Re: [websec] #58: Should we pin only SPKI, or also names

Trevor Perrin <trevp@trevp.net> Tue, 13 August 2013 06:43 UTC


On Mon, Aug 12, 2013 at 9:22 PM, Jeremy Rowley
<jeremy.rowley@digicert.com> wrote:
> The problems with pinning a CA are similar to problems with pinning a SPKI.
> Eventually, the browser needs updated pinned information.  CA pinning shifts
> coordination of this update from the Website-Browser to a CA-Browser
> communication.
>
> Permitting CA pinning allows an entity to essentially delegate certificate
> decisions to a single CA entity.

Or multiple CAs.

I think many sites would be well-served by pinning to several CAs.
This would yield a very safe pin with minimal vendor lock-in and with
protection from catastrophes like a CA being delisted or going out of
business.

With SPKI pinning, this multiplies the size of the HPKP header and the
number of CA key lists the site has to track.  That's a big reason I'm
pushing for a more manageable approach.


Trevor
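To make the header-size point above concrete, here is an added example (not from the thread or any project it mentions) of the HPKP pin-sha256 computation and pin check in Python. It uses constructed placeholder byte strings in place of each CA's DER-encoded root and intermediate SPKIs, so the hashes are not real CA pins.

```python
import base64
import hashlib
import re

def spki_pin(spki_der: bytes) -> str:
    """HPKP pin-sha256 value: base64 of SHA-256 over the DER SubjectPublicKeyInfo."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")

def build_hpkp_header(spkis, max_age=5184000):
    """Serialise one pin-sha256 directive per SPKI into a Public-Key-Pins header."""
    directives = "; ".join(f'pin-sha256="{spki_pin(s)}"' for s in spkis)
    return f"Public-Key-Pins: {directives}; max-age={max_age}"

def parse_pins(header):
    """Recover the pin set a client would store from a received header."""
    return set(re.findall(r'pin-sha256="([A-Za-z0-9+/=]+)"', header))

def chain_matches_pins(chain_spkis, pinned):
    """HPKP check: accept the connection if any SPKI in the validated chain is pinned."""
    return any(spki_pin(s) in pinned for s in chain_spkis)

# Constructed placeholders standing in for each CA's DER-encoded SPKIs (not real keys).
# Pinning a CA via SPKI means listing every root and intermediate key it might sign from.
def fake_spki(label):
    return b"constructed-spki:" + label.encode()

CA_KEYS = {
    "ca-a": [fake_spki("ca-a-root"), fake_spki("ca-a-int-1"), fake_spki("ca-a-int-2")],
    "ca-b": [fake_spki("ca-b-root"), fake_spki("ca-b-int-1"), fake_spki("ca-b-int-2")],
    "ca-c": [fake_spki("ca-c-root"), fake_spki("ca-c-int-1"), fake_spki("ca-c-int-2")],
}

def header_for_cas(ca_names):
    """Pin several CAs via SPKI: the header grows by one directive per CA key."""
    spkis = [s for ca in ca_names for s in CA_KEYS[ca]]
    return build_hpkp_header(spkis)

if __name__ == "__main__":
    for cas in (["ca-a"], ["ca-a", "ca-b", "ca-c"]):
        h = header_for_cas(cas)
        print(f"{len(cas)} CA(s): {len(parse_pins(h))} pins, {len(h)} bytes")
    pinned = parse_pins(header_for_cas(["ca-a", "ca-b", "ca-c"]))
    # A chain through ca-b's first intermediate is accepted; one through an unpinned CA is not.
    print(chain_matches_pins([fake_spki("leaf"), fake_spki("ca-b-int-1"), fake_spki("ca-b-root")], pinned))
    print(chain_matches_pins([fake_spki("leaf"), fake_spki("ca-z-int"), fake_spki("ca-z-root")], pinned))
```

Each pin-sha256 directive costs 57 bytes plus a separator, so three CAs with three keys each already put nine directives in every response header, which is the tracking and size burden the message describes.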