Re: [websec] [saag] Pinning

Yoav Nir <> Sat, 11 August 2012 20:38 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 8E0FB21F8549 for <>; Sat, 11 Aug 2012 13:38:10 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -10.407
X-Spam-Status: No, score=-10.407 tagged_above=-999 required=5 tests=[AWL=0.192, BAYES_00=-2.599, RCVD_IN_DNSWL_HI=-8]
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id RwU1t1bMeT4z for <>; Sat, 11 Aug 2012 13:38:10 -0700 (PDT)
Received: from ( []) by (Postfix) with ESMTP id 94BDD21F8535 for <>; Sat, 11 Aug 2012 13:38:09 -0700 (PDT)
Received: from ( []) by (8.13.8/8.13.8) with ESMTP id q7BKbs7S003179; Sat, 11 Aug 2012 23:37:54 +0300
X-CheckPoint: {5026BF95-0-1B221DC2-4FFFF}
Received: from ([]) by ([]) with mapi; Sat, 11 Aug 2012 23:37:54 +0300
From: Yoav Nir <>
To: Chris Palmer <>
Date: Sat, 11 Aug 2012 23:37:52 +0300
Thread-Topic: [saag] [websec] Pinning
Thread-Index: Ac14AS5KvY5+O10lTRm44RvftP/6Qg==
Message-ID: <>
References: <> <> <> <> <>
In-Reply-To: <>
Accept-Language: en-US
Content-Language: en-US
acceptlanguage: en-US
x-kse-antivirus-interceptor-info: scan successful
x-kse-antivirus-info: Clean
Content-Type: text/plain; charset="Windows-1252"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Cc: Chris Evans <>, IETF WebSec WG <>, Paul Hoffman <>, Sean Turner <>, Moxie Marlinspike <>
Subject: Re: [websec] [saag] Pinning
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Web Application Security Minus Authentication and Transport <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Sat, 11 Aug 2012 20:38:10 -0000

Hi Chris

I've removed SAAG from CC, trimmed most of your message, and re-arranged the rest. Hope you don't mind…

On Aug 11, 2012, at 1:20 AM, Chris Palmer wrote:

> Additionally, HPKP and TACK might converge, more or less. I have plans
> to publish a new HPKP I-D that borrows some of TACK's pin activation
> and expiration ideas, for example.

<hat type="chair">

Just as a reminder, HPKP is now a working group draft. As such, change control is with the WG. Changes that change the rules for activation and expiration should be proposed and discussed on the list first. 

Having said that, we are pretty far from last call on key-pinning, so I think it would be OK to publish a version -03 with such proposed changes, as long as those changes are clearly marked as not being the result of WG consensus.

As an individual, I understand the limitations of the "spare public key" approach of the current HPKP. It's an administrative hassle to generate n spare keys and keep them safe, and if you have n+1 key compromise events within the max-age time, your site is blocked. But it does have the big advantage that the server side can be deployed *now* with no additional software. Until I see how those borrowed ideas can help with these issues, I prefer HPKP.

> So ultimately I do think we should decide on either HPKP or TACK, but
> that we should make that decision after there has been some real-world
> deployment experience with both (or, sadly, real-world non-deployment
> of one or both).

Well, there's WG deciding, and there's the market deciding. The IETF can publish both approaches (as either proposed standard or experimental) and the one (if any) that the market prefers can later be upgraded to standard (or it can stay at proposed anyway)