IETF Logo Mail Archive

Re: [websec] Certificate Pinning via HSTS

=JeffH <Jeff.Hodges@KingsMountain.com> Tue, 13 September 2011 01:40 UTC

Return-Path: <Jeff.Hodges@KingsMountain.com>
X-Original-To: websec@ietfa.amsl.com
Delivered-To: websec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7120121F8C94 for <websec@ietfa.amsl.com>; Mon, 12 Sep 2011 18:40:40 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -100.652
X-Spam-Level:
X-Spam-Status: No, score=-100.652 tagged_above=-999 required=5 tests=[AWL=-0.157, BAYES_00=-2.599, FH_RELAY_NODNS=1.451, HELO_MISMATCH_COM=0.553, RDNS_NONE=0.1, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id CUTd9bmU5eIu for <websec@ietfa.amsl.com>; Mon, 12 Sep 2011 18:40:39 -0700 (PDT)
Received: from oproxy3-pub.bluehost.com (oproxy3.bluehost.com [IPv6:2605:dc00:100:2::a3]) by ietfa.amsl.com (Postfix) with SMTP id BD1B921F8C92 for <websec@ietf.org>; Mon, 12 Sep 2011 18:40:39 -0700 (PDT)
Received: (qmail 27633 invoked by uid 0); 13 Sep 2011 01:42:44 -0000
Received: from unknown (HELO box514.bluehost.com) (74.220.219.114) by oproxy3.bluehost.com with SMTP; 13 Sep 2011 01:42:44 -0000
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=kingsmountain.com; s=default; h=Content-Transfer-Encoding:Content-Type:Subject:To:MIME-Version:From:Date:Message-ID; bh=+7Ay+hPe93KnBY3CboIXTnNmh/Di4v6XmHJVKQeacVs=; b=jaSCbe97jnMxLGUQYGcAgLg1l4Y4v2902Y0MeskaEieDzJaRz9fQ3zwt2IG/fXQe/OYqhHm1Q7wM6JPjks4jhBmJghHZ4ZwkCEMiM0vQbXEslL4C0V4ubHhu8EB5dIT7;
Received: from c-24-4-122-173.hsd1.ca.comcast.net ([24.4.122.173] helo=[192.168.11.10]) by box514.bluehost.com with esmtpsa (TLSv1:AES256-SHA:256) (Exim 4.76) (envelope-from <Jeff.Hodges@KingsMountain.com>) id 1R3I1M-00045E-6S for websec@ietf.org; Mon, 12 Sep 2011 19:42:44 -0600
Message-ID: <4E6EB513.1070704@KingsMountain.com>
Date: Mon, 12 Sep 2011 18:42:43 -0700
From: =JeffH <Jeff.Hodges@KingsMountain.com>
User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.21) Gecko/20110831 Thunderbird/3.1.13
MIME-Version: 1.0
To: IETF WebSec WG <websec@ietf.org>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
X-Identified-User: {11025:box514.bluehost.com:kingsmou:kingsmountain.com} {sentby:smtp auth 24.4.122.173 authed with jeff.hodges+kingsmountain.com}
Subject: Re: [websec] Certificate Pinning via HSTS
X-BeenThere: websec@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/websec>, <mailto:websec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/websec>
List-Post: <mailto:websec@ietf.org>
List-Help: <mailto:websec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/websec>, <mailto:websec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 13 Sep 2011 01:40:40 -0000

rbarnes@bbn.com said:
 >
 > This seems like a useful near-term approach, but also probably something that
 > might want to migrate to DANE over time.

sure, tho it's going to take a while (eg before browsers hard-fail on 
assurances sourced via Secure DNS). See..

[dane] A browser's myopic view
https://www.ietf.org/mail-archive/web/dane/current/msg02354.html


 > Is there any particular reason you're using key fingerprints instead of cert
 > fingerprints?  It seems like the latter might be slightly easier to
 > implement, since you don't have to parse the cert.

I assume it's because the certificates public keys are embedded within, in 
practice, can change without the key pairs themselves changing.

The rationale ought to of course be noted in the spec.

=JeffH

v2.23.0 | Report a Bug | By Email