Re: [websec] #58: Should we pin only SPKI, or also names

Phillip Hallam-Baker <hallam@gmail.com> Sat, 10 August 2013 20:25 UTC

Date: Sat, 10 Aug 2013 21:18:40 +0100
From: Phillip Hallam-Baker <hallam@gmail.com>
To: Gervase Markham <gerv@mozilla.org>
Cc: websec <websec@ietf.org>
Subject: Re: [websec] #58: Should we pin only SPKI, or also names

On Wed, Aug 7, 2013 at 9:03 AM, Gervase Markham <gerv@mozilla.org> wrote:

> On 07/08/13 07:19, Yoav Nir wrote:
> > Even if others chime in now and say that they do want this change, I
> > think we can't just ask administrators to list random names in
> > headers or resources. For example, what string do you use for the
> > bunch of trust anchors formerly known as "Verisign"?  Do you call it
> > "Verisign"?  "VERISIGN"? "Symantec"? Are the Thawte public keys
> > covered by the "Symantec" label? the "Verisign" label?  A wrong
> > choice by an administrator (like getting your next certificate from a
> > Thawte brand CA and expecting it to be covered by your "Symantec"
> > pin) could lead to bricking the site.
>
> Without expressing an opinion on the question, it's worth noting that
> this is already an issue with CAA, albeit that Symantec has to decide a
> set of domain names (rather than simple strings) to represent them or
> their brands. This was not a particularly difficult exercise for them,
> they probably have the most roots and most brands, and it only had to be
> done once.
>
> So I'd suggest that it's not an insuperable obstacle.
>
> > That is not to say we must not do this, but we must not do this
> > without a registry for CA strings.
>
> Or just require people to use "a domain name I control" rather than a
> bare string, like CAA. No need for a registry.
>

There are two questions here.

1) Should we introduce a level of indirection, i.e. should we only be
talking about pinning to bits that are actually present in the certificate
chain, or should we support something more?

2) If the answer to (1) is to have indirection, who should maintain the
registry?


The main argument that I am making is that if the answer to (1) is 'yes'
then reuse the approach taken in CAA and do not introduce a new registry
because we do not want to maintain separate registries for different
purposes.

The secondary argument is that having established that the CAs are going to
have to decide on the domain names and scope etc. issues for CAA, the cost
of indirection is lowered.



-- 
Website: http://hallambaker.com/
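As an added example, not from this thread or from any project it names, here is what the "bits actually present in the certificate chain" option from question (1) looks like in practice: a minimal DER walker that pulls the SubjectPublicKeyInfo out of an X.509 certificate and computes the pin as base64(SHA-256(SPKI)), the form later standardised for HPKP in RFC 7469, so that a pin set is checked against the chain alone with no registry or CA label involved. The certificate builder at the end produces a constructed placeholder with empty name and validity fields; only its DER structure matters for locating the SPKI.

```python
import base64
import hashlib

def der_tlv(data: bytes, offset: int = 0):
    """Parse one DER TLV at offset; return (tag, value, end_offset)."""
    tag, length, pos = data[offset], data[offset + 1], offset + 2
    if length & 0x80:  # long form: low 7 bits give the byte count of the length
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, data[pos:pos + length], pos + length

def encode_tlv(tag: int, value: bytes) -> bytes:
    """DER-encode a TLV, choosing short or long length form."""
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value

def extract_spki(cert_der: bytes) -> bytes:
    """Return the DER SubjectPublicKeyInfo TLV of an X.509 certificate:
    Certificate ::= SEQ { tbsCertificate, sigAlg, sigValue }; tbsCertificate ::=
    SEQ { [0] version OPTIONAL, serial, sigAlg, issuer, validity, subject, SPKI, ... }"""
    _, cert_body, _ = der_tlv(cert_der)
    _, tbs, _ = der_tlv(cert_body)
    fields, pos = [], 0
    while pos < len(tbs):
        tag, val, pos = der_tlv(tbs, pos)
        fields.append((tag, val))
    if fields[0][0] == 0xA0:  # EXPLICIT [0] version present (v2/v3 certs)
        fields.pop(0)
    tag, val = fields[5]
    return encode_tlv(tag, val)

def spki_pin_sha256(cert_der: bytes) -> str:
    """HPKP-style pin: base64(SHA-256(DER SubjectPublicKeyInfo))."""
    return base64.b64encode(hashlib.sha256(extract_spki(cert_der)).digest()).decode()

def chain_satisfies_pins(chain_der, pins) -> bool:
    """Direct pinning: the chain passes if any certificate carries a pinned SPKI.
    Only bytes present in the chain are consulted; no registry is involved."""
    return any(spki_pin_sha256(c) in pins for c in chain_der)

def build_test_cert(spki_body: bytes) -> bytes:
    """Constructed placeholder certificate with empty name/validity fields;
    only the DER structure matters for locating the SPKI."""
    empty = encode_tlv(0x30, b"")
    tbs = (encode_tlv(0xA0, encode_tlv(0x02, b"\x02"))  # [0] version = v3
           + encode_tlv(0x02, b"\x01")                  # serialNumber
           + empty * 4                                  # sigAlg, issuer, validity, subject
           + encode_tlv(0x30, spki_body))               # subjectPublicKeyInfo
    return encode_tlv(0x30, encode_tlv(0x30, tbs) + empty + encode_tlv(0x03, b"\x00"))
```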