+NXUguOLZmv0t2YgxTbXotQqZsg@mail.gmail.com>
Date: Wed, 08 Apr 2015 18:18:56 -0400
Message-ID: <CAH8yC8=5BYCi9hRtUo8+dwFWgPanooQvVxwr1d0GPGUse2eJ+Q@mail.gmail.com>
From: Jeffrey Walton <noloader@gmail.com>
To: Phillip Hallam-Baker <phill@hallambaker.com>
Content-Type: text/plain; charset="UTF-8"
Archived-At: <http://mailarchive.ietf.org/arch/msg/websec/UxRagg-gXu4JlEvfKjfO30pLTlE>
Cc: websec <websec@ietf.org>
Subject: Re: [websec] DNS publication of HSTS and PKP header data using CAA

On Wed, Apr 8, 2015 at 6:00 PM, Phillip Hallam-Baker
<phill@hallambaker.com> wrote:
> http://tools.ietf.org/html/draft-hallambaker-webseccaa-00
>
> It is a pretty straightforward proposal:
>
> * Use the CAA record with either the hsts or hpkp tag
> * Put the same text you would have put into the CAA record value field
>
> There are a few differences in interpretation. All we are trying to do
> here is to help people to close the 'secure after first use' hole, not
> replace.
>
> Given that we have quite a bit of use of HSTS headers, providing a
> mechanism for publishing this in the DNS looks like being the obvious
> approach.
>

A quick question....

> * Use the CAA record with either the hsts or hpkp tag
> * Put the same text you would have put into the CAA record value field

This is obviously predicated on an online app and DNS. Is there any
interest in Installable Web Apps delivered over a trusted distribution
channel?

Installable Web Apps are simply web apps with a manifest that are
packaged and installed like more traditional apps. They still use the
same technologies, like HTML, CSS and JavaScript. The trusted
distribution channel ensures the app is not tampered with during delivery.
This class of app is supported by both Firefox and Chrome.

In the case of installable apps, the information like HSTS and HPKP
can be placed in the app manifest. Even better, standards like HPKP
won't need to provide the override because it's confused about which
pinset is the right one to use. Because the HSTS and HPKP information
was in the manifest during delivery, there will be no question about
which policy or key to use.

Jeff
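The CAA-based publication the quoted proposal sketches, as an added example that is not part of the original post or of draft-hallambaker-webseccaa-00: a small Python parser that reads CAA records in zone-file presentation format (RFC 6844), picks out the hsts and hpkp tags named above, and parses each value with the HTTP header directive syntax of RFC 6797 and RFC 7469, which is what "the same text you would have put into the header" implies. The zone lines and pin values are constructed sample data; refusing an unknown critical-flagged tag and requiring a backup pin are this example's own client-side checks, not rules from the draft.

```python
import re

# Constructed sample zone lines (not from the draft). The "hsts" and "hpkp"
# tags are the ones named in the post; each value carries the text that would
# otherwise go in the HTTP header. The pin values are sample data.
SAMPLE_ZONE = """\
example.com. IN CAA 0 issue "ca.example.net"
example.com. IN CAA 0 hsts "max-age=31536000; includeSubDomains; preload"
example.com. IN CAA 0 hpkp "pin-sha256=\\"cUPcTAZWKaASuYWhhneDttWpY3oBAkE3h2+soZS7sWs=\\"; pin-sha256=\\"M8HztCzM3elUxkcjR2S5P4hhyBNf6lHkmjAHKhpGPWE=\\"; max-age=2592000"
"""

# owner [TTL] IN CAA flags tag "value"   (value may contain \" escapes)
CAA_RE = re.compile(r'^(\S+)\s+(?:\d+\s+)?IN\s+CAA\s+(\d+)\s+([A-Za-z0-9]+)\s+"((?:[^"\\]|\\.)*)"\s*$')

def parse_caa_line(line):
    """Parse one CAA RR in presentation format into (owner, flags, tag, value)."""
    m = CAA_RE.match(line.strip())
    if not m:
        raise ValueError("not a CAA record: %r" % line)
    owner, flags, tag, value = m.groups()
    return owner, int(flags), tag.lower(), value.replace('\\"', '"')

def parse_directives(text):
    """Split header-style text 'a=1; b; c="x"' into a dict; repeated names become lists."""
    out = {}
    for part in text.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, val = part.partition("=")
        name, val = name.strip().lower(), val.strip().strip('"')
        out[name] = ([out[name]] if isinstance(out.get(name), str) else out.get(name, [])) + [val] if name in out else val
    return out

def dns_web_policy(zone_text):
    """Collect HSTS/HPKP policies published via CAA, rejecting malformed ones
    so a client never enforces a half-parsed policy."""
    policy = {}
    for line in zone_text.splitlines():
        owner, flags, tag, value = parse_caa_line(line)
        if tag not in ("hsts", "hpkp"):
            if flags & 128:  # critical flag (RFC 6844) on a tag this consumer does not understand
                raise ValueError("critical unknown CAA tag %r" % tag)
            continue
        d = parse_directives(value)
        max_age = d.get("max-age")
        if not isinstance(max_age, str) or not max_age.isdigit():
            raise ValueError("%s: exactly one integer max-age is required" % tag)
        d["max-age"] = int(max_age)
        if tag == "hpkp":
            pins = d.get("pin-sha256", [])
            pins = pins if isinstance(pins, list) else [pins]
            if len(pins) < 2:  # RFC 7469: a pin matching the chain plus a backup pin
                raise ValueError("hpkp: at least two pin-sha256 values required")
            d["pin-sha256"] = pins
        policy[tag] = d
    return policy
```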