Re: [websec] #58: Should we pin only SPKI, or also names
Gervase Markham <gerv@mozilla.org> Mon, 12 August 2013 10:05 UTC
Return-Path: <gerv@mozilla.org>
X-Original-To: websec@ietfa.amsl.com
Delivered-To: websec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id EEDD111E8156 for <websec@ietfa.amsl.com>; Mon, 12 Aug 2013 03:05:30 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.177
X-Spam-Level:
X-Spam-Status: No, score=-2.177 tagged_above=-999 required=5 tests=[AWL=-0.500, BAYES_00=-2.599, HELO_MISMATCH_ORG=0.611, HOST_MISMATCH_COM=0.311, J_BACKHAIR_23=1, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id oc-eCk6MAMnG for <websec@ietfa.amsl.com>; Mon, 12 Aug 2013 03:05:24 -0700 (PDT)
Received: from smtp.mozilla.org (mx2.corp.phx1.mozilla.com [63.245.216.70]) by ietfa.amsl.com (Postfix) with ESMTP id D820711E80F6 for <websec@ietf.org>; Mon, 12 Aug 2013 01:17:58 -0700 (PDT)
Received: from [192.168.0.101] (93.243.187.81.in-addr.arpa [81.187.243.93]) (Authenticated sender: gerv@mozilla.org) by mx2.mail.corp.phx1.mozilla.com (Postfix) with ESMTPSA id 8FADAF22FA; Mon, 12 Aug 2013 01:17:57 -0700 (PDT)
Message-ID: <52089A35.9040103@mozilla.org>
Date: Mon, 12 Aug 2013 09:17:57 +0100
From: Gervase Markham <gerv@mozilla.org>
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:17.0) Gecko/20130620 Thunderbird/17.0.7
MIME-Version: 1.0
To: Trevor Perrin <trevp@trevp.net>
References: <060.be9b0009dc0350ca543f553042673944@trac.tools.ietf.org> <073501ce8c6e$f6c17d90$e44478b0$@digicert.com> <CAMm+LwjdGJC4FHCJ_OAYGRqCGGc0Nz1pLV=yVGK9M9E7drfujQ@mail.gmail.com> <CAOuvq200e9HnPX1w9sZ+e7ipBmdgZdPL5xzKDgcaDpSxz1N=gg@mail.gmail.com> <CAMm+Lwh384YBMXw-BDoxJw+AN4qv8x6GQpF9YK4PW1gQRnadpg@mail.gmail.com> <6125A841-6C85-4858-B37F-C021067F0CFA@checkpoint.com> <2035FF99-A079-4F2F-B4DE-962FE1C1B964@checkpoint.com> <CAOuvq20O9bqHGR-5eKPmasNnWEuNW7ACL7PxM09yoTmmyt1UUg@mail.gmail.com> <CAGZ8ZG2C4uB=4vgH325TWeNW89ne4E_DN0j9ZV0t2AKa1o+x9g@mail.gmail.com>
In-Reply-To: <CAGZ8ZG2C4uB=4vgH325TWeNW89ne4E_DN0j9ZV0t2AKa1o+x9g@mail.gmail.com>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: 7bit
Cc: websec <websec@ietf.org>
Subject: Re: [websec] #58: Should we pin only SPKI, or also names
X-BeenThere: websec@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/websec>, <mailto:websec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/websec>
List-Post: <mailto:websec@ietf.org>
List-Help: <mailto:websec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/websec>, <mailto:websec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 12 Aug 2013 10:05:43 -0000
On 11/08/13 05:25, Trevor Perrin wrote: > Could we just say: > - The holder of a domain name is responsible for specifying the SPKIs > that it maps to. > - How the domain holder communicates this to the UA is out of scope. In other words "Don't set up a registry; just punt the problem and hope something works itself out organically"? > So it seems best to separate this from HPKP, and advance HPKP now in a > way that lets us experiment with named pinning. The hard work of > building a scaleable system for CA<->key mapping can be postponed > until it's necessary and we have a better understanding of > requirements. I think there will be problems with people not being protected who expect to be, if you allow this sort of pinning into the spec but leave entirely undefined the mechanisms for communicating what it actually should mean when someone pins to a name. Gerv
- [websec] #58: Should we pin only SPKI, or also na… websec issue tracker
- Re: [websec] #58: Should we pin only SPKI, or als… Jeremy Rowley
- Re: [websec] #58: Should we pin only SPKI, or als… Phillip Hallam-Baker
- Re: [websec] #58: Should we pin only SPKI, or als… Chris Palmer
- Re: [websec] #58: Should we pin only SPKI, or als… Phillip Hallam-Baker
- Re: [websec] #58: Should we pin only SPKI, or als… Yoav Nir
- Re: [websec] #58: Should we pin only SPKI, or als… Gervase Markham
- Re: [websec] #58: Should we pin only SPKI, or als… Yoav Nir
- Re: [websec] #58: Should we pin only SPKI, or als… Gervase Markham
- Re: [websec] #58: Should we pin only SPKI, or als… Trevor Perrin
- Re: [websec] #58: Should we pin only SPKI, or als… Trevor Perrin
- Re: [websec] #58: Should we pin only SPKI, or als… Gervase Markham
- Re: [websec] #58: Should we pin only SPKI, or als… Trevor Perrin
- Re: [websec] #58: Should we pin only SPKI, or als… Gervase Markham
- Re: [websec] #58: Should we pin only SPKI, or als… Trevor Perrin
- Re: [websec] #58: Should we pin only SPKI, or als… Gervase Markham
- Re: [websec] #58: Should we pin only SPKI, or als… Jeremy Rowley
- Re: [websec] #58: Should we pin only SPKI, or als… Gervase Markham
- Re: [websec] #58: Should we pin only SPKI, or als… Jeremy Rowley
- Re: [websec] #58: Should we pin only SPKI, or als… Yoav Nir
- Re: [websec] #58: Should we pin only SPKI, or als… Trevor Perrin
- Re: [websec] #58: Should we pin only SPKI, or als… Yoav Nir
- Re: [websec] #58: Should we pin only SPKI, or als… Tobias Gondrom
- Re: [websec] #58: Should we pin only SPKI, or als… Chris Palmer
- Re: [websec] #58: Should we pin only SPKI, or als… Chris Palmer
- Re: [websec] #58: Should we pin only SPKI, or als… Yoav Nir
- Re: [websec] #58: Should we pin only SPKI, or als… Chris Palmer
- Re: [websec] #58: Should we pin only SPKI, or als… Chris Palmer
- Re: [websec] #58: Should we pin only SPKI, or als… Yoav Nir
- Re: [websec] #58: Should we pin only SPKI, or als… Tobias Gondrom
- Re: [websec] #58: Should we pin only SPKI, or als… Gervase Markham
- Re: [websec] #58: Should we pin only SPKI, or als… Phillip Hallam-Baker
- Re: [websec] #58: Should we pin only SPKI, or als… Trevor Perrin
- Re: [websec] #58: Should we pin only SPKI, or als… Tobias Gondrom
- Re: [websec] #58: Should we pin only SPKI, or als… Trevor Perrin
- Re: [websec] #58: Should we pin only SPKI, or als… Tobias Gondrom
- Re: [websec] #58: Should we pin only SPKI, or als… Trevor Perrin
- Re: [websec] #58: Should we pin only SPKI, or als… Yoav Nir
- Re: [websec] #58: Should we pin only SPKI, or als… Trevor Perrin
- Re: [websec] #58: Should we pin only SPKI, or als… Yoav Nir
- Re: [websec] #58: Should we pin only SPKI, or als… Trevor Perrin
- Re: [websec] #58: Should we pin only SPKI, or als… Yoav Nir
- Re: [websec] #58: Should we pin only SPKI, or als… Trevor Perrin
- Re: [websec] #58: Should we pin only SPKI, or als… Gervase Markham
- Re: [websec] #58: Should we pin only SPKI, or als… Trevor Perrin
- Re: [websec] #58: Should we pin only SPKI, or als… Gervase Markham
- Re: [websec] #58: Should we pin only SPKI, or als… Yoav Nir
- Re: [websec] #58: Should we pin only SPKI, or als… Jeremy Rowley
- Re: [websec] #58: Should we pin only SPKI, or als… Jeremy Rowley
- Re: [websec] #58: Should we pin only SPKI, or als… Rob Stradling
- Re: [websec] #58: Should we pin only SPKI, or als… Ryan Sleevi
- Re: [websec] #58: Should we pin only SPKI, or als… Trevor Perrin
- Re: [websec] #58: Should we pin only SPKI, or als… Jeremy Rowley
- Re: [websec] #58: Should we pin only SPKI, or als… Trevor Perrin
- Re: [websec] #58: Should we pin only SPKI, or als… Trevor Perrin
- Re: [websec] #58: Should we pin only SPKI, or als… Gervase Markham
- Re: [websec] #58: Should we pin only SPKI, or als… Trevor Perrin
- Re: [websec] #58: Should we pin only SPKI, or als… Yoav Nir
- Re: [websec] #58: Should we pin only SPKI, or als… Gervase Markham
- Re: [websec] #58: Should we pin only SPKI, or als… Trevor Perrin
- Re: [websec] #58: Should we pin only SPKI, or als… Gervase Markham
- Re: [websec] #58: Should we pin only SPKI, or als… Trevor Perrin
- Re: [websec] #58: Should we pin only SPKI, or als… Trevor Perrin
- Re: [websec] #58: Should we pin only SPKI, or als… Yoav Nir
- Re: [websec] #58: Should we pin only SPKI, or als… Tobias Gondrom
- Re: [websec] #58: Should we pin only SPKI, or als… Yoav Nir
- Re: [websec] #58: Should we pin only SPKI, or als… Ryan Sleevi
- Re: [websec] #58: Should we pin only SPKI, or als… websec issue tracker