Re: [websec] #60: Well Known URIs vs Response Headers

Joseph Bonneau <jbonneau@gmail.com> Tue, 06 August 2013 22:15 UTC

From: Joseph Bonneau <jbonneau@gmail.com>
Date: Tue, 06 Aug 2013 18:15:06 -0400
Message-ID: <CAOe4UinadDJs2r2h9ZbY4UKbGdwqHy0dpXwcQeoJdX79RmUw_Q@mail.gmail.com>
To: ryan-ietfhasmat@sleevi.com
Cc: IETF WebSec WG <websec@ietf.org>
Subject: Re: [websec] #60: Well Known URIs vs Response Headers

> In our mind, one of the biggest factors has been "What are the hurdles to
> practical deployment?". While there is admittedly complexity from the
> header approach, it's our view that it's not greater than the inherent
> complexity of effective pinning, as enumerated in the existing
> considerations. The complexity of an efficient and reasonable
> implementation of well-known URIs, or of a practical deployment of server
> extensions, seems to greatly outweigh both, and the benefits are not as
> seemingly significant.


I am in agreement that a TLS extension seems like far too much to ask of
deploying sites. I'm also appreciating more and more from this thread the
difficulty of a well-known URI, and though I think it's a cleaner approach
in the long term, I can see the argument that it's too much to do right now.

I'm fully on-board with headers if we can address two issues that I think
are real impediments to servers deploying HPKP and doing so correctly: (a)
header bloat (600 bytes for a site requiring 10 pins) and (b) inadvertent
HPKP hole-punching when resources are accidentally served without headers
set. Other issues (e.g. discoverability by crawlers) seem secondary.

I think we can address (b) by not interpreting a missing HPKP header as a
max-age=0, and I was hoping we could deal with (a) by clients sending a
hash or policy serial number to avoid repeatedly sending the header. Does
this approach add too much complexity given the level of concern about
header bloat, which doesn't seem huge?
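As an added illustration (not from the thread, and not RFC 7469 behaviour), the following Python sketch models the two concerns raised above: it builds a Public-Key-Pins header for 10 pins to show the size, and simulates a client pin store under both interpretations of a missing header, together with the proposed client echo of a policy hash so the server can omit the header. The X-PKP-Policy-Tag header name, the policy_tag digest and the SPKI inputs are constructed assumptions for this sketch.

```python
import base64
import hashlib

# Constructed pins: SHA-256 over dummy SPKI bytes, base64-encoded (44 chars each).
def make_pins(n):
    return [base64.b64encode(hashlib.sha256(f"spki-{i}".encode()).digest()).decode()
            for i in range(n)]

# Public-Key-Pins header in the RFC 7469 syntax; this is what grows with pin count.
def pkp_header(pins, max_age=5184000):
    parts = [f'pin-sha256="{p}"' for p in pins]
    parts.append(f"max-age={max_age}")
    return "; ".join(parts)

# Hypothetical short policy digest a client could echo back (not part of RFC 7469).
def policy_tag(header):
    return hashlib.sha256(header.encode()).hexdigest()[:16]

class PinStore:
    """Client-side pin cache for one host. A missing header either clears the
    policy (the max-age=0 interpretation) or leaves the stored policy untouched."""
    def __init__(self, missing_header_clears):
        self.missing_header_clears = missing_header_clears
        self.policy = None

    def on_response(self, header):
        if header is None:
            if self.missing_header_clears:
                self.policy = None  # hole-punched: pins forgotten after one unpinned resource
            return
        self.policy = header

    def request_headers(self):
        # Hypothetical header advertising the tag of the policy the client holds.
        return {"X-PKP-Policy-Tag": policy_tag(self.policy)} if self.policy else {}

# Server omits the full header when the client already holds the current policy.
def server_response(client_headers, current_header):
    if client_headers.get("X-PKP-Policy-Tag") == policy_tag(current_header):
        return None
    return current_header

def scenario(missing_header_clears):
    header = pkp_header(make_pins(10))
    store = PinStore(missing_header_clears)
    store.on_response(header)   # first pinned response
    store.on_response(None)     # a resource accidentally served without the header
    kept_after_gap = store.policy is not None
    store.on_response(header)   # re-pinned
    omitted = server_response(store.request_headers(), header)  # None => header elided
    store.on_response(omitted)
    return kept_after_gap, omitted is None, store.policy is not None
```

The two scenario runs show why (a) and (b) interact: once the server elides the header for a client that echoes the right tag, a client that treats absence as max-age=0 would drop its pins on exactly that response.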