Re: [websec] #58: Should we pin only SPKI, or also names

Yoav Nir <ynir@checkpoint.com> Thu, 08 August 2013 21:08 UTC

From: Yoav Nir <ynir@checkpoint.com>
To: Chris Palmer <palmer@google.com>
Thread-Topic: [websec] #58: Should we pin only SPKI, or also names
Date: Thu, 08 Aug 2013 21:08:03 +0000
Message-ID: <C408BB52-7581-4A18-AEFA-45E38343A404@checkpoint.com>
In-Reply-To: <CAOuvq205dUTiduLC8bNM95qB+Tnv5-Xeg4xZVn80+1DLWoVROA@mail.gmail.com>
Cc: "<websec@ietf.org>" <websec@ietf.org>
Subject: Re: [websec] #58: Should we pin only SPKI, or also names

On Aug 8, 2013, at 11:57 PM, Chris Palmer <palmer@google.com> wrote:

> On Thu, Aug 8, 2013 at 1:42 PM, Yoav Nir <ynir@checkpoint.com> wrote:
> 
>> If you go to https://www.iana.org, you get the following certificate chain:
>> - *.iana.org
>> - Go Daddy Secure Certification Authority
>> - Go Daddy Class 2 Certification Authority
>> 
>> So without any registry, you can pin to "Go Daddy Class 2 Certification Authority". But the next time IANA needs to get a certificate (August 2016), even if they get it from Go Daddy, they might get it from the other root CA ("Go Daddy Root Certificate Authority - G2"), which signs with SHA-256, and who knows, by then they might have a new one, perhaps with ECDSA. As a customer, you talk to a vendor. Most customers don't know which TA is actually going to be used. In some cases (Symantec) there are very many of them.
>> 
>> Someone needs to map "Symantec" to a list of pins, and IMO that someone is neither the IETF nor IANA.
> 
> Insane idea (yes, I know it is insane): What if we chose not to have a
> registry, and let people use substrings of issuer certificate
> CNs/OUs/whatevers as trust anchor set names?

Substring???  RegExp!!  :-)

> Obvious problems:
> 
> * character set encoding in the HTTP header vs. in the X.509
> certificate: Welcome To Fun-Land, Where Fun Is Not Very Fun(TM)
> * silly substrings, like "Go" matching both "...Go Daddy..." and
> "...Google Internet Authority..." and "...Evil Bad People (Goats)..."
> * substitution characters: should "Securite" match "...Sécurité Réseau..." ?
> 
> I'm sure we can all think of more problems…

Sure.

Symantec has done a lot of mergers and acquisitions, including of Verisign, which also did its share of mergers and acquisitions. So that now, Symantec has root CAs with brand names Symantec, Verisign, Thawte, and probably several others that I have forgotten. The chances of misconfiguration and bricking yourself with a new certificate are rather high.

Yoav
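An added example (not part of this thread) that works through the Go Daddy scenario above in Python: SPKI pins as the final HPKP spec (RFC 7469) defines them, the backup-pin rule a UA applies when noting a Public-Key-Pins header, and why a pin set covering only the Class 2 root stops validating once the site is reissued under the G2 root. The SPKI byte strings and the G2 intermediate's name are constructed stand-ins, not real certificate data.

```python
import base64
import hashlib
import re
# Constructed stand-ins for DER SubjectPublicKeyInfo blobs; real pins hash the DER SPKI.
SPKI = {
    "*.iana.org (2013)": b"constructed-spki:iana-leaf-2013",
    "Go Daddy Secure Certification Authority": b"constructed-spki:gd-secure-ca",
    "Go Daddy Class 2 Certification Authority": b"constructed-spki:gd-class2-root",
    "*.iana.org (2016)": b"constructed-spki:iana-leaf-2016",
    "Go Daddy Secure CA (G2, assumed)": b"constructed-spki:gd-secure-ca-g2",
    "Go Daddy Root Certificate Authority - G2": b"constructed-spki:gd-root-g2",
}
CHAIN_2013 = ["*.iana.org (2013)", "Go Daddy Secure Certification Authority",
              "Go Daddy Class 2 Certification Authority"]
CHAIN_2016 = ["*.iana.org (2016)", "Go Daddy Secure CA (G2, assumed)",
              "Go Daddy Root Certificate Authority - G2"]

def pin_sha256(spki_der: bytes) -> str:
    """RFC 7469 pin value: base64(SHA-256(DER SubjectPublicKeyInfo))."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")

def parse_pkp_header(value: str) -> set[str]:
    """Pull the pin-sha256 directives out of a Public-Key-Pins header value."""
    return set(re.findall(r'pin-sha256="([A-Za-z0-9+/=]+)"', value))

def chain_pins(chain: list[str]) -> set[str]:
    return {pin_sha256(SPKI[name]) for name in chain}

def can_note_pins(header: str, chain: list[str]) -> bool:
    """RFC 7469 noting rule: one pin must match the chain and one must be a
    backup pin that matches nothing in the current chain."""
    pins, present = parse_pkp_header(header), chain_pins(chain)
    return bool(pins & present) and bool(pins - present)

def chain_passes(header: str, chain: list[str]) -> bool:
    """Validation on a later connection: some noted pin must match the chain."""
    return bool(parse_pkp_header(header) & chain_pins(chain))

def header_with(*names: str) -> str:
    """Build a Public-Key-Pins value pinning the named certificates' SPKIs."""
    pins = "; ".join(f'pin-sha256="{pin_sha256(SPKI[n])}"' for n in names)
    return f"{pins}; max-age=5184000"

# Pinning only the Class 2 root is refused at noting time (no backup pin), and a
# UA that kept it anyway would hard-fail once the site is reissued under G2.
ROOT_ONLY = header_with("Go Daddy Class 2 Certification Authority")
# Pinning both Go Daddy roots survives the vendor switching its root.
BOTH_ROOTS = header_with("Go Daddy Class 2 Certification Authority",
                         "Go Daddy Root Certificate Authority - G2")
```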