Re: [websec] Certificate Pinning via HSTS
Phillip Hallam-Baker <hallam@gmail.com> Wed, 14 September 2011 13:58 UTC
Return-Path: <hallam@gmail.com>
X-Original-To: websec@ietfa.amsl.com
Delivered-To: websec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CD24121F8BFE for <websec@ietfa.amsl.com>; Wed, 14 Sep 2011 06:58:04 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.462
X-Spam-Level:
X-Spam-Status: No, score=-3.462 tagged_above=-999 required=5 tests=[AWL=0.136, BAYES_00=-2.599, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id vvdpBqzjQNTL for <websec@ietfa.amsl.com>; Wed, 14 Sep 2011 06:58:00 -0700 (PDT)
Received: from mail-gx0-f182.google.com (mail-gx0-f182.google.com [209.85.161.182]) by ietfa.amsl.com (Postfix) with ESMTP id 1FA5721F8B52 for <websec@ietf.org>; Wed, 14 Sep 2011 06:58:00 -0700 (PDT)
Received: by gxk28 with SMTP id 28so2199786gxk.27 for <websec@ietf.org>; Wed, 14 Sep 2011 07:00:09 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=kjxBPOnM5/+Y66rYrerhc/MIRYoS/eN2FRVkyw47Igo=; b=ie+sfW+k4JvQDdTtVsuHsKKkcTagbNtTDpDGmZDEv8MXcOePnEFwpWFzccU4g/Cn6i 8sI+pcT6FIfr+oE0NNo9wmyXvTd8zLarBHAs7W0r9x0GEvxzAK4X97UieEzOpSOk27uP rgCPg3dXzD6IQteHlPoiUi0aK/4yBYR9CbmWc=
MIME-Version: 1.0
Received: by 10.101.11.36 with SMTP id o36mr326696ani.74.1316008808974; Wed, 14 Sep 2011 07:00:08 -0700 (PDT)
Received: by 10.100.120.20 with HTTP; Wed, 14 Sep 2011 07:00:08 -0700 (PDT)
In-Reply-To: <CAOuvq22p2qNnXRsK=PS=mxknnq4MrCWt0Np-N8su-iHXaWHqpg@mail.gmail.com>
References: <CAOuvq22p2qNnXRsK=PS=mxknnq4MrCWt0Np-N8su-iHXaWHqpg@mail.gmail.com>
Date: Wed, 14 Sep 2011 10:00:08 -0400
Message-ID: <CAMm+Lwh4Q2fW_ZLYuyC0UnhFEqXc_o6+BJ9eZ3c0XtA1DmmiQw@mail.gmail.com>
From: Phillip Hallam-Baker <hallam@gmail.com>
To: Chris Palmer <palmer@google.com>
Content-Type: multipart/alternative; boundary="0016e68ef4579489bf04ace72d63"
Cc: Chris Evans <cevans@google.com>, websec@ietf.org
Subject: Re: [websec] Certificate Pinning via HSTS
X-BeenThere: websec@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/websec>, <mailto:websec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/websec>
List-Post: <mailto:websec@ietf.org>
List-Help: <mailto:websec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/websec>, <mailto:websec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 14 Sep 2011 13:58:04 -0000
One technical point, have you considered the ODI mechanism that we developed for CAA up to the -01 version when the client enforcement bit got kiboshed? The name is confuising, but lets say we call it the DIGEST URI type and the digest data consists of DIGEST: < Base64 ( <Object-type> + <Digest-alg> + <Digest-value>) The idea was that this is something we could write code into various crypto libs to generate as a fixed ASCII blob that the user can then cut and paste. It is thus easier for the admin to manage than having the digest alg being a separate parameter that they have to get right. A practical benefit here is that it makes it easy to have multiple digests in the same header without the need for bracketing: Pin: DIGEST:w2eoiuweoifuweoi== DIGEST:weowoeifwoeifj== Is easier to parse than: Pin: [alg=sha1 fingerprint=odoiweoifjio==] [alg=sha256 fingerprint=wejwekhjw==] This makes it easy to provide two versions of the digest so that old and new browsers can make use of the same data. This is the type of capability that I think will be essential in emergency response if we ever have a SHA2 breach to cope with. It also means that the digest format is intrinsically proof against content type substitution attacks. If the code expects a cert or a key, it can check that it is not being fed a cunningly crafted object of another type. One minor point, the draft mentions SHA1. Could we just dump that? I can't see a good reason to use SHA1 in new code at this point. I would like all new code to be SHA3 capable from the start. Which is why the ODI scheme used ASN.1. Any code that is going to touch certs is going to have to have an ASN.1 algorithm type mechanism. But knowing what the IANA situation is takes an additional bit of data. [As a matter of policy I would prefer that the IETF get out of the business of giving code points that recognize vanity crypto and only ever issue code points for algorithms that the IETF endorses as MUSTs for IETF protocols.] On Mon, Sep 12, 2011 at 5:56 PM, Chris Palmer <palmer@google.com> wrote: > Hi all, > > Chris Evans and I work at Google on the Chrome security team. We have > devised this specification for a new extension to Strict Transport > Security to allow site operators to "pin" certificates: UAs will > require that TLS connections be validated with at least one of the > public keys identified in the new "pins" directive in the HSTS header. > (Sites can pin to one or more public keys in end entity, subordinate > CA, and/or root CA certificates, for flexibility and disaster > recovery.) > > We hope that this mechanism opens up the benefits of certificate > pinning to more sites. Currently, Chrome can "pre-load" HSTS behavior > and certificate pins for sites, but the mechanism for doing this > (email us!) does not scale. > > We eagerly anticipate your comments, questions, concerns, et c. As you > can see from the Ideas section, there are some unanswered questions > about the behavior of UAs and hosts, and possible extensions to the > policy. > > _______________________________________________ > websec mailing list > websec@ietf.org > https://www.ietf.org/mailman/listinfo/websec > > -- Website: http://hallambaker.com/
- [websec] Certificate Pinning via HSTS Chris Palmer
- Re: [websec] Certificate Pinning via HSTS Richard L. Barnes
- Re: [websec] Certificate Pinning via HSTS SM
- Re: [websec] Certificate Pinning via HSTS =JeffH
- Re: [websec] Certificate Pinning via HSTS Richard L. Barnes
- Re: [websec] Certificate Pinning via HSTS Marsh Ray
- Re: [websec] Certificate Pinning via HSTS Yoav Nir
- Re: [websec] Certificate Pinning via HSTS Adam Langley
- Re: [websec] Certificate Pinning via HSTS James Nicoll
- Re: [websec] Certificate Pinning via HSTS Adam Langley
- Re: [websec] Certificate Pinning via HSTS Tobias Gondrom
- Re: [websec] Certificate Pinning via HSTS Tom Ritter
- Re: [websec] Certificate Pinning via HSTS Daniel Kahn Gillmor
- Re: [websec] Certificate Pinning via HSTS Philip Gladstone
- Re: [websec] Certificate Pinning via HSTS Chris Palmer
- Re: [websec] Certificate Pinning via HSTS Phillip Hallam-Baker
- Re: [websec] Certificate Pinning via HSTS Phillip Hallam-Baker
- Re: [websec] Certificate Pinning via HSTS Chris Palmer
- Re: [websec] Certificate Pinning via HSTS Chris Palmer
- Re: [websec] Certificate Pinning via HSTS Daniel Kahn Gillmor
- Re: [websec] Certificate Pinning via HSTS Phillip Hallam-Baker
- Re: [websec] Certificate Pinning via HSTS Phillip Hallam-Baker
- Re: [websec] Certificate Pinning via HSTS Daniel Kahn Gillmor
- Re: [websec] Certificate Pinning via HSTS Daniel Kahn Gillmor
- Re: [websec] Certificate Pinning via HSTS Phillip Hallam-Baker
- Re: [websec] Certificate Pinning via HSTS Phillip Hallam-Baker
- Re: [websec] Certificate Pinning via HSTS Daniel Kahn Gillmor
- Re: [websec] Certificate Pinning via HSTS Phillip Hallam-Baker