Re: [websec] Certificate Pinning via HSTS
Daniel Kahn Gillmor <dkg@fifthhorseman.net> Wed, 14 September 2011 17:35 UTC
Return-Path: <dkg@fifthhorseman.net>
X-Original-To: websec@ietfa.amsl.com
Delivered-To: websec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3AF3521F8C60 for <websec@ietfa.amsl.com>; Wed, 14 Sep 2011 10:35:08 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.513
X-Spam-Level:
X-Spam-Status: No, score=-2.513 tagged_above=-999 required=5 tests=[AWL=0.086, BAYES_00=-2.599]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id JxsRlA4Dn5bQ for <websec@ietfa.amsl.com>; Wed, 14 Sep 2011 10:35:07 -0700 (PDT)
Received: from che.mayfirst.org (che.mayfirst.org [209.234.253.108]) by ietfa.amsl.com (Postfix) with ESMTP id 6C8A621F8C10 for <websec@ietf.org>; Wed, 14 Sep 2011 10:35:07 -0700 (PDT)
Received: from [192.168.23.207] (dsl254-070-154.nyc1.dsl.speakeasy.net [216.254.70.154]) by che.mayfirst.org (Postfix) with ESMTPSA id 5F3A4F970; Wed, 14 Sep 2011 13:37:14 -0400 (EDT)
Message-ID: <4E70E67A.5030409@fifthhorseman.net>
Date: Wed, 14 Sep 2011 13:38:02 -0400
From: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:5.0) Gecko/20110807 Icedove/5.0
MIME-Version: 1.0
To: Phillip Hallam-Baker <hallam@gmail.com>
References: <CAOuvq22p2qNnXRsK=PS=mxknnq4MrCWt0Np-N8su-iHXaWHqpg@mail.gmail.com> <4E6F5056.800@fifthhorseman.net> <CAOuvq22E-OvU_53gf_go8Nf_jXX_=wbTf7rn2XEa+GAWHTU+7w@mail.gmail.com> <4E70A8F8.80102@fifthhorseman.net> <CAMm+Lwj4LMjivR0nHWQ4eqkTz_WVTq8w5+QWGPSOat0KgvM3HA@mail.gmail.com> <4E70C4AB.7050206@fifthhorseman.net> <CAMm+LwgVvJ+ScrxGcdhckX9_E5OpEmThp+GWqbhCvmr9Qf7FDQ@mail.gmail.com>
In-Reply-To: <CAMm+LwgVvJ+ScrxGcdhckX9_E5OpEmThp+GWqbhCvmr9Qf7FDQ@mail.gmail.com>
X-Enigmail-Version: 1.2.1
Content-Type: multipart/signed; micalg="pgp-sha512"; protocol="application/pgp-signature"; boundary="------------enig940CB68BE9D238B8A7C5FD5D"
Cc: Chris Evans <cevans@google.com>, IETF WebSec WG <websec@ietf.org>
Subject: Re: [websec] Certificate Pinning via HSTS
X-BeenThere: websec@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
Reply-To: IETF WebSec WG <websec@ietf.org>
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/websec>, <mailto:websec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/websec>
List-Post: <mailto:websec@ietf.org>
List-Help: <mailto:websec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/websec>, <mailto:websec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 14 Sep 2011 17:35:08 -0000
On 09/14/2011 12:44 PM, Phillip Hallam-Baker wrote: > On Wed, Sep 14, 2011 at 11:13 AM, Daniel Kahn Gillmor <dkg@fifthhorseman.net >> wrote: > I really hate having private keys move off a host. > > If people are going to be doing that pattern of hosting I would prefer to > have keys tied to the virtual hosts such that they are generated in place > and never ever move from the host. Then have certs generated with short > lived expiry (36 hours), that way the attack surface is kept to a bare > minimum. I personally like this approach and i use multiple keys for different hosts serving the same domain for at least one domain i administer myself. i also note that it is diametrically opposed to your earlier stated goal of avoiding "major operational headache", particularly when using an external CA. I was trying to offer a way to avoid major operational headache in my proposal. Of course, the other way to avoid the headache in this is to use an in-house CA, but of course that gets back to my "the only reasonable CA to pin is an in-house CA". > Keys should be unique to the host and never move from the host. > > It is certainly not just citibank that has that scheme. Are these other organizations public? I'm looking to compile a list of groups that do this to raise this concern with the Convergence/Perpsectives folks, since these always show up as bad under their model of analysis. Feel free to mail the the list privately if you don't want to publish it, or if you feel it is off-topic for this list. >> if those intermediate authorities are not explicitly domain-restricted >> *in their own certificate*, then yes -- the risk is larger. i don't > > Not if the signing keys are in the same hardware module as the intermediate > they are signed under. You're asking me to assume a whole stack of things about operational integrity, access control, system maintenance, and coding practice at various CAs. I have no idea whether any of these things are true for any CA in particular. All i know is that there is a CA that is nominally under the control of a separate organization. I'd happy if someone could prove that these intermediate CAs are actually all locked down under very high security and properly limited in what kinds of certificates they can issue; but i'm not convinced such a proof is possible. And given the recent events, i'd have no confidence in an unproved assertion of secure operations of these subordinate CAs. > It is an operational issue. There is practically no difference in the code > between only checking the EE cert or key and checking intermediate > certs/keys. > > Designs should be as simple as possible BUT NO SIMPLER. > > The 'I don't see the need, therefore I will obstruct feature X' approach is > the reason that PKIX has become what it is. We could have had policy > constraints and cross certificate mechanisms that really worked the way we > wanted if they had been baked in on day one. Instead they have become a > black art which can be practiced by a very small circle of people and even > they will tell you how broken the system is. > > Give operators the tools to do their job, do not presume to tell them how to > secure their systems. The draft as initially proposed included both explicit mechanism and several "best practice" recommendations (e.g. pin rollover and backup). I think these recommendations were good ones, and contribute a lot toward making the draft clear and useful to the people who will have to deploy the mechanism. If this becomes an RFC, i'd hope these recommendations would persist in a "SECURITY CONSIDERATIONS" section or the equivalent. I'm proposing an additional recommendation: unless you control and operate your own CA, you probably only want to pin EEs. Regards, --dkg
- [websec] Certificate Pinning via HSTS Chris Palmer
- Re: [websec] Certificate Pinning via HSTS Richard L. Barnes
- Re: [websec] Certificate Pinning via HSTS SM
- Re: [websec] Certificate Pinning via HSTS =JeffH
- Re: [websec] Certificate Pinning via HSTS Richard L. Barnes
- Re: [websec] Certificate Pinning via HSTS Marsh Ray
- Re: [websec] Certificate Pinning via HSTS Yoav Nir
- Re: [websec] Certificate Pinning via HSTS Adam Langley
- Re: [websec] Certificate Pinning via HSTS James Nicoll
- Re: [websec] Certificate Pinning via HSTS Adam Langley
- Re: [websec] Certificate Pinning via HSTS Tobias Gondrom
- Re: [websec] Certificate Pinning via HSTS Tom Ritter
- Re: [websec] Certificate Pinning via HSTS Daniel Kahn Gillmor
- Re: [websec] Certificate Pinning via HSTS Philip Gladstone
- Re: [websec] Certificate Pinning via HSTS Chris Palmer
- Re: [websec] Certificate Pinning via HSTS Phillip Hallam-Baker
- Re: [websec] Certificate Pinning via HSTS Phillip Hallam-Baker
- Re: [websec] Certificate Pinning via HSTS Chris Palmer
- Re: [websec] Certificate Pinning via HSTS Chris Palmer
- Re: [websec] Certificate Pinning via HSTS Daniel Kahn Gillmor
- Re: [websec] Certificate Pinning via HSTS Phillip Hallam-Baker
- Re: [websec] Certificate Pinning via HSTS Phillip Hallam-Baker
- Re: [websec] Certificate Pinning via HSTS Daniel Kahn Gillmor
- Re: [websec] Certificate Pinning via HSTS Daniel Kahn Gillmor
- Re: [websec] Certificate Pinning via HSTS Phillip Hallam-Baker
- Re: [websec] Certificate Pinning via HSTS Phillip Hallam-Baker
- Re: [websec] Certificate Pinning via HSTS Daniel Kahn Gillmor
- Re: [websec] Certificate Pinning via HSTS Phillip Hallam-Baker