Re: [websec] wrt "breaking pins" aka "un-pinning" (breakv, breakc directives; draft-evans-palmer-hsts-pinning-00)
Phillip Hallam-Baker <hallam@gmail.com> Tue, 18 October 2011 03:26 UTC
Return-Path: <hallam@gmail.com>
X-Original-To: websec@ietfa.amsl.com
Delivered-To: websec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 138CD1F0C5A for <websec@ietfa.amsl.com>; Mon, 17 Oct 2011 20:26:25 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.598
X-Spam-Level:
X-Spam-Status: No, score=-2.598 tagged_above=-999 required=5 tests=[AWL=-0.666, BAYES_00=-2.599, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-1, SARE_HTML_USL_OBFU=1.666]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id obFFuRoboV0o for <websec@ietfa.amsl.com>; Mon, 17 Oct 2011 20:26:24 -0700 (PDT)
Received: from mail-gy0-f172.google.com (mail-gy0-f172.google.com [209.85.160.172]) by ietfa.amsl.com (Postfix) with ESMTP id 4B1F021F8515 for <websec@ietf.org>; Mon, 17 Oct 2011 20:26:24 -0700 (PDT)
Received: by gyh20 with SMTP id 20so189581gyh.31 for <websec@ietf.org>; Mon, 17 Oct 2011 20:26:24 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=IBPTIn/L/N6YH4rXvXZdodrsTMqcIe1Y0TotM8h42qk=; b=fFOM9qXS7gOQOgQKoxJfGuFDuSSklJYcg4+UXG0+z+UA0+zUUaTHnxaiVLnqGfbFJQ LaBCktRj/WNJy6QUmCBi9ddO4BQ1F1o0w3s4DGgLr/wHJNtoU/VAjKVQo3CmkQBSoGtj au5uJbBsNEbwBjwIR1HPGdZqkXItZylOAzhM0=
MIME-Version: 1.0
Received: by 10.100.18.21 with SMTP id 21mr77519anr.118.1318908382040; Mon, 17 Oct 2011 20:26:22 -0700 (PDT)
Received: by 10.100.212.14 with HTTP; Mon, 17 Oct 2011 20:26:21 -0700 (PDT)
In-Reply-To: <4E9CB1FF.5050407@extendedsubset.com>
References: <4E9CA78C.5050805@KingsMountain.com> <CAOuvq20WgodTnW9sfbBHbvzUuwuae1H=+uzzYnne2p20wp43+g@mail.gmail.com> <4E9CB1FF.5050407@extendedsubset.com>
Date: Mon, 17 Oct 2011 23:26:21 -0400
Message-ID: <CAMm+LwhS2arYKVbb7KAroTAOZRF23qEz1nyhr7Kvrum_+TUiFQ@mail.gmail.com>
From: Phillip Hallam-Baker <hallam@gmail.com>
To: Marsh Ray <marsh@extendedsubset.com>
Content-Type: multipart/alternative; boundary="0016e64764729a542b04af8a4992"
Cc: Chris Evans <cevans@google.com>, IETF WebSec WG <websec@ietf.org>
Subject: Re: [websec] wrt "breaking pins" aka "un-pinning" (breakv, breakc directives; draft-evans-palmer-hsts-pinning-00)
X-BeenThere: websec@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/websec>, <mailto:websec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/websec>
List-Post: <mailto:websec@ietf.org>
List-Help: <mailto:websec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/websec>, <mailto:websec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 18 Oct 2011 03:26:25 -0000
I think that the complexity of pinning and the consequences of getting it wrong are going to mean that this is something that should only be done by the very competent and knowledgable or those who hand over administration of their systems to such. This may be in the form of outsourced provision or code that does the right thing and makes it hard to do the wrong thing. I don't think the capabilities/ease of use of currently existing free DIY cert signer kits should be the criteria to measure against. If this is going to work people need to be using tools designed for the purpose of managing the whole thing end to end. Even if that is only a Perl front end on those fee tools, there is going to need to be something that walks the sysadmin through. Rather than look at the extent of the changes required, I prefer to look at the number of components in the system that need to be touched. I would rather make two separate modifications to the CA than one to the CA and another to the Web server. In general, every piece of the system that has to be touched costs when it comes to deployment. We are going to have to touch the CA/cert server system to make pinning work. (Even if only because the CAs are the people who explain to the typical admin how to make all of this work). So far we do not need to make changes to the Web server beyond adding static headers which is something most Web servers already support. Changing the TLS component of the Web server opens a box labelled 'code' and gets us into some really long product cycle delays. Like on IIS for example. On Mon, Oct 17, 2011 at 6:53 PM, Marsh Ray <marsh@extendedsubset.com> wrote: > On 10/17/2011 05:21 PM, Chris Palmer wrote: > >> >> Your average sys admin is more comfortable telling Apache to send a >> particular header with particular text than wrangling openssl(1) to >> add various extensions to a certificate. >> > > My understanding is that most people just generate their certs directly > using their CA's web interface and download the result. > > On one hand this would suggest that admins will be ill-prepared to set > custom x509 extensions. On the other, we may find that CAs are quite > receptive to new features which support pinning customers to > themselves. > > - Marsh > > ______________________________**_________________ > websec mailing list > websec@ietf.org > https://www.ietf.org/mailman/**listinfo/websec<https://www.ietf.org/mailman/listinfo/websec> > -- Website: http://hallambaker.com/
- [websec] wrt "breaking pins" aka "un-pinning" (br… =JeffH
- Re: [websec] wrt "breaking pins" aka "un-pinning"… Trevor Perrin
- Re: [websec] wrt "breaking pins" aka "un-pinning"… Chris Palmer
- Re: [websec] wrt "breaking pins" aka "un-pinning"… =JeffH
- Re: [websec] wrt "breaking pins" aka "un-pinning"… Chris Palmer
- Re: [websec] wrt "breaking pins" aka "un-pinning"… Marsh Ray
- Re: [websec] wrt "breaking pins" aka "un-pinning"… Phillip Hallam-Baker