IETF Logo Mail Archive

Re: [websec] #58: Should we pin only SPKI, or also names

Tobias Gondrom <tobias.gondrom@gondrom.org> Thu, 15 August 2013 15:38 UTC

Return-Path: <tobias.gondrom@gondrom.org>
X-Original-To: websec@ietfa.amsl.com
Delivered-To: websec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6962A11E81B7 for <websec@ietfa.amsl.com>; Thu, 15 Aug 2013 08:38:21 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -95.362
X-Spam-Level:
X-Spam-Status: No, score=-95.362 tagged_above=-999 required=5 tests=[AWL=0.000, BAYES_00=-2.599, FH_HELO_EQ_D_D_D_D=1.597, FH_HOST_EQ_D_D_D_D=0.765, FM_DDDD_TIMES_2=1.999, HELO_DYNAMIC_IPADDR=2.426, HELO_EQ_DE=0.35, RDNS_DYNAMIC=0.1, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id YgGjSKkoB95W for <websec@ietfa.amsl.com>; Thu, 15 Aug 2013 08:38:16 -0700 (PDT)
Received: from lvps176-28-13-69.dedicated.hosteurope.de (lvps176-28-13-69.dedicated.hosteurope.de [176.28.13.69]) by ietfa.amsl.com (Postfix) with ESMTP id 8C78E11E81D2 for <websec@ietf.org>; Thu, 15 Aug 2013 08:38:00 -0700 (PDT)
DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=default; d=gondrom.org; b=CNtMVibHBr+lVvc7PeMhfvqgrAJ6397FyP9iQs1qwBKq1CCLJMvSN/cqMqvfQ10ZiXLpf5qEwl6SzQBpNUm3pLxu0TS+dkMyOvRHBUgoqhj8mjKFljXQvJzahh0hkvxg; h=Received:Received:Message-ID:Date:From:User-Agent:MIME-Version:To:CC:Subject:References:In-Reply-To:X-Enigmail-Version:Content-Type:Content-Transfer-Encoding;
Received: (qmail 26448 invoked from network); 15 Aug 2013 17:37:58 +0200
Received: from 188-222-103-191.zone13.bethere.co.uk (HELO ?192.168.1.64?) (188.222.103.191) by lvps176-28-13-69.dedicated.hosteurope.de with ESMTPSA (DHE-RSA-AES256-SHA encrypted, authenticated); 15 Aug 2013 17:37:58 +0200
Message-ID: <520CF5D5.20008@gondrom.org>
Date: Thu, 15 Aug 2013 16:37:57 +0100
From: Tobias Gondrom <tobias.gondrom@gondrom.org>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:17.0) Gecko/20130804 Thunderbird/17.0.8
MIME-Version: 1.0
To: ynir@checkpoint.com
References: <060.be9b0009dc0350ca543f553042673944@trac.tools.ietf.org> <6125A841-6C85-4858-B37F-C021067F0CFA@checkpoint.com> <2035FF99-A079-4F2F-B4DE-962FE1C1B964@checkpoint.com> <CAOuvq20O9bqHGR-5eKPmasNnWEuNW7ACL7PxM09yoTmmyt1UUg@mail.gmail.com> <CAGZ8ZG2C4uB=4vgH325TWeNW89ne4E_DN0j9ZV0t2AKa1o+x9g@mail.gmail.com> <52089A35.9040103@mozilla.org> <CAGZ8ZG3HUUsQJ63mCqHd_LOq+KSdsVpG7Gibdif5dS4oGLywpA@mail.gmail.com> <52091598.7000306@mozilla.org> <faac23b0797219a618f8ffee1932f7e2.squirrel@webmail.dreamhost.com> <CAGZ8ZG1zRJ3fWsK7+Zd_CWjZKTms_YjAxFWzQ+=yrn_VTW+s4g@mail.gmail.com> <5209FF9D.1080208@mozilla.org> <CAGZ8ZG3-WgKuRCWSsB8U_Y72J9TYU83tsmY-QZ8=-8bOoxkj+A@mail.gmail.com> <520C166E.7000202@mozilla.org> <CAGZ8ZG0SHHFWkx-uQGAzCXXBijZw_PnsChfQ0zbmx5AWg6T2Vg@mail.gmail.com> <520C91B3.20402@mozilla.org> <CAGZ8ZG37s3RoL+TO33JBwuniQXJtV=cGvNrzARGUp9A9w3rn8g@mail.gmail.com> <D3C42FFE-C17E-440B-80BE-FB989AD5E1A4@checkpoint.com>
In-Reply-To: <D3C42FFE-C17E-440B-80BE-FB989AD5E1A4@checkpoint.com>
X-Enigmail-Version: 1.5.2
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 7bit
Cc: websec@ietf.org
Subject: Re: [websec] #58: Should we pin only SPKI, or also names
X-BeenThere: websec@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/websec>, <mailto:websec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/websec>
List-Post: <mailto:websec@ietf.org>
List-Help: <mailto:websec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/websec>, <mailto:websec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 15 Aug 2013 15:38:21 -0000

On 15/08/13 16:19, Yoav Nir wrote:
> On Aug 15, 2013, at 12:08 PM, Trevor Perrin <trevp@trevp.net> wrote:
>
>> On Thu, Aug 15, 2013 at 1:30 AM, Gervase Markham <gerv@mozilla.org> wrote:
>>> On 15/08/13 09:20, Trevor Perrin wrote:
>>>> So you're expecting sites to edit their HPKP header on every cert
>>>> change?
>>> No; it's quite possible that the advice on renew would be "keep the same
>>> pins".
>> OK.  So you're expecting sites to request a new cert at least T days
>> prior to their existing cert expiring (where T is the length of time
>> needed for extant pins to expire).
> That would require either the sites to buy more certs than they need (and have overlapping certs) or the CAs to issue future certs (notBefore date T days in the future) and commit to the pinning data being valid for (validity_period + T). Not rocket science, but somewhat error prone.
>
> OTOH if the site administrator pins the EE public key, they don't need to involve the CA at all. They just need to generate the key pair (or the certificate request) T days in advance, and add the new pin to the HPKP header/resource.
>
> If someone were to ask me what a good pinning policy would be, I would say that they need three pins most of the time:
>  1. for the EE certificate
>  2. for the current root CA
>  3. for some other root CA (that you trust)
>
> If the EE certificate is compromised, you issue a new one from the current root CA, and update the pin.
> If the CA gets compromised, you issue a new cert from the backup root CA and update the pin (also with a new backup)
> T days before expiry, you generate a certreq, and add the new public key as a fourth pin until you change the certificate. 
>
> The pinning idea became cool because static pinning caught the Diginotar breach. A policy like this would detect fake certificates (as long as Diginotar was not your primary or backup CA).
>
> If CAs publish pin data on their website and guarantee that they will put any change on their website at least x days before the change takes place (90 days?) this kind of policy would work, but it would require administrators to check monthly both their primary and backup pins, otherwise the recovery plan above won't work.
Actually the CA could also use an email push service instead of or in
addition to the website publication.

> Yoav
>
> _______________________________________________
> websec mailing list
> websec@ietf.org
> https://www.ietf.org/mailman/listinfo/websec

v2.23.0 | Report a Bug | By Email