Re: [websec] #58: Should we pin only SPKI, or also names
Chris Palmer <palmer@google.com> Thu, 08 August 2013 20:33 UTC
To: Gervase Markham <gerv@mozilla.org>
Cc: websec <websec@ietf.org>
On Wed, Aug 7, 2013 at 2:35 AM, Gervase Markham <gerv@mozilla.org> wrote:

> Surely it would also significantly reduce flexibility?
>
> At the moment, I can pin to a particular leaf, or a particular
> intermediate, or a particular root, or to a set of any of the above. I
> can decide where in the chain to pin depending on my analysis of the
> cost/benefit. If we instead pinned to CA names, I would lose that
> flexibility. Wouldn't I?

No, we could allow people to pin to either SPKIs or trust anchor set
names or any combination of the two. I don't think anyone has said
that it should be trust anchor set names *only*.
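
An added illustration, not part of the original message or of any draft text: a sketch of a pin check that accepts SPKI pins, trust anchor set names, or a mix of both. The name registry, the tuple pin format, and the rule that a name matches on the chain's trust anchor are assumptions made for this example; the SPKI blobs are constructed placeholders, not real keys.

```python
import base64
import hashlib


def spki_pin(spki_der: bytes) -> str:
    """Base64 of SHA-256 over a DER SubjectPublicKeyInfo blob."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode()


# Constructed stand-ins for DER SPKI blobs (not real keys).
LEAF = b"constructed-leaf-spki"
INTERMEDIATE = b"constructed-intermediate-spki"
ROOT = b"constructed-root-spki"
OTHER_ROOT = b"constructed-other-root-spki"

# Hypothetical registry: trust anchor set name -> SPKI pins of that set's roots.
TRUST_ANCHOR_SETS = {
    "example-ca": {spki_pin(ROOT)},
    "other-ca": {spki_pin(OTHER_ROOT)},
}


def chain_satisfies_pins(chain, pins, anchor_sets=TRUST_ANCHOR_SETS):
    """Return True if any pin matches the validated chain.

    chain: SPKI blobs of an already-validated chain, leaf first, trust
           anchor last.
    pins:  list of ("spki", b64_hash) or ("name", set_name) tuples.
    """
    if not chain:
        return False
    chain_hashes = [spki_pin(s) for s in chain]
    anchor_hash = chain_hashes[-1]
    for kind, value in pins:
        # SPKI pin: may match the leaf, an intermediate, or the root,
        # which is the flexibility described in the quoted text.
        if kind == "spki" and value in chain_hashes:
            return True
        # Name pin (assumed semantics): the chain's trust anchor must
        # belong to the named set. Unknown names expand to the empty
        # set, so they never match.
        if kind == "name" and anchor_hash in anchor_sets.get(value, set()):
            return True
    return False
```

With a mixed pin list, a site that reissues under a different root still passes on its SPKI pin, while a name-only pin list rejects that chain.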