Re: [websec] Issue 53 - Key pinning should clarify status of pin validation with private trust anchors

Daniel Kahn Gillmor <dkg@fifthhorseman.net> Tue, 05 March 2013 10:26 UTC

Return-Path: <dkg@fifthhorseman.net>
X-Original-To: websec@ietfa.amsl.com
Delivered-To: websec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4164321F8928 for <websec@ietfa.amsl.com>; Tue, 5 Mar 2013 02:26:50 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id PVYs3m4v1w5d for <websec@ietfa.amsl.com>; Tue, 5 Mar 2013 02:26:49 -0800 (PST)
Received: from che.mayfirst.org (che.mayfirst.org [209.234.253.108]) by ietfa.amsl.com (Postfix) with ESMTP id 93EC421F890F for <websec@ietf.org>; Tue, 5 Mar 2013 02:26:49 -0800 (PST)
Received: from [192.168.13.131] (lair.fifthhorseman.net [108.58.6.98]) by che.mayfirst.org (Postfix) with ESMTPSA id 67D9BF979; Tue, 5 Mar 2013 05:26:47 -0500 (EST)
Message-ID: <5135C860.2080001@fifthhorseman.net>
Date: Tue, 05 Mar 2013 05:26:40 -0500
From: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:17.0) Gecko/20130112 Icedove/17.0.2
MIME-Version: 1.0
To: ryan-ietfhasmat@sleevi.com
References: <77ade868e5042a347751a9d025b84b19.squirrel@webmail.dreamhost.com>
In-Reply-To: <77ade868e5042a347751a9d025b84b19.squirrel@webmail.dreamhost.com>
X-Enigmail-Version: 1.6a1pre
Content-Type: multipart/signed; micalg=pgp-sha512; protocol="application/pgp-signature"; boundary="----enig2CNEFMNBILTNRKMONFNPM"
Cc: websec@ietf.org
Subject: Re: [websec] Issue 53 - Key pinning should clarify status of pin validation with private trust anchors
X-BeenThere: websec@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/websec>, <mailto:websec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/websec>
List-Post: <mailto:websec@ietf.org>
List-Help: <mailto:websec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/websec>, <mailto:websec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 05 Mar 2013 10:26:50 -0000

On 03/04/2013 07:57 PM, Ryan Sleevi wrote:
> As discussed during Atlanta, the way that pinning is currently implemented
> within Google Chrome, pinning is only enforced as it relates to so-called
> "public trust anchors" (eg: those shipped by default as part of a browser
> or OS installation, not those installed by a user).

Sorry -- i wasn't in Atlanta, so i don't know the context or background
for this.  Can you explain more?

Consider the case where pre-loaded trust anchor ("trusted root
certificate authority") X certified my web server's EE certificate with
pubkey Y, and i published a pin on Y and my backup pubkey Z (but no pin
on X).

Are you saying that if i switch my server to use Z, and it is certified
by some non-(pre)loaded trust anchor (or it is self-signed), then Google
Chrome will not respect the pinning and the connection will fail?

	--dkg