Re: [websec] wrt "breaking pins" aka "un-pinning" (breakv, breakc directives; draft-evans-palmer-hsts-pinning-00)
Chris Palmer <palmer@google.com> Mon, 17 October 2011 22:21 UTC
Return-Path: <palmer@google.com>
X-Original-To: websec@ietfa.amsl.com
Delivered-To: websec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id EBF6511E8082 for <websec@ietfa.amsl.com>; Mon, 17 Oct 2011 15:21:17 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -105.977
X-Spam-Level:
X-Spam-Status: No, score=-105.977 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, RCVD_IN_DNSWL_MED=-4, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id TXyEvYO8Md4D for <websec@ietfa.amsl.com>; Mon, 17 Oct 2011 15:21:16 -0700 (PDT)
Received: from smtp-out.google.com (smtp-out.google.com [74.125.121.67]) by ietfa.amsl.com (Postfix) with ESMTP id BF7DA1F0C42 for <websec@ietf.org>; Mon, 17 Oct 2011 15:21:12 -0700 (PDT)
Received: from hpaq14.eem.corp.google.com (hpaq14.eem.corp.google.com [172.25.149.14]) by smtp-out.google.com with ESMTP id p9HMLAWq004843 for <websec@ietf.org>; Mon, 17 Oct 2011 15:21:10 -0700
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; d=google.com; s=beta; t=1318890071; bh=Qr3CQlLdLNIXKCazxXYGza4vBxc=; h=MIME-Version:In-Reply-To:References:Date:Message-ID:Subject:From: To:Cc:Content-Type; b=CfV9sjdnVB7GvtQWEzScD1emCe9sUhDDIt01nd2sbo87zhNV3gC0gmKoxsg2T6UyL rg9tnHzjMgjncW6XTfkOQ==
DomainKey-Signature: a=rsa-sha1; s=beta; d=google.com; c=nofws; q=dns; h=dkim-signature:mime-version:in-reply-to:references:date: message-id:subject:from:to:cc:content-type:x-system-of-record; b=hzR7d4AExwQK0sXd/Fp1+9/dDJmEdqYeTxXQsJnITO0blfvXUtEsVbSaPxx3iUvvi LFh00Em3IwTHnIA4diZLw==
Received: from wwn22 (wwn22.prod.google.com [10.241.244.86]) by hpaq14.eem.corp.google.com with ESMTP id p9HMIKbg010806 (version=TLSv1/SSLv3 cipher=RC4-SHA bits=128 verify=NOT) for <websec@ietf.org>; Mon, 17 Oct 2011 15:21:10 -0700
Received: by wwn22 with SMTP id 22so1695146wwn.5 for <websec@ietf.org>; Mon, 17 Oct 2011 15:21:09 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=beta; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type:x-system-of-record; bh=5DuTpWMUDA5Wg8rRh2Yb26BBlBBKSl/KKJsZUv6Z9w0=; b=EP/wdCFrAYIwiA3O4VkzEvCJ+iyWit0PiRYRrnqC4QFcD/bsCEK8b/dCQ82Tf+uNyj zf2bNBt5cLLBkdHYm1kQ==
Received: by 10.216.135.31 with SMTP id t31mr404617wei.4.1318890069792; Mon, 17 Oct 2011 15:21:09 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.216.135.31 with SMTP id t31mr404606wei.4.1318890069620; Mon, 17 Oct 2011 15:21:09 -0700 (PDT)
Received: by 10.216.216.205 with HTTP; Mon, 17 Oct 2011 15:21:09 -0700 (PDT)
In-Reply-To: <4E9CA78C.5050805@KingsMountain.com>
References: <4E9CA78C.5050805@KingsMountain.com>
Date: Mon, 17 Oct 2011 15:21:09 -0700
Message-ID: <CAOuvq20WgodTnW9sfbBHbvzUuwuae1H=+uzzYnne2p20wp43+g@mail.gmail.com>
From: Chris Palmer <palmer@google.com>
To: =JeffH <Jeff.Hodges@kingsmountain.com>
Content-Type: text/plain; charset="UTF-8"
X-System-Of-Record: true
Cc: Chris Evans <cevans@google.com>, IETF WebSec WG <websec@ietf.org>
Subject: Re: [websec] wrt "breaking pins" aka "un-pinning" (breakv, breakc directives; draft-evans-palmer-hsts-pinning-00)
X-BeenThere: websec@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/websec>, <mailto:websec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/websec>
List-Post: <mailto:websec@ietf.org>
List-Help: <mailto:websec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/websec>, <mailto:websec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 17 Oct 2011 22:21:20 -0000
On Mon, Oct 17, 2011 at 3:09 PM, =JeffH <Jeff.Hodges@kingsmountain.com> wrote: > Tho, getting TLS extensions actually implemented and deployed seems to take > a few forevers. Quite so. > I wonder about hacking it (conveyance of pinning/unpinning info), for the > nearer-term, into a cert extension. Then just modifying client apps (e.g. > browsers) is what's necessary. Your average sys admin is more comfortable telling Apache to send a particular header with particular text than wrangling openssl(1) to add various extensions to a certificate. I don't see a security problem with using the application layer (e.g. HTTP) to inform the transport layer (TLS), as long as the transport layer correctly uses the information to exercise policy on subsequent connections. That's easier said than done in UA implementation code, of course, but I'm willing to (try to) write that code. I'm not willing to make sys admins wrangle with X.509 and the openssl command line. (For example, can anyone here tell me the command line to add a custom certificate extension to an existing certificate?) It would be cleaner to have it all in the TLS layer, but ease-of-deployment concerns dominate. People have a hard enough time with X.509 as it is.
- [websec] wrt "breaking pins" aka "un-pinning" (br… =JeffH
- Re: [websec] wrt "breaking pins" aka "un-pinning"… Trevor Perrin
- Re: [websec] wrt "breaking pins" aka "un-pinning"… Chris Palmer
- Re: [websec] wrt "breaking pins" aka "un-pinning"… =JeffH
- Re: [websec] wrt "breaking pins" aka "un-pinning"… Chris Palmer
- Re: [websec] wrt "breaking pins" aka "un-pinning"… Marsh Ray
- Re: [websec] wrt "breaking pins" aka "un-pinning"… Phillip Hallam-Baker