Re: [websec] Key pinning for DSA keys with inherited domain params

Yoav Nir <ynir@checkpoint.com> Tue, 13 December 2011 06:11 UTC

From: Yoav Nir <ynir@checkpoint.com>
To: Chris Palmer <palmer@google.com>
Date: Tue, 13 Dec 2011 08:11:39 +0200
Thread-Topic: [websec] Key pinning for DSA keys with inherited domain params
Thread-Index: Acy5Xhld5Y+196YyRvKZnr+G5tKZKg==
Message-ID: <D36CA259-5E25-41A4-A3BE-765636D7C491@checkpoint.com>
References: <76E2AAC7-2070-4C98-B0EE-08BE5D2B0CB9@team.telstra.com> <CAL9PXLz7fVbH5SC0X1G+uj_-BZKW=Gj5L1zQbxX8398e+e2t6g@mail.gmail.com> <CAOuvq213m-KNTenfNLi1nknj1KPa4O_m7yAXpDtX7NaDiMraWA@mail.gmail.com> <CAOuvq22Y0Ame2BGZuPM_YsYztQB0en=5+btQVg5C9p-Hk4V67g@mail.gmail.com>
In-Reply-To: <CAOuvq22Y0Ame2BGZuPM_YsYztQB0en=5+btQVg5C9p-Hk4V67g@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
acceptlanguage: en-US
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Cc: "websec@ietf.org" <websec@ietf.org>
Subject: Re: [websec] Key pinning for DSA keys with inherited domain params
Precedence: list

True. I don't expect DSA to ever become viable enough to worry about.  I think if you ran the same select for ECDSA, you would come up with zero, but there is some expectation of that changing in the long run. 

By now all the major browsers except Opera support ECDSA, so we might be seeing some of those when websites feel it's safe to abandon the IE6-on-Windows-XP and old Macs.

On Dec 13, 2011, at 2:55 AM, Chris Palmer wrote:

> Of these, the handful that I spot-checked are all either down,
> expired, or have been replaced with certificates for RSA keys.
> 
> On Mon, Dec 12, 2011 at 4:37 PM, Chris Palmer <palmer@google.com> wrote:
>> Also, FWIW, from the EFF SSL Observatory:
>> 
>> mysql> select distinct `Subject Public Key Info:Public Key Algorithm`
>> from valid_certs;
>> +----------------------------------------------+
>> | Subject Public Key Info:Public Key Algorithm |
>> +----------------------------------------------+
>> |  rsaEncryption                               |
>> |  dsaEncryption                               |
>> +----------------------------------------------+
>> 2 rows in set (4.09 sec)
>> 
>> mysql> select count(*) from valid_certs where `Subject Public Key
>> Info:Public Key Algorithm` like '%dsa%';
>> +----------+
>> | count(*) |
>> +----------+
>> |       25 |
>> +----------+
>> 1 row in set (3.26 sec)

[websec] Key pinning for DSA keys with inherited … Manger, James H
Re: [websec] Key pinning for DSA keys with inheri… Adam Langley
Re: [websec] Key pinning for DSA keys with inheri… Chris Palmer
Re: [websec] Key pinning for DSA keys with inheri… Chris Palmer
Re: [websec] Key pinning for DSA keys with inheri… Yoav Nir
Re: [websec] Key pinning for DSA keys with inheri… Phillip Hallam-Baker
Re: [websec] Key pinning for DSA keys with inheri… Adam Langley
Re: [websec] Key pinning for DSA keys with inheri… Phillip Hallam-Baker