Re: [websec] #58: Should we pin only SPKI, or also names

Chris Palmer <palmer@google.com> Thu, 01 August 2013 16:30 UTC

In-Reply-To: <CAMm+LwjdGJC4FHCJ_OAYGRqCGGc0Nz1pLV=yVGK9M9E7drfujQ@mail.gmail.com>
References: <060.be9b0009dc0350ca543f553042673944@trac.tools.ietf.org> <073501ce8c6e$f6c17d90$e44478b0$@digicert.com> <CAMm+LwjdGJC4FHCJ_OAYGRqCGGc0Nz1pLV=yVGK9M9E7drfujQ@mail.gmail.com>
Date: Thu, 01 Aug 2013 09:30:13 -0700
Message-ID: <CAOuvq200e9HnPX1w9sZ+e7ipBmdgZdPL5xzKDgcaDpSxz1N=gg@mail.gmail.com>
From: Chris Palmer <palmer@google.com>
To: Phillip Hallam-Baker <hallam@gmail.com>
Content-Type: text/plain; charset="UTF-8"
Cc: websec <websec@ietf.org>
Subject: Re: [websec] #58: Should we pin only SPKI, or also names

On Mon, Jul 29, 2013 at 9:13 AM, Phillip Hallam-Baker <hallam@gmail.com> wrote:

> If we have a diginotar type situation again (FSM forefend), we want the pins
> to a root to be broken at the same time the root is unloaded, yes?

If the root of a site's cert chain --- really, any signer --- is
blacklisted or even just removed from the trust anchor store, pins and
Pin Validation are irrelevant since the chain won't validate. Pin
Validation happens only *after* all other certificate chain checks are
performed.

> The trust anchor data structures are outside the PKIX model but the browser
> providers do need to track them regardless. I would rather tie pins to the
> actual entity we want to pin to (the CA) rather than attempt pinning to some
> sort of proxy.

Allowing sites to pin to any point in the certificate chain is a
feature, not a bug. However, it will almost always make the most sense
to pin to one or more CAs. Thus, making that easy is a good goal.

> There are CAs that are not represented in CABForum but CABForum is a place
> where we can get a requirement of the form 'every CA must pick a DNS name as
> a unique identifier for their service and report it to the browser
> providers'. And that requirement will quickly become universal.
>
> While we could choose a different string, Paul H.'s argument for using DNS
> names in CAA was a good one and I can't see any advantage to inconsistency.
> It also makes it much easier to make any scheme work with a private CA.

Agreed.
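The ordering Chris describes above (chain validation first, pin validation only afterwards, with pins allowed to match any certificate in the chain) is easy to get wrong in a client implementation. The following is an added illustration, not code from the websec thread or from any browser: certificates are modelled as small records carrying a constructed SubjectPublicKeyInfo byte string, the trust anchor store is a set of SPKI fingerprints, and the "path validation" step is a deliberately minimal issuer-chaining check that stands in for full PKIX validation. The certificate names and SPKI values are constructed for the example.

```python
"""Toy model of HPKP-style pin validation ordering (added example).

Pin validation is reached only after the chain has validated against the
trust anchor store, so removing or blacklisting a root disables the site's
pins at the same moment; no pin check is ever consulted on an invalid chain.
"""
import base64
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    spki: bytes  # constructed stand-in for the DER SubjectPublicKeyInfo


def spki_fingerprint(cert: Cert) -> str:
    """Pin as in RFC 7469: base64(SHA-256(SubjectPublicKeyInfo))."""
    return base64.b64encode(hashlib.sha256(cert.spki).digest()).decode("ascii")


def chain_validates(chain, trust_anchors, blacklist):
    """Minimal stand-in for PKIX path validation.

    The chain is leaf-first; every certificate must be issued by the next one,
    the last certificate's SPKI must be a trust anchor, and no certificate in
    the chain may be blacklisted. Signatures, validity periods and name
    constraints are out of scope for this illustration.
    """
    if not chain:
        return False
    for cert, parent in zip(chain, chain[1:]):
        if cert.issuer != parent.subject:
            return False
    if any(spki_fingerprint(c) in blacklist for c in chain):
        return False
    return spki_fingerprint(chain[-1]) in trust_anchors


def pins_match(chain, pins):
    """Pin validation succeeds if any certificate in the validated chain has an
    SPKI fingerprint in the pin set, so a site may pin its leaf key, its
    issuing CA, or a root; pinning a CA is the common case."""
    return any(spki_fingerprint(c) in pins for c in chain)


def connect(chain, trust_anchors, blacklist, pins):
    """Return 'chain-invalid', 'pin-mismatch' or 'ok'.

    Pins are consulted only after chain validation, never before."""
    if not chain_validates(chain, trust_anchors, blacklist):
        return "chain-invalid"
    if pins and not pins_match(chain, pins):
        return "pin-mismatch"
    return "ok"


# Constructed sample chain: the site pins its issuing CA.
ROOT = Cert("Example Root CA", "Example Root CA", b"constructed-root-spki")
INTER = Cert("Example Issuing CA", "Example Root CA", b"constructed-inter-spki")
LEAF = Cert("www.example.test", "Example Issuing CA", b"constructed-leaf-spki")
CHAIN = [LEAF, INTER, ROOT]
PINS = {spki_fingerprint(INTER)}


def demo():
    """Run the scenarios from the thread and return the outcome of each."""
    trusted = {spki_fingerprint(ROOT)}
    results = {"normal": connect(CHAIN, trusted, set(), PINS)}
    # Root unloaded from the trust store: the chain fails, pins are never reached.
    results["root_removed"] = connect(CHAIN, set(), set(), PINS)
    # Root blacklisted (the DigiNotar scenario): same outcome, same moment.
    results["root_blacklisted"] = connect(CHAIN, trusted, {spki_fingerprint(ROOT)}, PINS)
    # A chain from a different, still-trusted CA validates but misses the pin.
    other_root = Cert("Other Root CA", "Other Root CA", b"constructed-other-root")
    other_inter = Cert("Other Issuing CA", "Other Root CA", b"constructed-other-inter")
    other_leaf = Cert("www.example.test", "Other Issuing CA", b"constructed-other-leaf")
    results["mis_issued"] = connect(
        [other_leaf, other_inter, other_root],
        trusted | {spki_fingerprint(other_root)}, set(), PINS)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:17s} -> {outcome}")
```

The `mis_issued` case is the one pinning exists for: a chain that is perfectly valid under the trust store but was not issued by the pinned CA. The two root cases show why the pin-to-root question in the thread largely answers itself: once the root is gone, the connection fails before pins are evaluated.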