Re: [websec] Gen-art LC review of draft-ietf-websec-key-pinning-19
Chris Palmer <palmer@google.com> Mon, 25 August 2014 20:24 UTC
Return-Path: <palmer@google.com>
X-Original-To: websec@ietfa.amsl.com
Delivered-To: websec@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0656B1A0320 for <websec@ietfa.amsl.com>; Mon, 25 Aug 2014 13:24:00 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.653
X-Spam-Level:
X-Spam-Status: No, score=0.653 tagged_above=-999 required=5 tests=[BAYES_50=0.8, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FM_FORGED_GMAIL=0.622, RP_MATCHES_RCVD=-0.668, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 2aEP_oP22fqF for <websec@ietfa.amsl.com>; Mon, 25 Aug 2014 13:23:58 -0700 (PDT)
Received: from mail-qg0-x231.google.com (mail-qg0-x231.google.com [IPv6:2607:f8b0:400d:c04::231]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 302011A0314 for <websec@ietf.org>; Mon, 25 Aug 2014 13:23:58 -0700 (PDT)
Received: by mail-qg0-f49.google.com with SMTP id j107so13602338qga.36 for <websec@ietf.org>; Mon, 25 Aug 2014 13:23:57 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=4/X6JcmsEBPyvyxqNLvDa/CTH+GWid5Ewri12S6YRIc=; b=H6D67x+VS9bjq2FWC0xVQaobavdH669AD6XVswiDceIJrK3/OwS/1+79va4bsaHiHu JBz913WZ5JP1fpmLs03eMzwrj5pz703l7FaC6cCG+q0M99f99vPIhqquMPf+Hn8hJ0JV 9BHKT3BpLhT5A4kXkiWI8HrhqRTUAqYnMjk5WSOvn0VRK7DjBeKdHNiVz9maJ5Ervvsj OfDcUbgVrOQXr8w9sZlJ98d0WYUxSRwXEiObByWjZIXG6lxSs94QGVMMQCq3motVHXxX 0pziYknZPxpLb3T1ViRRPlw4VSyzperO46izMVPdUCdNY4QppOIJihZo4hFyou5lh40O beKQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:date :message-id:subject:from:to:cc:content-type; bh=4/X6JcmsEBPyvyxqNLvDa/CTH+GWid5Ewri12S6YRIc=; b=jpu5J3gtIWjTnw27mRo956gRvSKSKCfnDb2UvGtKQroLsmHV8pQgu4ZAaRQMknVanH hcI36wqKpdlaznCdYloPAm6tP6F2iQXfN/uMMQ3LauXLSJtQ47UCaJG+/5Gwi4WeUUiO gzGi/yNAhrreliV6FThGMgMOVBihnkqLokAoRk84vectWoVUPitSsXDcGAklhw2u1Lpw UdWgdO8B8Lhl34AFmzupc016O3tlLM97XdOwzWrj54M0Q7Vk9SDr8Rik/rVPoHieLNt9 qw8wq2UaB9z58k8kcPROU5vPSFXYObvEtkTZIPqF4auyadpaCnVJzw593TFfzJ2KoFeU M9JA==
X-Gm-Message-State: ALoCoQkvHqIzwMxl3vPCFakT1+MvNWv/YaTvyBKw04C1gKm7T73G+coFqW7I0nBWka9dcDciir7I
MIME-Version: 1.0
X-Received: by 10.140.97.117 with SMTP id l108mr36202786qge.29.1408998237177; Mon, 25 Aug 2014 13:23:57 -0700 (PDT)
Received: by 10.229.165.2 with HTTP; Mon, 25 Aug 2014 13:23:57 -0700 (PDT)
In-Reply-To: <53E8DC68.5010803@dial.pipex.com>
References: <53DA3F13.10007@dial.pipex.com> <A46FD7B1-0ECB-4AB9-990E-E09D4956591B@gmail.com> <549E489B-181F-48FA-867E-BA7C7FB3E32D@gmail.com> <53E8DC68.5010803@dial.pipex.com>
Date: Mon, 25 Aug 2014 13:23:57 -0700
Message-ID: <CAOuvq23AF3NFGg2HRhWgcg70GaZmQ=ArL-NfUCepN0QGuGEqDQ@mail.gmail.com>
From: Chris Palmer <palmer@google.com>
To: Elwyn Davies <elwynd@dial.pipex.com>
Content-Type: text/plain; charset="UTF-8"
Archived-At: http://mailarchive.ietf.org/arch/msg/websec/tZQIDF-QK2_x60BPz5jJWleWlus
Cc: draft-ietf-websec-key-pinning.all@tools.ietf.org, General area reviewing team <gen-art@ietf.org>, IETF WebSec WG <websec@ietf.org>
Subject: Re: [websec] Gen-art LC review of draft-ietf-websec-key-pinning-19
X-BeenThere: websec@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/websec>, <mailto:websec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/websec/>
List-Post: <mailto:websec@ietf.org>
List-Help: <mailto:websec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/websec>, <mailto:websec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 25 Aug 2014 20:24:00 -0000
On Mon, Aug 11, 2014 at 8:08 AM, Elwyn Davies <elwynd@dial.pipex.com> wrote: >>>> s2.1.1: I'm not sure if this could be an issue.. should a maximum >>>> possible value for max_age >>>> be specified to avoid UA's being cluttered up with old Pins - this might >>>> possible be a DoS >>>> attack vehicle but I am not sure (yet) if it could be. OK.. so s2.3.3 >>>> talks about limits. >>>> A pointer to this discussion would be useful here > > A pointer to the discussion in s2.3.3 would still help. Added. > Ok. Accepting that the host is expected normally to send the headers on all > responses, when SHOULD it not send the headers? (from the previous comments > a server that knows it is not multiplexed might be a candidate - or if it > knows it has already responded on this connection?) I think it's easiest and simplest for servers to simply always send the headers. >>>> s2.3.1/s2.4: S2.4 states that hash algorithms might be deprecated in >>>> future. Presumably a >>>> deprecated algorithm should be treated as an unrecognized directive or >>>> some such to avoid >>>> downgrade attacks. Probably worth being explicit about this. Also this >>>> is potentially >>>> incompatible with the statement that 'UAs MUST recognize "sha256"' (Para >>>> 3 of s2.4). >>>> This results in a potential downgrade attack when and if SHA256 is >>>> deemed to be no longer >>>> cryptographically effective. I think this statement can be removed as >>>> presently a UA >>>> has no other option if it is to implement the specification. > > Not addressed as yet. At least the statement in s2.4 needs to be removed. Removed. >>>> Also there may be some of the questions in s8.3.1 of RFC 7231 that need >>>> specific answers. > > There are still some of the questions that ought to be explicitly answered. To me, the only questions that might not have obvious answers are: o Whether the header field is useful or allowable in trailers (see Section 4.1 of [RFC7230]). Surely not? For the same reason we don't want it in meta http-equiv. o Whether the header field ought to be preserved across redirects. Surely not? Any others? > One extra nit: > s2, para after bullets: s/reistry/registry/ Fixed. Changes visible at https://code.google.com/p/key-pinning-draft/source/list. I won't push a version 21 until I've gone through the rest of the incoming email. Thank you!
- Re: [websec] Gen-art LC review of draft-ietf-webs… Yoav Nir
- Re: [websec] Gen-art LC review of draft-ietf-webs… Barry Leiba
- Re: [websec] Gen-art LC review of draft-ietf-webs… Yoav Nir
- Re: [websec] Gen-art LC review of draft-ietf-webs… Tobias Gondrom
- Re: [websec] Gen-art LC review of draft-ietf-webs… Chris Palmer
- Re: [websec] Gen-art LC review of draft-ietf-webs… Elwyn Davies
- Re: [websec] Gen-art LC review of draft-ietf-webs… Chris Palmer
- Re: [websec] Gen-art LC review of draft-ietf-webs… Elwyn Davies
- Re: [websec] Gen-art LC review of draft-ietf-webs… Ryan Sleevi