Re: [websec] Service auto-configuration and certificate pinning

D.Rogers@gmx.net Thu, 23 June 2016 08:54 UTC

Message-ID: <trinity-75a661ca-5da5-4e1f-a92c-5b52f3402490-1466672071054@3capp-gmx-bs77>
From: D.Rogers@gmx.net
To: Marten Gajda <marten@dmfs.org>
Date: Thu, 23 Jun 2016 10:54:31 +0200
In-Reply-To: <576B0541.7040708@dmfs.org>
References: <576B0541.7040708@dmfs.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/websec/vny_JLsisX8izyB7gXjmBoMSbSA>
Cc: "websec@ietf.org" <websec@ietf.org>
Subject: Re: [websec] Service auto-configuration and certificate pinning

Hello Marten,

It might be of interest to check out the 'Unbearable' group. They are working on pinning bearer certificates.

Regards
Dean Rogers
Sent: Wednesday, 22 June 2016 at 23:38
From: "Marten Gajda" <marten@dmfs.org>
To: "websec@ietf.org" <websec@ietf.org>
Subject: [websec] Service auto-configuration and certificate pinning
Hi list,

I'm currently working on an update of a draft that specifies a way for
clients to configure themselves with a minimum of user-provided
information. The current draft is available at
https://tools.ietf.org/html/draft-daboo-aggregated-service-discovery-03
(it's a bit outdated, but we're working on it).
This draft specifies a member to contain a server certificate, which
presumably was meant to support some sort of certificate pinning.

During my research on how to improve this I came across RFC 7469 and
https://tools.ietf.org/html/draft-hallambaker-webseccaa-00

I'd like to ask the members of this list whether they think that
"bootstrapping" certificate pinning for individual services (like so:
https://github.com/CalConnect/AUTODISCOVERY/issues/8#issuecomment-227857982)
would be useful to have in a service configuration document or if they
have any concerns or other comments about this.

I'd also like to hear opinions on whether this could be an acceptable
solution for certificate pinning with non-HTTP-based protocols, i.e. for
protocols that don't have an in-band pinning mechanism, the client would
reload the service configuration document whenever the cached pinning
information is outdated (i.e. <max-age> seconds have passed since it was
downloaded).

Any comments (whether in response to this post or at GitHub) are very
welcome.

Regards,

Marten Gajda

--
Marten Gajda
CEO

dmfs GmbH
Schandauer Straße 34
01309 Dresden
GERMANY

phone: +49 177 4427167
email: marten@dmfs.org

Managing Director: Marten Gajda
Registered address: Dresden
Registered No.: AG Dresden HRB 34881
VAT Reg. No.: DE303248743

_______________________________________________
websec mailing list
websec@ietf.org
https://www.ietf.org/mailman/listinfo/websec
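The client-side check Marten describes (pin the service's key from the configuration document and, for protocols with no in-band pinning, reload the document once max-age has elapsed), as an added example that is not code from the draft or from anyone in the thread. The JSON members `services`, `pins` and `max-age`, the constructed SPKI byte strings and all function names are assumptions; pins are computed HPKP-style (base64 of SHA-256 over the SubjectPublicKeyInfo) as in RFC 7469.

```python
import base64
import hashlib
import json
from dataclasses import dataclass
from typing import Callable, List


def spki_pin(spki_der: bytes) -> str:
    """RFC 7469 style pin: base64 of SHA-256 over the DER SubjectPublicKeyInfo."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")


# Constructed stand-ins for DER-encoded SPKIs (real ones come from the server's chain).
CURRENT_SPKI = b"constructed-spki-current-key"
BACKUP_SPKI = b"constructed-spki-backup-key"   # RFC 7469 requires a backup pin
ROGUE_SPKI = b"constructed-spki-unknown-key"


def make_config(max_age: int) -> str:
    """Constructed service configuration document; member names are assumed, not the draft's."""
    svc = {"host": "imap.example.test", "port": 993, "max-age": max_age,
           "pins": [spki_pin(CURRENT_SPKI), spki_pin(BACKUP_SPKI)]}
    return json.dumps({"services": {"imaps": svc}})


@dataclass
class CachedPins:
    pins: List[str]
    max_age: int
    fetched_at: float   # seconds since epoch when the document was downloaded

    def is_stale(self, now: float) -> bool:
        return now - self.fetched_at >= self.max_age


def parse_service_pins(doc: str, service: str, fetched_at: float) -> CachedPins:
    """Extract the pin set for one service. Note: these pins are only as trustworthy
    as the channel that delivered the configuration document itself."""
    entry = json.loads(doc)["services"][service]
    pins = list(entry.get("pins", []))
    if not pins:
        raise ValueError("service entry carries no pins")
    return CachedPins(pins=pins, max_age=int(entry["max-age"]), fetched_at=fetched_at)


def refresh_if_stale(cache: CachedPins, fetch_doc: Callable[[], str],
                     service: str, now: float) -> CachedPins:
    """Non-HTTP protocols cannot refresh pins in-band, so reload the document when stale."""
    return parse_service_pins(fetch_doc(), service, now) if cache.is_stale(now) else cache


def evaluate(cache: CachedPins, chain_spkis: List[bytes], now: float) -> str:
    """'stale' -> reload first; 'mismatch' -> pin validation failure, do not connect."""
    if cache.is_stale(now):
        return "stale"
    return "match" if any(spki_pin(s) in cache.pins for s in chain_spkis) else "mismatch"
```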