Re: [websec] #58: Should we pin only SPKI, or also names

Gervase Markham <gerv@mozilla.org> Wed, 14 August 2013 23:44 UTC

Return-Path: <gerv@mozilla.org>
X-Original-To: websec@ietfa.amsl.com
Delivered-To: websec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 55D0621F8F4A for <websec@ietfa.amsl.com>; Wed, 14 Aug 2013 16:44:55 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.677
X-Spam-Level:
X-Spam-Status: No, score=-2.677 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, HELO_MISMATCH_ORG=0.611, HOST_MISMATCH_COM=0.311, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id tDHqWno6j1Fw for <websec@ietfa.amsl.com>; Wed, 14 Aug 2013 16:44:49 -0700 (PDT)
Received: from smtp.mozilla.org (mx2.corp.phx1.mozilla.com [63.245.216.70]) by ietfa.amsl.com (Postfix) with ESMTP id 9346121F8F2E for <websec@ietf.org>; Wed, 14 Aug 2013 16:44:49 -0700 (PDT)
Received: from [192.168.1.138] (host86-146-213-39.range86-146.btcentralplus.com [86.146.213.39]) (Authenticated sender: gerv@mozilla.org) by mx2.mail.corp.phx1.mozilla.com (Postfix) with ESMTPSA id 60F62F24D8; Wed, 14 Aug 2013 16:44:48 -0700 (PDT)
Message-ID: <520C166E.7000202@mozilla.org>
Date: Thu, 15 Aug 2013 00:44:46 +0100
From: Gervase Markham <gerv@mozilla.org>
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:17.0) Gecko/20130620 Thunderbird/17.0.7
MIME-Version: 1.0
To: Trevor Perrin <trevp@trevp.net>
References: <060.be9b0009dc0350ca543f553042673944@trac.tools.ietf.org> <073501ce8c6e$f6c17d90$e44478b0$@digicert.com> <CAMm+LwjdGJC4FHCJ_OAYGRqCGGc0Nz1pLV=yVGK9M9E7drfujQ@mail.gmail.com> <CAOuvq200e9HnPX1w9sZ+e7ipBmdgZdPL5xzKDgcaDpSxz1N=gg@mail.gmail.com> <CAMm+Lwh384YBMXw-BDoxJw+AN4qv8x6GQpF9YK4PW1gQRnadpg@mail.gmail.com> <6125A841-6C85-4858-B37F-C021067F0CFA@checkpoint.com> <2035FF99-A079-4F2F-B4DE-962FE1C1B964@checkpoint.com> <CAOuvq20O9bqHGR-5eKPmasNnWEuNW7ACL7PxM09yoTmmyt1UUg@mail.gmail.com> <CAGZ8ZG2C4uB=4vgH325TWeNW89ne4E_DN0j9ZV0t2AKa1o+x9g@mail.gmail.com> <52089A35.9040103@mozilla.org> <CAGZ8ZG3HUUsQJ63mCqHd_LOq+KSdsVpG7Gibdif5dS4oGLywpA@mail.gmail.com> <52091598.7000306@mozilla.org> <faac23b0797219a618f8ffee1932f7e2.squirrel@webmail.dreamhost.com> <CAGZ8ZG1zRJ3fWsK7+Zd_CWjZKTms_YjAxFWzQ+=yrn_VTW+s4g@mail.gmail.com> <5209FF9D.1080208@mozilla.org> <CAGZ8ZG3-WgKuRCWSsB8U_Y72J9TYU83tsmY-QZ8=-8bOoxkj+A@mail.gmail.com>
In-Reply-To: <CAGZ8ZG3-WgKuRCWSsB8U_Y72J9TYU83tsmY-QZ8=-8bOoxkj+A@mail.gmail.com>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: 7bit
Cc: websec <websec@ietf.org>
Subject: Re: [websec] #58: Should we pin only SPKI, or also names
X-BeenThere: websec@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/websec>, <mailto:websec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/websec>
List-Post: <mailto:websec@ietf.org>
List-Help: <mailto:websec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/websec>, <mailto:websec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 14 Aug 2013 23:44:55 -0000

On 14/08/13 18:20, Trevor Perrin wrote:
> My point is that changes like CAs issuing new intermediates or
> deprecating old roots MUST get incorporated into website pins somehow.

Perhaps this is the point of disagreement.

I would expect CAs to offer appropriate pinning advice with
certificates, probably in the form of "paste this into your HPKP
header". Once a cert is in use and pinned, no further changes to those
pins need to be made. No matter what happens to the CA's business, as
long as the root and intermediate you are using are still valid (and,
absent a CA breach, they will be - no CA sells certs which use roots and
intermediates which expire before the cert finishes its lifetime), you
don't have to worry. When you get a new cert (renewal), you'll get
updated pinning advice.

If you have pinned a backup provider, you will no doubt have sought
similar pinning advice from them. There is more of a risk that this
advice will need to change at a different time from you changing your
cert, but that's OK, because you can change this stuff as much as you
like and all you have to do is wait for caches to empty (30 days?).

Gerv
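The following is an added example, not part of Gerv's message or anything in the websec thread. It models the HPKP mechanics the reply relies on: a pin is the base64 SHA-256 of a key's DER SubjectPublicKeyInfo (RFC 7469), a header is only "noted" by a client if it also carries a backup pin that is not in the served chain, and the pins stay cached until max-age runs out, which is the "wait for caches to empty" point. The host name, the SPKI byte strings and the key names are constructed stand-ins (real pins are computed over the DER SubjectPublicKeyInfo of the certificate); the scenario function shows when a renewal keeps working for clients that still hold the old pins and when it does not.

```python
import base64
import hashlib
from typing import Dict, List, Optional, Set, Tuple

DAY = 86400


def spki_pin(spki_der: bytes) -> str:
    """RFC 7469 pin value: base64 of SHA-256 over the DER SubjectPublicKeyInfo."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")


def build_hpkp_header(chain_spkis: List[bytes], backup_spkis: List[bytes], max_age: int) -> str:
    """The 'paste this into your HPKP header' string: one pin-sha256 per key you pin
    from the served chain, plus one per backup key, and a max-age in seconds."""
    directives = ['pin-sha256="%s"' % spki_pin(s) for s in chain_spkis + backup_spkis]
    directives.append("max-age=%d" % max_age)
    return "; ".join(directives)


def parse_hpkp_header(header: str) -> Tuple[Set[str], Optional[int]]:
    """Parse pin-sha256 and max-age directives; unknown directives are ignored."""
    pins: Set[str] = set()
    max_age: Optional[int] = None
    for directive in header.split(";"):
        name, _, value = directive.strip().partition("=")
        name, value = name.strip().lower(), value.strip().strip('"')
        if name == "pin-sha256":
            pins.add(value)
        elif name == "max-age":
            max_age = int(value)
    return pins, max_age


def chain_matches(chain_spkis: List[bytes], pinned: Set[str]) -> bool:
    """Pin validation: at least one SPKI anywhere in the served chain matches a pin."""
    return any(spki_pin(s) in pinned for s in chain_spkis)


def has_backup_pin(chain_spkis: List[bytes], pinned: Set[str]) -> bool:
    """A header is noted only if it carries a pin that is NOT in the current chain."""
    served = {spki_pin(s) for s in chain_spkis}
    return bool(pinned - served)


class PinStore:
    """Client-side cache of noted pins: host -> (pins, expiry time)."""

    def __init__(self) -> None:
        self._entries: Dict[str, Tuple[Set[str], int]] = {}

    def note(self, host: str, header: str, chain_spkis: List[bytes], now: int) -> bool:
        pins, max_age = parse_hpkp_header(header)
        if max_age is None or not chain_matches(chain_spkis, pins) or not has_backup_pin(chain_spkis, pins):
            return False  # malformed or unsafe header: ignored, nothing cached
        if max_age == 0:
            self._entries.pop(host, None)  # max-age=0 clears the cached pins
        else:
            self._entries[host] = (pins, now + max_age)
        return True

    def validate(self, host: str, chain_spkis: List[bytes], now: int) -> bool:
        entry = self._entries.get(host)
        if entry is None or now >= entry[1]:
            self._entries.pop(host, None)
            return True  # no live pins: only ordinary chain validation applies
        return chain_matches(chain_spkis, entry[0])


# Constructed SPKI stand-ins for the keys in the scenario (not real key material).
ROOT_A = b"constructed-spki:root-A"
INTERMEDIATE_A = b"constructed-spki:intermediate-A"
LEAF_2013 = b"constructed-spki:leaf-2013"
BACKUP_KEY = b"constructed-spki:offline-backup-key"
INTERMEDIATE_B = b"constructed-spki:intermediate-B"  # a different CA's issuing key
LEAF_RENEWED = b"constructed-spki:leaf-renewed"


def renewal_scenario() -> Dict[str, bool]:
    """Pins for intermediate A plus a backup key, cached by a client for 30 days."""
    store = PinStore()
    header = build_hpkp_header([INTERMEDIATE_A], [BACKUP_KEY], 30 * DAY)
    noted = store.note("example.test", header, [LEAF_2013, INTERMEDIATE_A, ROOT_A], now=0)
    # Day 10, renewal with the same CA and a new leaf key: the cached intermediate pin still matches.
    same_ca = store.validate("example.test", [LEAF_RENEWED, INTERMEDIATE_A, ROOT_A], now=10 * DAY)
    # Day 10, renewal from a CA whose keys were never pinned: clients holding old pins reject it.
    other_ca = store.validate("example.test", [LEAF_RENEWED, INTERMEDIATE_B], now=10 * DAY)
    # Same switch, but the new leaf uses the pre-pinned backup key: accepted.
    via_backup = store.validate("example.test", [BACKUP_KEY, INTERMEDIATE_B], now=10 * DAY)
    # Day 31, the cached pins have expired: any otherwise-valid chain is accepted again.
    expired = store.validate("example.test", [LEAF_RENEWED, INTERMEDIATE_B], now=31 * DAY)
    return {"noted": noted, "same_ca": same_ca, "other_ca": other_ca,
            "via_backup": via_backup, "expired": expired}
```

The `other_ca` case is the risk the reply accepts: once pins are in clients' caches, a change that makes none of them match is only safe after max-age has elapsed for every client that noted the old header, or if a pinned backup key is used to bridge the change.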