Re: [websec] I-D Action: draft-ietf-websec-key-pinning-12.txt

Chris Palmer <palmer@google.com> Mon, 16 June 2014 23:12 UTC

In-Reply-To: <CAGZ8ZG2EE5KjESiLmPN+_-pDLAN_Wg-5rbyYo+8oOMOcLpkd_g@mail.gmail.com>
References: <20140428231041.12685.8218.idtracker@ietfa.amsl.com> <35B52561-A6B3-43F9-9291-81D46444D3D2@gmail.com> <CAGZ8ZG2Fmd694piWonBn-J40Wj_AVMk1Df0iYzSXpbtpt7Wutg@mail.gmail.com> <2FB9B161-A4DB-4905-A9EC-CF05D72EE7A3@gmail.com> <CAGZ8ZG3sDu=T3HC9JDdpjJhCLzB3ctgOU52bBpULoxEx_LTWug@mail.gmail.com> <CAOuvq20Br0_8=uaWbZK+hvC=dGcbVAzXo3WL9oFbnFr0rRhuUg@mail.gmail.com> <CAGZ8ZG2EE5KjESiLmPN+_-pDLAN_Wg-5rbyYo+8oOMOcLpkd_g@mail.gmail.com>
Date: Mon, 16 Jun 2014 16:12:40 -0700
Message-ID: <CAOuvq21iVNZ3AteoeQL9dj7RBL6rAQeM3g6hzrufn3pTaZbSvw@mail.gmail.com>
From: Chris Palmer <palmer@google.com>
To: Trevor Perrin <trevp@trevp.net>
Content-Type: text/plain; charset="UTF-8"
Archived-At: http://mailarchive.ietf.org/arch/msg/websec/ehu-Jn1goL-Z6B7msXwVcpPOJtQ
Cc: IETF WebSec WG <websec@ietf.org>
Subject: Re: [websec] I-D Action: draft-ietf-websec-key-pinning-12.txt
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
List-Archive: <http://www.ietf.org/mail-archive/web/websec/>

On Mon, May 19, 2014 at 11:28 PM, Trevor Perrin <trevp@trevp.net> wrote:

>> PKP vs. PKP-RO:
>> https://code.google.com/p/key-pinning-draft/source/detail?r=994a00dc31bf2cca6f3edea29871a6a4f18090f9
>
> The new text about PKP-RO in 2.5 (quoted below) seems to say that a
> PKP-RO header is only evaluated against the current connection, not
> stored as a pin.  I thought we decided the opposite (which is what I
> think 2.3.2 is saying):
>
> 2.3.2 (existing text):
>   If a Host sets both the Public-Key-Pins header and the Public-Key-
>    Pins-Report-Only header, the UA MUST note and enforce Pin Validation
>    as specified by the Public-Key-Pins header, and SHOULD note the Pins
>    and directives given in the Public-Key-Pins-Report-Only header.

Most recent text
(https://tools.ietf.org/html/draft-ietf-websec-key-pinning-14#section-2.3.2)
FWIW:

"""
   If a Host sets both the PKP header and the PKP-RO header, the UA MUST
   note and enforce Pin Validation as specified by the PKP header, and
   SHOULD note the Pins and directives given in the PKP-RO header.  If
   the UA does note the Pins and directives in the PKP-RO header it
   SHOULD evaluate the specified policy and SHOULD report any would-be
   Pin Validation failures that would occur if the report-only policy
   were enforced.
"""

So, the bug is still present. I will change "note" to "process",
indicating that the UA need not store anything about the PKP-RO
header. Indeed, its purpose is ephemeral, and I don't see any reason to
store anything, *except for the purpose of determining that it has
already sent a report for a given policy*. I'll add some text to that
effect.

> 2.5 (new text):
>     The UA SHOULD NOT note any pins or other policy expressed in the PKP-
>     RO response header field.

I'll add the text in this section.

Here's the change:

https://code.google.com/p/key-pinning-draft/source/detail?r=fed01d71c5012137c2fb483b0ccad21b83b5888b
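Added illustration (not code from the draft, this thread, or any browser) of the PKP vs. PKP-RO distinction discussed above: a toy user-agent that notes and enforces PKP, but only evaluates PKP-RO against the current connection and keeps nothing except a "report already sent for this policy" key. The class and function names (UserAgent, parse_pkp, process_response), the example.com report URIs, and the SPKI byte strings are all constructed for the example; certificate chains are modelled as lists of SubjectPublicKeyInfo DER blobs, and the noting conditions and report body are simplified forms of what the draft specifies.

```python
"""Toy user-agent model of PKP vs. PKP-RO handling (constructed example).

Assumptions: a chain is a list of SPKI DER blobs; pin-sha256 values are
base64(SHA-256(SPKI DER)) as in the draft; PKP is noted only if the chain
matches a pin and a backup pin is present; the report is a reduced form
of the draft's JSON report.  Nothing here is the draft's or a browser's code.
"""
import base64
import hashlib
import re
import time


def spki_fingerprint(spki_der: bytes) -> str:
    """pin-sha256 encoding of one SPKI: base64(SHA-256(DER))."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")


# directive[=value]; value is either a quoted string or a bare token, ';'-separated
_DIRECTIVE = re.compile(r'([A-Za-z0-9-]+)(?:\s*=\s*(?:"([^"]*)"|([^;\s"]*)))?')


def parse_pkp(value: str) -> dict:
    """Parse a PKP or PKP-RO field value into a policy dict (only the draft's directives)."""
    policy = {"pins": [], "max_age": None, "include_subdomains": False, "report_uri": None}
    for name, quoted, bare in _DIRECTIVE.findall(value):
        name, val = name.lower(), (quoted or bare)
        if name == "pin-sha256" and val:
            policy["pins"].append(val)
        elif name == "max-age" and val.isdigit():
            policy["max_age"] = int(val)
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
        elif name == "report-uri" and val:
            policy["report_uri"] = val
    return policy


def chain_matches(pins, chain_spki) -> bool:
    """Pin Validation: some pin equals the fingerprint of some SPKI in the chain."""
    fps = {spki_fingerprint(s) for s in chain_spki}
    return any(p in fps for p in pins)


def has_backup_pin(pins, chain_spki) -> bool:
    """At least one pin is NOT in the chain (backup-pin requirement)."""
    fps = {spki_fingerprint(s) for s in chain_spki}
    return any(p not in fps for p in pins)


class UserAgent:
    def __init__(self, clock=time.time):
        self.clock = clock
        self.pinned_hosts = {}     # host -> noted PKP policy (persistent state)
        self.reports_sent = set()  # (host, pins, report_uri): the only PKP-RO state kept

    def validate(self, host, chain_spki) -> bool:
        """Enforce a previously noted PKP policy on a new connection to host."""
        entry = self.pinned_hosts.get(host)
        if entry is None:
            return True
        if entry["expires"] <= self.clock():
            del self.pinned_hosts[host]  # expired: forget the pin, do not enforce
            return True
        return chain_matches(entry["pins"], chain_spki)

    def process_response(self, host, headers, chain_spki) -> list:
        """PKP: note and enforce.  PKP-RO: evaluate, report once per policy, never store."""
        reports = []
        if "Public-Key-Pins" in headers:
            p = parse_pkp(headers["Public-Key-Pins"])
            if p["max_age"] == 0:
                self.pinned_hosts.pop(host, None)  # max-age=0 clears the pin
            elif (p["max_age"] and chain_matches(p["pins"], chain_spki)
                  and has_backup_pin(p["pins"], chain_spki)):
                self.pinned_hosts[host] = {"pins": list(p["pins"]),
                                           "expires": self.clock() + p["max_age"],
                                           "include_subdomains": p["include_subdomains"],
                                           "report_uri": p["report_uri"]}
        if "Public-Key-Pins-Report-Only" in headers:
            p = parse_pkp(headers["Public-Key-Pins-Report-Only"])
            # Ephemeral: evaluated against this connection only; nothing is noted.
            if p["report_uri"] and not chain_matches(p["pins"], chain_spki):
                key = (host, frozenset(p["pins"]), p["report_uri"])
                if key not in self.reports_sent:  # one report per (host, policy)
                    self.reports_sent.add(key)
                    reports.append({"report-uri": p["report_uri"], "hostname": host,
                                    "known-pins": list(p["pins"]),
                                    "served-spki-hashes": [spki_fingerprint(s) for s in chain_spki]})
        return reports


# Constructed placeholder SPKI blobs (not real keys) for the scenario below.
SPKI_LEAF = b"constructed-spki-leaf"
SPKI_BACKUP = b"constructed-spki-backup"
SPKI_OTHER = b"constructed-spki-other"


def demo() -> dict:
    """PKP noted and enforced; PKP-RO evaluated, reported once, and never stored."""
    ua = UserAgent(clock=lambda: 1_000_000.0)
    headers = {
        "Public-Key-Pins": 'pin-sha256="%s"; pin-sha256="%s"; max-age=5184000; '
                           'report-uri="https://example.com/pkp"'
                           % (spki_fingerprint(SPKI_LEAF), spki_fingerprint(SPKI_BACKUP)),
        "Public-Key-Pins-Report-Only": 'pin-sha256="%s"; max-age=60; '
                                       'report-uri="https://example.com/pkp-ro"'
                                       % spki_fingerprint(SPKI_OTHER),
    }
    first = ua.process_response("example.com", headers, [SPKI_LEAF])
    second = ua.process_response("example.com", headers, [SPKI_LEAF])  # same policy again
    return {"noted_pins": ua.pinned_hosts["example.com"]["pins"],
            "first_reports": first, "second_reports": second,
            "enforced_ok": ua.validate("example.com", [SPKI_LEAF]),
            "enforced_fail": ua.validate("example.com", [SPKI_OTHER])}


if __name__ == "__main__":
    import json
    print(json.dumps(demo(), indent=2))
```

The second call to process_response with the identical PKP-RO policy yields no report, which is the one piece of PKP-RO state the message above argues for keeping; the noted pins come only from the PKP header, so a chain matching only the PKP-RO pin still fails enforced validation.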