IETF Logo Mail Archive

Re: [websec] draft-ietf-websec-key-pinning

Joseph Bonneau <jbonneau@gmail.com> Thu, 28 August 2014 16:03 UTC

Return-Path: <jbonneau@gmail.com>
X-Original-To: websec@ietfa.amsl.com
Delivered-To: websec@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B51C11A8725 for <websec@ietfa.amsl.com>; Thu, 28 Aug 2014 09:03:00 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id tZlMILIHDlfO for <websec@ietfa.amsl.com>; Thu, 28 Aug 2014 09:02:59 -0700 (PDT)
Received: from mail-vc0-x234.google.com (mail-vc0-x234.google.com [IPv6:2607:f8b0:400c:c03::234]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B3E321A870F for <websec@ietf.org>; Thu, 28 Aug 2014 09:02:58 -0700 (PDT)
Received: by mail-vc0-f180.google.com with SMTP id lf12so1077679vcb.11 for <websec@ietf.org>; Thu, 28 Aug 2014 09:02:57 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc:content-type; bh=tQvpBB+f11irFMQ//htYF+pdlEit7YKiCHDfhoO/Bh4=; b=0BLHyRJR0V8trcOZnmDFNGRdadaqtHPzZ+iDAyGibdjHYSn8mh+6AHhumrAz2oJrcu 2X14AaZYp6JSYf3Vvup27ZV6t3oEFvfJb3hZ5dlPdUUyWb9k+M3WhcC+2GJu9bqxwYqJ V9ix1JKGb+JmVIOFxJ3JgLX2KwXC0dwzZnU36QIbI/8kc3nXjVZNIutODuR7MdkbW1Rd bH2Qnf8PbGU2AJ39Bts1QvU4hzycpJVpM49W4d3n85vINTIVgUwzy0MGpZ0MrLQ43gOv /9mp3n96Z5QxjgTneUcPMqsuAAopRumC7lzxVY7Xsq81rk/m+CM80MaD2ExXl5DuKfJx L7Ag==
X-Received: by 10.52.30.2 with SMTP id o2mr3652747vdh.12.1409241777821; Thu, 28 Aug 2014 09:02:57 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.220.219.1 with HTTP; Thu, 28 Aug 2014 09:02:36 -0700 (PDT)
In-Reply-To: <CACvaWvZNpAepBmWchLMirfPdxu4ed=vH1qwMppAjw1P9S+4quw@mail.gmail.com>
References: <BAY169-DS62B5941BF0A9024964BB0AEEE0@phx.gbl> <CACvaWvYHAmpX0f9_m-sckhWz9tcyWA-sxVR4vP-A5UcAQmnYXA@mail.gmail.com> <BAY169-DS45F1C5036AB09CA44D0BC7AEDF0@phx.gbl> <CA+cU71k-pLD315dzfd_c74QM51c7V2VQkZ26PiXUTqntmESD=A@mail.gmail.com> <CAOuvq20mZkScvPDKjsa1eZ6rdoHxf_+oF=gpaOcvkOTaYhyj6Q@mail.gmail.com> <CA+cU71mW47OvqRNTbw-H7u-F_k6hMv4xr0XcMYAS_V6eE8brwA@mail.gmail.com> <CAOuvq20C+T9Ejf_KUsfPRtUWL7ggCF0UWJZkGr5xGBEkERXeRQ@mail.gmail.com> <BAY169-DS45D73636AA204DEEABC876AEDC0@phx.gbl> <CAOuvq20kCKk=jcXsy_d8C-4Fn-f0zshP6YUPn5N8hsKt7KO7dw@mail.gmail.com> <CAGZ8ZG3KUPAbePp-_GCztj4RSLd8MuNo1iDz=ua+BEjQVzJc7Q@mail.gmail.com> <CA+cU71=A6vFXZrG8mcqj4uC-z2VdJfFOutqcq9MPTYs+uhpa9Q@mail.gmail.com> <CAOuvq22QgGVpsxrsZswqspiP-rgNE6B3vp_6bYDTE5-MrLZdVg@mail.gmail.com> <CA+cU71nN-=TjWZZovMUcTrXMF1gBcYFppnfnsaP7hKw+6AUCLQ@mail.gmail.com> <CAOe4Uim9ZC7MdY1tXhLWFwNxzxorh00bJ3PBsco_H-KxpYh-Dg@mail.gmail.com> <CAGZ8ZG3xoA1w1oEx9F8MuH1PARe5ALU9A1CEXqDXM-JSh_niGg@mail.gmail.com> <CACvaWvYjVXMsgCzL=mM+F8eS0hcjTqEaR7xYzti4LD4rdpbD1g@mail.gmail.com> <0EBE1766-612D-442E-B2B1-149D368144D4@gmail.com> <CA+cU71=gTW1ePN9HX4urTDktF-RohgrmYP_jRgKVStQ4F7QP6w@mail.gmail.com> <CACvaWvZNpAepBmWchLMirfPdxu4ed=vH1qwMppAjw1P9S+4quw@mail.gmail.com>
From: Joseph Bonneau <jbonneau@gmail.com>
Date: Thu, 28 Aug 2014 12:02:36 -0400
Message-ID: <CAOe4Uik7wAr0TnHvDDfcpv2PrcDiCO8kfuPYAv1QgMcM0ULdig@mail.gmail.com>
To: Ryan Sleevi <sleevi@google.com>
Content-Type: multipart/alternative; boundary="20cf307d06b291dc380501b2abf3"
Archived-At: http://mailarchive.ietf.org/arch/msg/websec/lJHHCijJqqB6MdOJ1LX1T2tY1X4
Cc: draft-ietf-websec-key-pinning <draft-ietf-websec-key-pinning@tools.ietf.org>, Eric Lawrence <ericlaw1979@hotmail.com>, "<websec@ietf.org>" <websec@ietf.org>
Subject: Re: [websec] draft-ietf-websec-key-pinning
X-BeenThere: websec@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/websec>, <mailto:websec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/websec/>
List-Post: <mailto:websec@ietf.org>
List-Help: <mailto:websec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/websec>, <mailto:websec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 28 Aug 2014 16:03:00 -0000

On Wed, Aug 27, 2014 at 9:14 PM, Ryan Sleevi <sleevi@google.com> wrote:

> Right, so, I do agree with Joe that I do think we've reached conclusions
> on the suitability for security and the suitability for testing, and I do
> want to see what can be done to editorially resolve this.
>
> Without having fully drafted the text, it seems like one possible solution
> is to describe HOW a site operator might use this to test deployment of
> pins, knowing that it may not be a perfect solution for all use cases, it
> would at least help to clarify both the strengths and limitations.
>
> The example I'm thinking of is as follows:
>

With Ryan's proposed testing plan I fear many site operators can't easily
enumerate all subdomains and even if they try this is a particularly
difficult test mode because there's no feedback if you forget a subdomain.
This allows you to make sure it works on all subdomains you know about-but
what about the ones you don't?

Beyond that though, we're probably kidding ourselves if we think most site
operators will actually sit down and read an RFC front-to-back. They won't.
Some evidence from a project a student of mine is working on, finding a
large number of sites (~30%) are not properly setting HSTS headers per the
spec (which is comparably simple to achieve):
http://jbonneau.com/doc/KB14-hsts_pinning_survey_working_draft.pdf. Clearly
a lot of people didn't read the RFC and that's not even counting minor
errors like incorrect capitalization.

I think we should be realistic that this RFC will primarily be read by
developers building support into user agents and not site operators. Site
operators will, at best, read somebody's 500-word how-to blog post. Many
will probably just copy what some other site is doing and modify it until
it appears to work.

In a perfect world, we'd do "developer testing" on an draft like this where
we give a random site-operator-off-the-street the RFC and ask if they can
comprehend it and add support to their site. This is similar to how any new
software tool should have user testing. Short of that, the evidence we have
is that multiple people (including myself) who are security enthusiasts and
have been following this draft for years had a broken mental model of how
PKP-RO works. I think this design is violating the Principal of Least
Astonishment and we're asking for trouble no matter how much explanatory
text gets added to the RFC.

v2.23.0 | Report a Bug | By Email