Re: [websec] #55: Clarify that the newest pinning information takes precedence

"Ryan Sleevi" <ryan-ietfhasmat@sleevi.com> Wed, 03 April 2013 19:54 UTC

Message-ID: <48b1f63e3c764f2ddc591feb00fc1d0a.squirrel@webmail.dreamhost.com>
In-Reply-To: <CAOuvq217S6SsuBQ29qajftMVMi28pysdzAt0bzB1F2h3=NHX9Q@mail.gmail.com>
References: <058.106749b7ec8d8775c9a7c03ff71b6de4@trac.tools.ietf.org> <073.ec94ba2e71513562888c29f0af0b3306@trac.tools.ietf.org> <CA+cU71n_8b7R8KRwWi-V0kmuwPqBwpAzy6W6MXeC=AYSwc5TMw@mail.gmail.com> <CAOuvq217S6SsuBQ29qajftMVMi28pysdzAt0bzB1F2h3=NHX9Q@mail.gmail.com>
Date: Wed, 03 Apr 2013 11:18:50 -0700
From: Ryan Sleevi <ryan-ietfhasmat@sleevi.com>
To: Chris Palmer <palmer@google.com>
Cc: IETF WebSec WG <websec@ietf.org>, websec issue tracker <trac+websec@trac.tools.ietf.org>, Ryan Sleevi <sleevi@google.com>
Subject: Re: [websec] #55: Clarify that the newest pinning information takes precedence

On Mon, April 1, 2013 3:28 pm, Chris Palmer wrote:
>  On Wed, Mar 27, 2013 at 7:54 PM, Tom Ritter <tom@ritter.vg> wrote:
>
> > " The UA MUST evict all expired Known Pinned Hosts if at any time, an
> > expired Known Pinned Host exists in the cache"
> >
> > I use rrdtool to keep 5 years of statistics for my server.  Once, I
> > accidentally set the date forward, to 2038, wiping out my statistics -
> > there was no way to recover, because rrdtool dutifully wiped all this
> > expired data.
> >
> > Using the word 'evict' seems particularly dangerous, for both active
> > ntp attacks, and accidental wiping.
>
>  Yoav says the text works for him. I wonder if we can satisfy both by
>  saying something like "the UA MUST ignore expired Known Pinned Hosts
>  in the cache." That way, if the client machine gets its clock fixed
>  and the expired KPHs become un-expired, happiness will ensue once
>  again. Ryan, thoughts?

Something like that works for me.

The spec only needs to ensure that the visible client behaviour remains
consistent - and ignoring expired Known Pinned Hosts data is the desired
effect of the present language, so it's fine to specify it this way.

That said, I expect clients will probably continue with the "evict the
cache" approach, which would be fine and spec-compliant. I think there'd
only be an issue if there were language being proposed that said clients
*should not* evict the cache - as you could make an argument on security
considerations using Tom's example.
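As an added illustration (not code from the draft, from any browser, or from anyone in this thread), the following Python model of a user agent's Known Pinned Hosts cache shows the observable difference between the two wordings under discussion: "evict" follows the draft text (any expired entry triggers removal of all expired entries), "ignore" follows Chris's proposed text (expired entries are simply not consulted). The clock is injectable so the scenario from Tom's rrdtool story can be replayed: pin a host, set the clock to 2038, then correct it. Host names, SPKI hashes, timestamps and the function names are constructed for the example; the newest header replacing the stored entry reflects the ticket's subject.

```python
"""Two treatments of expired Known Pinned Hosts, as discussed in the thread.

Added illustration, not code from the draft or from any browser. Hosts, pin
hashes and timestamps are constructed. "evict" models the draft text ("evict
all expired Known Pinned Hosts if at any time an expired Known Pinned Host
exists"); "ignore" models the proposed replacement ("ignore expired Known
Pinned Hosts in the cache").
"""
from dataclasses import dataclass
import time


@dataclass(frozen=True)
class KnownPinnedHost:
    host: str
    pins: frozenset        # SPKI fingerprints, e.g. "sha256/<base64>"
    observed_at: float     # UA clock when the Public-Key-Pins header was seen
    max_age: int           # seconds, from the header's max-age directive

    def is_expired(self, now):
        return now >= self.observed_at + self.max_age


class PinCache:
    """Known Pinned Hosts store for one user agent.

    `clock` is injectable so the scenario below can simulate a clock that is
    set wrong (by accident or by an attack on NTP) and later corrected."""

    def __init__(self, policy, clock=time.time):
        if policy not in ("evict", "ignore"):
            raise ValueError("policy must be 'evict' or 'ignore'")
        self.policy = policy
        self.clock = clock
        self._entries = {}

    def note_pins(self, host, pins, max_age):
        """Record (or replace) the pins for host: the newest header wins."""
        self._entries[host] = KnownPinnedHost(host, frozenset(pins), self.clock(), max_age)

    def lookup(self, host):
        """Return the usable KnownPinnedHost for host, or None."""
        now = self.clock()
        if self.policy == "evict" and any(e.is_expired(now) for e in self._entries.values()):
            # Draft wording: one expired entry triggers removal of all expired entries.
            # Removal is permanent; fixing the clock later does not bring them back.
            self._entries = {h: e for h, e in self._entries.items() if not e.is_expired(now)}
        entry = self._entries.get(host)
        if entry is None or entry.is_expired(now):
            # Proposed wording: an expired entry is not consulted. Under "ignore" it
            # stays stored, so it is usable again once the clock is right.
            return None
        return entry

    def stored_hosts(self):
        return frozenset(self._entries)


def check_chain(cache, host, chain_spki_hashes):
    """Pin validation for a connection to host whose chain already validated.

    'unpinned' : no usable pins, connection proceeds on ordinary PKI validation
    'ok'       : at least one certificate in the chain matches a pin
    'mismatch' : pins exist but none match; the UA must fail the connection"""
    entry = cache.lookup(host)
    if entry is None:
        return "unpinned"
    return "ok" if entry.pins & frozenset(chain_spki_hashes) else "mismatch"


def clock_skew_scenario(policy):
    """Pin example.com, jump the clock to 2038, then correct it.

    Returns (pins usable while the clock is wrong, pins usable after it is fixed)."""
    fake = {"now": 1_365_000_000.0}                     # constructed: early April 2013
    cache = PinCache(policy, clock=lambda: fake["now"])
    cache.note_pins("example.com", {"sha256/AAAA"}, max_age=30 * 24 * 3600)

    fake["now"] = 2_145_000_000.0                       # constructed: early 2038
    while_wrong = cache.lookup("example.com") is not None

    fake["now"] = 1_365_000_000.0 + 3600                # clock fixed an hour later
    after_fix = cache.lookup("example.com") is not None
    return while_wrong, after_fix


if __name__ == "__main__":
    for policy in ("evict", "ignore"):
        print(policy, clock_skew_scenario(policy))
```

Both policies refuse to use the pins while the clock reads 2038, so the visible behaviour at that moment is the same; they differ only after the clock is corrected, where the "evict" cache has lost the entry for good and the "ignore" cache enforces it again. A client that evicts is still conforming to the "ignore" wording, since a missing entry and an ignored one are indistinguishable to the server.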