Re: [websec] Certificate Pinning via HSTS

Daniel Kahn Gillmor <dkg@fifthhorseman.net> Wed, 14 September 2011 15:28 UTC

To: IETF WebSec WG <websec@ietf.org>
Cc: Chris Evans <cevans@google.com>

On 09/14/2011 11:13 AM, Daniel Kahn Gillmor wrote:
>> This is why the bogus EFF study came up
>> with the absurd number of 600 CAs. What they have never come clean on is the
>> fact that 150 of those 'CAs' are in fact merely intermediate roots tied to a
>> single customer that are managed in the same infrastructure as the root CA
>> operations.
> 
> if those intermediate authorities are not explicitly domain-restricted
> *in their own certificate*, then yes -- the risk is larger.  i don't

sorry -- this got cut off somehow.

... i don't think EFF's study is bogus in its analysis.  "the same
infrastructure" doesn't mean "using the same access controls" --
certainly customers in control of an intermediate root have more access
to that root than other people, so there are additional risks to relying
parties from them if they're not explicitly domain-restricted.

Were these 150 intermediate certs explicitly domain-restricted in the
certificates themselves?

	--dkg
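
The question above, whether an intermediate is domain-restricted in its own certificate, corresponds in X.509 to the nameConstraints extension (RFC 5280, section 4.2.1.10). The following is an added example, not part of the original message: a small Python model of dNSName constraint matching that shows which intermediates a relying party has to trust for a given hostname. The CA names and subtrees are constructed sample data, and only dNSName constraints are modelled.

```python
# Added illustration: RFC 5280 dNSName name-constraint matching.
# All CA names and subtrees below are constructed sample data.

def dns_within(name, subtree):
    """True if `name` equals `subtree` or adds labels to its left-hand side."""
    name = name.lower().rstrip(".")
    subtree = subtree.lower().rstrip(".")
    if subtree == "":
        return True  # an empty dNSName constraint matches every name
    # Match on a label boundary so "evilcustomer-a.example" does not
    # satisfy a constraint of "customer-a.example".
    return name == subtree or name.endswith("." + subtree)

def may_issue_for(ca, hostname):
    """Would a certificate for `hostname` from this CA pass its constraints?"""
    # Excluded subtrees always win over permitted ones.
    if any(dns_within(hostname, s) for s in ca.get("excluded", [])):
        return False
    permitted = ca.get("permitted")
    if permitted is None:
        return True  # no permitted dNSName subtrees: any hostname is accepted
    return any(dns_within(hostname, s) for s in permitted)

def issuers_for(hostname, cas):
    """Names of the intermediates a relying party would accept for `hostname`."""
    return [ca["name"] for ca in cas if may_issue_for(ca, hostname)]

# Constructed sample: three customer-held intermediates under one root.
INTERMEDIATES = [
    {"name": "customer-a sub-CA", "permitted": ["customer-a.example"]},
    {"name": "customer-b sub-CA", "permitted": None},
    {"name": "customer-c sub-CA", "permitted": None,
     "excluded": ["internal.example"]},
]

if __name__ == "__main__":
    for host in ("mail.customer-a.example", "www.bank.example",
                 "db.internal.example"):
        print(host, "->", issuers_for(host, INTERMEDIATES))
```

Only the intermediate with permitted subtrees drops out for unrelated hostnames; the other two remain acceptable issuers for any domain outside an excluded subtree.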