Re: [websec] #39: appropriately acknowlege and accommodate DANE
=JeffH <Jeff.Hodges@KingsMountain.com> Fri, 20 April 2012 17:50 UTC
Return-Path: <Jeff.Hodges@KingsMountain.com>
X-Original-To: websec@ietfa.amsl.com
Delivered-To: websec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3C4D321F85C5 for <websec@ietfa.amsl.com>; Fri, 20 Apr 2012 10:50:56 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -99.937
X-Spam-Level:
X-Spam-Status: No, score=-99.937 tagged_above=-999 required=5 tests=[AWL=0.558, BAYES_00=-2.599, FH_RELAY_NODNS=1.451, HELO_MISMATCH_COM=0.553, RDNS_NONE=0.1, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id QzdLJCTyWLmL for <websec@ietfa.amsl.com>; Fri, 20 Apr 2012 10:50:55 -0700 (PDT)
Received: from oproxy7-pub.bluehost.com (oproxy7.bluehost.com [IPv6:2605:dc00:100:2::a7]) by ietfa.amsl.com (Postfix) with SMTP id 41CA721F85D0 for <websec@ietf.org>; Fri, 20 Apr 2012 10:50:52 -0700 (PDT)
Received: (qmail 7913 invoked by uid 0); 20 Apr 2012 17:50:50 -0000
Received: from unknown (HELO box514.bluehost.com) (74.220.219.114) by oproxy7.bluehost.com with SMTP; 20 Apr 2012 17:50:50 -0000
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=kingsmountain.com; s=default; h=Content-Transfer-Encoding:Content-Type:Subject:To:MIME-Version:From:Date:Message-ID; bh=YMK4Vn7HLrvnF8ScbUPQjz9Z19WOcfk3kNXtKybaXPU=; b=Jk1GMUIjOa7h/CpnmYPMloDaWI97fwINUcM0HjTIjrV3hxfORUf0yaDiB1ZvM7nrw7P1is7qKxAIEeMToq/nChksNsIR2kDqzeocEGobNO/KcX1sPR/+HzWnuwdsWVpa;
Received: from outbound4.ebay.com ([216.113.168.128] helo=[10.244.137.216]) by box514.bluehost.com with esmtpsa (TLSv1:CAMELLIA256-SHA:256) (Exim 4.76) (envelope-from <Jeff.Hodges@KingsMountain.com>) id 1SLHyr-0001oX-SL; Fri, 20 Apr 2012 11:50:49 -0600
Message-ID: <4F91A1F8.4090501@KingsMountain.com>
Date: Fri, 20 Apr 2012 10:50:48 -0700
From: =JeffH <Jeff.Hodges@KingsMountain.com>
User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.28) Gecko/20120313 Thunderbird/3.1.20
MIME-Version: 1.0
To: Paul Hoffman <paul.hoffman@vpnc.org>, IETF WebSec WG <websec@ietf.org>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
X-Identified-User: {11025:box514.bluehost.com:kingsmou:kingsmountain.com} {sentby:smtp auth 216.113.168.128 authed with jeff.hodges+kingsmountain.com}
Subject: Re: [websec] #39: appropriately acknowlege and accommodate DANE
X-BeenThere: websec@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/websec>, <mailto:websec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/websec>
List-Post: <mailto:websec@ietf.org>
List-Help: <mailto:websec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/websec>, <mailto:websec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 20 Apr 2012 17:50:56 -0000
> #39: appropriately acknowlege and accommodate DANE http://trac.tools.ietf.org/wg/websec/trac/ticket/39 fyi & comment, the text I presently have in my working copy of -07 is.. . . . 2.2. HTTP Strict Transport Security Policy Effects The effects of the HTTP Strict Transport Security (HSTS) Policy, as applied by a UA in interactions with a web resource host wielding such policy (known as a HSTS Host), are summarized as follows: . . 2. The UA terminates any secure transport connection attempts upon any and all secure transport errors or warnings, including those caused by a web application presenting a certificate matching a trusted certificate association as denoted via the DANE protocol [I-D.ietf-dane-protocol], or any other form of self-signed certificate that does not chain to a trust anchor in the UA or operating system CA root certificate store. . . . 10.2. Using HSTS in conjunction with self-signed public-key certificates If a web site/organization/enterprise is generating their own secure transport public-key certificates for web sites, and that organization's root certification authority (CA) certificate is not typically embedded by default in browser and/or operating system CA certificate stores, and if HSTS Policy is enabled on a host identifying itself using a certificate signed by the organization's CA (i.e., a "self-signed certificate"), and this certificate does not match a trusted certificate association (as denoted via the DANE protocol [I-D.ietf-dane-protocol]), then secure connections to that site will fail, per the HSTS design. This is to protect against various active attacks, as discussed above. However, if said organization strongly wishes to employ self-signed certificates, and their own CA in concert with HSTS, they can do so by deploying their root CA certificate to their users' browsers or operating system CA root certificate stores. They can also, in addition or instead, distribute to their users' browsers the end- entity certificate(s) for specific hosts. There are various ways in which this can be accomplished (details are out of scope for this specification). Once their root CA certificate is installed in the browsers, they may employ HSTS Policy on their site(s). Alternately, that organization can deploy the DANE protocol; all browsers that also use DANE will then be able to trust the certificates identified by trusted certificate associations as denoted via DANE. Note: Interactively distributing root CA certificates to users, e.g., via email, and having the users install them, is arguably training the users to be susceptible to a possible form of phishing attack, see Section 14.6 "Bogus Root CA Certificate Phish plus DNS Cache Poisoning Attack". Thus care should be taken in the manner in which such certificates are distributed and installed on users' systems and browsers. . . . --- end
- [websec] #39: appropriately acknowlege and accomm… websec issue tracker
- Re: [websec] #39: appropriately acknowlege and ac… =JeffH
- Re: [websec] #39: appropriately acknowlege and ac… Paul Hoffman
- Re: [websec] #39: appropriately acknowlege and ac… =JeffH
- Re: [websec] #39: appropriately acknowlege and ac… Paul Hoffman
- Re: [websec] #39: appropriately acknowlege and ac… websec issue tracker