Re: [websec] #58: Should we pin only SPKI, or also names

Yoav Nir <ynir@checkpoint.com> Wed, 07 August 2013 06:20 UTC

Return-Path: <ynir@checkpoint.com>
X-Original-To: websec@ietfa.amsl.com
Delivered-To: websec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CF82921F8FDC for <websec@ietfa.amsl.com>; Tue, 6 Aug 2013 23:20:10 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -10.508
X-Spam-Level:
X-Spam-Status: No, score=-10.508 tagged_above=-999 required=5 tests=[AWL=0.091, BAYES_00=-2.599, RCVD_IN_DNSWL_HI=-8]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id KA-1TphoFcI4 for <websec@ietfa.amsl.com>; Tue, 6 Aug 2013 23:20:03 -0700 (PDT)
Received: from smtp.checkpoint.com (smtp.checkpoint.com [194.29.34.68]) by ietfa.amsl.com (Postfix) with ESMTP id C0B6121F8F4F for <websec@ietf.org>; Tue, 6 Aug 2013 23:20:02 -0700 (PDT)
Received: from DAG-EX10.ad.checkpoint.com ([194.29.34.150]) by smtp.checkpoint.com (8.13.8/8.13.8) with ESMTP id r776K1Mj028409 for <websec@ietf.org>; Wed, 7 Aug 2013 09:20:01 +0300
X-CheckPoint: {5201E711-1-1B221DC2-1FFFF}
Received: from IL-EX10.ad.checkpoint.com ([169.254.2.105]) by DAG-EX10.ad.checkpoint.com ([169.254.3.223]) with mapi id 14.02.0342.003; Wed, 7 Aug 2013 09:20:00 +0300
From: Yoav Nir <ynir@checkpoint.com>
To: websec <websec@ietf.org>
Thread-Topic: [websec] #58: Should we pin only SPKI, or also names
Thread-Index: AQHOjHagv3/BmvZ4wU6WrbkIw+Bd/ZmAXZOAgAADk4CAAHu6gIAIRDGA
Date: Wed, 07 Aug 2013 06:19:59 +0000
Message-ID: <2035FF99-A079-4F2F-B4DE-962FE1C1B964@checkpoint.com>
References: <060.be9b0009dc0350ca543f553042673944@trac.tools.ietf.org> <073501ce8c6e$f6c17d90$e44478b0$@digicert.com> <CAMm+LwjdGJC4FHCJ_OAYGRqCGGc0Nz1pLV=yVGK9M9E7drfujQ@mail.gmail.com> <CAOuvq200e9HnPX1w9sZ+e7ipBmdgZdPL5xzKDgcaDpSxz1N=gg@mail.gmail.com> <CAMm+Lwh384YBMXw-BDoxJw+AN4qv8x6GQpF9YK4PW1gQRnadpg@mail.gmail.com> <6125A841-6C85-4858-B37F-C021067F0CFA@checkpoint.com>
In-Reply-To: <6125A841-6C85-4858-B37F-C021067F0CFA@checkpoint.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [172.31.21.54]
x-kse-antivirus-interceptor-info: scan successful
x-kse-antivirus-info: Clean
x-cpdlp: 1148d0e074cc7892dfa87de41a27e368dc1bbcbb49
Content-Type: text/plain; charset="iso-8859-1"
Content-ID: <40F97ACD5C56864F9C2B54ABB8A83F2E@ad.checkpoint.com>
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Subject: Re: [websec] #58: Should we pin only SPKI, or also names
X-BeenThere: websec@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/websec>, <mailto:websec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/websec>
List-Post: <mailto:websec@ietf.org>
List-Help: <mailto:websec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/websec>, <mailto:websec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 07 Aug 2013 06:20:11 -0000

[with chair hat on]

Hi

So far, only Phil and Jeremy have been in favor of making this change. I don't think we have consensus for this change.

Even if others chime in now and say that they do want this change, I think we can't just ask administrators to list random names in headers or resources. For example, what string do you use for the bunch of trust anchors formerly known as "Verisign"?  Do you call it "Verisign"?  "VERISIGN"? "Symantec"? Are the Thawte public keys covered by the "Symantec" label? the "Verisign" label?  A wrong choice by an administrator (like getting your next certificate from a Thawte brand CA and expecting it to be covered by your "Symantec" pin) could lead to bricking the site.

That is not to say we must not do this, but we must not do this without a registry for CA strings. The go-to body for registries at the IETF is IANA, but I don't think we've ever had an IANA registry for brand names. So unless we can get some body (the CA/Browser Forum?) to create such a registry and provide a stable link that we can reference, I think this is a non-starter. Even with such a registry, I don't see consensus for this.

Yoav