Re: [websec] Certificate Pinning via HSTS
Adam Langley <agl@google.com> Tue, 13 September 2011 11:11 UTC
Return-Path: <agl@google.com>
X-Original-To: websec@ietfa.amsl.com
Delivered-To: websec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 30B3B21F8B11 for <websec@ietfa.amsl.com>; Tue, 13 Sep 2011 04:11:15 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -105.977
X-Spam-Level:
X-Spam-Status: No, score=-105.977 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, RCVD_IN_DNSWL_MED=-4, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id vWK-dQ9c4uRo for <websec@ietfa.amsl.com>; Tue, 13 Sep 2011 04:11:14 -0700 (PDT)
Received: from smtp-out.google.com (smtp-out.google.com [216.239.44.51]) by ietfa.amsl.com (Postfix) with ESMTP id 3D12921F8AFF for <websec@ietf.org>; Tue, 13 Sep 2011 04:11:14 -0700 (PDT)
Received: from hpaq12.eem.corp.google.com (hpaq12.eem.corp.google.com [172.25.149.12]) by smtp-out.google.com with ESMTP id p8DBDHvG016139 for <websec@ietf.org>; Tue, 13 Sep 2011 04:13:18 -0700
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; d=google.com; s=beta; t=1315912398; bh=e9C/Spr5Mp6YZV6tSKoo7C80e6Y=; h=MIME-Version:In-Reply-To:References:Date:Message-ID:Subject:From: To:Cc:Content-Type; b=DbY670yp+8tOb5wC+JoroCazR0sZXRblkdWkuXTCn2yYQK0HwvSjnjFD6UDXN3VRk TPtdi8xilDRHQ6/+Jb94Q==
DomainKey-Signature: a=rsa-sha1; s=beta; d=google.com; c=nofws; q=dns; h=dkim-signature:mime-version:in-reply-to:references:date: message-id:subject:from:to:cc:content-type:x-system-of-record; b=ZWOCaqpk0XtpnKA5jsgjjOeV0obEpEgC3UFXmJ5bO7AHQf88+aphjOjtzojuT39g9 3JA1KMlR/tduJUjG44FDg==
Received: from ywp17 (ywp17.prod.google.com [10.192.16.17]) by hpaq12.eem.corp.google.com with ESMTP id p8DBCkib002149 (version=TLSv1/SSLv3 cipher=RC4-SHA bits=128 verify=NOT) for <websec@ietf.org>; Tue, 13 Sep 2011 04:13:16 -0700
Received: by ywp17 with SMTP id 17so352140ywp.41 for <websec@ietf.org>; Tue, 13 Sep 2011 04:13:16 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=beta; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=S8utOVVVaaDA2PrCDoxXnFKtXUHaYwAI5Ri5N9NDQZE=; b=p7zXCtQyiVdswWNB5S0zvTRWglNyzrjQvi6uIc0kyP/TLFZirwh1hD8wXwWC9c8rI9 ok83Qbit7ORbN/NmUBHA==
Received: by 10.42.28.5 with SMTP id l5mr69235icc.224.1315912396348; Tue, 13 Sep 2011 04:13:16 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.42.28.5 with SMTP id l5mr69229icc.224.1315912396206; Tue, 13 Sep 2011 04:13:16 -0700 (PDT)
Received: by 10.231.19.137 with HTTP; Tue, 13 Sep 2011 04:13:16 -0700 (PDT)
In-Reply-To: <CA94F179.10036%jrn@st-andrews.ac.uk>
References: <86A71F95-AAFF-4A09-853E-3888962C4930@checkpoint.com> <CA94F179.10036%jrn@st-andrews.ac.uk>
Date: Tue, 13 Sep 2011 07:13:16 -0400
Message-ID: <CAL9PXLy6FZsqh=MHnB5ek08MBENJHCm2U8iFfWcu6CME2LGm2w@mail.gmail.com>
From: Adam Langley <agl@google.com>
To: James Nicoll <jrn@st-andrews.ac.uk>
Content-Type: text/plain; charset="UTF-8"
X-System-Of-Record: true
Cc: Chris Evans <cevans@google.com>, "websec@ietf.org" <websec@ietf.org>
Subject: Re: [websec] Certificate Pinning via HSTS
X-BeenThere: websec@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/websec>, <mailto:websec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/websec>
List-Post: <mailto:websec@ietf.org>
List-Help: <mailto:websec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/websec>, <mailto:websec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 13 Sep 2011 11:11:15 -0000
On Tue, Sep 13, 2011 at 6:41 AM, James Nicoll <jrn@st-andrews.ac.uk> wrote: > I was under the impression that this wasn't a good idea, as periodic > replacement of the keys was done incase of an undetected compromise? One typically pins, at least, to a CA which allows a site to rotate its keys without issue so long as they use the same CA. Cheers AGL
- [websec] Certificate Pinning via HSTS Chris Palmer
- Re: [websec] Certificate Pinning via HSTS Richard L. Barnes
- Re: [websec] Certificate Pinning via HSTS SM
- Re: [websec] Certificate Pinning via HSTS =JeffH
- Re: [websec] Certificate Pinning via HSTS Richard L. Barnes
- Re: [websec] Certificate Pinning via HSTS Marsh Ray
- Re: [websec] Certificate Pinning via HSTS Yoav Nir
- Re: [websec] Certificate Pinning via HSTS Adam Langley
- Re: [websec] Certificate Pinning via HSTS James Nicoll
- Re: [websec] Certificate Pinning via HSTS Adam Langley
- Re: [websec] Certificate Pinning via HSTS Tobias Gondrom
- Re: [websec] Certificate Pinning via HSTS Tom Ritter
- Re: [websec] Certificate Pinning via HSTS Daniel Kahn Gillmor
- Re: [websec] Certificate Pinning via HSTS Philip Gladstone
- Re: [websec] Certificate Pinning via HSTS Chris Palmer
- Re: [websec] Certificate Pinning via HSTS Phillip Hallam-Baker
- Re: [websec] Certificate Pinning via HSTS Phillip Hallam-Baker
- Re: [websec] Certificate Pinning via HSTS Chris Palmer
- Re: [websec] Certificate Pinning via HSTS Chris Palmer
- Re: [websec] Certificate Pinning via HSTS Daniel Kahn Gillmor
- Re: [websec] Certificate Pinning via HSTS Phillip Hallam-Baker
- Re: [websec] Certificate Pinning via HSTS Phillip Hallam-Baker
- Re: [websec] Certificate Pinning via HSTS Daniel Kahn Gillmor
- Re: [websec] Certificate Pinning via HSTS Daniel Kahn Gillmor
- Re: [websec] Certificate Pinning via HSTS Phillip Hallam-Baker
- Re: [websec] Certificate Pinning via HSTS Phillip Hallam-Baker
- Re: [websec] Certificate Pinning via HSTS Daniel Kahn Gillmor
- Re: [websec] Certificate Pinning via HSTS Phillip Hallam-Baker