Re: [websec] Gen-art LC review of draft-ietf-websec-key-pinning-19

Elwyn Davies <elwynd@dial.pipex.com> Sat, 30 August 2014 18:43 UTC

To: Chris Palmer <palmer@google.com>
Archived-At: http://mailarchive.ietf.org/arch/msg/websec/sPbcZCxslktOoOuKAep2hu4itbs
Cc: draft-ietf-websec-key-pinning.all@tools.ietf.org, General area reviewing team <gen-art@ietf.org>, IETF WebSec WG <websec@ietf.org>

Hi, Chris.

A couple of remaining points and a couple of nits/queries in the fixes.

I have deleted the items that we are agreed on below and added comments 
in line.

New nits:
s2.6, next to last para: s/previous/previously/

s4, last para:
> and indeed MUST pin to issuers not in the chain

Is this a requirements MUST?  The protocol will be quite happy and 
implementers can't (at least I don't think they can) check if the host 
leaves it out.  This is operational advice (admittedly highly relevant) 
but still advice I think.

On 25/08/14 21:23, Chris Palmer wrote:
> On Mon, Aug 11, 2014 at 8:08 AM, Elwyn Davies <elwynd@dial.pipex.com> wrote:
>
<<snip>>

>> Ok.  Accepting that the host is expected normally to send the headers on all
>> responses, when SHOULD it not send the headers? (from the previous comments
>> a server that knows it is not multiplexed might be a candidate - or if it
>> knows it has already responded on this connection?)
>
> I think it's easiest and simplest for servers to simply always send the headers.
>

Having thought about this a bit, I don't think this text fully reflects 
what is going on in the server.  If I understand correctly, we have:
- Server has a policy that it wants to be pinned if it can be 
(presumably this ought to be configurable in the server).
- When a client sends a request over a new secure connection and the 
policy says 'be pinned', the server sends back pinning header(s) in the 
response.
- Thereafter, it MAY for simplicity send pinning headers in all 
subsequent responses on the connection. Alternatively it can do 
something intelligent and not bother sending the headers if it is the 
same connection - but of course this probably means a layer violation.

Thought: Does it make any difference if the client doesn't accept the 
pin? Should success or failure be logged?  Should the host always keep 
sending the headers if the client didn't accept the pin on the first
exchange (is this a possible symptom of a MITM?)?

Suggestion:
OLD:
2.2.1.  HTTP-over-Secure-Transport Request Type

    When replying to an HTTP request that was conveyed over a secure
    transport, a Pinned Host SHOULD include in its response exactly one
    PKP header field, exactly one PKP-RO header field, or one of each.

NEW:
2.2.1.  HTTP-over-Secure-Transport Request Type

    If a host has a policy of becoming a Pinned Host whenever possible,
    then on replying to an initial HTTP request that was conveyed over a
    secure transport, a host intending to become a Pinned Host includes in
    its response exactly one PKP header field, exactly one PKP-RO header
    field, or one of each.  The host MAY include the same header(s)
    with any subsequent responses using the same connection.


<<snip>>

>>>>> Also there may be some of the questions in s8.3.1 of RFC 7231 that need
>>>>> specific answers.
>>
>> There are still some of the questions that ought to be explicitly answered.
>
> To me, the only questions that might not have obvious answers are:
>
>     o  Whether the header field is useful or allowable in trailers (see
>        Section 4.1 of [RFC7230]).
>
> Surely not? For the same reason we don't want it in meta http-equiv.
>
>     o  Whether the header field ought to be preserved across redirects.
>
> Surely not?
>
> Any others?

The point was that I guess you ought to explicitly say "not" in each case.

>
<<snip>>

> Changes visible at
> https://code.google.com/p/key-pinning-draft/source/list. I won't push
> a version 21 until I've gone through the rest of the incoming email.
>
> Thank you!
>
Cheers,
Elwyn
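
The two server behaviours discussed in this message (pin headers on every secure response, or only on the first response of a connection), sketched as an added example; it is not code from the draft, its authors or this thread. The full field names and directive syntax are those of RFC 7469 as later published; the policy dict, `conn_state`, the `send` switch and the SPKI bytes are hypothetical, constructed for illustration.

```python
import base64
import hashlib

# Field names as published in RFC 7469 (the thread abbreviates them PKP / PKP-RO).
PKP, PKP_RO = "Public-Key-Pins", "Public-Key-Pins-Report-Only"

def pin_directive(spki_der: bytes) -> str:
    """pin-sha256 directive: base64 of SHA-256 over the DER SubjectPublicKeyInfo."""
    digest = hashlib.sha256(spki_der).digest()
    return 'pin-sha256="%s"' % base64.b64encode(digest).decode("ascii")

def build_value(spkis, max_age):
    """Join one pin directive per key with the max-age directive."""
    return "; ".join([pin_directive(s) for s in spkis] + ["max-age=%d" % max_age])

def pinning_headers(policy, secure, conn_state, send="always"):
    """Return the (name, value) pin headers to add to one response.

    policy:     {"enforce": value or None, "report_only": value or None}
    secure:     True if the request arrived over a secure transport
    conn_state: per-connection dict; only consulted when send == "first"
    """
    if not secure:
        return []                       # pins are never emitted over plain HTTP
    if send == "first":
        if conn_state.get("pins_sent"):
            return []                   # already sent on this connection
        # The HTTP layer now depends on transport-level state: the layer
        # violation mentioned in the message.
        conn_state["pins_sent"] = True
    out = []
    if policy.get("enforce"):
        out.append((PKP, policy["enforce"]))
    if policy.get("report_only"):
        out.append((PKP_RO, policy["report_only"]))
    return out                          # at most one of each field

# Constructed sample: placeholder bytes stand in for real DER-encoded SPKIs
# (one live key and one backup key).
LIVE_SPKI, BACKUP_SPKI = b"constructed-live-spki", b"constructed-backup-spki"
POLICY = {"enforce": build_value([LIVE_SPKI, BACKUP_SPKI], 5184000),
          "report_only": None}

def simulate(send, requests=3):
    """Count pin headers emitted on each of `requests` responses of one connection."""
    conn = {}
    return [len(pinning_headers(POLICY, True, conn, send)) for _ in range(requests)]

if __name__ == "__main__":
    print("always:", simulate("always"))
    print("first: ", simulate("first"))
```

The "always" mode needs no connection state at all, which is the simplicity argument made in the quoted reply.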