IETF Logo Mail Archive

Re: [websec] #58: Should we pin only SPKI, or also names

Yoav Nir <ynir@checkpoint.com> Wed, 07 August 2013 15:53 UTC

Return-Path: <ynir@checkpoint.com>
X-Original-To: websec@ietfa.amsl.com
Delivered-To: websec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BF4C421E8143 for <websec@ietfa.amsl.com>; Wed, 7 Aug 2013 08:53:34 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -10.511
X-Spam-Level:
X-Spam-Status: No, score=-10.511 tagged_above=-999 required=5 tests=[AWL=0.088, BAYES_00=-2.599, RCVD_IN_DNSWL_HI=-8]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id GrPnu+OhacLT for <websec@ietfa.amsl.com>; Wed, 7 Aug 2013 08:53:28 -0700 (PDT)
Received: from smtp.checkpoint.com (smtp.checkpoint.com [194.29.34.68]) by ietfa.amsl.com (Postfix) with ESMTP id 7F43321E8137 for <websec@ietf.org>; Wed, 7 Aug 2013 08:53:27 -0700 (PDT)
Received: from DAG-EX10.ad.checkpoint.com ([194.29.34.150]) by smtp.checkpoint.com (8.13.8/8.13.8) with ESMTP id r77FrOU4009532; Wed, 7 Aug 2013 18:53:24 +0300
X-CheckPoint: {52026D74-0-1B221DC2-1FFFF}
Received: from IL-EX10.ad.checkpoint.com ([169.254.2.105]) by DAG-EX10.ad.checkpoint.com ([169.254.3.223]) with mapi id 14.02.0342.003; Wed, 7 Aug 2013 18:53:23 +0300
From: Yoav Nir <ynir@checkpoint.com>
To: Trevor Perrin <trevp@trevp.net>
Thread-Topic: [websec] #58: Should we pin only SPKI, or also names
Thread-Index: AQHOjHagv3/BmvZ4wU6WrbkIw+Bd/ZmAXZOAgAADk4CAAHu6gIAIRDGAgAA0tQCAAAIEgIAAAsgAgAACowCAAAVKAIAAXsaA
Date: Wed, 07 Aug 2013 15:53:23 +0000
Message-ID: <CB91CFAD-5C75-42C1-9A04-89D55E5E669C@checkpoint.com>
References: <060.be9b0009dc0350ca543f553042673944@trac.tools.ietf.org> <073501ce8c6e$f6c17d90$e44478b0$@digicert.com> <CAMm+LwjdGJC4FHCJ_OAYGRqCGGc0Nz1pLV=yVGK9M9E7drfujQ@mail.gmail.com> <CAOuvq200e9HnPX1w9sZ+e7ipBmdgZdPL5xzKDgcaDpSxz1N=gg@mail.gmail.com> <CAMm+Lwh384YBMXw-BDoxJw+AN4qv8x6GQpF9YK4PW1gQRnadpg@mail.gmail.com> <6125A841-6C85-4858-B37F-C021067F0CFA@checkpoint.com> <2035FF99-A079-4F2F-B4DE-962FE1C1B964@checkpoint.com> <CAGZ8ZG2Ex9Cvft38zSQX5Hcu3hU40HOjpAM+9fCG=JgBJM55Qg@mail.gmail.com> <520214F7.8020308@mozilla.org> <CAGZ8ZG2N7NBUvjYQVw=CKgnq1KG5JfeN9hZU2-DSKT6OFmBVFg@mail.gmail.com> <52021982.8030108@mozilla.org> <CAGZ8ZG2OCCziSn-WtFGdCGnFEVTFz=9truK6kkFkF3pq1TEyNA@mail.gmail.com>
In-Reply-To: <CAGZ8ZG2OCCziSn-WtFGdCGnFEVTFz=9truK6kkFkF3pq1TEyNA@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [172.31.21.54]
x-kse-antivirus-interceptor-info: scan successful
x-kse-antivirus-info: Clean
x-cpdlp: 111581a387ac895af907077791836970cbec21ba38
Content-Type: text/plain; charset="iso-8859-1"
Content-ID: <642D94392020EF48AB82B044521AF147@ad.checkpoint.com>
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Cc: websec <websec@ietf.org>
Subject: Re: [websec] #58: Should we pin only SPKI, or also names
X-BeenThere: websec@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/websec>, <mailto:websec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/websec>
List-Post: <mailto:websec@ietf.org>
List-Help: <mailto:websec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/websec>, <mailto:websec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 07 Aug 2013 15:53:34 -0000

On Aug 7, 2013, at 1:14 PM, Trevor Perrin <trevp@trevp.net> wrote:

> On Wed, Aug 7, 2013 at 2:55 AM, Gervase Markham <gerv@mozilla.org> wrote:
>> On 07/08/13 10:45, Trevor Perrin wrote:
>>> Presumably the browser would have a table mapping names to key lists,
>>> and would evaluate a site's cert chain by checking for an intersection
>>> with all relevant keys in the pin (direct or indirect).
>> 
>> Yes; this would need to be metadata associated with each cert in the
>> root store. It would need to be added when roots were added.
> 
> I was imagining a table which is indexed by CA names, and which maps a
> CA name to a corresponding list of key hashes.  These hashes might
> correspond to certs in the root store or they might not (e.g., they
> might correspond to intermediates).
> 
> Only CAs which had "opted-in" and provided the requisite info to
> browsers would be in the table.

I'm only wondering where I get a copy of that table and who maintains it. Having a different one maintained by each browser vendor IMO makes the Internet worse, not better. So do we have a volunteer to maintain it, maintain a stable link to it, receive updates from numerous new and old certificate vendors, and verify those updates with the browser vendors (so you can't register a new CA in the list if you aren't also trying to get in listed in the browser verndors' lists of trusted CAs.

BTW: it's OK to pin to trust anchors, but it also works to pin to the leaf public key (with a "spare" public key to be used in the next certificate). Surprisingly, pinning to intermediate CAs combines the worst of both options (out of your control like the CA, and changes often like the end entity)

Yoav

v2.23.0 | Report a Bug | By Email