Re: [websec] Service auto-configuration and certificate pinning
Marten Gajda <marten@dmfs.org> Thu, 23 June 2016 21:26 UTC
Message-ID: <576C53FD.20004@dmfs.org>
Date: Thu, 23 Jun 2016 23:26:21 +0200
From: Marten Gajda <marten@dmfs.org>
To: Stephen Farrell <stephen.farrell@cs.tcd.ie>, D.Rogers@gmx.net
Cc: websec@ietf.org
In-Reply-To: <576BA85A.6000507@cs.tcd.ie>
References: <576B0541.7040708@dmfs.org> <trinity-75a661ca-5da5-4e1f-a92c-5b52f3402490-1466672071054@3capp-gmx-bs77> <576BA85A.6000507@cs.tcd.ie>
Archived-At: <https://mailarchive.ietf.org/arch/msg/websec/vCfcjMaNBw4bUys-1uvmKCK_N0U>
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
Thanks to both of you. I'll have a closer look into that. At first glance it looks very interesting indeed.

Cheers,
Marten

On 23.06.2016 at 11:14, Stephen Farrell wrote:
>
> On 23/06/16 09:54, D.Rogers@gmx.net wrote:
>> Hello Marten,
>> it might be of interest to check out the 'Unbearable' group. They are working on
>> pinning bearer certificates.
> For info: unbearable@ietf.org is the WG mailing list. The working
> group is more prosaically named tokbind. [1] :-)
>
> S.
>
> [1] https://tools.ietf.org/wg/tokbind
>
>> Regards
>> Dean Rogers
>> *Sent:* Wednesday, 22 June 2016 at 23:38
>> *From:* "Marten Gajda" <marten@dmfs.org>
>> *To:* "websec@ietf.org" <websec@ietf.org>
>> *Subject:* [websec] Service auto-configuration and certificate pinning
>> Hi list,
>>
>> I'm currently working on an update of a draft that specifies a way for
>> clients to configure themselves with a minimum of user-provided
>> information. The current draft is available at
>> https://tools.ietf.org/html/draft-daboo-aggregated-service-discovery-03
>> (it's a bit outdated, but we're working on it).
>> This draft specifies a member to contain a server certificate, which
>> presumably was meant to support some sort of certificate pinning.
>>
>> During my research on how to improve this I came across RFC 7469 and
>> https://tools.ietf.org/html/draft-hallambaker-webseccaa-00
>>
>> I'd like to ask the members of this list whether they think that
>> "bootstrapping" certificate pinning for individual services (like so:
>> https://github.com/CalConnect/AUTODISCOVERY/issues/8#issuecomment-227857982)
>> would be useful to have in a service configuration document or if they
>> have any concerns or other comments about this.
>>
>> I'd also like to hear about opinions if this could be an acceptable
>> solution for certificate pinning with non-HTTP based protocols, i.e. for
>> protocols that don't have an in-band pinning mechanism the client would
>> reload the service configuration document whenever the cached pinning
>> information is outdated (i.e. <max-age> seconds have passed since it was
>> downloaded).
>>
>> Any comments (whether in response to this post or at GitHub) are very
>> welcome.
>>
>> Regards,
>>
>> Marten Gajda
>>
>> --
>> Marten Gajda
>> CEO
>>
>> dmfs GmbH
>> Schandauer Straße 34
>> 01309 Dresden
>> GERMANY
>>
>> phone: +49 177 4427167
>> email: marten@dmfs.org
>>
>> Managing Director: Marten Gajda
>> Registered address: Dresden
>> Registered No.: AG Dresden HRB 34881
>> VAT Reg. No.: DE303248743
>>
>> _______________________________________________
>> websec mailing list
>> websec@ietf.org
>> https://www.ietf.org/mailman/listinfo/websec

--
Marten Gajda
CEO

dmfs GmbH
Schandauer Straße 34
01309 Dresden
GERMANY

phone: +49 177 4427167
email: marten@dmfs.org

Managing Director: Marten Gajda
Registered address: Dresden
Registered No.: AG Dresden HRB 34881
VAT Reg. No.: DE303248743
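The refresh mechanism Marten sketches in the quoted message (pins carried in a service configuration document, re-fetched once `max-age` seconds have passed) can be made concrete with a small client-side pin cache. The following is an added example, not code from the thread, the draft or any of the projects mentioned; the JSON layout, the service name `caldav`, the `PinCache` class and the SPKI byte strings are all constructed for illustration and are not the draft's actual syntax. Pins are computed the RFC 7469 way (base64 of the SHA-256 over the DER-encoded SubjectPublicKeyInfo), and a connection passes if any SPKI in the presented chain matches a pinned hash.

```python
"""Pin cache with max-age expiry, modelled on RFC 7469 pin-sha256 pins (added example)."""
import base64
import hashlib
import json
import time

# Constructed stand-ins for DER-encoded SubjectPublicKeyInfo blobs (not real keys).
SAMPLE_SPKI = b"constructed-spki-der-bytes-for-the-pinned-key"
OTHER_SPKI = b"constructed-spki-der-bytes-for-an-unpinned-key"


def pin_sha256(spki_der: bytes) -> str:
    """RFC 7469 pin value: base64(SHA-256(DER SubjectPublicKeyInfo))."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")


# Constructed service configuration document. The layout is hypothetical and
# only illustrates per-service pins plus a max-age; it is not the draft's format.
SAMPLE_CONFIG = json.dumps({
    "services": {
        "caldav": {
            "host": "calendar.example.net",
            "port": 443,
            "pins": [pin_sha256(SAMPLE_SPKI)],
            "max-age": 60,          # seconds the cached pins stay fresh
        }
    }
})


class PinCache:
    """Caches per-service pins and re-fetches the document once they expire."""

    def __init__(self, fetch, now=time.time):
        self._fetch = fetch        # callable returning the config document text
        self._now = now            # injectable clock so expiry can be tested
        self._entries = {}         # service -> (pin set, fetched_at, max_age)
        self.reloads = 0           # how often the document was (re)loaded

    def _load(self) -> None:
        doc = json.loads(self._fetch())
        fetched_at = self._now()
        for name, svc in doc["services"].items():
            self._entries[name] = (set(svc["pins"]), fetched_at, int(svc["max-age"]))
        self.reloads += 1

    def pins_for(self, service: str) -> set:
        """Return the pin set for a service, reloading the document if it is stale."""
        entry = self._entries.get(service)
        if entry is None or self._now() - entry[1] >= entry[2]:
            self._load()
            entry = self._entries[service]
        return entry[0]

    def verify(self, service: str, presented_spki_chain) -> bool:
        """True when at least one SPKI in the presented chain matches a pin."""
        pins = self.pins_for(service)
        return any(pin_sha256(spki) in pins for spki in presented_spki_chain)


def run_demo():
    """Drive the cache with a fake clock; returns the observed (ok, reject, reloads)."""
    clock = [1000.0]
    cache = PinCache(lambda: SAMPLE_CONFIG, now=lambda: clock[0])
    ok = cache.verify("caldav", [SAMPLE_SPKI])        # matches the pinned key
    rejected = not cache.verify("caldav", [OTHER_SPKI])
    clock[0] += 61                                     # past max-age: forces a reload
    cache.verify("caldav", [SAMPLE_SPKI])
    return ok, rejected, cache.reloads


if __name__ == "__main__":
    print(run_demo())
```

Two points worth keeping in mind when reading this: RFC 7469 requires a pin set to contain a backup pin so that a key rollover does not lock clients out, and the pins are only as trustworthy as the channel the configuration document itself is fetched over, so that initial fetch has to be authenticated independently of the pins it delivers.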