IETF Logo Mail Archive

Re: [websec] Decouple HSTS's two orthogonal effects?

Daniel Kahn Gillmor <dkg@fifthhorseman.net> Tue, 29 March 2011 22:23 UTC

Return-Path: <dkg@fifthhorseman.net>
X-Original-To: websec@core3.amsl.com
Delivered-To: websec@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id E63A128C0EE for <websec@core3.amsl.com>; Tue, 29 Mar 2011 15:23:56 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.322
X-Spam-Level:
X-Spam-Status: No, score=-2.322 tagged_above=-999 required=5 tests=[AWL=0.277, BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id FUQ3+vvtomLi for <websec@core3.amsl.com>; Tue, 29 Mar 2011 15:23:55 -0700 (PDT)
Received: from che.mayfirst.org (che.mayfirst.org [209.234.253.108]) by core3.amsl.com (Postfix) with ESMTP id 5A4673A695B for <websec@ietf.org>; Tue, 29 Mar 2011 15:23:55 -0700 (PDT)
Received: from [192.168.13.75] (lair.fifthhorseman.net [216.254.116.241]) by che.mayfirst.org (Postfix) with ESMTPSA id AF25CF975 for <websec@ietf.org>; Tue, 29 Mar 2011 18:25:31 -0400 (EDT)
Message-ID: <4D925C55.1070900@fifthhorseman.net>
Date: Tue, 29 Mar 2011 18:25:25 -0400
From: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.2.15) Gecko/20110309 Icedove/3.1.9
MIME-Version: 1.0
To: websec@ietf.org
References: <4D92317B.6020804@fifthhorseman.net> <BANLkTinGEt42DM1NqbrjOfdqTqLUjnQ5KQ@mail.gmail.com>
In-Reply-To: <BANLkTinGEt42DM1NqbrjOfdqTqLUjnQ5KQ@mail.gmail.com>
X-Enigmail-Version: 1.1.2
Content-Type: multipart/signed; micalg="pgp-sha512"; protocol="application/pgp-signature"; boundary="------------enigF428EBE052DF79068BC0082F"
Subject: Re: [websec] Decouple HSTS's two orthogonal effects?
X-BeenThere: websec@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
Reply-To: websec@ietf.org
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/websec>, <mailto:websec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/websec>
List-Post: <mailto:websec@ietf.org>
List-Help: <mailto:websec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/websec>, <mailto:websec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 29 Mar 2011 22:23:57 -0000

On 03/29/2011 04:58 PM, Adam Barth wrote:
> There's no coupling between HSTS and the particular algorithm a UA
> uses to verify certificates.  The UA is free to use whatever
> verification mechanism it desires.  You can remove whatever CAs you
> consider sloppy from the list of trusted certificate authorities and
> add in whatever other verification mechanism you like.
> 
> For example, if/when certificate verification through DNSSEC becomes
> widespread, we won't need to change anything about the HSTS spec.  Of
> course, we'll need to change our implementations, but that's true
> regardless of what the HSTS spec says.

I hear what you're saying; however, i'm unaware of any HSTS-compliant
User Agent that implements anything but the standard weakest-link X.509
certificate pool of trusted authorities.

Perhaps an explicit mention that says HSTS is not intended to be
incompatible with alternative certificate verification mechanisms would
provide useful guidance to browser vendors?

	--dkg

v2.46.0 | Report a Bug | By Email | System Status