Re: [websec] #56: Specify includeSubdomains directive for HPKP

Yoav Nir <ynir@checkpoint.com> Fri, 07 December 2012 22:17 UTC

From: Yoav Nir <ynir@checkpoint.com>
To: Chris Palmer <palmer@google.com>
Date: Fri, 07 Dec 2012 22:17:02 +0000
Message-ID: <4613980CFC78314ABFD7F85CC30277210EDD6872@IL-EX10.ad.checkpoint.com>
References: <058.f40b082eeef2f8676dd01f9fbb11ca5b@trac.tools.ietf.org> <073.d40b91d81cbf3caf09f91a3f886f6120@trac.tools.ietf.org> <CAOuvq21_v1Povw32R=qu5okz7RNxYjbavduuAfKWX5cNRyiTrg@mail.gmail.com>
In-Reply-To: <CAOuvq21_v1Povw32R=qu5okz7RNxYjbavduuAfKWX5cNRyiTrg@mail.gmail.com>
Cc: "<websec@ietf.org>" <websec@ietf.org>
Subject: Re: [websec] #56: Specify includeSubdomains directive for HPKP
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
List-Archive: <http://www.ietf.org/mail-archive/web/websec>

On Dec 7, 2012, at 11:31 PM, Chris Palmer <palmer@google.com> wrote:

> On Thu, Nov 8, 2012 at 2:01 PM, websec issue tracker
> <trac+websec@trac.tools.ietf.org> wrote:
> 
>> #56: Specify includeSubdomains directive for HPKP
>> 
>> Ticket URL: <http://tools.ietf.org/wg/websec/trac/ticket/56#comment:1>
> 
> Do people agree that draft -04 resolves this issue?

Sort of. I see that includeSubdomains is included, but I couldn't find the discussion about resolving conflicts between a superdomain (such as google.com) that has the includeSubdomains directive, and a subdomain (such as www.google.com) that has a different key in its PKP directive. This question is asked in the ticket.

I'm also not sure how that could ever work. Suppose I go to google.com, and get the pin with the includeSubdomains directive.

Next, I go to www.google.com, and the pin doesn't match the TLS handshake. Wouldn't the UA immediately terminate the connection, with no opportunity to ever receive any HTTP header? How will the more specific pin ever get set?

Yoav
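The sequence Yoav describes, modelled as an added example that is not part of the original thread or of the HPKP draft: a toy user-agent pin store that records Public-Key-Pins headers, picks the most specific known pinned host for a connection (an assumed rule: an exact host entry first, otherwise the nearest superdomain entry carrying includeSubdomains), and validates the TLS chain against it before any HTTP response is read. The SubjectPublicKeyInfo byte strings are constructed placeholders standing in for real DER SPKI blobs, `fetch` and `yoav_scenario` are names chosen here, and max-age handling is deliberately omitted.

```python
"""Toy HPKP pin store: superdomain includeSubdomains pin vs. a subdomain with a different key."""
import base64
import hashlib
from dataclasses import dataclass


def spki_pin(spki_der: bytes) -> str:
    """pin-sha256 value: base64(SHA-256(SubjectPublicKeyInfo DER))."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")


@dataclass
class PinEntry:
    host: str
    pins: set
    include_subdomains: bool = False


def parse_pkp_header(value: str):
    """Parse 'pin-sha256="..."; max-age=N; includeSubdomains' into (pins, include_subdomains).
    max-age is ignored in this toy; a real UA would track expiry."""
    pins, include_sub = set(), False
    for directive in value.split(";"):
        directive = directive.strip()
        if not directive:
            continue
        name, _, val = directive.partition("=")  # split on the first '=' only; base64 padding keeps its '='
        name = name.strip().lower()
        if name == "pin-sha256":
            pins.add(val.strip().strip('"'))
        elif name == "includesubdomains":
            include_sub = True
    return pins, include_sub


class PinStore:
    """Known pinned hosts, keyed by host name."""

    def __init__(self):
        self.entries = {}

    def note_header(self, host: str, value: str) -> None:
        pins, include_sub = parse_pkp_header(value)
        self.entries[host] = PinEntry(host, pins, include_sub)

    def applicable(self, host: str):
        """Assumed rule: exact host entry wins; otherwise walk up the labels and use the
        nearest superdomain entry that has includeSubdomains; None if nothing applies."""
        labels = host.split(".")
        for i in range(len(labels)):
            entry = self.entries.get(".".join(labels[i:]))
            if entry is None:
                continue
            if i == 0 or entry.include_subdomains:
                return entry
        return None

    def validate(self, host: str, chain_spkis) -> bool:
        """True when no pin applies, or when at least one SPKI in the served chain matches a pin."""
        entry = self.applicable(host)
        if entry is None:
            return True
        return any(spki_pin(spki) in entry.pins for spki in chain_spkis)


def fetch(store: PinStore, host: str, chain_spkis, response_pkp: str = None) -> str:
    """Simulated UA fetch: the pin check happens at TLS time, so a response header
    is only ever seen (and stored) if the connection survives validation."""
    if not store.validate(host, chain_spkis):
        return "connection terminated: pin validation failure"
    if response_pkp:
        store.note_header(host, response_pkp)
    return "ok"


def yoav_scenario():
    """google.com pins key A with includeSubdomains; www.google.com then serves key B
    and tries to send its own, more specific pin."""
    key_a = b"constructed SPKI for google.com (key A)"       # constructed placeholder
    key_b = b"constructed SPKI for www.google.com (key B)"   # constructed placeholder
    store = PinStore()
    first = fetch(store, "google.com", [key_a],
                  f'pin-sha256="{spki_pin(key_a)}"; max-age=5184000; includeSubdomains')
    second = fetch(store, "www.google.com", [key_b],
                   f'pin-sha256="{spki_pin(key_b)}"; max-age=5184000')
    # The www header is never processed: the superdomain pin killed the handshake first.
    return first, second, "www.google.com" in store.entries


if __name__ == "__main__":
    print(yoav_scenario())
```

Under the assumed matching rule the second fetch is rejected before the `Public-Key-Pins` header for `www.google.com` can be read, so the store never gains the more specific entry; a draft that wants subdomains to override a superdomain pin has to say how that entry gets in.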