Re: [websec] New draft of HTTP header-based public key pinning

"Steingruebl, Andy" <asteingruebl@paypal-inc.com> Wed, 09 November 2011 16:38 UTC

DomainKey-Signature: s=ppinc; d=paypal-inc.com; c=nofws; q=dns; h=X-EBay-Corp:X-IronPort-AV:Received:Received:From:To:CC: Date:Subject:Thread-Topic:Thread-Index:Message-ID: References:In-Reply-To:Accept-Language:Content-Language: X-MS-Has-Attach:X-MS-TNEF-Correlator:acceptlanguage: x-ems-proccessed:x-ems-stamp:Content-Type: Content-Transfer-Encoding:MIME-Version:X-CFilter; b=RbcC+f9ZktUtZsaLEI0mlyKwTvqOM/rBhLOBXDJHV0xOtK6cX458EuLM JtcXosRPI94HQIc/hLIR1S3+bulE3ryYxJ9Gnd4JFugLSlAOqRzb5Ym0U 8ZuE2NPkR5Qt0gU;
From: "Steingruebl, Andy" <asteingruebl@paypal-inc.com>
To: Adam Barth <ietf@adambarth.com>
Date: Wed, 09 Nov 2011 09:38:13 -0700
Thread-Topic: [websec] New draft of HTTP header-based public key pinning
Thread-Index: AcyewQpRTroclxM/R2ip3xP77iZtBQAPMB6w
Message-ID: <5EE049BA3C6538409BBE6F1760F328ABEBED718198@DEN-MEXMS-001.corp.ebay.com>
References: <CAOuvq21Ne0CWT3Dzn0sutGDBg0K+efZhxmqBZiLuxbO2OwxnFg@mail.gmail.com> <CA+cU71kFFpuooyiBTarvLT3VJigZhW0BgpQi1gMTn7zB=sFh+w@mail.gmail.com> <CAOuvq20uCZsp80yJ6gjeh-AGVswu3GTPuSYYCGyXPWpO-RJpsA@mail.gmail.com> <5EE049BA3C6538409BBE6F1760F328ABEBED718018@DEN-MEXMS-001.corp.ebay.com> <CAJE5ia9Ryjus6Zy38PFffCnGsZHw+byvdTVCi7XmYWUd8rVdTQ@mail.gmail.com>
In-Reply-To: <CAJE5ia9Ryjus6Zy38PFffCnGsZHw+byvdTVCi7XmYWUd8rVdTQ@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
acceptlanguage: en-US
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Cc: Chris Evans <cevans@google.com>, IETF WebSec WG <websec@ietf.org>, Ian Fette <ifette@google.com>, Wan-Teh Chang <wtc@google.com>
Subject: Re: [websec] New draft of HTTP header-based public key pinning
Precedence: list

> -----Original Message-----
> From: Adam Barth [mailto:ietf@adambarth.com]


> > We battled this problem with HSTS as well.  I think what Mozilla settled on
> (and I don't remember the Chrome solution) is to use a different storage
> mechanism when HSTS is *set* during private browsing mode, and clear on
> exit from private browsing.
> 
> It's been a while since I wrote that code, but I'm pretty sure that's how it
> works in Chrome too.  There's a separate memory-only HSTS store that's
> used for incognito.  That's consistent with how we handle other host-specific
> data stored by the network layer, such as cookies.

Is this documented anywhere?  Where should it be?  Maybe add a section to the browser security handbook, if nowhere else, so at least we all have it written down what the browsers have implemented?

And, since we decided these specifics don't belong in the IETF  HSTS spec, where could we document them for real?

- Andy

[websec] New draft of HTTP header-based public ke… Chris Palmer
Re: [websec] New draft of HTTP header-based publi… Tom Ritter
Re: [websec] New draft of HTTP header-based publi… Chris Palmer
Re: [websec] New draft of HTTP header-based publi… Steingruebl, Andy
Re: [websec] New draft of HTTP header-based publi… Chris Evans
Re: [websec] New draft of HTTP header-based publi… Yoav Nir
Re: [websec] New draft of HTTP header-based publi… Julian Reschke
Re: [websec] New draft of HTTP header-based publi… Adam Barth
Re: [websec] New draft of HTTP header-based publi… Steingruebl, Andy
Re: [websec] New draft of HTTP header-based publi… Adam Barth
Re: [websec] New draft of HTTP header-based publi… Paul Hoffman
Re: [websec] New draft of HTTP header-based publi… Adam Barth
Re: [websec] New draft of HTTP header-based publi… Chris Palmer
Re: [websec] New draft of HTTP header-based publi… Julian Reschke
Re: [websec] New draft of HTTP header-based publi… Chris Palmer
Re: [websec] New draft of HTTP header-based publi… Julian Reschke
Re: [websec] New draft of HTTP header-based publi… Chris Palmer
Re: [websec] New draft of HTTP header-based publi… Ryan Sleevi
Re: [websec] New draft of HTTP header-based publi… Chris Palmer