IETF Logo Mail Archive

Re: [websec] Certificate Pinning via HSTS

Daniel Kahn Gillmor <dkg@fifthhorseman.net> Wed, 14 September 2011 15:10 UTC

Return-Path: <dkg@fifthhorseman.net>
X-Original-To: websec@ietfa.amsl.com
Delivered-To: websec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4C8E621F8B71 for <websec@ietfa.amsl.com>; Wed, 14 Sep 2011 08:10:58 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.479
X-Spam-Level:
X-Spam-Status: No, score=-2.479 tagged_above=-999 required=5 tests=[AWL=0.120, BAYES_00=-2.599]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id rR8V33cJvGSd for <websec@ietfa.amsl.com>; Wed, 14 Sep 2011 08:10:57 -0700 (PDT)
Received: from che.mayfirst.org (che.mayfirst.org [209.234.253.108]) by ietfa.amsl.com (Postfix) with ESMTP id 5FDFB21F8B84 for <websec@ietf.org>; Wed, 14 Sep 2011 08:10:57 -0700 (PDT)
Received: from [192.168.23.207] (dsl254-070-154.nyc1.dsl.speakeasy.net [216.254.70.154]) by che.mayfirst.org (Postfix) with ESMTPSA id DF0E0F970; Wed, 14 Sep 2011 11:12:58 -0400 (EDT)
Message-ID: <4E70C4AB.7050206@fifthhorseman.net>
Date: Wed, 14 Sep 2011 11:13:47 -0400
From: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:5.0) Gecko/20110807 Icedove/5.0
MIME-Version: 1.0
To: Phillip Hallam-Baker <hallam@gmail.com>
References: <CAOuvq22p2qNnXRsK=PS=mxknnq4MrCWt0Np-N8su-iHXaWHqpg@mail.gmail.com> <4E6F5056.800@fifthhorseman.net> <CAOuvq22E-OvU_53gf_go8Nf_jXX_=wbTf7rn2XEa+GAWHTU+7w@mail.gmail.com> <4E70A8F8.80102@fifthhorseman.net> <CAMm+Lwj4LMjivR0nHWQ4eqkTz_WVTq8w5+QWGPSOat0KgvM3HA@mail.gmail.com>
In-Reply-To: <CAMm+Lwj4LMjivR0nHWQ4eqkTz_WVTq8w5+QWGPSOat0KgvM3HA@mail.gmail.com>
X-Enigmail-Version: 1.2.1
Content-Type: multipart/signed; micalg="pgp-sha512"; protocol="application/pgp-signature"; boundary="------------enig59D969115E03CB39ED0224AB"
Cc: Chris Evans <cevans@google.com>, IETF WebSec WG <websec@ietf.org>
Subject: Re: [websec] Certificate Pinning via HSTS
X-BeenThere: websec@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
Reply-To: IETF WebSec WG <websec@ietf.org>
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/websec>, <mailto:websec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/websec>
List-Post: <mailto:websec@ietf.org>
List-Help: <mailto:websec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/websec>, <mailto:websec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 14 Sep 2011 15:10:58 -0000

On 09/14/2011 09:46 AM, Phillip Hallam-Baker wrote:
> It gives you scaling and administrative convenience.
> 
> If you have 10,000 hosts in your enterprise network you really do not want
> to have to be managing trust on a per host level.

You're not "managing trust on a per host level" -- you're managing
*identity* on a per-host level, which is exactly what it should be.  If
you have 10K hosts, you need to think clearly about the identity
presented by each of those hosts.

> Now consider the case
> where you are renting your compute power in the cloud and so the machine
> instances are existing for a few hours at a time.
>
> Any scheme that insists on only tying to the EE cert or key is going to
> create a major operational headache for those sites. It is really easy to
> design a scheme that is easy to administer.

is it more of an operational headache to get an external CA to sign a
new key for each host each time it comes up "for a few hours"?  or to
just push the relevant pre-existing keys+certificates onto the hosts in
question?

> It is also going to cause huge amounts of state that the client has to
> manage. If you have 10,000 front end web servers you are going to need
> 10,000 different client keys to do the job right.

eh?  why?  if these are front-end web servers hosting the same service,
wouldn't they just share a key (and a certificate)?  The only large
organization i know of that uses one key per server is citibank, and
many people are making decent arguments that this is problematic for
other methods of identity verification (e.g. Perspectives and
Convergence plugins)

> So what most of the large enterprises would likely do if they introduced any
> form of security policy would be to have a private CA run up that is an
> intermediate in a larger hierarchy.

Sure, as i pointed out, the only reason you'd want to pin a CA is if the
CA is under your own organization's direct control.

> This is why the bogus EFF study came up
> with the absurd number of 600 CAs. What they have never come clean on is the
> fact that 150 of those 'CAs' are in fact merely intermediate roots tied to a
> single customer that are managed in the same infrastructure as the root CA
> operations.

if those intermediate authorities are not explicitly domain-restricted
*in their own certificate*, then yes -- the risk is larger.  i don't

> What pinning to a CA does raise is the absolute need to have the ability to
> pin more than one CA at a time.

i think for rollover purposes, you already need to be able to pin
multiple certs if you're pinning an EE.

Still unconvinced,

	--dkg

v2.23.0 | Report a Bug | By Email