IETF Logo Mail Archive

Re: [websec] Comments on draft-ietf-websec-key-pinning-06

Phillip Hallam-Baker <hallam@gmail.com> Fri, 28 June 2013 15:00 UTC

Return-Path: <hallam@gmail.com>
X-Original-To: websec@ietfa.amsl.com
Delivered-To: websec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BF45121F9B99 for <websec@ietfa.amsl.com>; Fri, 28 Jun 2013 08:00:58 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, HTML_MESSAGE=0.001, NO_RELAYS=-0.001]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ZF-JzbDmy9Z5 for <websec@ietfa.amsl.com>; Fri, 28 Jun 2013 08:00:58 -0700 (PDT)
Received: from mail-wg0-x22b.google.com (mail-wg0-x22b.google.com [IPv6:2a00:1450:400c:c00::22b]) by ietfa.amsl.com (Postfix) with ESMTP id 84D8921F9BF8 for <websec@ietf.org>; Fri, 28 Jun 2013 08:00:57 -0700 (PDT)
Received: by mail-wg0-f43.google.com with SMTP id z11so1737713wgg.22 for <websec@ietf.org>; Fri, 28 Jun 2013 08:00:56 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=Q7438EHSEzAnLIl6Je8jlxL/ejWsGFauBoYQZP/t9C4=; b=pi5zu0k5Z8pxinljMLMLOh9CBBYd4Eqzh8+wXxOftwcicp7Q2YtJvS6dYP1pvtAPWm mg3k0siXfP8fPpmmB58Q4JdQm3RY3vcy6YhXDHuqAhHee1K7CUhaM8fOl+XpI5Aznsmg SzeOeCodFuVx0nGd0Yaq6z3BstbPsdp/iygpJ+5xEe81A5ckfX+qRUDjJwcxM0BP1dvf L9zXIjfr1VFisVIZGtMzWou7fSnwFbGfQPb5ufNKgDxnov8lhKSPL9WQhW7bfr8vBLSR fdCL+MipU/PP/0oavAAlwbvInxqGoNLrpQU66iVSXrMmE9K+z2YCTHGpJB95lISb5lHa WjbQ==
MIME-Version: 1.0
X-Received: by 10.180.187.136 with SMTP id fs8mr2717900wic.18.1372431656755; Fri, 28 Jun 2013 08:00:56 -0700 (PDT)
Received: by 10.194.54.10 with HTTP; Fri, 28 Jun 2013 08:00:56 -0700 (PDT)
In-Reply-To: <51CD39D9.1040801@gondrom.org>
References: <8c03997da80b4e8da7100491011b8c12@BN1PR03MB039.namprd03.prod.outlook.com> <6F2FE5F2-D02C-4B09-A6CA-7C3B63722E34@checkpoint.com> <CAOuvq203V8LNjkimfd2m+aTX7-gKr=J62jmUqz-PDQEN6O9Lvg@mail.gmail.com> <CAOuvq20_KZPcBWyPgpGj=K5gy=1BGGRv11Zuxmcw_wBmzBhgUA@mail.gmail.com> <CAGZ8ZG1uHYxxh9q+z7767zW4=HWTa19EJGiu4oyERhTyM0KQBw@mail.gmail.com> <51CD39D9.1040801@gondrom.org>
Date: Fri, 28 Jun 2013 11:00:56 -0400
Message-ID: <CAMm+LwhRm7dCk=Q=mQAWtOQ5hosjyngSWjVbQ454Tj+ocVDqrQ@mail.gmail.com>
From: Phillip Hallam-Baker <hallam@gmail.com>
To: Tobias Gondrom <tobias.gondrom@gondrom.org>
Content-Type: multipart/alternative; boundary="001a11c381ec612d4b04e03825a3"
Cc: dmatson@microsoft.com, websec <websec@ietf.org>
Subject: Re: [websec] Comments on draft-ietf-websec-key-pinning-06
X-BeenThere: websec@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/websec>, <mailto:websec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/websec>
List-Post: <mailto:websec@ietf.org>
List-Help: <mailto:websec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/websec>, <mailto:websec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 28 Jun 2013 15:00:58 -0000

CAA faced the problem of identifying a CA.

During the evolution of the draft we went through pretty much every scheme
mentioned in this thread. In the end we decided to go with a domain name
that is asserted for that purpose by the CA. So symantec.com / comodo.com /
etc.


At this point the main reason Cert Pinning should follow the same route is
that it is already in use and absent a good reason, TLS CA pinning should
follow the existing approach. This makes it more likely that we will get
the support embedded into platforms accurately.

The main reason for going with domain names in CAA was that it means there
is no need to create a new registry. That is important as it feels wrong to
have an IETF spec differentiate between commercial and private CAs. It
feels even wronger to have IANA managing registries of commercial
providers. There are good business reasons for the CAs to not want their
business under the control of IANA and vice versa.


There are several other advantages though. One is that it makes it much
easier to work out how to put in mechanisms to 'unpin' since these can now
key off Domain names.

So hypothetically let us imagine that there was a Diginotar situation and
several hundred thousand browsers are now pinned to the busted root. Ooops.

One way that we could approach unpinning in this situation would be to use
something involving DNSSEC


Now that is not an argument for writing more code now. But putting DNS
names there are at least as good as any other option but the fact that they
are a discovery index provides a LOT of power that may be useful down the
line.

This might happen in CAA. An obvious next step for CAA is to have a cert
request mechanism where the end entity looks at the CAA record to find out
where it can get certs from.

v2.30.2 | Report a Bug | By Email | System Status