[websec] Some issues with key-pinning

Yoav Nir <ynir@checkpoint.com> Mon, 18 March 2013 04:21 UTC

Return-Path: <ynir@checkpoint.com>
X-Original-To: websec@ietfa.amsl.com
Delivered-To: websec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B1B7E21F8935 for <websec@ietfa.amsl.com>; Sun, 17 Mar 2013 21:21:21 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -10.375
X-Spam-Level:
X-Spam-Status: No, score=-10.375 tagged_above=-999 required=5 tests=[AWL=0.223, BAYES_00=-2.599, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-8]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id qVnfkkVtoBAb for <websec@ietfa.amsl.com>; Sun, 17 Mar 2013 21:21:20 -0700 (PDT)
Received: from smtp.checkpoint.com (smtp.checkpoint.com [194.29.34.68]) by ietfa.amsl.com (Postfix) with ESMTP id EE57021F8925 for <websec@ietf.org>; Sun, 17 Mar 2013 21:21:19 -0700 (PDT)
Received: from DAG-EX10.ad.checkpoint.com ([194.29.34.150]) by smtp.checkpoint.com (8.13.8/8.13.8) with ESMTP id r2I4LEed004475 for <websec@ietf.org>; Mon, 18 Mar 2013 06:21:14 +0200
X-CheckPoint: {51469529-0-1B221DC2-2FFFF}
Received: from IL-EX10.ad.checkpoint.com ([169.254.2.54]) by DAG-EX10.ad.checkpoint.com ([169.254.3.48]) with mapi id 14.02.0342.003; Mon, 18 Mar 2013 06:21:14 +0200
From: Yoav Nir <ynir@checkpoint.com>
To: IETF WebSec WG <websec@ietf.org>
Thread-Topic: Some issues with key-pinning
Thread-Index: AQHOI5AGjmneSZSsgkm5XHxWc8tUNw==
Date: Mon, 18 Mar 2013 04:21:13 +0000
Message-ID: <F9AF3988-2F43-4527-8AB3-615D693C998C@checkpoint.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [172.31.21.240]
x-kse-antivirus-interceptor-info: scan successful
x-kse-antivirus-info: Clean
Content-Type: multipart/alternative; boundary="_000_F9AF39882F4345278AB3615D693C998Ccheckpointcom_"
MIME-Version: 1.0
Subject: [websec] Some issues with key-pinning
X-BeenThere: websec@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/websec>, <mailto:websec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/websec>
List-Post: <mailto:websec@ietf.org>
List-Help: <mailto:websec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/websec>, <mailto:websec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 18 Mar 2013 04:21:21 -0000

Hi

I have reviewed this draft, and here are some comments.

Section 2.1 last paragraph says that the hash function MUST be sha1 or sha256. This is weird. First it provides no algorithm agility, so adding support for, say, SHA-3 would require a document that updates this one (section 2.4 says so explicitly). Second, SHA2-256 is slower on 64-bit platforms than SHA2-512, so right now some may prefer it. Third, in various locales, some other hash function might be required, such as GOST-34.311-95. I would much prefer that we referred to a registry of hash names ( perhaps this one<http://www.iana.org/assignments/hash-function-text-names/hash-function-text-names.xml> ), and allow anything from there (notably, it doesn't solve the GOST issue). There should be implementation advice advising support of SHA-1 and SHA-256, perhaps even calling them "mandatory to implement", but I don't think we need to require a new spec for updating a list of algorithms. It might also be good to advise on using the same hash algorithm that is used in the signature of the certificate, as the client would be sure to be able to calculate the hash function (or it wouldn't be able to verify the certificate signature.

Some of the mandates in section 2 are mixed up. Section 2.2.1 second sentence has "… UAs MUST treat the host …" - clearly a UA mandate. But this is part of section 2.2 ("Server Processing Model").  UA mandates should be somewhere under section 2.3 ("User Agent Processing Model"). Some cleaning up is needed there.

Section 2.6 requires the same no-error-or-block behavior here as in HSTS. I wonder if we need this level of strictness, or whether requiring this only for errors involving the verification of pins. IOW, should this document require that expired certificates cause a block, when such policy can and should be communicated via HSTS?

Section 2.8 is about pinning self-signed (or self-issued) certificates. Should mention DANE (RFC 6698) type 2 or 3, because those are a more trust-worthy case than normal self-signed or self-issued certificates.

Section 4 (security considerations) should have something about why it's wrong to use this header without HSTS. 3rd paragraph of section 1 says that using them together is intended, so we should explain why.

Section 5: yes, there are actions for IANA, as they allocate HTTP headers (other than X-something).  See the text from draft -14 of HSTS:

15<http://tools.ietf.org/html/draft-ietf-websec-strict-transport-sec-14#section-15>15>.  IANA Considerations


   Below is the Internet Assigned Numbers Authority (IANA) Permanent
   Message Header Field registration information per [RFC3864<http://tools.ietf.org/html/rfc3864>]4>].

     Header field name:           Strict-Transport-Security
     Applicable protocol:         HTTP
     Status:                      standard
     Author/Change controller:    IETF
     Specification document(s):   this one


A more structural note: The introduction looks a little thin to me. The draft dives into syntax in section 2 before the reader has any idea:

  *   When and why you should want to add this header to your web server responses. What is this defending against
  *   Why you would want to pin an end-entity key, and alternatively why you would want to ping something higher up the chain
  *   What does it mean when there are multiple pins. AND? OR?

The third question is answered later in the draft, but I think this information should go in the introduction.


And one nit:

  *   The upper-case SHOULD in the introduction seems inappropriate. RFC 2119 labels SHOULD (not sure this is even a pun) be used for cases of interoperability or for preventing harm. Here, the use is the simple English "should", and doesn't mandate anything at all, so it ought to be lower-case:
"We propose a new HTTP header to enable a web host to express to user agents (UAs) which Subject Public Key Info (SPKI) structure(s) UAs *should* expect to be present in the host's certificate chain in future connections using TLS (see [RFC5246]).

Note: this review is with no hats. It is not part of some last-call process. Please treat this as any other review on the list.

Yoav