IETF Logo Mail Archive

Re: [websec] Certificate Pinning via HSTS

Philip Gladstone <pgladsto@cisco.com> Tue, 13 September 2011 14:02 UTC

Return-Path: <pgladsto@cisco.com>
X-Original-To: websec@ietfa.amsl.com
Delivered-To: websec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 41FA521F8A95 for <websec@ietfa.amsl.com>; Tue, 13 Sep 2011 07:02:34 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 6Fru2mm-KO6I for <websec@ietfa.amsl.com>; Tue, 13 Sep 2011 07:02:33 -0700 (PDT)
Received: from rcdn-iport-4.cisco.com (rcdn-iport-4.cisco.com [173.37.86.75]) by ietfa.amsl.com (Postfix) with ESMTP id 26FF821F8A80 for <websec@ietf.org>; Tue, 13 Sep 2011 07:02:32 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=pgladsto@cisco.com; l=1700; q=dns/txt; s=iport; t=1315922679; x=1317132279; h=message-id:date:from:mime-version:to:subject:references: in-reply-to:content-transfer-encoding; bh=n1uJJBnlv02ZCVAvPWiZ+FmmI5515w13Z4i/1MH1bkU=; b=kW37tSQEJlGwg8iqMuhVn8tgv1MWoIOaIzJcxruKC0G0LQKgnf0NUkLe alqUyEJAZT0OYxjJRFBkq95O/rX3OYSbwMcfIO8itpxMX+K3T8vZl3qMX AMn7mlAkSY3theMZlYznnmPaMDdmhdPjOp4ae1zkFw6bTY85fY4ORiLqD Y=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: ApsHALhib06tJXG9/2dsb2JhbABChFWUSIxTgXh4gVMBAQEBAxIBEBVAEQsYAgIFFgsCAgkDAgECAUUTCAEBHqB9AYw5kgmBLIQxgREEkz2FGYwl
X-IronPort-AV: E=Sophos;i="4.68,374,1312156800"; d="scan'208";a="21105312"
Received: from rcdn-core2-2.cisco.com ([173.37.113.189]) by rcdn-iport-4.cisco.com with ESMTP; 13 Sep 2011 14:04:31 +0000
Received: from [161.44.112.199] (dhcp-161-44-112-199.cisco.com [161.44.112.199]) by rcdn-core2-2.cisco.com (8.14.3/8.14.3) with ESMTP id p8DE4VKJ032601 for <websec@ietf.org>; Tue, 13 Sep 2011 14:04:31 GMT
Message-ID: <4E6F62EE.2070409@cisco.com>
Date: Tue, 13 Sep 2011 10:04:30 -0400
From: Philip Gladstone <pgladsto@cisco.com>
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:5.0) Gecko/20110624 Thunderbird/5.0
MIME-Version: 1.0
To: websec@ietf.org
References: <CAOuvq22p2qNnXRsK=PS=mxknnq4MrCWt0Np-N8su-iHXaWHqpg@mail.gmail.com> <CA+cU71=7tM9tS6bAddiLDtOBTX_DH3cebEd5dM=1DSMKXUMdjw@mail.gmail.com>
In-Reply-To: <CA+cU71=7tM9tS6bAddiLDtOBTX_DH3cebEd5dM=1DSMKXUMdjw@mail.gmail.com>
Content-Type: text/plain; charset="UTF-8"; format="flowed"
Content-Transfer-Encoding: 7bit
Subject: Re: [websec] Certificate Pinning via HSTS
X-BeenThere: websec@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/websec>, <mailto:websec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/websec>
List-Post: <mailto:websec@ietf.org>
List-Help: <mailto:websec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/websec>, <mailto:websec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 13 Sep 2011 14:02:34 -0000

On 9/13/2011 8:10 AM, Tom Ritter wrote:
>
> I find the Revocation section very confusingly written.
>
> > "In the event of a mismatch, clients must check whatever revocation
> mechanism is available and attempt to discover whether the certificate
> with the mismatching fingerprint has been revoked."
>
> What is the definition of mismatch?  I interpreted it as no cert in
> the chain contains a fingerprint which matches one of the fingerprints
> in the pin list (supplied via prior pinned directive, or preloaded
> list).  Therefore all certificates in the chain supplied by the site
> are mismatching.  But seeing if they are revoked is useless, I want to
> check the pinned list to see if any in the pin list is revoked, so I
> can reevaluate the pinned list and possibly downgrade the site to
> 'Known HSTS Host'.  But the pin list only contains fingerprints - how
> do I check if a cert is revoked by fingerprint?
>
>
I don't understand this either. I thought that if a subsequent HTTPS 
connection was established and none of the certificates in the chain 
matched any of the fingerprints, then the connection was closed (with no 
way for the user to override this).

Is it the case that the model is for the UA to store the actual 
certificates associated with each fingerprint? This is the only way that 
I can see for the UA to determine which certificates have been revoked.

Does this proposal also support self-signed certificates? I.e. if you 
connect to a site, accept the self-signed certificate, can that site 
then pin itself using that self-signed cert? I.e. can the validation of 
the cert chain stop as soon as there is a pin match?

Philip

v2.23.0 | Report a Bug | By Email