Re: [websec] I-D Action: draft-ietf-websec-key-pinning-20.txt
Yoav Nir <ynir.ietf@gmail.com> Sat, 16 August 2014 05:42 UTC
Return-Path: <ynir.ietf@gmail.com>
X-Original-To: websec@ietfa.amsl.com
Delivered-To: websec@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9842E1A6FD3 for <websec@ietfa.amsl.com>; Fri, 15 Aug 2014 22:42:40 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.23
X-Spam-Level:
X-Spam-Status: No, score=-1.23 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_SORBS_WEB=0.77, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 2GxAsaD8lPgH for <websec@ietfa.amsl.com>; Fri, 15 Aug 2014 22:42:38 -0700 (PDT)
Received: from mail-wi0-x229.google.com (mail-wi0-x229.google.com [IPv6:2a00:1450:400c:c05::229]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8DEAC1A6FC6 for <websec@ietf.org>; Fri, 15 Aug 2014 22:42:38 -0700 (PDT)
Received: by mail-wi0-f169.google.com with SMTP id n3so1701342wiv.0 for <websec@ietf.org>; Fri, 15 Aug 2014 22:42:37 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=content-type:mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=8mZ/9Ji5vGt/8HML0bdN1OJHCiuyU4ECviiV/bjma+w=; b=KcKDSIARnZpZeb7zQM7UUVeKRh0YtIAB9uRBESn0LA2crDNeXFPUMmpn7USNG9CUxG s0xbKVTDjBGCpCGTKcjTZWlBAsQJX2DmL2162V3xcTWx3mAda8ILbEUiy/oQOrMM8KkO Eb9Bzt7fcSW0//uy4BTTfMYWa7mBIwBjS1MVswyHLGvZEQbm/NK5eLMat+niORJMhRlt Gqw3SZHyW0L6tj6t9PhQ/pZd4X7RzjqP9XgYsFDU+p3A9fEbYXKUp04s3dq1dhkEV/2p eBLEZUpw5Qp3FlRnuTWYvMpjs/oCPPPq/e/YGOGQEkung2drxuRij82aUZ7tbHv5xjD5 SRuA==
X-Received: by 10.180.75.49 with SMTP id z17mr25266121wiv.80.1408167757103; Fri, 15 Aug 2014 22:42:37 -0700 (PDT)
Received: from [172.17.1.172] ([199.203.120.178]) by mx.google.com with ESMTPSA id bi3sm1249265wib.6.2014.08.15.22.42.35 for <multiple recipients> (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Fri, 15 Aug 2014 22:42:36 -0700 (PDT)
Content-Type: text/plain; charset="us-ascii"
Mime-Version: 1.0 (Mac OS X Mail 7.3 \(1878.6\))
From: Yoav Nir <ynir.ietf@gmail.com>
In-Reply-To: <19075EB00EA7FE49AFF87E5818D673D4111F5EA2@PRODEXMB01W.eagle.usaa.com>
Date: Sat, 16 Aug 2014 08:42:34 +0300
Content-Transfer-Encoding: quoted-printable
Message-Id: <B3FCC287-4258-4BAF-9504-8A36CA2A9AD9@gmail.com>
References: <20140807181140.4935.81427.idtracker@ietfa.amsl.com> <19075EB00EA7FE49AFF87E5818D673D4111F5EA2@PRODEXMB01W.eagle.usaa.com>
To: "Mehner, Carl" <Carl.Mehner@usaa.com>
X-Mailer: Apple Mail (2.1878.6)
Archived-At: http://mailarchive.ietf.org/arch/msg/websec/cc3ubBqNTEH_VDvoLPzPQVEf9qs
Cc: "cevans@google.com" <cevans@google.com>, "websec@ietf.org" <websec@ietf.org>, Ryan Sleevi <sleevi@google.com>
Subject: Re: [websec] I-D Action: draft-ietf-websec-key-pinning-20.txt
X-BeenThere: websec@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/websec>, <mailto:websec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/websec/>
List-Post: <mailto:websec@ietf.org>
List-Help: <mailto:websec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/websec>, <mailto:websec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 16 Aug 2014 05:42:40 -0000
Thanks, Carl A new revisions is anyways needed because of DISCUSS ballots during IESG review, so these nits can be solved a the same time. Yoav On Aug 16, 2014, at 1:02 AM, Mehner, Carl <Carl.Mehner@usaa.com> wrote: > Sorry for the late, last minute review. I found one capitalization nit, one issue, and one personal-opinion-based nit. > > > > Section 2.1; The first word of the sentence should be capitalized. > Old: > . token and quoted-string are used > New: > . Token and quoted-string are used > > > > Section 4.2 > Public-Key-Pins: pin-sha256="GHI..."; pin-sha256="JKL..." > > This is not a valid Pinning Header as is stated due to it missing the REQUIRED max-age directive. > > I recommend changing to: > Public-Key-Pins: max-age=12000; pin-sha256="GHI..."; pin-sha256="JKL..." > > > > Appendix A: > I understand the POSIX shell may be desirable for some, but openssl is used for everything except for the very last command here. Therefore, I think that it would make more sense to just have the whole thing be openssl commands so that Windows users will also be able to create key pins locally using the direct commands from the draft. > Old: > This POSIX shell program generates SPKI Fingerprints... > ... > openssl dgst -sha256 -binary public.key | base64 > New: > This OpenSSL command generates SPKI Fingerprints... > ... > openssl dgst -sha256 -binary public.key | openssl enc -base64 > > > -cem > >> -----Original Message----- >> From: websec [mailto:websec-bounces@ietf.org] On Behalf Of internet- >> drafts@ietf.org >> Sent: Thursday, August 07, 2014 1:12 PM >> To: i-d-announce@ietf.org >> Cc: websec@ietf.org >> Subject: EXTERNAL: [websec] I-D Action: draft-ietf-websec-key-pinning- >> 20.txt >> >> >> A New Internet-Draft is available from the on-line Internet-Drafts >> directories. >> This draft is a work item of the Web Security Working Group of the >> IETF. >> >> Title : Public Key Pinning Extension for HTTP >> Authors : Chris Evans >> Chris Palmer >> Ryan Sleevi >> Filename : draft-ietf-websec-key-pinning-20.txt >> Pages : 26 >> Date : 2014-08-07 >> >> Abstract: >> This document describes an extension to the HTTP protocol allowing >> web host operators to instruct user agents to remember ("pin") the >> hosts' cryptographic identities for a given period of time. During >> that time, UAs will require that the host present a certificate >> chain >> including at least one Subject Public Key Info structure whose >> fingerprint matches one of the pinned fingerprints for that host. >> By >> effectively reducing the number of authorities who can authenticate >> the domain during the lifetime of the pin, pinning may reduce the >> incidence of man-in-the-middle attacks due to compromised >> Certification Authorities. >> >> >> The IETF datatracker status page for this draft is: >> https://datatracker.ietf.org/doc/draft-ietf-websec-key-pinning/ >> >> There's also a htmlized version available at: >> http://tools.ietf.org/html/draft-ietf-websec-key-pinning-20 >> >> A diff from the previous version is available at: >> http://www.ietf.org/rfcdiff?url2=draft-ietf-websec-key-pinning-20 >> >> >> Please note that it may take a couple of minutes from the time of >> submission >> until the htmlized version and diff are available at tools.ietf.org. >> >> Internet-Drafts are also available by anonymous FTP at: >> ftp://ftp.ietf.org/internet-drafts/ >> >> _______________________________________________ >> websec mailing list >> websec@ietf.org >> https://www.ietf.org/mailman/listinfo/websec > > _______________________________________________ > websec mailing list > websec@ietf.org > https://www.ietf.org/mailman/listinfo/websec
- [websec] I-D Action: draft-ietf-websec-key-pinnin… internet-drafts
- Re: [websec] I-D Action: draft-ietf-websec-key-pi… Mehner, Carl
- Re: [websec] I-D Action: draft-ietf-websec-key-pi… Yoav Nir