[websec] Issue 56 - specify includeSubDomains for key pinning

"Ryan Sleevi" <ryan-ietfhasmat@sleevi.com> Tue, 05 March 2013 00:58 UTC

Message-ID: <7c236f42fda755021433a4fd0ee04721.squirrel@webmail.dreamhost.com>
Date: Mon, 4 Mar 2013 16:58:14 -0800
From: "Ryan Sleevi" <ryan-ietfhasmat@sleevi.com>
To: websec@ietf.org
Subject: [websec] Issue 56 - specify includeSubDomains for key pinning

With Key Pinning being split out from HTTP Strict Transport Security, one
aspect that was lost was the includeSubDomains directive. This was raised
as Issue 56 - http://trac.tools.ietf.org/wg/websec/trac/ticket/56 -
against draft-03.

draft-04 introduces the same directive, and with the same semantics, in
Section 2.1.2 -
http://tools.ietf.org/html/draft-ietf-websec-key-pinning-04#section-2.1.2

Is the added language acceptable? Are there any concerns with the
validation/processing model that would prevent us from closing out this
issue?