IETF Logo Mail Archive

Re: [websec] #58: Should we pin only SPKI, or also names

"Jeremy Rowley" <jeremy.rowley@digicert.com> Mon, 12 August 2013 22:19 UTC

Return-Path: <jeremy.rowley@digicert.com>
X-Original-To: websec@ietfa.amsl.com
Delivered-To: websec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 58EC121F9F7A for <websec@ietfa.amsl.com>; Mon, 12 Aug 2013 15:19:10 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.599
X-Spam-Level:
X-Spam-Status: No, score=-6.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id PbsJsdVx5tv5 for <websec@ietfa.amsl.com>; Mon, 12 Aug 2013 15:19:06 -0700 (PDT)
Received: from mail.digicert.com (mail.digicert.com [64.78.193.232]) by ietfa.amsl.com (Postfix) with ESMTP id 2B84421F9EEE for <websec@ietf.org>; Mon, 12 Aug 2013 15:19:06 -0700 (PDT)
Received: from JROWLEYL1 (unknown [65.127.208.182]) (using TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by mail.digicert.com (Postfix) with ESMTPSA id 0E9067FA06C; Mon, 12 Aug 2013 16:19:05 -0600 (MDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=digicert.com; s=mail; t=1376345945; bh=y0pRNcNNCwClDTvCFmVbQc7h1jySQhKCQ8exIkhJ5RI=; h=Reply-To:From:To:Cc:References:In-Reply-To:Subject:Date; b=rjtFQq1Cxi2y0WXi80QXwGbKToopWskQmGs0ldLT7a3g7ukq7xdLrImixnBAEggle b8VlrldjHK4h1+hNSMVbsn2PlNCDO+oCpjXzY1Fo7isDTrBy0co/c6wBtjYW2ANYsc nwz/YK+vDuGLPH5hfJ3nOy5wbIRxOsKCEjrZ1kcM=
From: Jeremy Rowley <jeremy.rowley@digicert.com>
To: 'Rob Stradling' <rob.stradling@comodo.com>, 'Yoav Nir' <ynir@checkpoint.com>
References: <060.be9b0009dc0350ca543f553042673944@trac.tools.ietf.org> <073501ce8c6e$f6c17d90$e44478b0$@digicert.com> <CAMm+LwjdGJC4FHCJ_OAYGRqCGGc0Nz1pLV=yVGK9M9E7drfujQ@mail.gmail.com> <CAOuvq200e9HnPX1w9sZ+e7ipBmdgZdPL5xzKDgcaDpSxz1N=gg@mail.gmail.com> <CAMm+Lwh384YBMXw-BDoxJw+AN4qv8x6GQpF9YK4PW1gQRnadpg@mail.gmail.com> <6125A841-6C85-4858-B37F-C021067F0CFA@checkpoint.com> <2035FF99-A079-4F2F-B4DE-962FE1C1B964@checkpoint.com> <CAOuvq20O9bqHGR-5eKPmasNnWEuNW7ACL7PxM09yoTmmyt1UUg@mail.gmail.com> <CAGZ8ZG2C4uB=4vgH325TWeNW89ne4E_DN0j9ZV0t2AKa1o+x9g@mail.gmail.com> <52089A35.9040103@mozilla.org> <CAGZ8ZG3HUUsQJ63mCqHd_LOq+KSdsVpG7Gibdif5dS4oGLywpA@mail.gmail.com> <FE1FE96A-709A-4966-A238-517086E7AFEB@checkpoint.com> <053201ce9793$9a1dbd30$ce593790$@digicert.com> <52095DF1.80908@comodo.com>
In-Reply-To: <52095DF1.80908@comodo.com>
Date: Mon, 12 Aug 2013 16:19:05 -0600
Organization: DigiCert
Message-ID: <057f01ce97a9$f5a76aa0$e0f63fe0$@digicert.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Mailer: Microsoft Outlook 14.0
Thread-Index: AQJoJKS5/1/Jv2JXKWhm99jqPYGDVAJNKJejAdJQI9sCGoZA7wM5pAdUAiWKukcBIDPIBwNTr9QiAme7tNcCJlWFCwIOi6NMAkVqOGQBVDaKtgLV3uOul3ZA0aA=
Content-Language: en-us
Cc: 'websec' <websec@ietf.org>
Subject: Re: [websec] #58: Should we pin only SPKI, or also names
X-BeenThere: websec@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
Reply-To: jeremy.rowley@digicert.com
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/websec>, <mailto:websec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/websec>
List-Post: <mailto:websec@ietf.org>
List-Help: <mailto:websec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/websec>, <mailto:websec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 12 Aug 2013 22:19:10 -0000

As would DigiCert.  Finding a home from the registry does not appear to be
difficult if CA pinning is supported.

Jeremy

-----Original Message-----
From: Rob Stradling [mailto:rob.stradling@comodo.com] 
Sent: Monday, August 12, 2013 4:13 PM
To: jeremy.rowley@digicert.com; 'Yoav Nir'
Cc: 'Trevor Perrin'; 'websec'
Subject: Re: [websec] #58: Should we pin only SPKI, or also names

Comodo would be happy to maintain this registry, if this WG decides that
it's required.

On 12/08/13 20:39, Jeremy Rowley wrote:
> There are a couple of groups, in addition to the CAB Forum,  that may 
> be interested in hosting a registrar.  Let me check with them and get 
> back to you.
>
> Many of those questions can be readily addressed once a group or once 
> several groups have expressed a willingness to participate.  The one 
> that this working group is best poised to answer is whether the 
> process details should be defined here or somewhere else.
>
> Jeremy
>
> -----Original Message-----
> From: websec-bounces@ietf.org [mailto:websec-bounces@ietf.org] On 
> Behalf Of Yoav Nir
> Sent: Monday, August 12, 2013 12:50 PM
> To: Trevor Perrin
> Cc: websec
> Subject: Re: [websec] #58: Should we pin only SPKI, or also names
>
>
> On Aug 12, 2013, at 7:11 PM, Trevor Perrin <trevp@trevp.net> wrote:
>
>> On Mon, Aug 12, 2013 at 1:17 AM, Gervase Markham <gerv@mozilla.org>
wrote:
>>> On 11/08/13 05:25, Trevor Perrin wrote:
>>>> Could we just say:
>>>> - The holder of a domain name is responsible for specifying the 
>>>> SPKIs that it maps to.
>>>> - How the domain holder communicates this to the UA is out of scope.
>>>
>>> In other words "Don't set up a registry; just punt the problem and 
>>> hope something works itself out organically"?
>>
>> Yes.
>>
>> If people hate this, someone should make a proposal for a registry:
>>
>> - Who maintains it?
>> - How are requests to add or remove CA names authenticated?
>> - Does the registry map CA names to actual keys?
>>    - If so, how are change requests authenticated?
>>    - What are the timing rules to ensure changes are propagated to 
>> browsers as needed?
>> - How can the registry be monitored and double-checked to avoid it 
>> becoming a single point of failure?
>> - Should these process details be defined in the HPKP spec or 
>> somewhere
> else?
>
> As you've said, before this is for the CAs and browsers to come up 
> with such a solution (assuming they want it, and I'm not hearing this 
> from either the Mozilla people or the Google people on this list). CAs 
> and browers. Now, if only there was some forum where both of these come
together...
>
> Joking aside, The CA/Browser forum is not currently in the business of 
> running registries. IANA is, but I don't know how to specify in a 
> draft an IANA policy that would include following mergers, 
> acquisitions, and branding, and settling trademark disputes. Not do I 
> have any reason to believe that IANA would be willing to do this. So 
> unless the CA/Browser Forum agrees to take on this responsibility, and 
> provide stable link for both machine and human readable mappings, I 
> think this proposal should be shelved until we can find someone who will
answer your questions above.
>
> Yoav
>
> _______________________________________________
> websec mailing list
> websec@ietf.org
> https://www.ietf.org/mailman/listinfo/websec
>
> _______________________________________________
> websec mailing list
> websec@ietf.org
> https://www.ietf.org/mailman/listinfo/websec
>

--
Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online
Office Tel: +44.(0)1274.730505
Office Fax: +44.(0)1274.730909
www.comodo.com

COMODO CA Limited, Registered in England No. 04058690 Registered Office:
   3rd Floor, 26 Office Village, Exchange Quay,
   Trafford Road, Salford, Manchester M5 3EQ

This e-mail and any files transmitted with it are confidential and intended
solely for the use of the individual or entity to whom they are addressed.
If you have received this email in error please notify the sender by
replying to the e-mail containing this attachment. Replies to this email may
be monitored by COMODO for operational or business reasons. Whilst every
endeavour is taken to ensure that e-mails are free from viruses, no
liability can be accepted and the recipient is requested to use their own
virus checking software.

v2.23.0 | Report a Bug | By Email