Re: [websec] Fwd: New Version Notification for draft-ietf-websec-key-pinning-03.txt
"Ryan Sleevi" <ryan-ietfhasmat@sleevi.com> Wed, 17 October 2012 16:36 UTC
Return-Path: <ryan-ietfhasmat@sleevi.com>
X-Original-To: websec@ietfa.amsl.com
Delivered-To: websec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 760EB21F86A3 for <websec@ietfa.amsl.com>; Wed, 17 Oct 2012 09:36:46 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id iG2cMhnMmzeV for <websec@ietfa.amsl.com>; Wed, 17 Oct 2012 09:36:45 -0700 (PDT)
Received: from homiemail-a73.g.dreamhost.com (caiajhbdcagg.dreamhost.com [208.97.132.66]) by ietfa.amsl.com (Postfix) with ESMTP id 8CC9A21F8698 for <websec@ietf.org>; Wed, 17 Oct 2012 09:36:45 -0700 (PDT)
Received: from homiemail-a73.g.dreamhost.com (localhost [127.0.0.1]) by homiemail-a73.g.dreamhost.com (Postfix) with ESMTP id 0E3121F0084; Wed, 17 Oct 2012 09:36:45 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=sleevi.com; h=message-id :in-reply-to:references:date:subject:from:to:cc:reply-to :mime-version:content-type:content-transfer-encoding; s= sleevi.com; bh=DaQqwk//p0+0mpUWcQpmHO2r6Oo=; b=qrs0dZLp389bcjrs3 s0GXdRZE7Y03XcDlZdmYNvryQdyMMNiG9MEP33iDFezJSay+1+53zZKIpuiGg4GV yH4M5L9RxTARCkW9BvaDpnMMZaU4Iijmhc7yUU61iXJJIupIrQiqNL3pbJMKVWc1 877229tOkYlH8WQHYgtW0x+QUA=
Received: from webmail.dreamhost.com (caiajhbihbdd.dreamhost.com [208.97.187.133]) (Authenticated sender: ryan@sleevi.com) by homiemail-a73.g.dreamhost.com (Postfix) with ESMTPA id ABEA91F001E; Wed, 17 Oct 2012 09:36:44 -0700 (PDT)
Received: from 173.8.157.162 (proxying for 173.8.157.162) (SquirrelMail authenticated user ryan@sleevi.com) by webmail.dreamhost.com with HTTP; Wed, 17 Oct 2012 09:36:43 -0700
Message-ID: <2a70aa074ea293a87a82b85febcfbd70.squirrel@webmail.dreamhost.com>
In-Reply-To: <CA+cU71kDB19HTgJ0AiH42ErLuRLGJDavqm3boV-Hifyjjy4TgQ@mail.gmail.com>
References: <20121016183544.18082.34326.idtracker@ietfa.amsl.com> <CAOuvq219yJ1P1STBM-AkP7aLNP1W_U8WYp2v-8x1kzXuS_VT6A@mail.gmail.com> <7F0FC8A6-D30D-4AAD-A420-0796F9703184@checkpoint.com> <CA+cU71kDB19HTgJ0AiH42ErLuRLGJDavqm3boV-Hifyjjy4TgQ@mail.gmail.com>
Date: Wed, 17 Oct 2012 09:36:43 -0700
From: Ryan Sleevi <ryan-ietfhasmat@sleevi.com>
To: Tom Ritter <tom@ritter.vg>
User-Agent: SquirrelMail/1.4.21
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
Cc: IETF WebSec WG <websec@ietf.org>
Subject: Re: [websec] Fwd: New Version Notification for draft-ietf-websec-key-pinning-03.txt
X-BeenThere: websec@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
Reply-To: ryan-ietfhasmat@sleevi.com
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/websec>, <mailto:websec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/websec>
List-Post: <mailto:websec@ietf.org>
List-Help: <mailto:websec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/websec>, <mailto:websec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 17 Oct 2012 16:36:46 -0000
On Wed, October 17, 2012 7:23 am, Tom Ritter wrote: > Section 2.4: "Validating Pinned Connections": > > For the purposes of Pin Validation, the UA MUST ignore > certificates who SPKI cannot be taken in isolation and superfluous > certificates in the chain that do not form part of the validating > chain. > > I know I just modified this, but the second phrase just hit me. > Because path construction is non-standard, could a client wind up in a > situation where the site pinned to CA_Alice, with the intended path > CA_Alice -> CA_Bob -> Intermediate -> Leaf; but because CA_Bob was > trusted, the ultimate validating chain was simply CA_Bob -> > Intermediate -> Leaf? I'm not sure what the right way to counteract > that would be... Yes. This is one of the troubling areas of the current draft, and that has been particularly challenging when implementing within Chromium. It's not clear whether your case was demonstrative of the inter-organizational cross-signing relationships (a new CA getting cross-certified by an existing, established CA) or whether it was an intra-organizational relationship, such as a SHA-1 root cross-signing the SHA-2 root, until such a time as the SHA-2 root is included in the trust stores. In the case of inter-organizational, where CA_Alice and CA_Bob are two distinct entities, it's generally seen as unlikely that the "site" would pin to CA_Alice, since their business relationship is almost certainly with CA_Bob (by virtue of CA_Bob having certified Intermediate). So if the site were to pin to CA_Bob, their issue would be mitigated. However, for the intra-organizational scenario, where intermediates and roots are changed or re-issued more commonly than site operators may realized or be re-configuring, I agree that this is a very real problem. The mitigation for this has been to make the pins an appropriate cross-section of both root and intermediates - intermediates in the event of new roots being issued, and roots in the event of the CA issuing new intermediates (and serving them up via AIA, as the common case is) This leaves the broader question of "How does the site operator know about CA_Alice and CA_Bob to begin with". One possible solution for this is a report-but-unenforced mode, where user agents could describe their observed chains to the site. As unseemly as this is, it's very likely that many site operators - even Very Large, High Value sites - may not have a full understanding of the PKI that they're a participant in. Another solution is to rely on policy changes in root stores, such as Mozilla's recent proposed CA Certificate Store requirements change, which would encourage (by requiring, with only one acceptable alternative) the public disclosure of such CA hierarchies. As a result of such changes, there would be knowledge of the relationship between CA_Alice and CA_Bob, which under today's model, is actually quite hard for site operators to discover. Because pinning permits multiple entries, and is considered satisfied so long as at least one SPKI appears in the client validated chain, the issue here is largely not a technical challenge, but an operational one, and that's why this issue is not critical, but remains very important.
- [websec] Fwd: New Version Notification for draft-… Chris Palmer
- Re: [websec] Fwd: New Version Notification for dr… Yoav Nir
- Re: [websec] Fwd: New Version Notification for dr… Tom Ritter
- Re: [websec] Fwd: New Version Notification for dr… Ryan Sleevi
- Re: [websec] Fwd: New Version Notification for dr… Carl Wallace
- Re: [websec] Fwd: New Version Notification for dr… Ryan Sleevi
- Re: [websec] Fwd: New Version Notification for dr… Carl Wallace
- Re: [websec] Fwd: New Version Notification for dr… Ryan Sleevi
- Re: [websec] Fwd: New Version Notification for dr… Chris Palmer
- Re: [websec] Fwd: New Version Notification for dr… Chris Palmer
- Re: [websec] Fwd: New Version Notification for dr… Tobias Gondrom
- Re: [websec] Fwd: New Version Notification for dr… Tom Ritter
- Re: [websec] Fwd: New Version Notification for dr… Chris Palmer