Re: [websec] #58: Should we pin only SPKI, or also names

"Jeremy Rowley" <jeremy.rowley@digicert.com> Wed, 07 August 2013 13:25 UTC

For pinning to a specific CA, the end user doesn't care which root they are
trusting.  They are indicating trust in an entire PKI.  In this case, I
think they expect the set of certificates to change, but have delegated this
trust to a set entity.  This is important for two reasons: 1) CAs can partly
mitigate the "too big to fail" routinely cited as a major weakness in the
industry by limiting the number of certs signed to each intermediate/root and
2) enterprises utilizing a completely managed PKI solution can gain the
benefits of pinning, increasing the potential for adoption and use of
pinning.  

Jeremy

-----Original Message-----
From: websec-bounces@ietf.org [mailto:websec-bounces@ietf.org] On Behalf Of
Gervase Markham
Sent: Wednesday, August 07, 2013 6:11 AM
To: Trevor Perrin
Cc: websec
Subject: Re: [websec] #58: Should we pin only SPKI, or also names

On 07/08/13 12:12, Trevor Perrin wrote:
> Hmm..  Not sure what you mean, specifically.

I mean, I think people who want to use pinning will expect the set of
certificates (and associated security practices) they are pinning to not to
change under their feet. This scheme means that they will. They might also
expect to define a pin and have it work everywhere HPKP is supported, in
exactly the same way. This scheme (due to client version skew) means that
it may not.

Gerv