Re: [websec] New draft of HTTP header-based public key pinning
Chris Palmer <palmer@google.com> Thu, 10 November 2011 19:35 UTC
Return-Path: <palmer@google.com>
X-Original-To: websec@ietfa.amsl.com
Delivered-To: websec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4EF9821F8B7E for <websec@ietfa.amsl.com>; Thu, 10 Nov 2011 11:35:48 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -103.406
X-Spam-Level:
X-Spam-Status: No, score=-103.406 tagged_above=-999 required=5 tests=[AWL=-0.429, BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, RCVD_IN_DNSWL_LOW=-1, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id v0JEO4-CQFbf for <websec@ietfa.amsl.com>; Thu, 10 Nov 2011 11:35:47 -0800 (PST)
Received: from mail-wy0-f172.google.com (mail-wy0-f172.google.com [74.125.82.172]) by ietfa.amsl.com (Postfix) with ESMTP id 9CFB521F8B7B for <websec@ietf.org>; Thu, 10 Nov 2011 11:35:47 -0800 (PST)
Received: by wyf28 with SMTP id 28so1406369wyf.31 for <websec@ietf.org>; Thu, 10 Nov 2011 11:35:46 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=beta; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type:x-system-of-record; bh=niLoBj4OdLP5vQDVMdb/pVCsqkww3G1sva3b3GUHjWI=; b=tNvfbLcKuKOBzNp8LfEcF+pcr3XINrDVyGO8w4HUodZHhHIao2sAp3SGJr3sGXZRJp ZMwcNNScBafULs5kvZqA==
Received: by 10.216.153.137 with SMTP id f9mr19930wek.4.1320953746724; Thu, 10 Nov 2011 11:35:46 -0800 (PST)
MIME-Version: 1.0
Received: by 10.216.153.137 with SMTP id f9mr19921wek.4.1320953746521; Thu, 10 Nov 2011 11:35:46 -0800 (PST)
Received: by 10.216.216.205 with HTTP; Thu, 10 Nov 2011 11:35:46 -0800 (PST)
In-Reply-To: <d72e01a27ff6349ac8db5ba4ef714b77.squirrel@webmail.sleevi.com>
References: <CAOuvq21Ne0CWT3Dzn0sutGDBg0K+efZhxmqBZiLuxbO2OwxnFg@mail.gmail.com> <CA+cU71kFFpuooyiBTarvLT3VJigZhW0BgpQi1gMTn7zB=sFh+w@mail.gmail.com> <4EBA3B24.5060602@gmx.de> <CAOuvq20NEUAwPzStBa-kRVh4rUCFU6Ece1gN-kEb0FeFsweHGw@mail.gmail.com> <4EBAE198.3020406@gmx.de> <CAOuvq20GYnrbwMQE9KZkNTFqETxJ4utKKzFNZ3ThQLnKbL299Q@mail.gmail.com> <4EBAF460.50009@gmx.de> <CAOuvq23qePapa2AA3k24YXRoGnCz9U5n9eOLOfXoMNa71n_BtA@mail.gmail.com> <d72e01a27ff6349ac8db5ba4ef714b77.squirrel@webmail.sleevi.com>
Date: Thu, 10 Nov 2011 11:35:46 -0800
Message-ID: <CAOuvq21zD2E5_KOWobmXfVTLq2uGRAD4Si6a0UJ-Cnny=EWhsw@mail.gmail.com>
From: Chris Palmer <palmer@google.com>
To: ryan-ietfhasmat@sleevi.com
Content-Type: text/plain; charset="UTF-8"
X-System-Of-Record: true
Cc: IETF WebSec WG <websec@ietf.org>
Subject: Re: [websec] New draft of HTTP header-based public key pinning
X-BeenThere: websec@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/websec>, <mailto:websec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/websec>
List-Post: <mailto:websec@ietf.org>
List-Help: <mailto:websec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/websec>, <mailto:websec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 10 Nov 2011 19:35:48 -0000
On Wed, Nov 9, 2011 at 2:03 PM, Ryan Sleevi <ryan-ietfhasmat@sleevi.com> wrote: > While revisiting the ABNF, should "fp-type" be made into 'token' instead > of an explicit list ( "sha1" / "sha256" )? Rather than dealing with the > minimal set of "must-implements" in the grammar, define it in the text for > processing rules. This is similar to the conversation that happened for > the STS grammar rules. Here is what I have now: <figure anchor="header-abnf"> <artwork> Public-Key-Pins = "Public-Key-Pins" ":" LWS directives directives = max-age LWS ";" LWS pins / pins LWS ";" LWS max-age max-age = "max-age" LWS "=" LWS delta-seconds pins = pin / pin LWS ";" LWS pins pin = "pin-" token LWS "=" LWS quoted-string </artwork> </figure> <t>In the pin rule, the token is the name of a cryptographic hash algorithm, and MUST be either "sha1" or "sha256". (Future versions of this specification may change the hash functions.) The quoted-string is a sequence of base64 digits: a base64-encoded hash. See <xref target="pin-semantics"/>.</t>
- [websec] New draft of HTTP header-based public ke… Chris Palmer
- Re: [websec] New draft of HTTP header-based publi… Tom Ritter
- Re: [websec] New draft of HTTP header-based publi… Chris Palmer
- Re: [websec] New draft of HTTP header-based publi… Steingruebl, Andy
- Re: [websec] New draft of HTTP header-based publi… Chris Evans
- Re: [websec] New draft of HTTP header-based publi… Yoav Nir
- Re: [websec] New draft of HTTP header-based publi… Julian Reschke
- Re: [websec] New draft of HTTP header-based publi… Adam Barth
- Re: [websec] New draft of HTTP header-based publi… Steingruebl, Andy
- Re: [websec] New draft of HTTP header-based publi… Adam Barth
- Re: [websec] New draft of HTTP header-based publi… Paul Hoffman
- Re: [websec] New draft of HTTP header-based publi… Adam Barth
- Re: [websec] New draft of HTTP header-based publi… Chris Palmer
- Re: [websec] New draft of HTTP header-based publi… Julian Reschke
- Re: [websec] New draft of HTTP header-based publi… Chris Palmer
- Re: [websec] New draft of HTTP header-based publi… Julian Reschke
- Re: [websec] New draft of HTTP header-based publi… Chris Palmer
- Re: [websec] New draft of HTTP header-based publi… Ryan Sleevi
- Re: [websec] New draft of HTTP header-based publi… Chris Palmer