Re: [websec] Certificate Pinning via HSTS
Philip Gladstone <pgladsto@cisco.com> Tue, 13 September 2011 14:02 UTC
Message-ID: <4E6F62EE.2070409@cisco.com>
Date: Tue, 13 Sep 2011 10:04:30 -0400
From: Philip Gladstone <pgladsto@cisco.com>
To: websec@ietf.org
References: <CAOuvq22p2qNnXRsK=PS=mxknnq4MrCWt0Np-N8su-iHXaWHqpg@mail.gmail.com> <CA+cU71=7tM9tS6bAddiLDtOBTX_DH3cebEd5dM=1DSMKXUMdjw@mail.gmail.com>
In-Reply-To: <CA+cU71=7tM9tS6bAddiLDtOBTX_DH3cebEd5dM=1DSMKXUMdjw@mail.gmail.com>
On 9/13/2011 8:10 AM, Tom Ritter wrote:
>
> I find the Revocation section very confusingly written.
>
> "In the event of a mismatch, clients must check whatever revocation
> mechanism is available and attempt to discover whether the certificate
> with the mismatching fingerprint has been revoked."
>
> What is the definition of mismatch? I interpreted it as no cert in
> the chain contains a fingerprint which matches one of the fingerprints
> in the pin list (supplied via prior pinned directive, or preloaded
> list). Therefore all certificates in the chain supplied by the site
> are mismatching. But seeing if they are revoked is useless; I want to
> check the pinned list to see if any in the pin list is revoked, so I
> can reevaluate the pinned list and possibly downgrade the site to
> 'Known HSTS Host'. But the pin list only contains fingerprints - how
> do I check if a cert is revoked by fingerprint?
>

I don't understand this either. I thought that if a subsequent HTTPS
connection was established and none of the certificates in the chain
matched any of the fingerprints, then the connection was closed (with no
way for the user to override this).

Is it the case that the model is for the UA to store the actual
certificates associated with each fingerprint? This is the only way that
I can see for the UA to determine which certificates have been revoked.

Does this proposal also support self-signed certificates? I.e. if you
connect to a site, accept the self-signed certificate, can that site
then pin itself using that self-signed cert? I.e. can the validation of
the cert chain stop as soon as there is a pin match?

Philip
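As an added example (not code from the draft or from anyone on the list), the following Python model works through the decision Tom and Philip are discussing: a pin store that keeps the observed certificate beside each fingerprint so that revocation of a *pinned* cert can actually be checked, a mismatch branch that re-evaluates the pin set and downgrades the host to a plain HSTS host once every pin is revoked, and PKIX chain validation as an independent input that a pin match never bypasses (an assumption of this model, which answers the self-signed question one way). Certificates are constructed byte strings standing in for DER, and `is_revoked` is a constructed stand-in for a CRL/OCSP lookup.

```python
import hashlib

def fingerprint(cert_der: bytes) -> str:
    """SHA-256 hex digest of the certificate bytes (constructed stand-ins for DER here)."""
    return hashlib.sha256(cert_der).hexdigest()

class PinStore:
    """Pins for one host: fingerprint -> certificate bytes seen when the pin was learned.
    Keeping the certificate (an assumption of this model) is what makes a revocation
    check of a pinned cert possible; a bare fingerprint list cannot be looked up."""

    def __init__(self, pinned_certs):
        self.pins = {fingerprint(c): c for c in pinned_certs}

    def matches(self, chain):
        """Fingerprints in the chain that are pinned; an empty list is a 'mismatch'."""
        return [fp for fp in map(fingerprint, chain) if fp in self.pins]

    def drop_revoked(self, is_revoked):
        """Re-evaluate the pin set against revocation data; returns the dropped pins."""
        dropped = [fp for fp, cert in self.pins.items() if is_revoked(cert)]
        for fp in dropped:
            del self.pins[fp]
        return dropped

def evaluate(chain, store, chain_valid, is_revoked):
    """UA decision: 'accept', 'reject' or 'downgrade'. chain_valid is the result of
    ordinary PKIX validation, which pinning only adds to: a pin match never lets a
    chain that failed PKIX (e.g. an unknown self-signed cert) through."""
    if not chain_valid:
        return "reject"
    if not store.pins or store.matches(chain):   # plain HSTS host, or a pin matched
        return "accept"
    # Mismatch: check revocation of the *pinned* certs and reconsider the pin set.
    store.drop_revoked(is_revoked)
    if store.pins:
        return "reject"      # live pins remain and none appear in the chain
    return "downgrade"       # pin set was stale; host is now only a known HSTS host

# Constructed sample data: byte strings stand in for DER certificates.
OLD_LEAF, NEW_LEAF, CA = b"cert:old-leaf", b"cert:new-leaf", b"cert:example-ca"
REVOKED_FPS = {fingerprint(OLD_LEAF)}            # constructed revocation data

def is_revoked(cert):
    """Stand-in for a CRL/OCSP lookup on the stored certificate."""
    return fingerprint(cert) in REVOKED_FPS
```

With the sample data, a host pinned only to `OLD_LEAF` that now serves `NEW_LEAF` + `CA` ends in `downgrade`, while a host pinned to a still-valid `CA` that serves a chain without it ends in `reject`.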