Re: [websec] #58: Should we pin only SPKI, or also names

Yoav Nir <ynir@checkpoint.com> Thu, 08 August 2013 06:09 UTC

From: Yoav Nir <ynir@checkpoint.com>
To: websec <websec@ietf.org>
Thread-Topic: [websec] #58: Should we pin only SPKI, or also names
Date: Thu, 08 Aug 2013 06:08:53 +0000
Message-ID: <09644FE8-F979-4604-BC58-6622A632ECE3@checkpoint.com>
In-Reply-To: <CAGZ8ZG3hmQL4+Jnt-vA7OU=tVpGJ9JXE2eR+Pwr=cyLDg7HfYw@mail.gmail.com>

On Aug 8, 2013, at 6:38 AM, Trevor Perrin <trevp@trevp.net> wrote:

> On Wed, Aug 7, 2013 at 8:53 AM, Yoav Nir <ynir@checkpoint.com> wrote:
>> 
>> On Aug 7, 2013, at 1:14 PM, Trevor Perrin <trevp@trevp.net> wrote:
>>> 
>>> Only CAs which had "opted-in" and provided the requisite info to
>>> browsers would be in the table.
>> 
>> I'm only wondering where I get a copy of that table and who maintains it.
> 
> CAs and Browsers would have to work that out.  I don't know what their
> preferred coordination method would be.

Yes. But they haven't so far. Since it's something that the CAs and browsers should work out, the obvious candidate organization is the CA/Browser Forum. However, that organization contains neither all CAs nor all browsers. It's easy to think that the set of browsers is {Chrome, IE, Firefox, Safari, Opera}, but there are dozens more. Relying on each one of them (including the small ones) getting information about labels from all CAs doesn't scale. Even more, the web server administrators need access to that list of labels and what it means.

So I suggest we don't include this now. Instead, we make sure that whatever the result of #60 is, HPKP is extensible. Later, when/if the CA/BF can get us a stable link to a list of labels, we can do a quick update document and add it then.

Objections?

Yoav
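As an added illustration of the extensibility point above (this is example code written for this page, not code from the thread or from any HPKP implementation): a minimal Public-Key-Pins header parser that keeps the SPKI pins and known directives, collects unknown directives such as the hypothetical `ca-label` instead of rejecting them, and checks a served chain against the pins. The header value, the SPKI byte strings and the `ca-label` directive are all constructed for the example.

```python
import base64
import hashlib


def spki_pin(spki_der: bytes) -> str:
    """pin-sha256 value: base64 of the SHA-256 digest of the DER SubjectPublicKeyInfo."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")


# Constructed stand-ins for DER-encoded SPKI blobs (not real keys).
CURRENT_SPKI = b"constructed-spki-der-bytes-current-key"
BACKUP_SPKI = b"constructed-spki-der-bytes-backup-key"

# Constructed header value. "ca-label" is a hypothetical future directive
# standing in for the CA-label idea discussed in the thread.
SAMPLE_HEADER = (
    f'max-age=5184000; includeSubDomains; pin-sha256="{spki_pin(CURRENT_SPKI)}"; '
    f'pin-sha256="{spki_pin(BACKUP_SPKI)}"; ca-label="example-ca"'
)


def parse_hpkp(value: str) -> dict:
    """Parse a Public-Key-Pins value; unrecognized directives are recorded, not fatal."""
    policy = {"pins": [], "max_age": None, "include_subdomains": False, "unknown": []}
    for directive in value.split(";"):
        directive = directive.strip()
        if not directive:
            continue
        name, _, raw = directive.partition("=")
        name = name.strip().lower()
        val = raw.strip().strip('"')
        if name == "pin-sha256":
            policy["pins"].append(val)
        elif name == "max-age":
            policy["max_age"] = int(val)
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
        else:
            policy["unknown"].append(name)  # extensibility: ignore, don't reject
    return policy


def chain_matches(policy: dict, chain_spkis: list) -> bool:
    """Pin validation: at least one SPKI in the served chain must match a pin."""
    return any(spki_pin(s) in policy["pins"] for s in chain_spkis)


def has_backup_pin(policy: dict, chain_spkis: list) -> bool:
    """RFC 7469 only lets a UA note a policy that carries a pin absent from the chain."""
    chain_pins = {spki_pin(s) for s in chain_spkis}
    return any(p not in chain_pins for p in policy["pins"])
```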