Re: [websec] separate pinning header (was: Pinning and beyond...)

Phillip Hallam-Baker <hallam@gmail.com> Sun, 16 October 2011 01:22 UTC

From: Phillip Hallam-Baker <hallam@gmail.com>
To: Tom Ritter <tom@ritter.vg>
Cc: IETF WebSec WG <websec@ietf.org>
Date: Sat, 15 Oct 2011 21:22:31 -0400
Subject: Re: [websec] separate pinning header (was: Pinning and beyond...)
Message-ID: <CAMm+LwhmcxZbaUuuqhhje6cUr7WRCR401CErTxS6s+1en+UxLw@mail.gmail.com>
In-Reply-To: <CA+cU71mAwZpUXjPHD3m0Dvh3Ty-0=DH4hUp1CyeYtjp_SmuV2g@mail.gmail.com>
References: <4E98B219.2050609@KingsMountain.com> <CA+cU71mAwZpUXjPHD3m0Dvh3Ty-0=DH4hUp1CyeYtjp_SmuV2g@mail.gmail.com>

A big use case that we want to support for our apps is to be able to push
out security policy for domains that we know are being targeted.

We can't push out security policy for every site on the Web into clients but
we can easily cover the top 95% of targeted sites with a pretty short list
of policy statements.

And a huge sub-case here would be to pull up security policy for an
employer's site for a company machine. This is done today with real utility,
but it's all proprietary.

But that really should be agile across multiple protocols. So, for example,
HTTP, IMAP, POP3.


On Fri, Oct 14, 2011 at 8:56 PM, Tom Ritter <tom@ritter.vg> wrote:

> On 14 October 2011 18:05, =JeffH <Jeff.Hodges@kingsmountain.com> wrote:
> > from <https://tools.ietf.org/html/draft-evans-palmer-hsts-pinning-00> :
> >
> > Thoughts?
>
> I agree.  Separating it into a header may also enable it to find its
> way into other protocols that travel over TLS, and reuse some of the
> same parsing/validation code.
>
> -tom
-- 
Website: http://hallambaker.com/
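Tom's point that a stand-alone pin header lets the same parsing and validation code serve every protocol carried over TLS, and Phillip's point that a client could ship a short pushed-out policy list for targeted domains, come down to one pin store that any protocol handler can consult. The following is an added example, not code from this thread, the websec WG or draft-evans-palmer-hsts-pinning-00. It assumes the header syntax that was later standardized in RFC 7469 (pin-sha256="base64(SHA-256(SPKI DER))"; max-age=N; optional includeSubDomains), which is not necessarily what the 2011 draft proposed, and it assumes the caller extracts each certificate's DER SubjectPublicKeyInfo bytes; the SPKI blobs and hostnames in the demo are constructed stand-ins.

```python
"""Protocol-agnostic public-key pin parsing and checking (added example).

Not code from the e-mail, the websec WG or the pinning draft. Assumes the
RFC 7469 header form and that callers supply DER SubjectPublicKeyInfo bytes.
"""
import base64
import hashlib
import re
import time
from dataclasses import dataclass

# directive = name [ "=" ( quoted-string | bare-token ) ]
_DIRECTIVE = re.compile(r'\s*([A-Za-z0-9-]+)\s*(?:=\s*(?:"([^"]*)"|([^;"\s]*)))?\s*')


@dataclass(frozen=True)
class PinPolicy:
    pins: frozenset            # canonical base64 SHA-256 digests of SPKI DER
    expires_at: float          # absolute seconds; <= now means expired
    include_subdomains: bool = False


def spki_pin(spki_der: bytes) -> str:
    """Pin for one certificate: base64(SHA-256(DER SubjectPublicKeyInfo))."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode('ascii')


def parse_pin_header(value: str, now: float) -> PinPolicy:
    """Parse a header field value; raises ValueError on anything malformed."""
    pins, max_age, include_sub = set(), None, False
    for part in value.split(';'):
        if not part.strip():
            continue
        m = _DIRECTIVE.fullmatch(part)
        if not m:
            raise ValueError(f'malformed directive: {part!r}')
        name = m.group(1).lower()
        val = m.group(2) if m.group(2) is not None else m.group(3)
        if name == 'pin-sha256':
            raw = base64.b64decode(val or '', validate=True)
            if len(raw) != 32:
                raise ValueError('pin-sha256 must be a 32-byte digest')
            pins.add(base64.b64encode(raw).decode('ascii'))   # canonical form
        elif name == 'max-age':
            if not (val and val.isdigit()):
                raise ValueError('max-age must be a non-negative integer')
            max_age = int(val)
        elif name == 'includesubdomains':
            include_sub = True
        # unknown directives are ignored so the format can be extended
    if max_age is None:
        raise ValueError('max-age is required')
    if not pins:
        raise ValueError('at least one pin-sha256 is required')
    return PinPolicy(frozenset(pins), now + max_age, include_sub)


class PinStore:
    """One store shared by every TLS-carried protocol (HTTPS, IMAPS, POP3S).

    `preloaded` is a pushed-out {host: PinPolicy} table for hosts known to be
    targeted; `_learned` holds policies noted from received headers.
    """

    def __init__(self, preloaded=None):
        self._preloaded = {h.lower(): p for h, p in (preloaded or {}).items()}
        self._learned = {}

    def note(self, host, header_value, chain_spkis, now):
        """Record a header seen on a connection; True if it was accepted."""
        policy = parse_pin_header(header_value, now)
        chain_pins = {spki_pin(s) for s in chain_spkis}
        if not policy.pins & chain_pins:
            return False          # header does not match the chain it came over
        if policy.pins <= chain_pins:
            return False          # no backup pin: a lost key would brick the host
        host = host.lower()
        if policy.expires_at <= now:
            self._learned.pop(host, None)   # max-age=0 clears the pin
        else:
            self._learned[host] = policy
        return True

    def policy_for(self, host, now):
        """Exact host first, then parents that set includeSubDomains."""
        labels = host.lower().split('.')
        for i in range(len(labels)):
            name = '.'.join(labels[i:])
            for table in (self._learned, self._preloaded):
                p = table.get(name)
                if p and p.expires_at > now and (i == 0 or p.include_subdomains):
                    return p
        return None

    def verify(self, host, chain_spkis, now):
        """True if the chain satisfies the applicable policy (or none applies)."""
        p = self.policy_for(host, now)
        if p is None:
            return True           # unpinned: ordinary chain validation decides
        return bool(p.pins & {spki_pin(s) for s in chain_spkis})


if __name__ == '__main__':
    LIVE, BACKUP, ROGUE = b'spki:live', b'spki:backup', b'spki:rogue'   # constructed
    now = time.time()
    hdr = (f'pin-sha256="{spki_pin(LIVE)}"; pin-sha256="{spki_pin(BACKUP)}"; '
           'max-age=5184000; includeSubDomains')
    pushed = {'targeted.example': PinPolicy(frozenset([spki_pin(LIVE)]), float('inf'))}
    store = PinStore(preloaded=pushed)
    assert store.note('example.com', hdr, [LIVE], now)         # learned over HTTPS
    assert store.verify('imap.example.com', [LIVE], now)       # same policy guards IMAPS
    assert not store.verify('imap.example.com', [ROGUE], now)  # MITM chain rejected
    assert not store.verify('targeted.example', [ROGUE], now)  # pushed-out policy applies
    print('ok')
```

The store deliberately has no knowledge of which protocol delivered a header: an HTTP response handler and an IMAP or POP3 handler would both call `note()` with the header text and the SPKIs of the chain they just validated, and both call `verify()` before trusting a connection. The two refusals in `note()` (header must match the chain it arrived on, and must carry a backup pin not in that chain) are what keep a single bad or attacker-supplied header from locking a client out of a site.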