Re: [websec] #56: Specify includeSubdomains directive for HPKP

Chris Palmer <palmer@google.com> Mon, 10 December 2012 19:20 UTC

Return-Path: <palmer@google.com>
X-Original-To: websec@ietfa.amsl.com
Delivered-To: websec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7B47121F85D5 for <websec@ietfa.amsl.com>; Mon, 10 Dec 2012 11:20:53 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.977
X-Spam-Level:
X-Spam-Status: No, score=-102.977 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, RCVD_IN_DNSWL_LOW=-1, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id lA4V+qc+V-F2 for <websec@ietfa.amsl.com>; Mon, 10 Dec 2012 11:20:52 -0800 (PST)
Received: from mail-ea0-f172.google.com (mail-ea0-f172.google.com [209.85.215.172]) by ietfa.amsl.com (Postfix) with ESMTP id 28F2221F85AA for <websec@ietf.org>; Mon, 10 Dec 2012 11:20:50 -0800 (PST)
Received: by mail-ea0-f172.google.com with SMTP id a1so1324494eaa.31 for <websec@ietf.org>; Mon, 10 Dec 2012 11:20:50 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=NPv6yREkyJHTTa3rrvDxhCCQ4E/zik3agG103Ts3ReA=; b=RKC/lyLQXx0xv5tSz0HQWmKlgTVKqXMUZR0cneLLj7Bca9a0xw4wrjm6rHtwe8PC/j tOirDV5HCCh6CPsU0i/uPzQwF4Kjw8VakOt8vbkvv3hGeObEnc5+AMqdNw9IlFNMm0QZ Y/+2WpW8PonjGB5cVqAHayv2kz000uwG8QASu2CJ6Ni29SmlI2Y1y+q84HxMMy0HDylU sm4wGVVT4BN/VVVS6SnVSGWuxcbgeNl8IyKRptWS2pSR2/SFmwO63xOQIlBl4W06dBeq hPXeY2sDSq/Ck8xNZeSAoCfPh7qWPiY5j+vgnRjqH4jahzkDJMd6vlM3pjecAY/U7poq VOLg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type:x-gm-message-state; bh=NPv6yREkyJHTTa3rrvDxhCCQ4E/zik3agG103Ts3ReA=; b=JjgkR0KlkC5TbQgdEo4qeccRrubcUYl+zO0p3ehktsPIuCEQ5KeocqMD9irl2ppo1m izeMtqDvlcxkyZyBdS3WwVQvmXTXb5fq+AWiurjm7sSELr6S7aXI1PS8YwkaTGM2m6oq Vns2cvG7AVHHk77FPUcW1JyGENvXA+cL7X4MWLytLUN2zEC2fagl1Piyot+N1qU7vuNN 9A+mRs1oB3x/5EIacbsKOoVQocGDej0t+dnglCPicaW1LtjgoAYxetJU3PcAtkGQBmVx xSbVdTvFZjyDoexhtEaUBN+m3Mg4h3x98Gm21nL+BeB62nUJmn8jdnFz5mQmjay3CSgk qFcw==
MIME-Version: 1.0
Received: by 10.14.174.198 with SMTP id x46mr52660633eel.23.1355167250262; Mon, 10 Dec 2012 11:20:50 -0800 (PST)
Received: by 10.223.157.143 with HTTP; Mon, 10 Dec 2012 11:20:50 -0800 (PST)
In-Reply-To: <727f8e6f1f34de7a08381f04a1f076fc.squirrel@webmail.dreamhost.com>
References: <058.f40b082eeef2f8676dd01f9fbb11ca5b@trac.tools.ietf.org> <073.d40b91d81cbf3caf09f91a3f886f6120@trac.tools.ietf.org> <CAOuvq21_v1Povw32R=qu5okz7RNxYjbavduuAfKWX5cNRyiTrg@mail.gmail.com> <4613980CFC78314ABFD7F85CC30277210EDD6872@IL-EX10.ad.checkpoint.com> <727f8e6f1f34de7a08381f04a1f076fc.squirrel@webmail.dreamhost.com>
Date: Mon, 10 Dec 2012 11:20:50 -0800
Message-ID: <CAOuvq21MRuNEcv=dnQq5hTA3KejP0kYXgMvzBC+MmTUr6bTa-A@mail.gmail.com>
From: Chris Palmer <palmer@google.com>
To: ryan-ietfhasmat@sleevi.com
Content-Type: text/plain; charset="UTF-8"
X-Gm-Message-State: ALoCoQmNwgKo2UVZfOEIJP9qcZphRmln0JhxWdL2/qLpSOXJ2AfDiCEO8Y6SXr2voA4ubwF+CbeS2+pFRHw8KskQ7/Ognm5nR4pHDOWReGjSyT+P8dDnMfiLXh83GkcZmoY+jbmXR6xqD4G8uH4xz8W0DvBySRkQX5Gz3Js1b4tLnFYubh1rL0D3JqSKqEQGIGwkzpBsEmN7
Cc: websec@ietf.org
Subject: Re: [websec] #56: Specify includeSubdomains directive for HPKP
X-BeenThere: websec@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/websec>, <mailto:websec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/websec>
List-Post: <mailto:websec@ietf.org>
List-Help: <mailto:websec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/websec>, <mailto:websec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 10 Dec 2012 19:20:53 -0000

On Fri, Dec 7, 2012 at 9:58 PM, Ryan Sleevi <ryan-ietfhasmat@sleevi.com> wrote:

> So, let's say the workflow is:
> You first visit "google.com" (or, through whatever U-A specific means
> exist, you have a pre-loaded pin for "google.com").
> It has a PKP directive that asserts Pin(A) and Pin(B), along with
> includeSubDomains.
> The validated cert chain contains Pin(A), so the PKP is accepted, and
> google.com (and all of its subdomains through all levels) are set to
> Pin(A) and Pin(B)
>
> You now visit www.google.com
>
> IF www.google.com is not valid for Pin(A), fail the connection. That is
> the only acceptable path.

Quick clarification: Pin(B) would also be acceptable.