Re: [websec] Certificate Pinning via HSTS
Adam Langley <agl@google.com> Tue, 13 September 2011 08:57 UTC
On Tue, Sep 13, 2011 at 1:53 AM, Yoav Nir <ynir@checkpoint.com> wrote:
> I can think of two reasons.

You're basically right. Quoting from my
http://www.imperialviolet.org/2011/05/04/pinning.html

"In general, hashing certificates is the obvious solution, but the wrong one. The problem is that CA certificates are often reissued: there are multiple certificates with the same public key, subject name etc but different extensions or expiry dates. Browsers build certificate chains from a pool of certificates, bottom up, and an alternative version of a certificate might be substituted for the one that you expect.

For example, StartSSL has two root certificates: one signed with SHA1 and the other with SHA256. If you wished to pin to StartSSL as your CA, which certificate hash would you use? You would have to use both, but how would you know about the other root if I hadn't just told you?

Conversely, public key hashes must be correct: Browsers assume that the leaf certificate is fixed: it's always the starting point of the chain. The leaf certificate contains a signature which must be a valid signature, from its parent, for that certificate. That implies that the public key of the parent is fixed by the leaf certificate. So, inductively, the chain of public keys is fixed, modulo truncation.

The only sharp edge is that you mustn't pin to a cross-certifying root. For example, GoDaddy's root is signed by Valicert so that older clients, which don't recognise GoDaddy as a root, still trust those certificates. However, you wouldn't want to pin to Valicert because newer clients will stop their chain at GoDaddy."

Public key hashes are hashes of the SubjectPublicKeyInfo, which should be nailed down in any spec. There is the possibility of a cert getting reissued with a different SPKI, but the same effective public key (i.e. omitting a NULL AlgorithmIdentifier.Parameters). However, I'm not aware of any instances of this actually happening.

Cheers

AGL
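Added example, not part of the original message or of any browser's code: a stdlib-only sketch that builds three constructed, X.509-shaped certificates for one filler RSA key (a SHA-1-signed root, a SHA-256-signed reissue with a later expiry, and a reissue whose SPKI omits the NULL parameters) and compares certificate hashes with SubjectPublicKeyInfo hashes. The helper names, the "Example Root" subject, the dummy signature bytes and the choice of base64 SHA-256 for the pin are all assumptions.

```python
import base64, hashlib

SEQ, SET, INT, BITSTR, NULL, OID, UTF8, UTCTIME = 0x30, 0x31, 2, 3, 5, 6, 12, 0x17
RSA, SHA1_RSA, SHA256_RSA = (bytes.fromhex("2a864886f70d0101" + x) for x in ("01", "05", "0b"))

def tlv(tag, body=b""):  # DER-encode one element (short or long length form)
    n = len(body)
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag]) + (bytes([n]) if n < 0x80 else bytes([0x80 | len(raw)]) + raw) + body

def parse(buf):  # split consecutive DER elements into (tag, contents, full_encoding)
    out, i = [], 0
    while i < len(buf):
        start, tag, n, i = i, buf[i], buf[i + 1], i + 2
        if n & 0x80:  # long form: the next k bytes hold the length
            k = n & 0x7F
            n, i = int.from_bytes(buf[i:i + k], "big"), i + k
        out.append((tag, buf[i:i + n], buf[start:i + n]))
        i += n
    return out

def make_spki(null_params=True):  # constructed SPKI; the modulus is filler, not a real key
    alg = tlv(SEQ, tlv(OID, RSA) + (tlv(NULL) if null_params else b""))
    key = tlv(SEQ, tlv(INT, b"\x00" + b"\xc3" * 64) + tlv(INT, b"\x01\x00\x01"))
    return tlv(SEQ, alg + tlv(BITSTR, b"\x00" + key))

def make_cert(sig_oid, not_after, spki):  # constructed certificate, dummy signature value
    name = tlv(SEQ, tlv(SET, tlv(SEQ, tlv(OID, b"\x55\x04\x03") + tlv(UTF8, b"Example Root"))))
    alg = tlv(SEQ, tlv(OID, sig_oid) + tlv(NULL))
    validity = tlv(SEQ, tlv(UTCTIME, b"110101000000Z") + tlv(UTCTIME, not_after))
    tbs = tlv(SEQ, tlv(0xA0, tlv(INT, b"\x02")) + tlv(INT, b"\x01") + alg + name + validity + name + spki)
    return tlv(SEQ, tbs + alg + tlv(BITSTR, b"\x00" + b"\xaa" * 64))

def spki_of(cert):  # full DER SubjectPublicKeyInfo taken out of tbsCertificate
    fields = parse(parse(parse(cert)[0][1])[0][1])
    return fields[6 if fields[0][0] == 0xA0 else 5][2]  # skip the optional [0] version

def cert_hash(cert):  # what "hashing the certificate" pins: every byte, signature included
    return hashlib.sha256(cert).hexdigest()
def spki_pin(cert):  # public key hash; base64(SHA-256(SPKI)) is an assumed encoding
    return base64.b64encode(hashlib.sha256(spki_of(cert)).digest()).decode()
def key_bits(cert):  # subjectPublicKey BIT STRING contents, without the AlgorithmIdentifier
    return parse(parse(spki_of(cert))[0][1])[1][1]

old_root = make_cert(SHA1_RSA, b"200101000000Z", make_spki())
new_root = make_cert(SHA256_RSA, b"300101000000Z", make_spki())
no_null = make_cert(SHA256_RSA, b"300101000000Z", make_spki(null_params=False))

for label, c in (("old", old_root), ("new", new_root), ("no-NULL", no_null)):
    print(f"{label:8}{cert_hash(c)[:16]}  {spki_pin(c)}")
```

The first two rows print different certificate hashes but the same SPKI pin; the third carries identical key bits yet a different pin, which is the reissue case the message describes.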