IETF Logo Mail Archive

Re: [websec] Comments on draft-ietf-websec-key-pinning-06

Tobias Gondrom <tobias.gondrom@gondrom.org> Tue, 25 June 2013 01:30 UTC

Return-Path: <tobias.gondrom@gondrom.org>
X-Original-To: websec@ietfa.amsl.com
Delivered-To: websec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A5E7A21E814A for <websec@ietfa.amsl.com>; Mon, 24 Jun 2013 18:30:30 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -95.361
X-Spam-Level:
X-Spam-Status: No, score=-95.361 tagged_above=-999 required=5 tests=[AWL=-0.000, BAYES_00=-2.599, FH_HELO_EQ_D_D_D_D=1.597, FH_HOST_EQ_D_D_D_D=0.765, FM_DDDD_TIMES_2=1.999, HELO_DYNAMIC_IPADDR=2.426, HELO_EQ_DE=0.35, HTML_MESSAGE=0.001, RDNS_DYNAMIC=0.1, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id NiabyMeD2z79 for <websec@ietfa.amsl.com>; Mon, 24 Jun 2013 18:30:26 -0700 (PDT)
Received: from lvps176-28-13-69.dedicated.hosteurope.de (lvps176-28-13-69.dedicated.hosteurope.de [176.28.13.69]) by ietfa.amsl.com (Postfix) with ESMTP id D0C4921E812C for <websec@ietf.org>; Mon, 24 Jun 2013 18:30:24 -0700 (PDT)
DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=default; d=gondrom.org; b=uAjOMAc9/TUc0NJln/sObNrmHnecI3V9zGauQGJyg+qC5Zr+ggfE6dgMiz2UPxM83TSTf2/9clsrag+QGf5l+KazIn+BlSdTVVHQUHVxAX1FRiHv1CqMPCYo/nfk08y1; h=Received:Received:Message-ID:Date:From:User-Agent:MIME-Version:To:CC:Subject:References:In-Reply-To:X-Enigmail-Version:Content-Type;
Received: (qmail 32482 invoked from network); 25 Jun 2013 03:30:23 +0200
Received: from 191.82.247.60.static.bjtelecom.net (HELO ?172.31.8.200?) (60.247.82.191) by lvps176-28-13-69.dedicated.hosteurope.de with ESMTPSA (DHE-RSA-AES256-SHA encrypted, authenticated); 25 Jun 2013 03:30:23 +0200
Message-ID: <51C8F2AE.5040101@gondrom.org>
Date: Tue, 25 Jun 2013 09:30:22 +0800
From: Tobias Gondrom <tobias.gondrom@gondrom.org>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:17.0) Gecko/20130510 Thunderbird/17.0.6
MIME-Version: 1.0
To: trevp@trevp.net
References: <8c03997da80b4e8da7100491011b8c12@BN1PR03MB039.namprd03.prod.outlook.com> <6F2FE5F2-D02C-4B09-A6CA-7C3B63722E34@checkpoint.com> <CAGZ8ZG32cRRU3rQ31cN0ZB78_Oxn7E4LpyTpYi0bT59jhzNuiw@mail.gmail.com> <51C7EECC.3020108@gondrom.org> <CAGZ8ZG0UiE9PJgscA+6yOqJxY_UWmjZfexdj+5w12wt=ChhziA@mail.gmail.com>
In-Reply-To: <CAGZ8ZG0UiE9PJgscA+6yOqJxY_UWmjZfexdj+5w12wt=ChhziA@mail.gmail.com>
X-Enigmail-Version: 1.5.1
Content-Type: multipart/alternative; boundary="------------020201030501090708080402"
Cc: websec@ietf.org, dmatson@microsoft.com
Subject: Re: [websec] Comments on draft-ietf-websec-key-pinning-06
X-BeenThere: websec@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/websec>, <mailto:websec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/websec>
List-Post: <mailto:websec@ietf.org>
List-Help: <mailto:websec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/websec>, <mailto:websec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 25 Jun 2013 01:30:30 -0000

On 25/06/13 05:06, Trevor Perrin wrote:
>
> On Mon, Jun 24, 2013 at 12:01 AM, Tobias Gondrom
> <tobias.gondrom@gondrom.org <mailto:tobias.gondrom@gondrom.org>> wrote:
>
>
>     On 24/06/13 09:13, Trevor Perrin wrote:
>>     Depends on the number of pinned keys.  Chrome's existing preloads
>>     [1] have 9, 5, 19, 36, 2, and 2 keys.  That's a mean of 12, which
>>     would be >500 bytes with SHA256.
>>
>     IMHO the expected session will be 2 keys with SHA-160 to SHA-512
>     per host.
>
>
> I don't know what the common case would be.  The numbers I cited are
> from the Chromium's preloaded key pins:
>
> https://src.chromium.org/viewvc/chrome/trunk/src/net/http/transport_security_state_static.json
>
> Note that a commercial CA might have several subordinate and root
> certificates, with different keys.  To pin yourself to this CA, you
> may need to list several of these keys, and to be conservative a site
> might pin multiple CAs.
>
> (Are you suggesting that sites would list both a SHA256 and SHA1 hash
> for each pinned key?  That seems unnecessary.)

No I am not suggesting to send both hashes. That would be unnecessary
and of very use.
So that means: 2 keys (the main key and the backup key) with one hash
each (SHA-160 OR SHA-256 OR SHA-512 OR ...)
Looking back at the discussions my perception is that in the case of
many (though not all) implementations the server will have only one key
active at the point of entry and then use a reverse proxy.
(with a caveat: I remember one large bank that seems due to whatever
historic reason is actually using different certificates for every
singly server instance, which obviously could then go into the 100s or
1000s.... - but I don't worry about this too much as AFAIK this was more
duet to misunderstanding regulation and a stupid architecture - so will
just need to clean up before they can go to pinning - which is fair in
my eyes.)



>
>  
>
>     Just for my understanding: Do you think this will create too much
>     header overhead and there want to the reference to the pin?
>
>
> I don't know how much data a site could add to every HTTP Response
> before it starts becoming a problem.  But that's the issue David raised.  
>
> If it's a real problem, the idea of putting pin assertions in, say, a
> JSON file at a "well-known" URI seems reasonable.  E.g.:
>
> http://www.example.com/.well-known/public-key-pins

I see. From my humble experience, I would agree with Chris (in his later
email) and don't see a performance problem with this. So I don't think
we need to consider the URI option.

Best regards, Tobias


>
>
> Trevor

v2.30.2 | Report a Bug | By Email | System Status