IETF Logo Mail Archive

Re: [websec] Comments on draft-ietf-websec-key-pinning-06

Trevor Perrin <trevp@trevp.net> Fri, 28 June 2013 20:32 UTC

Return-Path: <trevp@trevp.net>
X-Original-To: websec@ietfa.amsl.com
Delivered-To: websec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9A62B21F9C8E for <websec@ietfa.amsl.com>; Fri, 28 Jun 2013 13:32:51 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.976
X-Spam-Level:
X-Spam-Status: No, score=-2.976 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id KYggNE2CfCQz for <websec@ietfa.amsl.com>; Fri, 28 Jun 2013 13:32:47 -0700 (PDT)
Received: from mail-we0-f176.google.com (mail-we0-f176.google.com [74.125.82.176]) by ietfa.amsl.com (Postfix) with ESMTP id 5B65421F9C8D for <websec@ietf.org>; Fri, 28 Jun 2013 13:32:43 -0700 (PDT)
Received: by mail-we0-f176.google.com with SMTP id t56so1547262wes.7 for <websec@ietf.org>; Fri, 28 Jun 2013 13:32:43 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=mime-version:x-originating-ip:in-reply-to:references:date :message-id:subject:from:to:cc:content-type:x-gm-message-state; bh=cov/MbdQ/XpW9L7gSRCI++7WakU/R0GftKpKu4/pyXQ=; b=fX7/vveFEBVue7lMt2GawuhXsRJXZZiSEwVRODIpwFZxWW5zdl/dFty1EmTVcYPA32 mrcIrdvGrs2HMxqQZH281q7jcBOJ/+bsHMFR+t/Z+ohN8gxoGwWQvNimxd3rm4P1SRiw C2Dfk7e/y5lpgBsRagj9FFE6ROB1AcIXONxFP18Rxz6Qly7Xa7YT+WnTdPqaI8EqMXxX TVDboDQZwLnnIxVcsBzqdnWfnydzMqcUaV1gbdy4LpghO3IZ1e+/y0bt7+rmwSyfTZQ3 P2PUXC36Yw3SnA/x1G1gGO/VJTdE0p9VX56S04XJrysZTdyjRZ6hOzkf84swh4W12Ol6 roZA==
MIME-Version: 1.0
X-Received: by 10.194.93.74 with SMTP id cs10mr11386034wjb.9.1372451563140; Fri, 28 Jun 2013 13:32:43 -0700 (PDT)
Received: by 10.216.212.9 with HTTP; Fri, 28 Jun 2013 13:32:43 -0700 (PDT)
X-Originating-IP: [208.184.35.186]
In-Reply-To: <CAMm+LwhRm7dCk=Q=mQAWtOQ5hosjyngSWjVbQ454Tj+ocVDqrQ@mail.gmail.com>
References: <8c03997da80b4e8da7100491011b8c12@BN1PR03MB039.namprd03.prod.outlook.com> <6F2FE5F2-D02C-4B09-A6CA-7C3B63722E34@checkpoint.com> <CAOuvq203V8LNjkimfd2m+aTX7-gKr=J62jmUqz-PDQEN6O9Lvg@mail.gmail.com> <CAOuvq20_KZPcBWyPgpGj=K5gy=1BGGRv11Zuxmcw_wBmzBhgUA@mail.gmail.com> <CAGZ8ZG1uHYxxh9q+z7767zW4=HWTa19EJGiu4oyERhTyM0KQBw@mail.gmail.com> <51CD39D9.1040801@gondrom.org> <CAMm+LwhRm7dCk=Q=mQAWtOQ5hosjyngSWjVbQ454Tj+ocVDqrQ@mail.gmail.com>
Date: Fri, 28 Jun 2013 13:32:43 -0700
Message-ID: <CAGZ8ZG0PT-=WPK07wpOVzGNKzu1-Z3iUpe9DZBPPJyjNo-MOZQ@mail.gmail.com>
From: Trevor Perrin <trevp@trevp.net>
To: Phillip Hallam-Baker <hallam@gmail.com>
Content-Type: multipart/alternative; boundary="047d7bf0c86ce48c2704e03cc7e2"
X-Gm-Message-State: ALoCoQmYIkWxi35czrdTD+NxMPKHSkyz6rUTBJFhYergtP7A/a9knPvio1InkLA+Yi8/LRgSFq/R
Cc: David Matson <dmatson@microsoft.com>, websec <websec@ietf.org>
Subject: Re: [websec] Comments on draft-ietf-websec-key-pinning-06
X-BeenThere: websec@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/websec>, <mailto:websec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/websec>
List-Post: <mailto:websec@ietf.org>
List-Help: <mailto:websec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/websec>, <mailto:websec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 28 Jun 2013 20:32:51 -0000

On Fri, Jun 28, 2013 at 8:00 AM, Phillip Hallam-Baker <hallam@gmail.com>wrote:

> CAA faced the problem of identifying a CA.
>
> During the evolution of the draft we went through pretty much every scheme
> mentioned in this thread. In the end we decided to go with a domain name
> that is asserted for that purpose by the CA. So symantec.com / comodo.com/ etc.
>

Makes sense.

How do CAs assert the domain name they'd like to be referenced by?  Are
these domain names something that could be tracked by the CAB Forum,
browser root stores, or some other party?


HPKP still needs to map the declared domain name to a set of keys.  Perhaps
CAs could maintain a list at a "well-known" URI derived from the domain
name?

https://comodo.com/.well-known/hpkp-keys.json

Browser vendors could scan this list periodically and keep their browsers
in sync with the latest keys from the major CAs.  CAs would make sure to
publish new keys in advance of issuing certs under a new root.

If a browser encounters an unknown domain name, it could contact the URI
itself, so this doesn't disenfanchise private CAs.

Anyways, I rather like this.  I think it's a much easier route to CA
pinning than expecting websites to maintain key lists themselves.

Others?


Trevor

v2.30.2 | Report a Bug | By Email | System Status