Re: [websec] Certificate Pinning via HSTS (.txt version)
Chris Palmer <palmer@google.com> Tue, 13 September 2011 20:18 UTC
In-Reply-To: <FA8A58ED-DD2B-446B-9F01-9D1D25140569@checkpoint.com>
References: <4E6E9B77.1020802@KingsMountain.com> <4E6F9DC6.2080006@stpeter.im> <FA8A58ED-DD2B-446B-9F01-9D1D25140569@checkpoint.com>
Date: Tue, 13 Sep 2011 13:21:00 -0700
Message-ID: <CAOuvq220w+tit2s8MuimQGuWZJ0_7Lx42udVYEzB8KxYJ+LJLg@mail.gmail.com>
From: Chris Palmer <palmer@google.com>
To: IETF WebSec WG <websec@ietf.org>
On Tue, Sep 13, 2011 at 11:41 AM, Yoav Nir <ynir@checkpoint.com> wrote:

> Six months ago we would not have thought that Comodo
> or DigiNotar were easy to hack. In the latter case, the
> customers of DigiNotar were left out in the cold. Without
> certificate pinning, they just need to spend money on a
> new certificate and their site is working again. With it,
> they are in trouble.

This is why we strongly advocate that you have a backup pin, so that
you can pivot to it in the event of any of several disasters that we
outline in the document. We are even thinking about requiring backup
pins, because they are so important. (See the Risks of Pinning section,
and the Ideas section.)

Assuming that the disaster is not one of private key compromise (either
end entity or signer), you can also recover by having your public key
re-signed by a new CA.
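The two recovery paths in the reply above, a backup pin and re-signing the same public key under a new CA, both follow from pins being computed over the SubjectPublicKeyInfo rather than over the certificate. The following added example (written for this archive page, not code from the draft, from Chris Palmer, or from Google) makes that concrete with the standard library only. It builds the DER SubjectPublicKeyInfo for RSA keys, computes `pin-sha256` values as base64(SHA-256(SPKI)), and checks a served chain against remembered pins. Assumptions: the `Public-Key-Pins: pin-sha256="..."; max-age=...` header syntax is modeled on what this proposal later became (RFC 7469), not necessarily the exact syntax of the draft under discussion; the moduli are constructed 2048-bit numbers, not real keys; `www.example.com`, `CA One` and `CA Two` are hypothetical names; the `Cert` class is a stand-in that carries only the fields pinning looks at.

```python
"""Added example: SPKI pinning with a primary and a backup pin, standard library only."""
import base64
import hashlib
import re
from dataclasses import dataclass


def der_len(n: int) -> bytes:
    """DER length octets: short form below 128, long form above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der(tag: int, content: bytes) -> bytes:
    return bytes([tag]) + der_len(len(content)) + content


def der_integer(value: int) -> bytes:
    # The extra byte when the top bit is set keeps the INTEGER positive.
    return der(0x02, value.to_bytes((value.bit_length() + 8) // 8, "big"))


RSA_ENCRYPTION_OID = bytes.fromhex("06092a864886f70d010101")  # 1.2.840.113549.1.1.1


def rsa_spki(n: int, e: int = 65537) -> bytes:
    """DER SubjectPublicKeyInfo for an RSA key (RFC 5280 4.1.2.7, RFC 3279 2.3.1)."""
    rsa_public_key = der(0x30, der_integer(n) + der_integer(e))
    algorithm = der(0x30, RSA_ENCRYPTION_OID + der(0x05, b""))
    return der(0x30, algorithm + der(0x03, b"\x00" + rsa_public_key))


def spki_pin(spki_der: bytes) -> str:
    """pin-sha256 value: base64(SHA-256(SubjectPublicKeyInfo DER))."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")


@dataclass(frozen=True)
class Cert:
    """Stand-in for an X.509 certificate carrying only what pinning looks at."""
    subject: str
    issuer: str
    spki: bytes


def pins_header(pins, max_age=5184000):
    """Header value with one pin-sha256 directive per pin (syntax modeled on RFC 7469)."""
    return "; ".join(f'pin-sha256="{p}"' for p in pins) + f"; max-age={max_age}"


def parse_pins_header(value):
    return re.findall(r'pin-sha256="([A-Za-z0-9+/]+={0,2})"', value)


def chain_passes_pins(chain, pins):
    """At least one remembered pin must match the SPKI of some cert in the served chain."""
    return bool({spki_pin(c.spki) for c in chain} & set(pins))


def fake_modulus(label: bytes) -> int:
    """Constructed 2048-bit odd number standing in for an RSA modulus (not a real key)."""
    return int.from_bytes(hashlib.sha256(label).digest() * 8, "big") | (1 << 2047) | 1


KEY_A = rsa_spki(fake_modulus(b"server key A, in production"))
KEY_B = rsa_spki(fake_modulus(b"server key B, kept offline as the backup"))
KEY_C = rsa_spki(fake_modulus(b"server key C, generated after the incident"))
CA1 = Cert("CN=CA One", "CN=CA One", rsa_spki(fake_modulus(b"CA one")))
CA2 = Cert("CN=CA Two", "CN=CA Two", rsa_spki(fake_modulus(b"CA two")))


def recovery_scenarios():
    """Which paths keep a pinned site reachable once its issuer (CA One) is distrusted."""
    with_backup = parse_pins_header(pins_header([spki_pin(KEY_A), spki_pin(KEY_B)]))
    no_backup = parse_pins_header(pins_header([spki_pin(KEY_A)]))
    leaf_a_ca1 = Cert("CN=www.example.com", CA1.subject, KEY_A)
    leaf_a_ca2 = Cert("CN=www.example.com", CA2.subject, KEY_A)  # same key, re-signed by CA Two
    leaf_b_ca2 = Cert("CN=www.example.com", CA2.subject, KEY_B)  # rotated to the backup key
    leaf_c_ca2 = Cert("CN=www.example.com", CA2.subject, KEY_C)  # brand-new key, never pinned
    return {
        "before incident": chain_passes_pins([leaf_a_ca1, CA1], with_backup),
        "same key re-signed by new CA": chain_passes_pins([leaf_a_ca2, CA2], with_backup),
        "rotate to backup key": chain_passes_pins([leaf_b_ca2, CA2], with_backup),
        "new key not covered by any pin": chain_passes_pins([leaf_c_ca2, CA2], with_backup),
        "new key, only one pin ever set": chain_passes_pins([leaf_b_ca2, CA2], no_backup),
    }


if __name__ == "__main__":
    for scenario, ok in recovery_scenarios().items():
        print(f"{scenario:34s} {'reachable' if ok else 'BLOCKED by pins'}")
```

The last two scenarios are the case the quoted message worries about: a site that pinned only its live key and then has to mint a fresh one is locked out for the remembered max-age. Re-signing only helps when the private key itself is intact; after a key compromise the backup pin is the only path that does not wait out the pin lifetime.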