Re: [websec] HSTS: pinning certs, other changes to TLS server authentication

Adam Barth <ietf@adambarth.com> Thu, 24 March 2011 03:35 UTC

On Wed, Mar 23, 2011 at 8:31 PM, Matt McCutchen <matt@mattmccutchen.net> wrote:
> The following observations were made on EFF's SSL Observatory list
> (https://mail1.eff.org/pipermail/observatory/2011-March/000086.html):
>
> On Wed, 2011-03-23 at 12:56 -0400, Matt McCutchen wrote:
>> HTTP Strict Transport Security does not pin the cert (it only
>> prevents the user from accepting bad certs), so it is exposed to CA
>> compromises.  SSH is not.
>
> On Wed, 2011-03-23 at 12:00 -0600, Hodges, Jeff wrote:
>> Yes, as presently specified and implemented in its _draft_ form.
>>
>> This could change. [...]
>>
>> Also, HSTS is arguably an intermediate-term (and specific-to-http)
>> approach to the more general issue of network application
>> advertisement of security policy. I.e. future work may supplant it.
>
> On Wed, 2011-03-23 at 14:08 -0400, Matt McCutchen wrote:
>> Understood.  But I wouldn't propose to change that.  HSTS is the wrong
>> place to fundamentally change the TLS server authentication model.
>
> On Wed, 2011-03-23 at 12:24 -0600, Hodges, Jeff wrote:
>> I nominally disagree with the latter for various reasons, but we
>> should discuss on websec@
>
> Jeff, if you had something more to say, I invite you to say it.

Thanks for forwarding the thread.  There have been a bunch of people
asking for the ability to pin a certificate (or a CA certificate)
using HSTS.  In light of recent events, that's sounding more and more
like something we should consider.

Adam