From nobody Fri Aug  1 00:09:13 2014
Return-Path: <iesg-secretary@ietf.org>
X-Original-To: websec@ietfa.amsl.com
Delivered-To: websec@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1869E1A041F; Fri,  1 Aug 2014 00:09:10 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level: 
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id cxKt1QRfXint; Fri,  1 Aug 2014 00:09:08 -0700 (PDT)
Received: from ietfa.amsl.com (localhost [IPv6:::1]) by ietfa.amsl.com (Postfix) with ESMTP id BB79C1A00B9; Fri,  1 Aug 2014 00:09:07 -0700 (PDT)
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
From: DraftTracker Mail System <iesg-secretary@ietf.org>
To: iesg@ietf.org, websec-chairs@tools.ietf.org, draft-ietf-websec-key-pinning@tools.ietf.org, websec@ietf.org
X-Test-IDTracker: no
X-IETF-IDTracker: 5.6.2.p3
Auto-Submitted: auto-generated
Precedence: bulk
Message-ID: <20140801070907.13242.4595.idtracker@ietfa.amsl.com>
Date: Fri, 01 Aug 2014 00:09:07 -0700
Archived-At: http://mailarchive.ietf.org/arch/msg/websec/kzTlpwzZ0knat1D1KQ5GXMt6IU4
Cc: iesg-secretary@ietf.org
Subject: [websec] Last Call Expired: <draft-ietf-websec-key-pinning-19.txt>
X-BeenThere: websec@ietf.org
X-Mailman-Version: 2.1.15
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/websec>, <mailto:websec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/websec/>
List-Post: <mailto:websec@ietf.org>
List-Help: <mailto:websec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/websec>, <mailto:websec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 01 Aug 2014 07:09:10 -0000

Please DO NOT reply to this email.

I-D: <draft-ietf-websec-key-pinning-19.txt>
ID Tracker URL: http://datatracker.ietf.org/doc/draft-ietf-websec-key-pinning/

IETF Last Call has ended, and the state has been changed to
Waiting for AD Go-Ahead.


From nobody Mon Aug  4 08:06:26 2014
Return-Path: <barryleiba@gmail.com>
X-Original-To: websec@ietfa.amsl.com
Delivered-To: websec@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E8A8C1A035E; Mon,  4 Aug 2014 08:06:24 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.278
X-Spam-Level: 
X-Spam-Status: No, score=-1.278 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, FM_FORGED_GMAIL=0.622, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id JZvpzg4BOJCV; Mon,  4 Aug 2014 08:06:22 -0700 (PDT)
Received: from mail-la0-x22c.google.com (mail-la0-x22c.google.com [IPv6:2a00:1450:4010:c03::22c]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D7E741B2B40; Mon,  4 Aug 2014 08:06:13 -0700 (PDT)
Received: by mail-la0-f44.google.com with SMTP id e16so5595606lan.3 for <multiple recipients>; Mon, 04 Aug 2014 08:06:12 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113;  h=mime-version:sender:in-reply-to:references:date:message-id:subject :from:to:cc:content-type:content-transfer-encoding; bh=+xu1mTNVIESD2OKiIDSIHdPsdECo/N6YzVEdSI9DGg4=; b=lnRNnS+NozkOpO6pkzFQQPlxPPYjW9x364HZwvFCKjuutYvy7nmq7XqPmkNKfB6b0V Qs8HodBZYAFxpsAu+Scf2AycuFvGmKVTvHBfaz8Ow7WjaVqvaFmF0mofbCQvbLhP5GrJ /d2pQ1uTgau8giiL3xL11lc+K4msvsuT60af3C7qrIH2NnilXCB+2DHSNNUx0SfijeVS NcgZ2JOMXAw/iyZxBU5EGsa4SvbgyBgIben4wNPNWE+9d/+RHzyTkWnrcq03qcY0lkGG pxKr13SeKP2wnS+k8zOrJia2DsxCxjha+744FeiJFJVv+7ljoh4hXGneCMQ+Xwlxohod OTkg==
MIME-Version: 1.0
X-Received: by 10.112.137.136 with SMTP id qi8mr22543078lbb.41.1407164772049;  Mon, 04 Aug 2014 08:06:12 -0700 (PDT)
Sender: barryleiba@gmail.com
Received: by 10.152.8.46 with HTTP; Mon, 4 Aug 2014 08:06:11 -0700 (PDT)
In-Reply-To: <A46FD7B1-0ECB-4AB9-990E-E09D4956591B@gmail.com>
References: <53DA3F13.10007@dial.pipex.com> <A46FD7B1-0ECB-4AB9-990E-E09D4956591B@gmail.com>
Date: Mon, 4 Aug 2014 11:06:12 -0400
X-Google-Sender-Auth: S-0ka3lwigOVB3bVSSe5NlezORw
Message-ID: <CALaySJJrUq-uEQFmTo5FUuTrbcV3BvQtEtVo88NEvuaFXDpjJA@mail.gmail.com>
From: Barry Leiba <barryleiba@computer.org>
To: Yoav Nir <ynir.ietf@gmail.com>
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: quoted-printable
Archived-At: http://mailarchive.ietf.org/arch/msg/websec/tiXoh9ilQrW0W0PVGv4XydT3RNc
Cc: draft-ietf-websec-key-pinning.all@tools.ietf.org, General area reviewing team <gen-art@ietf.org>, Elwyn Davies <elwynd@dial.pipex.com>, IETF WebSec WG <websec@ietf.org>
Subject: Re: [websec] Gen-art LC review of draft-ietf-websec-key-pinning-19
X-BeenThere: websec@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/websec>, <mailto:websec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/websec/>
List-Post: <mailto:websec@ietf.org>
List-Help: <mailto:websec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/websec>, <mailto:websec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 04 Aug 2014 15:06:25 -0000

Yoav, is a revised I-D forthcoming?  Are there further comments about
Elwyn's review?

Barry

On Thu, Jul 31, 2014 at 3:27 PM, Yoav Nir <ynir.ietf@gmail.com> wrote:
> Hi, Elwyn
>
> [ adding the WebSec mailing list ]
>
> Thanks for the review. I think the editorial comments and the un-expanded=
 initialisms are not controversial. The text in section 4.1 contains our ha=
rd-earned consensus about maximum max-age. Perhaps your comment about secti=
on 2.1.1 can be accommodated by pointing to section 4.1 from section 2.1.1.
>
> As for the rest, I will leave up to the group, but I might also comment a=
s an individual.
>
> To the WebSec group: please send in comments about this. A GenArt review =
(just like *Dir reviews that are likely to come in the next few days) shoul=
d be addressed just like any other comments. Pushing back is fine if we thi=
nk they are inappropriate, but comments about lack of clarity tend to be co=
rrect when they're made by someone outside the working group - someone who =
reads the document without having participated in the discussion on-list an=
d at meetings. Making changes is still up to the working group, so please g=
o over Elwyn's comments.
>
> Yoav
> As co-chair and document shepherd.
>
> On Jul 31, 2014, at 4:05 PM, Elwyn Davies <elwynd@dial.pipex.com> wrote:
>
>> I am the assigned Gen-ART reviewer for this draft. For background on
>> Gen-ART, please see the FAQ at
>>
>> <http://wiki.tools.ietf.org/area/gen/trac/wiki/GenArtfaq>.
>>
>> Please resolve these comments along with any other Last Call comments
>> you may receive.
>>
>> Document: draft-ietf-websec-key-pinning-19.txt
>> Reviewer: Elwyn Davies
>> Review Date: 31 July 2014
>> IETF LC End Date: 1 August 2014
>> IESG Telechat date: (if known) -
>>
>> Summary:
>> Almost ready.  There are some minor issues some of which may be as a res=
ult of some
>> misunderstanding on my part.  The descriptive text in the early part of =
s2 is missing
>> some definitions that make it unclear until they appear later on.  This =
makes the early
>> descriptions more confusing that illuminating in places.  Suggestions in=
 the detailed
>> comments below.
>>
>> One thing that is not fully clear to me and could probably be explained =
to help others
>> is the start up of the pinning mechanisms for a given host domain.  AFAI=
CS Pin validation
>> would possibly not be carried out on a first connection to a domain when=
 there are no
>> preconfigured Pins.  I am not clear if this adds anything to the risk of=
 a MITM attack or
>> does it in any way negate the value of the whole pinning process?  I was=
 not clear if
>> an effective Pin validation should be carried out during the first conne=
ction when the
>> UA receives the host's Pins for the first time and decides that it is no=
w a Pinned Host,
>> in that the document doesn't state that the connection is terminated if =
the setting up
>> of the Pinned host fails because the certs don't validate.
>>
>> Major issues:
>> None
>>
>> Minor issues:
>> s1: The term "Pin" (as a noun) is not explicitly defined. The definition=
 doesn't appear
>> until s2.4.
>>
>> s2.1.1: I'm not sure if this could be an issue.. should a maximum possib=
le value for max_age
>> be specified to avoid UA's being cluttered up with old Pins - this might=
 possible be a DoS
>> attack vehicle but I am not sure (yet) if it could be. OK.. so s2.3.3 ta=
lks about limits.
>> A pointer to this discussion would be useful here
>>
>> s2.2.1: Does this response behaviour apply to all possible request types=
? Once a server has sent a
>> Pin header should it send it again on all subsequent requests on the sam=
e TLS connection or is
>> that a choice?  Given the "SHOULD" in s2.2.1, what are the circumstances=
 in which the server should
>> refrain from sending the Pins? [I first thought about 'Redirects' but re=
alized that that was probably
>> a really good time to send Pins!]
>>
>> s2.3.1/s2.4: S2.4 states that hash algorithms might be deprecated in fut=
ure.  Presumably a
>> deprecated algorithm should be treated as an unrecognized directive or s=
ome such to avoid
>> downgrade attacks.  Probably worth being explicit about this.  Also this=
 is potentially
>> incompatible with the statement that 'UAs MUST recognize "sha256"' (Para=
 3 of s2.4).
>> This results in a potential downgrade attack when and if SHA256 is deeme=
d to be no longer
>> cryptographically effective. I think this statement can be removed as pr=
esently a UA
>> has no other option if it is to implement the specification.
>>
>> s2.6:
>>>    Note that the UA MUST perform Pin Validation when setting up the TLS
>>>    session, before beginning an HTTP conversation over the TLS channel.
>> I suspect I am confused: If a UA is making its first connection to a hos=
t for which it doesn't
>> have a preconfigured Pin, then it won't get the Pin(s) from the host unt=
il it has set up the
>> TLS connection and received the response to the request at the HTTP prot=
ocol level.  In that case
>> Pin validation will pass by default (subject to local policy perhaps) si=
nce the cache doesn't have
>> entries for the host.  Presumably the UA should then perform Pin validat=
ion if it has passed by
>> default during TLS setup (assuming that this is possible given the layer=
ing) or does the UA have to
>> terminate the session and restart it so that Pin validation can be perfo=
rmed?  The second case may
>> give scope for a DoS attack.  Or is it the case that Pin validation is n=
ot needed on the first
>> connection... I don't see why this shouldn't be done but I may not under=
stand the problem.  I think
>> some clarification about the startup of the process is needed.
>> Nits/editorial comments:
>>
>> s1, last para: s/toegether/together/, s/but is possible/but it is possib=
le/
>> s2.1: It would be good to expand the term OWS.
>>
>> s2.1, Figure 1 caption: The acronym HPKP needs expanding.
>>
>> s2.1, 2nd para after numbered bullets:
>> It is not the definition of hash algorithms that is relevant, but allowi=
ng them to be
>> used in pin-directives thus:
>> OLD:
>> additional algorithms may be defined in the future
>> NEW:
>> additional algorithms may be allowed for use in this context in future
>>
>> Also the implication of the "sha256" name should be explained precisely =
-
>> i.e, that the SHA256 hash algorithm will be used, and a suitable referen=
ce
>> for SHA256 should be given. (Again this doesn't happen until s2.4).
>>
>> And finally the "Fingerprint" of what SPKI? Defining Pin formally as not=
ed above would help!
>>
>> s2.1, last para: s/hahs/hash/
>>
>> s4.2/Figure 8: The first line of text is too wide.
>>
>> s5, para 1: Is it really "HSTS or HPKP"?  I thought it would be "HSTS co=
mbined with HPKP".
>>
>> s6: Needs to be more precise about *which* message headers repository is=
 to be updated! Presumably
>> the permanent one at http://www.iana.org/assignments/message-headers/mes=
sage-headers.xml#perm-headers.
>>
>> Also there may be some of the questions in s8.3.1 of RFC 7231 that need =
specific answers.
>>
>> s5, 2nd top level bullet: Expand SNI acronym.
>>
>


From nobody Mon Aug  4 08:36:43 2014
Return-Path: <ietf-secretariat-reply@ietf.org>
X-Original-To: websec@ietfa.amsl.com
Delivered-To: websec@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 219071A0ACB for <websec@ietfa.amsl.com>; Tue, 29 Jul 2014 12:06:29 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level: 
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 9RnMdZqM6lWk; Tue, 29 Jul 2014 12:06:27 -0700 (PDT)
Received: from ietfa.amsl.com (localhost [IPv6:::1]) by ietfa.amsl.com (Postfix) with ESMTP id 3107D1A0ADC; Tue, 29 Jul 2014 12:06:27 -0700 (PDT)
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
To: websec-chairs@tools.ietf.org, draft-ietf-websec-key-pinning@tools.ietf.org, websec@ietf.org
X-Test-IDTracker: no
X-IETF-IDTracker: 5.6.2.p2
Auto-Submitted: auto-generated
Precedence: bulk
Message-ID: <20140729190627.21417.68799.idtracker@ietfa.amsl.com>
Date: Tue, 29 Jul 2014 12:06:27 -0700
From: IETF Secretariat <ietf-secretariat-reply@ietf.org>
Archived-At: http://mailarchive.ietf.org/arch/msg/websec/WIH5wqAikTkm4H4b4eCvQsX_RaU
X-Mailman-Approved-At: Mon, 04 Aug 2014 08:36:42 -0700
Subject: [websec] ID Tracker State Update Notice: <draft-ietf-websec-key-pinning-19.txt>
X-BeenThere: websec@ietf.org
X-Mailman-Version: 2.1.15
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/websec>, <mailto:websec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/websec/>
List-Post: <mailto:websec@ietf.org>
List-Help: <mailto:websec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/websec>, <mailto:websec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 29 Jul 2014 19:06:30 -0000

IANA review state changed to IANA - Not OK
ID Tracker URL: http://datatracker.ietf.org/doc/draft-ietf-websec-key-pinning/


From nobody Mon Aug  4 08:36:45 2014
Return-Path: <ietf-secretariat-reply@ietf.org>
X-Original-To: websec@ietfa.amsl.com
Delivered-To: websec@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A7F5B1B2B17 for <websec@ietfa.amsl.com>; Mon,  4 Aug 2014 07:17:32 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level: 
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id G3EgegNsSlC1; Mon,  4 Aug 2014 07:17:31 -0700 (PDT)
Received: from ietfa.amsl.com (localhost [IPv6:::1]) by ietfa.amsl.com (Postfix) with ESMTP id 17DEA1B2B1F; Mon,  4 Aug 2014 07:17:27 -0700 (PDT)
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
To: websec-chairs@tools.ietf.org, draft-ietf-websec-key-pinning@tools.ietf.org, websec@ietf.org
X-Test-IDTracker: no
X-IETF-IDTracker: 5.6.2.p3
Auto-Submitted: auto-generated
Precedence: bulk
Message-ID: <20140804141727.17979.57151.idtracker@ietfa.amsl.com>
Date: Mon, 04 Aug 2014 07:17:27 -0700
From: IETF Secretariat <ietf-secretariat-reply@ietf.org>
Archived-At: http://mailarchive.ietf.org/arch/msg/websec/9OxDK6zad9KNLZBUlusX-J-M7T8
X-Mailman-Approved-At: Mon, 04 Aug 2014 08:36:42 -0700
Subject: [websec] ID Tracker State Update Notice: <draft-ietf-websec-key-pinning-19.txt>
X-BeenThere: websec@ietf.org
X-Mailman-Version: 2.1.15
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/websec>, <mailto:websec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/websec/>
List-Post: <mailto:websec@ietf.org>
List-Help: <mailto:websec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/websec>, <mailto:websec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 04 Aug 2014 14:17:32 -0000

IESG state changed to IESG Evaluation from Waiting for AD Go-Ahead
ID Tracker URL: http://datatracker.ietf.org/doc/draft-ietf-websec-key-pinning/


From nobody Mon Aug  4 08:50:15 2014
Return-Path: <ynir.ietf@gmail.com>
X-Original-To: websec@ietfa.amsl.com
Delivered-To: websec@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9236A1B2B63; Mon,  4 Aug 2014 08:50:12 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level: 
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9,  DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id hCjfACkXgFbS; Mon,  4 Aug 2014 08:50:10 -0700 (PDT)
Received: from mail-wg0-x231.google.com (mail-wg0-x231.google.com [IPv6:2a00:1450:400c:c00::231]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 37AC71A014D; Mon,  4 Aug 2014 08:50:09 -0700 (PDT)
Received: by mail-wg0-f49.google.com with SMTP id k14so7919783wgh.8 for <multiple recipients>; Mon, 04 Aug 2014 08:50:06 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113;  h=content-type:mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=VdKks9IskYLxKkqPwsAszxidlA7gYx51ideX/0Xr+Gc=; b=MzOJd/7pPxufa+Ef9cXJ0wD/9XtWklYx0Ct9Q24VnLipFAm/otWLooMaRR4OFNWFip 8LSthUuz6xWImL+wO5xhx6E1wShgG6EEvDiP/lug4Rj+nr8r5ubBWcBZQ1+yVOWP0OKz wQ4mzNehK0ClzhuTdsmFYif4RYIQ2d5eegE9vs8LnMgSdlyt2KPikn9oDMNb0/CJ7vdV ih+Zh3A4997jAN3bjYWzvKzutgAqOUoB6G4bHl1IEI7FvELIFv/kpxvCgDpzLXgSK1EJ JF/Vo7Sx7kW+Texua02gXzua4n1KSbRW1LuozIfYcVWghcfMxXQIO2y1bWT4WSQa+sQc /V6g==
X-Received: by 10.194.187.4 with SMTP id fo4mr32874271wjc.35.1407167405547; Mon, 04 Aug 2014 08:50:05 -0700 (PDT)
Received: from [10.4.23.8] ([80.179.9.115]) by mx.google.com with ESMTPSA id lg7sm44407803wjb.9.2014.08.04.08.50.01 for <multiple recipients> (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Mon, 04 Aug 2014 08:50:05 -0700 (PDT)
Content-Type: text/plain; charset=windows-1252
Mime-Version: 1.0 (Mac OS X Mail 7.3 \(1878.6\))
From: Yoav Nir <ynir.ietf@gmail.com>
In-Reply-To: <A46FD7B1-0ECB-4AB9-990E-E09D4956591B@gmail.com>
Date: Mon, 4 Aug 2014 18:49:55 +0300
Content-Transfer-Encoding: quoted-printable
Message-Id: <549E489B-181F-48FA-867E-BA7C7FB3E32D@gmail.com>
References: <53DA3F13.10007@dial.pipex.com> <A46FD7B1-0ECB-4AB9-990E-E09D4956591B@gmail.com>
To: Elwyn Davies <elwynd@dial.pipex.com>
X-Mailer: Apple Mail (2.1878.6)
Archived-At: http://mailarchive.ietf.org/arch/msg/websec/jqP8a6GzXFm7DS6Q1H7_pwUodWQ
Cc: draft-ietf-websec-key-pinning.all@tools.ietf.org, General area reviewing team <gen-art@ietf.org>, IETF WebSec WG <websec@ietf.org>
Subject: Re: [websec] Gen-art LC review of draft-ietf-websec-key-pinning-19
X-BeenThere: websec@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/websec>, <mailto:websec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/websec/>
List-Post: <mailto:websec@ietf.org>
List-Help: <mailto:websec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/websec>, <mailto:websec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 04 Aug 2014 15:50:12 -0000

[ with no hats on ]

inline

On Jul 31, 2014, at 10:27 PM, Yoav Nir <ynir.ietf@gmail.com> wrote:
> On Jul 31, 2014, at 4:05 PM, Elwyn Davies <elwynd@dial.pipex.com> =
wrote:
>=20
>> I am the assigned Gen-ART reviewer for this draft. For background on
>> Gen-ART, please see the FAQ at
>>=20
>> <http://wiki.tools.ietf.org/area/gen/trac/wiki/GenArtfaq>.
>>=20
>> Please resolve these comments along with any other Last Call comments
>> you may receive.
>>=20
>> Document: draft-ietf-websec-key-pinning-19.txt
>> Reviewer: Elwyn Davies
>> Review Date: 31 July 2014
>> IETF LC End Date: 1 August 2014
>> IESG Telechat date: (if known) -
>>=20
>> Summary:
>> Almost ready.  There are some minor issues some of which may be as a =
result of some
>> misunderstanding on my part.  The descriptive text in the early part =
of s2 is missing
>> some definitions that make it unclear until they appear later on.  =
This makes the early
>> descriptions more confusing that illuminating in places.  Suggestions =
in the detailed
>> comments below.

[YN] I believe the missing definitions you=92re talking about are Pin, =
Pin Validation. I think anyone who reads this specification is familiar =
enough with HTTP to know what request, response, UA and directive mean. =
If so, I suggest that these can be defined in 1-2 sentences in section =
1, even if they=92re better explained later on.

>> One thing that is not fully clear to me and could probably be =
explained to help others
>> is the start up of the pinning mechanisms for a given host domain.  =
AFAICS Pin validation
>> would possibly not be carried out on a first connection to a domain =
when there are no
>> preconfigured Pins.  I am not clear if this adds anything to the risk =
of a MITM attack or
>> does it in any way negate the value of the whole pinning process?  I =
was not clear if
>> an effective Pin validation should be carried out during the first =
connection when the
>> UA receives the host's Pins for the first time and decides that it is =
now a Pinned Host,
>> in that the document doesn't state that the connection is terminated =
if the setting up
>> of the Pinned host fails because the certs don't validate.

Key pinning is a TOFU (trust on first use) mechanism. As such, the first =
time a UA connects to a domain there is no validation. A MitM attacking =
such a first connection will not be discovered. Worse, such a MitM can =
inject its own PKP header into the HTTP stream, and pin the UA to its =
own keys. Note that in order to pin false information, the attacker =
would have to be able to produce an error-free connection. Without =
compromising a trusted CA, this should not be possible, and the best =
that attackers can accomplish is to use an invalid TLS certificate, =
leading to an interstitial warning page.

This is apparent from section 2.3.1, but perhaps deserves a short =
paragraph in the introduction.

>> Major issues:
>> None
>>=20
>> Minor issues:
>> s1: The term "Pin" (as a noun) is not explicitly defined. The =
definition doesn't appear
>> until s2.4.
>>=20
>> s2.1.1: I'm not sure if this could be an issue.. should a maximum =
possible value for max_age
>> be specified to avoid UA's being cluttered up with old Pins - this =
might possible be a DoS
>> attack vehicle but I am not sure (yet) if it could be. OK.. so s2.3.3 =
talks about limits.
>> A pointer to this discussion would be useful here
>>=20
>> s2.2.1: Does this response behaviour apply to all possible request =
types? Once a server has sent a
>> Pin header should it send it again on all subsequent requests on the =
same TLS connection or is
>> that a choice?  Given the "SHOULD" in s2.2.1, what are the =
circumstances in which the server should
>> refrain from sending the Pins? [I first thought about 'Redirects' but =
realized that that was probably
>> a really good time to send Pins!]

This has been discussed, and because of all kinds of weird deployments, =
such as with multiplexed servers behind a load-balancer the only viable =
way was to send the PKP in every response. Some (me!) were concerned =
about the overhead of these large-ish headers, but we heard from people =
who actually run servers that a header this small is inconsequential. =
The draft for HTTP/2 makes this less of an issue, as repeated headers =
are efficiently encoded by referring back to previous header sets.=20

>> s2.3.1/s2.4: S2.4 states that hash algorithms might be deprecated in =
future.  Presumably a
>> deprecated algorithm should be treated as an unrecognized directive =
or some such to avoid
>> downgrade attacks.  Probably worth being explicit about this.  Also =
this is potentially
>> incompatible with the statement that 'UAs MUST recognize "sha256"' =
(Para 3 of s2.4).
>> This results in a potential downgrade attack when and if SHA256 is =
deemed to be no longer
>> cryptographically effective. I think this statement can be removed as =
presently a UA
>> has no other option if it is to implement the specification.
>>=20
>> s2.6:
>>>   Note that the UA MUST perform Pin Validation when setting up the =
TLS
>>>   session, before beginning an HTTP conversation over the TLS =
channel.
>> I suspect I am confused: If a UA is making its first connection to a =
host for which it doesn't
>> have a preconfigured Pin, then it won't get the Pin(s) from the host =
until it has set up the
>> TLS connection and received the response to the request at the HTTP =
protocol level.  In that case
>> Pin validation will pass by default (subject to local policy perhaps) =
since the cache doesn't have
>> entries for the host.  Presumably the UA should then perform Pin =
validation if it has passed by
>> default during TLS setup (assuming that this is possible given the =
layering) or does the UA have to
>> terminate the session and restart it so that Pin validation can be =
performed?  The second case may
>> give scope for a DoS attack.  Or is it the case that Pin validation =
is not needed on the first
>> connection... I don't see why this shouldn't be done but I may not =
understand the problem.  I think
>> some clarification about the startup of the process is needed.
>> Nits/editorial comments:
>>=20
>> s1, last para: s/toegether/together/, s/but is possible/but it is =
possible/
>> s2.1: It would be good to expand the term OWS.
>>=20
>> s2.1, Figure 1 caption: The acronym HPKP needs expanding.
>>=20
>> s2.1, 2nd para after numbered bullets:
>> It is not the definition of hash algorithms that is relevant, but =
allowing them to be
>> used in pin-directives thus:
>> OLD:
>> additional algorithms may be defined in the future
>> NEW:
>> additional algorithms may be allowed for use in this context in =
future
>>=20
>> Also the implication of the "sha256" name should be explained =
precisely -
>> i.e, that the SHA256 hash algorithm will be used, and a suitable =
reference
>> for SHA256 should be given. (Again this doesn't happen until s2.4).
>>=20
>> And finally the "Fingerprint" of what SPKI? Defining Pin formally as =
noted above would help!
>>=20
>> s2.1, last para: s/hahs/hash/
>>=20
>> s4.2/Figure 8: The first line of text is too wide.
>>=20
>> s5, para 1: Is it really "HSTS or HPKP"?  I thought it would be "HSTS =
combined with HPKP".
>>=20
>> s6: Needs to be more precise about *which* message headers repository =
is to be updated! Presumably
>> the permanent one at =
http://www.iana.org/assignments/message-headers/message-headers.xml#perm-h=
eaders.
>>=20
>> Also there may be some of the questions in s8.3.1 of RFC 7231 that =
need specific answers.
>>=20
>> s5, 2nd top level bullet: Expand SNI acronym.
>>=20
>=20


From nobody Mon Aug  4 17:49:56 2014
Return-Path: <presnick@qti.qualcomm.com>
X-Original-To: websec@ietfa.amsl.com
Delivered-To: websec@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7A0AE1A0AC4; Mon,  4 Aug 2014 17:49:52 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level: 
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 9OIrJsPTFYiH; Mon,  4 Aug 2014 17:49:50 -0700 (PDT)
Received: from ietfa.amsl.com (localhost [IPv6:::1]) by ietfa.amsl.com (Postfix) with ESMTP id A50C61A0ACA; Mon,  4 Aug 2014 17:49:50 -0700 (PDT)
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
From: "Pete Resnick" <presnick@qti.qualcomm.com>
To: The IESG <iesg@ietf.org>
X-Test-IDTracker: no
X-IETF-IDTracker: 5.6.2.p5
Auto-Submitted: auto-generated
Precedence: bulk
Message-ID: <20140805004950.9059.81409.idtracker@ietfa.amsl.com>
Date: Mon, 04 Aug 2014 17:49:50 -0700
Archived-At: http://mailarchive.ietf.org/arch/msg/websec/_gpa3VwHcrd_D2ku-gB49qzzyRc
Cc: draft-ietf-websec-key-pinning@tools.ietf.org, websec@ietf.org, websec-chairs@tools.ietf.org
Subject: [websec] Pete Resnick's No Objection on draft-ietf-websec-key-pinning-19: (with COMMENT)
X-BeenThere: websec@ietf.org
X-Mailman-Version: 2.1.15
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/websec>, <mailto:websec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/websec/>
List-Post: <mailto:websec@ietf.org>
List-Help: <mailto:websec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/websec>, <mailto:websec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 05 Aug 2014 00:49:52 -0000

Pete Resnick has entered the following ballot position for
draft-ietf-websec-key-pinning-19: No Objection

When responding, please keep the subject line intact and reply to all
email addresses included in the To and CC lines. (Feel free to cut this
introductory paragraph, however.)


Please refer to http://www.ietf.org/iesg/statement/discuss-criteria.html
for more information about IESG DISCUSS and COMMENT positions.


The document, along with other ballot positions, can be found here:
http://datatracker.ietf.org/doc/draft-ietf-websec-key-pinning/



----------------------------------------------------------------------
COMMENT:
----------------------------------------------------------------------

1: The first sentence is quite confusing. Might I suggest instead:

   This document defines a new HTTP header that enables user agents
   (UAs) to determine which Subject Public Key Info (SPKI) structures
   will be present in the web host's certificate chain in future TLS
   [RFC5246] connections.

2.1:

   Public-Key-Directives = [ directive ] *( OWS ";" OWS [ directive ] )

Are you sure that's correct? First of all, it may be completely empty.
That seems like something you wouldn't want. Second of all, it allows for
semicolons without directives between them, which may or may not be what
you want. It's not clear to me why you made this semicolon-delimited
instead of comma-delimited, which would be much more in line with the
rest of HTTP. Then you'd simply get:

   Public-Key-Directives = 1#directive

But if you insist on semicolons, you want either:

   Public-Key-Directives = directive *( OWS ";" OWS directive )

or if you want to allow for empty elements:

   Public-Key-Directives = *( ";" OWS ) directive *( OWS ";" [ OWS
    directive ] )
    
If the following is acceptable:

   Public-Key-Directives: ;;;;;

then your original is fine.

s/hahs/hash

10.1:

Update 4627 to 7159

I think W3C.REC-html401-19991224 is informative. This document says that
you MUST NOT do what's in that document.



From nobody Tue Aug  5 13:24:00 2014
Return-Path: <sleevi@google.com>
X-Original-To: websec@ietfa.amsl.com
Delivered-To: websec@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C89111B2B21 for <websec@ietfa.amsl.com>; Tue,  5 Aug 2014 12:14:51 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.379
X-Spam-Level: 
X-Spam-Status: No, score=-1.379 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 9vM3XTqYiHuG for <websec@ietfa.amsl.com>; Tue,  5 Aug 2014 12:14:46 -0700 (PDT)
Received: from mail-vc0-x22e.google.com (mail-vc0-x22e.google.com [IPv6:2607:f8b0:400c:c03::22e]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 50C2D1B2B24 for <websec@ietf.org>; Tue,  5 Aug 2014 12:14:21 -0700 (PDT)
Received: by mail-vc0-f174.google.com with SMTP id la4so2373605vcb.19 for <websec@ietf.org>; Tue, 05 Aug 2014 12:14:20 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=hfQ66eNp5qSnJQ5wUm+1frCvIPXMnoiHDuYBe80DSIA=; b=fIjqfX8F0AZGbI8yTpHNO+VSJkn0p4apmab9EiapPKxLIBC4MVL9+8+cXalTeuT3sL J3jqKNJHwF21Unc7AsBmDGah0rJuWvYvFma+mulWzpZz5WYMtfVKcx6UlRvqg2rvSzwx z5W3EpEv32GsD7MgBTcBp5DwWwTBEmASdc0+fK7lTH+UYOwyy9wgHfJut5ubHUzPyuze r3WmRm7CXaA0R0wd6hofnuXx8p0sv3YN/AUqENPo0bfaWrNC3y9fi2q/blduc+USK/gg j86DVKqWzT8ddeh28b0MES6YY14AjOnaFx5CdifVXc6y8Z09C7nO2gKGl95fdqSLx2X+ 7hbg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:date :message-id:subject:from:to:cc:content-type; bh=hfQ66eNp5qSnJQ5wUm+1frCvIPXMnoiHDuYBe80DSIA=; b=YvB2dEGjPfjJGWcZFPMbR2GksKnWaZqJpGSQuaGRr+NXKJcSe1HgtqfzoKFsryKMOO x7EAUEA3ORm9D074WgoPXrX80y3swKMSqRjTK2UuW9jRZR+aYFuT/z+jNJPMXiH7gpMB 81y7thbBGJ224QzQabHM2IeN0d/qpYd9ExzCDo/XUe9rSrFE+cbpZcX+aLcY14DuQQiF kEL1x1e6JwZmLqJSjFEXTZWN9TXFwxqgogGUSbTQwW2+TYW37wzSnEZIQTa/E9im78Ux s4mYlpFDCtRrw5wmTP6LXHX2iYJx2CTbXl9H75BdY8E4r1F+p4lIicKzJhLymmjIP4nf 0qwA==
X-Gm-Message-State: ALoCoQkJZK8zITr+cOyZmYMpDICg9VLwU3BX/dBXPTYi7yycljtxyfblOInqB+IL+nEjgoe2rq1L
MIME-Version: 1.0
X-Received: by 10.220.5.1 with SMTP id 1mr3790361vct.73.1407266060423; Tue, 05 Aug 2014 12:14:20 -0700 (PDT)
Received: by 10.52.139.78 with HTTP; Tue, 5 Aug 2014 12:14:20 -0700 (PDT)
In-Reply-To: <20140805004950.9059.81409.idtracker@ietfa.amsl.com>
References: <20140805004950.9059.81409.idtracker@ietfa.amsl.com>
Date: Tue, 5 Aug 2014 12:14:20 -0700
Message-ID: <CACvaWvYVQk0U8KGBY2VkMHhyp=BZ6a4smRtv+JDtVRUVt-r2aw@mail.gmail.com>
From: Ryan Sleevi <sleevi@google.com>
To: Pete Resnick <presnick@qti.qualcomm.com>
Content-Type: multipart/alternative; boundary=001a11c3ec42a2ef8c04ffe6a921
Archived-At: http://mailarchive.ietf.org/arch/msg/websec/10ush-IZ-lX_D_J7KwoMBr94_wI
X-Mailman-Approved-At: Tue, 05 Aug 2014 13:23:59 -0700
Cc: draft-ietf-websec-key-pinning@tools.ietf.org, "<websec@ietf.org>" <websec@ietf.org>, The IESG <iesg@ietf.org>, websec-chairs@tools.ietf.org
Subject: Re: [websec] Pete Resnick's No Objection on draft-ietf-websec-key-pinning-19: (with COMMENT)
X-BeenThere: websec@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/websec>, <mailto:websec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/websec/>
List-Post: <mailto:websec@ietf.org>
List-Help: <mailto:websec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/websec>, <mailto:websec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 05 Aug 2014 19:14:51 -0000

--001a11c3ec42a2ef8c04ffe6a921
Content-Type: text/plain; charset=UTF-8

On Mon, Aug 4, 2014 at 5:49 PM, Pete Resnick <presnick@qti.qualcomm.com>
wrote:

> Pete Resnick has entered the following ballot position for
> draft-ietf-websec-key-pinning-19: No Objection
>
> When responding, please keep the subject line intact and reply to all
> email addresses included in the To and CC lines. (Feel free to cut this
> introductory paragraph, however.)
>
>
> Please refer to http://www.ietf.org/iesg/statement/discuss-criteria.html
> for more information about IESG DISCUSS and COMMENT positions.
>
>
> The document, along with other ballot positions, can be found here:
> http://datatracker.ietf.org/doc/draft-ietf-websec-key-pinning/
>
>
>
> ----------------------------------------------------------------------
> COMMENT:
> ----------------------------------------------------------------------
>
> 1: The first sentence is quite confusing. Might I suggest instead:
>
>    This document defines a new HTTP header that enables user agents
>    (UAs) to determine which Subject Public Key Info (SPKI) structures
>    will be present in the web host's certificate chain in future TLS
>    [RFC5246] connections.
>
> 2.1:
>
>    Public-Key-Directives = [ directive ] *( OWS ";" OWS [ directive ] )
>
> Are you sure that's correct? First of all, it may be completely empty.
> That seems like something you wouldn't want. Second of all, it allows for
> semicolons without directives between them, which may or may not be what
> you want. It's not clear to me why you made this semicolon-delimited
> instead of comma-delimited, which would be much more in line with the
> rest of HTTP. Then you'd simply get:
>
>    Public-Key-Directives = 1#directive
>

Correct. Supporting the #rule directive is NOT desired, because
intermediaries are allowed to perform coalescing of such headers, per RFC
7230 3.2.2

That is, as noted in
http://tools.ietf.org/html/draft-ietf-websec-key-pinning-19#section-2.3.1 ,
third paragraph, only the first PKP header field or PKP-RO header field
MUST be processed.

The concern here is header injection (from hostile script on a host), and
to provide a consistent declaration of directive processing. For example,
if multiple instances of the Public-Key-Directives headers were processed,
a hostile script (such as through obtaining code exploitation on the
server) would be able to set additional pins to a certificate/set of
certificates under the attacker's control.


>
> But if you insist on semicolons, you want either:
>
>    Public-Key-Directives = directive *( OWS ";" OWS directive )
>
> or if you want to allow for empty elements:
>
>    Public-Key-Directives = *( ";" OWS ) directive *( OWS ";" [ OWS
>     directive ] )
>
> If the following is acceptable:
>
>    Public-Key-Directives: ;;;;;
>
> then your original is fine.
>

Correct. The ABNF here is the functionally same as Section 6.1 of RFC 6797.
However, 6797 predates the HTTPBis work, in particular, the work in Section
7 of RFC 7230 to specify better semantics for #rule.

Compared to 2616 (which allowed ",,," #rule combinations), 7230 Section 7
adopts language similar to what you've proposed.

This would be a breaking change to existing implementations (in that
headers previously declared valid would not be), but I think it would be
good (for consistency with 7230). Before making this change, I think it
would be good to get some feedback from the WG members to see if they also
agree.


>
> s/hahs/hash
>
> 10.1:
>
> Update 4627 to 7159
>
> I think W3C.REC-html401-19991224 is informative. This document says that
> you MUST NOT do what's in that document.
>
>
>

--001a11c3ec42a2ef8c04ffe6a921
Content-Type: text/html; charset=UTF-8
Content-Transfer-Encoding: quoted-printable

<div dir=3D"ltr"><br><div class=3D"gmail_extra"><br><br><div class=3D"gmail=
_quote">On Mon, Aug 4, 2014 at 5:49 PM, Pete Resnick <span dir=3D"ltr">&lt;=
<a href=3D"mailto:presnick@qti.qualcomm.com" target=3D"_blank">presnick@qti=
.qualcomm.com</a>&gt;</span> wrote:<br>
<blockquote class=3D"gmail_quote" style=3D"margin:0px 0px 0px 0.8ex;border-=
left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;p=
adding-left:1ex">Pete Resnick has entered the following ballot position for=
<br>

draft-ietf-websec-key-pinning-19: No Objection<br>
<br>
When responding, please keep the subject line intact and reply to all<br>
email addresses included in the To and CC lines. (Feel free to cut this<br>
introductory paragraph, however.)<br>
<br>
<br>
Please refer to <a href=3D"http://www.ietf.org/iesg/statement/discuss-crite=
ria.html" target=3D"_blank">http://www.ietf.org/iesg/statement/discuss-crit=
eria.html</a><br>
for more information about IESG DISCUSS and COMMENT positions.<br>
<br>
<br>
The document, along with other ballot positions, can be found here:<br>
<a href=3D"http://datatracker.ietf.org/doc/draft-ietf-websec-key-pinning/" =
target=3D"_blank">http://datatracker.ietf.org/doc/draft-ietf-websec-key-pin=
ning/</a><br>
<br>
<br>
<br>
----------------------------------------------------------------------<br>
COMMENT:<br>
----------------------------------------------------------------------<br>
<br>
1: The first sentence is quite confusing. Might I suggest instead:<br>
<br>
=C2=A0 =C2=A0This document defines a new HTTP header that enables user agen=
ts<br>
=C2=A0 =C2=A0(UAs) to determine which Subject Public Key Info (SPKI) struct=
ures<br>
=C2=A0 =C2=A0will be present in the web host&#39;s certificate chain in fut=
ure TLS<br>
=C2=A0 =C2=A0[RFC5246] connections.<br>
<br>
2.1:<br>
<br>
=C2=A0 =C2=A0Public-Key-Directives =3D [ directive ] *( OWS &quot;;&quot; O=
WS [ directive ] )<br>
<br>
Are you sure that&#39;s correct? First of all, it may be completely empty.<=
br>
That seems like something you wouldn&#39;t want. Second of all, it allows f=
or<br>
semicolons without directives between them, which may or may not be what<br=
>
you want. It&#39;s not clear to me why you made this semicolon-delimited<br=
>
instead of comma-delimited, which would be much more in line with the<br>
rest of HTTP. Then you&#39;d simply get:<br>
<br>
=C2=A0 =C2=A0Public-Key-Directives =3D 1#directive<br></blockquote><div><br=
></div><div>Correct. Supporting the #rule directive is NOT desired, because=
 intermediaries are allowed to perform coalescing of such headers, per RFC =
7230 3.2.2=C2=A0</div>
<div><br></div><div>That is, as noted in=C2=A0<a href=3D"http://tools.ietf.=
org/html/draft-ietf-websec-key-pinning-19#section-2.3.1">http://tools.ietf.=
org/html/draft-ietf-websec-key-pinning-19#section-2.3.1</a> , third paragra=
ph, only the first PKP header field or PKP-RO header field MUST be processe=
d.</div>
<div><br></div><div>The concern here is header injection (from hostile scri=
pt on a host), and to provide a consistent declaration of directive process=
ing. For example, if multiple instances of the Public-Key-Directives header=
s were processed, a hostile script (such as through obtaining code exploita=
tion on the server) would be able to set additional pins to a certificate/s=
et of certificates under the attacker&#39;s control.</div>
<div>=C2=A0<br></div><blockquote class=3D"gmail_quote" style=3D"margin:0px =
0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);bord=
er-left-style:solid;padding-left:1ex">
<br>
But if you insist on semicolons, you want either:<br>
<br>
=C2=A0 =C2=A0Public-Key-Directives =3D directive *( OWS &quot;;&quot; OWS d=
irective )<br>
<br>
or if you want to allow for empty elements:<br>
<br>
=C2=A0 =C2=A0Public-Key-Directives =3D *( &quot;;&quot; OWS ) directive *( =
OWS &quot;;&quot; [ OWS<br>
=C2=A0 =C2=A0 directive ] )<br>
<br>
If the following is acceptable:<br>
<br>
=C2=A0 =C2=A0Public-Key-Directives: ;;;;;<br>
<br>
then your original is fine.<br></blockquote><div><br></div><div>Correct. Th=
e ABNF here is the functionally same as Section 6.1 of RFC 6797. However, 6=
797 predates the HTTPBis work, in particular, the work in Section 7 of RFC =
7230 to specify better semantics for #rule.</div>
<div><br></div><div>Compared to 2616 (which allowed &quot;,,,&quot; #rule c=
ombinations), 7230 Section 7 adopts language similar to what you&#39;ve pro=
posed.</div><div><br></div><div>This would be a breaking change to existing=
 implementations (in that headers previously declared valid would not be), =
but I think it would be good (for consistency with 7230). Before making thi=
s change, I think it would be good to get some feedback from the WG members=
 to see if they also agree.</div>
<div>=C2=A0</div><blockquote class=3D"gmail_quote" style=3D"margin:0px 0px =
0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-l=
eft-style:solid;padding-left:1ex">
<br>
s/hahs/hash<br>
<br>
10.1:<br>
<br>
Update 4627 to 7159<br>
<br>
I think W3C.REC-html401-19991224 is informative. This document says that<br=
>
you MUST NOT do what&#39;s in that document.<br>
<br>
<br>
</blockquote></div><br></div></div>

--001a11c3ec42a2ef8c04ffe6a921--


From nobody Tue Aug  5 13:55:25 2014
Return-Path: <tobias.gondrom@gondrom.org>
X-Original-To: websec@ietfa.amsl.com
Delivered-To: websec@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D847E1B2B78; Tue,  5 Aug 2014 13:55:20 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.002
X-Spam-Level: 
X-Spam-Status: No, score=-102.002 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001, USER_IN_WHITELIST=-100] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 2e1oByVTLqoh; Tue,  5 Aug 2014 13:55:16 -0700 (PDT)
Received: from www.gondrom.org (www.gondrom.org [91.250.114.153]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id F24C21B2BB3; Tue,  5 Aug 2014 13:55:15 -0700 (PDT)
X-No-Relay: not in my network
DomainKey-Signature: a=rsa-sha1;  q=dns; c=nofws; s=default; d=gondrom.org; b=EnieVM7SstArUIcn3/vjyJMxqXnfDltL7RA74vw2U5zF5VCLlYqXttADLBucuY42mwSXIttr9X3ZH1kRTvTrf3JHjlTsuT2zDQz8wnMmx5zHZG5HkK9tPIovK8zTlQvppjR6+7ervWIoPkAd0bdyaSj9FHezY8Vy8HH8Bb8AHRQ=; h=X-No-Relay:X-No-Relay:X-No-Relay:X-No-Relay:Received:Message-ID:Date:From:User-Agent:MIME-Version:To:CC:Subject:References:In-Reply-To:X-Enigmail-Version:Content-Type:Content-Transfer-Encoding;
X-No-Relay: not in my network
X-No-Relay: not in my network
X-No-Relay: not in my network
X-No-Relay: not in my network
Received: from [192.168.0.6] (5ec20b19.skybroadband.com [94.194.11.25]) by www.gondrom.org (Postfix) with ESMTPSA id E2CF71539000F; Tue,  5 Aug 2014 22:55:13 +0200 (CEST)
Message-ID: <53E144B1.80404@gondrom.org>
Date: Tue, 05 Aug 2014 21:55:13 +0100
From: Tobias Gondrom <tobias.gondrom@gondrom.org>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Thunderbird/24.6.0
MIME-Version: 1.0
To: ynir.ietf@gmail.com, elwynd@dial.pipex.com
References: <53DA3F13.10007@dial.pipex.com> <A46FD7B1-0ECB-4AB9-990E-E09D4956591B@gmail.com> <549E489B-181F-48FA-867E-BA7C7FB3E32D@gmail.com>
In-Reply-To: <549E489B-181F-48FA-867E-BA7C7FB3E32D@gmail.com>
X-Enigmail-Version: 1.6
Content-Type: text/plain; charset=windows-1252
Content-Transfer-Encoding: 8bit
Archived-At: http://mailarchive.ietf.org/arch/msg/websec/CGbpsuhfG5LMYDX00CjC_Lv_VNQ
Cc: draft-ietf-websec-key-pinning.all@tools.ietf.org, gen-art@ietf.org, websec@ietf.org
Subject: Re: [websec] Gen-art LC review of draft-ietf-websec-key-pinning-19
X-BeenThere: websec@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/websec>, <mailto:websec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/websec/>
List-Post: <mailto:websec@ietf.org>
List-Help: <mailto:websec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/websec>, <mailto:websec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 05 Aug 2014 20:55:21 -0000

<no hats>
comments inline

On 04/08/14 16:49, Yoav Nir wrote:
> [ with no hats on ]
>
> inline
>
> On Jul 31, 2014, at 10:27 PM, Yoav Nir <ynir.ietf@gmail.com> wrote:
>> On Jul 31, 2014, at 4:05 PM, Elwyn Davies <elwynd@dial.pipex.com> wrote:
>>
>>> I am the assigned Gen-ART reviewer for this draft. For background on
>>> Gen-ART, please see the FAQ at
>>>
>>> <http://wiki.tools.ietf.org/area/gen/trac/wiki/GenArtfaq>.
>>>
>>> Please resolve these comments along with any other Last Call comments
>>> you may receive.
>>>
>>> Document: draft-ietf-websec-key-pinning-19.txt
>>> Reviewer: Elwyn Davies
>>> Review Date: 31 July 2014
>>> IETF LC End Date: 1 August 2014
>>> IESG Telechat date: (if known) -
>>>
>>> Summary:
>>> Almost ready.  There are some minor issues some of which may be as a result of some
>>> misunderstanding on my part.  The descriptive text in the early part of s2 is missing
>>> some definitions that make it unclear until they appear later on.  This makes the early
>>> descriptions more confusing that illuminating in places.  Suggestions in the detailed
>>> comments below.
> [YN] I believe the missing definitions you’re talking about are Pin, Pin Validation. I think anyone who reads this specification is familiar enough with HTTP to know what request, response, UA and directive mean. If so, I suggest that these can be defined in 1-2 sentences in section 1, even if they’re better explained later on.

I agree with Yoav.

>>> One thing that is not fully clear to me and could probably be explained to help others
>>> is the start up of the pinning mechanisms for a given host domain.  AFAICS Pin validation
>>> would possibly not be carried out on a first connection to a domain when there are no
>>> preconfigured Pins.  I am not clear if this adds anything to the risk of a MITM attack or
>>> does it in any way negate the value of the whole pinning process?  I was not clear if
>>> an effective Pin validation should be carried out during the first connection when the
>>> UA receives the host's Pins for the first time and decides that it is now a Pinned Host,
>>> in that the document doesn't state that the connection is terminated if the setting up
>>> of the Pinned host fails because the certs don't validate.
> Key pinning is a TOFU (trust on first use) mechanism. As such, the first time a UA connects to a domain there is no validation. A MitM attacking such a first connection will not be discovered. Worse, such a MitM can inject its own PKP header into the HTTP stream, and pin the UA to its own keys. Note that in order to pin false information, the attacker would have to be able to produce an error-free connection. Without compromising a trusted CA, this should not be possible, and the best that attackers can accomplish is to use an invalid TLS certificate, leading to an interstitial warning page.
>
> This is apparent from section 2.3.1, but perhaps deserves a short paragraph in the introduction.
>
>>> Major issues:
>>> None
>>>
>>> Minor issues:
>>> s1: The term "Pin" (as a noun) is not explicitly defined. The definition doesn't appear
>>> until s2.4.
>>>
>>> s2.1.1: I'm not sure if this could be an issue.. should a maximum possible value for max_age
>>> be specified to avoid UA's being cluttered up with old Pins - this might possible be a DoS
>>> attack vehicle but I am not sure (yet) if it could be. OK.. so s2.3.3 talks about limits.
>>> A pointer to this discussion would be useful here
>>>
>>> s2.2.1: Does this response behaviour apply to all possible request types? Once a server has sent a
>>> Pin header should it send it again on all subsequent requests on the same TLS connection or is
>>> that a choice?  Given the "SHOULD" in s2.2.1, what are the circumstances in which the server should
>>> refrain from sending the Pins? [I first thought about 'Redirects' but realized that that was probably
>>> a really good time to send Pins!]
> This has been discussed, and because of all kinds of weird deployments, such as with multiplexed servers behind a load-balancer the only viable way was to send the PKP in every response. Some (me!) were concerned about the overhead of these large-ish headers, but we heard from people who actually run servers that a header this small is inconsequential. The draft for HTTP/2 makes this less of an issue, as repeated headers are efficiently encoded by referring back to previous header sets. 

I agree with Yoav's answer.

>
>>> s2.3.1/s2.4: S2.4 states that hash algorithms might be deprecated in future.  Presumably a
>>> deprecated algorithm should be treated as an unrecognized directive or some such to avoid
>>> downgrade attacks.  Probably worth being explicit about this.  Also this is potentially
>>> incompatible with the statement that 'UAs MUST recognize "sha256"' (Para 3 of s2.4).
>>> This results in a potential downgrade attack when and if SHA256 is deemed to be no longer
>>> cryptographically effective. I think this statement can be removed as presently a UA
>>> has no other option if it is to implement the specification.
>>>
>>> s2.6:
>>>>   Note that the UA MUST perform Pin Validation when setting up the TLS
>>>>   session, before beginning an HTTP conversation over the TLS channel.
>>> I suspect I am confused: If a UA is making its first connection to a host for which it doesn't
>>> have a preconfigured Pin, then it won't get the Pin(s) from the host until it has set up the
>>> TLS connection and received the response to the request at the HTTP protocol level.  In that case
>>> Pin validation will pass by default (subject to local policy perhaps) since the cache doesn't have
>>> entries for the host.  Presumably the UA should then perform Pin validation if it has passed by
>>> default during TLS setup (assuming that this is possible given the layering) or does the UA have to
>>> terminate the session and restart it so that Pin validation can be performed?  The second case may
>>> give scope for a DoS attack.  Or is it the case that Pin validation is not needed on the first
>>> connection... I don't see why this shouldn't be done but I may not understand the problem.  I think
>>> some clarification about the startup of the process is needed.
>>> Nits/editorial comments:
>>>
>>> s1, last para: s/toegether/together/, s/but is possible/but it is possible/
>>> s2.1: It would be good to expand the term OWS.
>>>
>>> s2.1, Figure 1 caption: The acronym HPKP needs expanding.
>>>
>>> s2.1, 2nd para after numbered bullets:
>>> It is not the definition of hash algorithms that is relevant, but allowing them to be
>>> used in pin-directives thus:
>>> OLD:
>>> additional algorithms may be defined in the future
>>> NEW:
>>> additional algorithms may be allowed for use in this context in future
>>>
>>> Also the implication of the "sha256" name should be explained precisely -
>>> i.e, that the SHA256 hash algorithm will be used, and a suitable reference
>>> for SHA256 should be given. (Again this doesn't happen until s2.4).
>>>
>>> And finally the "Fingerprint" of what SPKI? Defining Pin formally as noted above would help!
>>>
>>> s2.1, last para: s/hahs/hash/
>>>
>>> s4.2/Figure 8: The first line of text is too wide.
>>>
>>> s5, para 1: Is it really "HSTS or HPKP"?  I thought it would be "HSTS combined with HPKP".
>>>
>>> s6: Needs to be more precise about *which* message headers repository is to be updated! Presumably
>>> the permanent one at http://www.iana.org/assignments/message-headers/message-headers.xml#perm-headers.
>>>
>>> Also there may be some of the questions in s8.3.1 of RFC 7231 that need specific answers.
>>>
>>> s5, 2nd top level bullet: Expand SNI acronym.
>>>
> _______________________________________________
> websec mailing list
> websec@ietf.org
> https://www.ietf.org/mailman/listinfo/websec


From nobody Tue Aug  5 14:27:40 2014
Return-Path: <alissa@cooperw.in>
X-Original-To: websec@ietfa.amsl.com
Delivered-To: websec@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1ADD31A033D; Tue,  5 Aug 2014 14:27:37 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.1
X-Spam-Level: 
X-Spam-Status: No, score=-1.1 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_ADSP_ALL=0.8] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id P8r3Papoi3Hn; Tue,  5 Aug 2014 14:27:36 -0700 (PDT)
Received: from ietfa.amsl.com (localhost [IPv6:::1]) by ietfa.amsl.com (Postfix) with ESMTP id 1D0CB1A0317; Tue,  5 Aug 2014 14:27:36 -0700 (PDT)
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
From: "Alissa Cooper" <alissa@cooperw.in>
To: The IESG <iesg@ietf.org>
X-Test-IDTracker: no
X-IETF-IDTracker: 5.6.2.p5
Auto-Submitted: auto-generated
Precedence: bulk
Message-ID: <20140805212736.4347.37060.idtracker@ietfa.amsl.com>
Date: Tue, 05 Aug 2014 14:27:36 -0700
Archived-At: http://mailarchive.ietf.org/arch/msg/websec/L6N_OoA84MML3mwKCvaK27rTAzk
Cc: draft-ietf-websec-key-pinning@tools.ietf.org, websec@ietf.org, websec-chairs@tools.ietf.org
Subject: [websec] Alissa Cooper's Yes on draft-ietf-websec-key-pinning-19: (with COMMENT)
X-BeenThere: websec@ietf.org
X-Mailman-Version: 2.1.15
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/websec>, <mailto:websec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/websec/>
List-Post: <mailto:websec@ietf.org>
List-Help: <mailto:websec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/websec>, <mailto:websec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 05 Aug 2014 21:27:37 -0000

Alissa Cooper has entered the following ballot position for
draft-ietf-websec-key-pinning-19: Yes

When responding, please keep the subject line intact and reply to all
email addresses included in the To and CC lines. (Feel free to cut this
introductory paragraph, however.)


Please refer to http://www.ietf.org/iesg/statement/discuss-criteria.html
for more information about IESG DISCUSS and COMMENT positions.


The document, along with other ballot positions, can be found here:
http://datatracker.ietf.org/doc/draft-ietf-websec-key-pinning/



----------------------------------------------------------------------
COMMENT:
----------------------------------------------------------------------

I agree with Pete's comment about the first sentence.

It would be nice if in Section 5 or 7 some suggestion could be made for
UAs to consider the relationship between the functionality they provide
to clear pins/pinned hosts and the functionality they provide to clear
(or prevent the storage of) other UA state. E.g., upon clearing one's
browsing history or entering private browsing mode, it seems like having
the option to clear pins/pinned hosts or not pin would make sense. This
is alluded to in Section 7 but not really tied to the threat described in
Section 5.

I'm also curious about whether there is any reason to retain expired
pins? (Other than the fact that flushing them requires the UA to actively
check which ones are expired.)



From nobody Tue Aug  5 14:37:25 2014
Return-Path: <palmer@google.com>
X-Original-To: websec@ietfa.amsl.com
Delivered-To: websec@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0C2411B2BF0 for <websec@ietfa.amsl.com>; Tue,  5 Aug 2014 14:37:21 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.38
X-Spam-Level: 
X-Spam-Status: No, score=-1.38 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FM_FORGED_GMAIL=0.622, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Yo1j3n3Jxz_h for <websec@ietfa.amsl.com>; Tue,  5 Aug 2014 14:37:18 -0700 (PDT)
Received: from mail-qa0-x229.google.com (mail-qa0-x229.google.com [IPv6:2607:f8b0:400d:c00::229]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 967CF1B2BEE for <websec@ietf.org>; Tue,  5 Aug 2014 14:37:18 -0700 (PDT)
Received: by mail-qa0-f41.google.com with SMTP id j7so1624767qaq.0 for <websec@ietf.org>; Tue, 05 Aug 2014 14:37:17 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type:content-transfer-encoding; bh=EGvPiM6x+O/ylXFtS9vqkLySGbJYSRl1PItKQjgotq0=; b=oDR2epvkiOw3W56jjUtaLV6b+U8UXSXSQyDHOkTC7tD2xyvPEDPAaYoXVDerZUlTt3 3PvgmfTVj8uKEbXEelW12/JooO5BqPUjXLj8tYwDXYUBTrwsjYNRW+YlW5vMYvmP+scl hIGc7LL3AXUZVVMe0Q8l9WtTRLTquzFM6Kbyj5ml8d14tc+Dcp7L/VpOq6vCzlln+/Jw mzqXUqATwdLESitKHcM6YuQMr8kY+JYi6tODlBcebNC4WQqtDGRmO94UWeRNwlEhnaRR 5td/9qBWUWtvg9f8X+pVCLq2VzrK7E5pq7vF/PEyJe0YiwCOSuxpvqht+U/yKxJjYbFq 1P9Q==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:date :message-id:subject:from:to:cc:content-type :content-transfer-encoding; bh=EGvPiM6x+O/ylXFtS9vqkLySGbJYSRl1PItKQjgotq0=; b=Fa1MW944WeuCT0sHVeModBTK6oZf+Wbzi533NeX+fT9yfObB8RnLTRMFXuCh0Yb9q0 fR9pXI7x2H+LfLEQHResHont8EJqrfgWshtcvFk3EoLW/UExrckjvuCD/mH82uxXK3De 1Cnn5Cq+RvpxM/9N50mVE2FsLGPASLABnwKts/9BvsmZr+vZnxhE13SoLasdPubvFuJV bsnO5HC50HnLS89aMIkGLZItjiRZNNzkk3BJy7TPXygFn9VSGgodliYPkl9nf/0R7F+x ObXU+T6ihaHVDH4s1u+xN2rDfv1Y+bAXbsndiGFW/Df8kUrZByUuH13bKc6Sb5Ft6R8P zOqA==
X-Gm-Message-State: ALoCoQkxsb07eAb2JpuQvNZQ70nnzrq0eBFjmph+9j+wDZeru1MZqlfiuK4N2m+g2WHvIEAD7wLT
MIME-Version: 1.0
X-Received: by 10.140.47.80 with SMTP id l74mr9811543qga.24.1407274636719; Tue, 05 Aug 2014 14:37:16 -0700 (PDT)
Received: by 10.229.162.3 with HTTP; Tue, 5 Aug 2014 14:37:16 -0700 (PDT)
In-Reply-To: <549E489B-181F-48FA-867E-BA7C7FB3E32D@gmail.com>
References: <53DA3F13.10007@dial.pipex.com> <A46FD7B1-0ECB-4AB9-990E-E09D4956591B@gmail.com> <549E489B-181F-48FA-867E-BA7C7FB3E32D@gmail.com>
Date: Tue, 5 Aug 2014 14:37:16 -0700
Message-ID: <CAOuvq21Py2bK_Q=Zcb2c=ht8htmX930dpvSfS-KxMuKwL7VJyg@mail.gmail.com>
From: Chris Palmer <palmer@google.com>
To: Yoav Nir <ynir.ietf@gmail.com>
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: quoted-printable
Archived-At: http://mailarchive.ietf.org/arch/msg/websec/rGqY5Bc2lqAICcZEkaAW3dUuqpQ
Cc: draft-ietf-websec-key-pinning.all@tools.ietf.org, General area reviewing team <gen-art@ietf.org>, Elwyn Davies <elwynd@dial.pipex.com>, IETF WebSec WG <websec@ietf.org>
Subject: Re: [websec] Gen-art LC review of draft-ietf-websec-key-pinning-19
X-BeenThere: websec@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/websec>, <mailto:websec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/websec/>
List-Post: <mailto:websec@ietf.org>
List-Help: <mailto:websec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/websec>, <mailto:websec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 05 Aug 2014 21:37:21 -0000

These fixes are now available in a new version. You can see the changes at:

https://code.google.com/p/key-pinning-draft/source/list

On Mon, Aug 4, 2014 at 8:49 AM, Yoav Nir <ynir.ietf@gmail.com> wrote:
> [ with no hats on ]
>
> inline
>
> On Jul 31, 2014, at 10:27 PM, Yoav Nir <ynir.ietf@gmail.com> wrote:
>> On Jul 31, 2014, at 4:05 PM, Elwyn Davies <elwynd@dial.pipex.com> wrote:
>>
>>> I am the assigned Gen-ART reviewer for this draft. For background on
>>> Gen-ART, please see the FAQ at
>>>
>>> <http://wiki.tools.ietf.org/area/gen/trac/wiki/GenArtfaq>.
>>>
>>> Please resolve these comments along with any other Last Call comments
>>> you may receive.
>>>
>>> Document: draft-ietf-websec-key-pinning-19.txt
>>> Reviewer: Elwyn Davies
>>> Review Date: 31 July 2014
>>> IETF LC End Date: 1 August 2014
>>> IESG Telechat date: (if known) -
>>>
>>> Summary:
>>> Almost ready.  There are some minor issues some of which may be as a re=
sult of some
>>> misunderstanding on my part.  The descriptive text in the early part of=
 s2 is missing
>>> some definitions that make it unclear until they appear later on.  This=
 makes the early
>>> descriptions more confusing that illuminating in places.  Suggestions i=
n the detailed
>>> comments below.
>
> [YN] I believe the missing definitions you=E2=80=99re talking about are P=
in, Pin Validation. I think anyone who reads this specification is familiar=
 enough with HTTP to know what request, response, UA and directive mean. If=
 so, I suggest that these can be defined in 1-2 sentences in section 1, eve=
n if they=E2=80=99re better explained later on.
>
>>> One thing that is not fully clear to me and could probably be explained=
 to help others
>>> is the start up of the pinning mechanisms for a given host domain.  AFA=
ICS Pin validation
>>> would possibly not be carried out on a first connection to a domain whe=
n there are no
>>> preconfigured Pins.  I am not clear if this adds anything to the risk o=
f a MITM attack or
>>> does it in any way negate the value of the whole pinning process?  I wa=
s not clear if
>>> an effective Pin validation should be carried out during the first conn=
ection when the
>>> UA receives the host's Pins for the first time and decides that it is n=
ow a Pinned Host,
>>> in that the document doesn't state that the connection is terminated if=
 the setting up
>>> of the Pinned host fails because the certs don't validate.
>
> Key pinning is a TOFU (trust on first use) mechanism. As such, the first =
time a UA connects to a domain there is no validation. A MitM attacking suc=
h a first connection will not be discovered. Worse, such a MitM can inject =
its own PKP header into the HTTP stream, and pin the UA to its own keys. No=
te that in order to pin false information, the attacker would have to be ab=
le to produce an error-free connection. Without compromising a trusted CA, =
this should not be possible, and the best that attackers can accomplish is =
to use an invalid TLS certificate, leading to an interstitial warning page.
>
> This is apparent from section 2.3.1, but perhaps deserves a short paragra=
ph in the introduction.
>
>>> Major issues:
>>> None
>>>
>>> Minor issues:
>>> s1: The term "Pin" (as a noun) is not explicitly defined. The definitio=
n doesn't appear
>>> until s2.4.
>>>
>>> s2.1.1: I'm not sure if this could be an issue.. should a maximum possi=
ble value for max_age
>>> be specified to avoid UA's being cluttered up with old Pins - this migh=
t possible be a DoS
>>> attack vehicle but I am not sure (yet) if it could be. OK.. so s2.3.3 t=
alks about limits.
>>> A pointer to this discussion would be useful here
>>>
>>> s2.2.1: Does this response behaviour apply to all possible request type=
s? Once a server has sent a
>>> Pin header should it send it again on all subsequent requests on the sa=
me TLS connection or is
>>> that a choice?  Given the "SHOULD" in s2.2.1, what are the circumstance=
s in which the server should
>>> refrain from sending the Pins? [I first thought about 'Redirects' but r=
ealized that that was probably
>>> a really good time to send Pins!]
>
> This has been discussed, and because of all kinds of weird deployments, s=
uch as with multiplexed servers behind a load-balancer the only viable way =
was to send the PKP in every response. Some (me!) were concerned about the =
overhead of these large-ish headers, but we heard from people who actually =
run servers that a header this small is inconsequential. The draft for HTTP=
/2 makes this less of an issue, as repeated headers are efficiently encoded=
 by referring back to previous header sets.
>
>>> s2.3.1/s2.4: S2.4 states that hash algorithms might be deprecated in fu=
ture.  Presumably a
>>> deprecated algorithm should be treated as an unrecognized directive or =
some such to avoid
>>> downgrade attacks.  Probably worth being explicit about this.  Also thi=
s is potentially
>>> incompatible with the statement that 'UAs MUST recognize "sha256"' (Par=
a 3 of s2.4).
>>> This results in a potential downgrade attack when and if SHA256 is deem=
ed to be no longer
>>> cryptographically effective. I think this statement can be removed as p=
resently a UA
>>> has no other option if it is to implement the specification.
>>>
>>> s2.6:
>>>>   Note that the UA MUST perform Pin Validation when setting up the TLS
>>>>   session, before beginning an HTTP conversation over the TLS channel.
>>> I suspect I am confused: If a UA is making its first connection to a ho=
st for which it doesn't
>>> have a preconfigured Pin, then it won't get the Pin(s) from the host un=
til it has set up the
>>> TLS connection and received the response to the request at the HTTP pro=
tocol level.  In that case
>>> Pin validation will pass by default (subject to local policy perhaps) s=
ince the cache doesn't have
>>> entries for the host.  Presumably the UA should then perform Pin valida=
tion if it has passed by
>>> default during TLS setup (assuming that this is possible given the laye=
ring) or does the UA have to
>>> terminate the session and restart it so that Pin validation can be perf=
ormed?  The second case may
>>> give scope for a DoS attack.  Or is it the case that Pin validation is =
not needed on the first
>>> connection... I don't see why this shouldn't be done but I may not unde=
rstand the problem.  I think
>>> some clarification about the startup of the process is needed.
>>> Nits/editorial comments:
>>>
>>> s1, last para: s/toegether/together/, s/but is possible/but it is possi=
ble/
>>> s2.1: It would be good to expand the term OWS.
>>>
>>> s2.1, Figure 1 caption: The acronym HPKP needs expanding.
>>>
>>> s2.1, 2nd para after numbered bullets:
>>> It is not the definition of hash algorithms that is relevant, but allow=
ing them to be
>>> used in pin-directives thus:
>>> OLD:
>>> additional algorithms may be defined in the future
>>> NEW:
>>> additional algorithms may be allowed for use in this context in future
>>>
>>> Also the implication of the "sha256" name should be explained precisely=
 -
>>> i.e, that the SHA256 hash algorithm will be used, and a suitable refere=
nce
>>> for SHA256 should be given. (Again this doesn't happen until s2.4).
>>>
>>> And finally the "Fingerprint" of what SPKI? Defining Pin formally as no=
ted above would help!
>>>
>>> s2.1, last para: s/hahs/hash/
>>>
>>> s4.2/Figure 8: The first line of text is too wide.
>>>
>>> s5, para 1: Is it really "HSTS or HPKP"?  I thought it would be "HSTS c=
ombined with HPKP".
>>>
>>> s6: Needs to be more precise about *which* message headers repository i=
s to be updated! Presumably
>>> the permanent one at http://www.iana.org/assignments/message-headers/me=
ssage-headers.xml#perm-headers.
>>>
>>> Also there may be some of the questions in s8.3.1 of RFC 7231 that need=
 specific answers.
>>>
>>> s5, 2nd top level bullet: Expand SNI acronym.
>>>
>>
>
> _______________________________________________
> websec mailing list
> websec@ietf.org
> https://www.ietf.org/mailman/listinfo/websec


From nobody Tue Aug  5 14:44:23 2014
Return-Path: <sleevi@google.com>
X-Original-To: websec@ietfa.amsl.com
Delivered-To: websec@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4E66F1A0314 for <websec@ietfa.amsl.com>; Tue,  5 Aug 2014 14:41:14 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.379
X-Spam-Level: 
X-Spam-Status: No, score=-1.379 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ZkK9T_FTWjG4 for <websec@ietfa.amsl.com>; Tue,  5 Aug 2014 14:41:12 -0700 (PDT)
Received: from mail-vc0-x230.google.com (mail-vc0-x230.google.com [IPv6:2607:f8b0:400c:c03::230]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 38E1F1A0317 for <websec@ietf.org>; Tue,  5 Aug 2014 14:41:12 -0700 (PDT)
Received: by mail-vc0-f176.google.com with SMTP id id10so2659114vcb.21 for <websec@ietf.org>; Tue, 05 Aug 2014 14:41:11 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=Yz/dQsUATToVNi8n+BmSab5lBSKAYtLpdej94VnjqDA=; b=XVMQLdz/cy6qyQpLPUOcmpelLRQ5+YK08G/m6O6srFo+aiVlLdUQrn7/EXwr4kyCNy 24jp8Xay2U60AjXpAOLBmf27uHq9QJBUwpuX2kkC6z9Lfs3diUm3B8dW/vuJADPdCAuQ dVuXdRJvAaYWuMcYzWUJeoo81DuL5RB5Vm5GcfX8L5deDXLkjRlWVykZCgBr4UzC+yZO NMOJ5GTgQGWyVpjwiIUiFjKa24pqQ0CggcdaBXxdU1/kZPqST8eyXsq21AELY8sefJms XQbrxqMjyQTF+M80b0t4Sr8wuXF1Deugw6v32MTisEIh2ilVq4PTvHzGbcHe0aUorg7W UnRQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:date :message-id:subject:from:to:cc:content-type; bh=Yz/dQsUATToVNi8n+BmSab5lBSKAYtLpdej94VnjqDA=; b=bnTYxVuzpXX8uZJEgxvvBStUStRnjUWZpDrKxsfaDP1kBs1N7Va24Uj7j30m++O1Fv 2TjBxd9Rxkw8Yy2HMH4f6PK9FZBXl/ftjsmt7CwYUSfYfmh59DZQ03GVV9+HOoUjQ6d7 txZiv4snaVPjZ7NmVZDKXJArONVmzux85ZwH6/8qbuFVcFAyW8eNlB1iyIZF0GiLuvZu BH/HpceH3nXrlB5IrO6oHkQfpUngJCS8Nq8KZ06ynxFyjDzYaAj7T2scm2U9mggeVM9n IRAEdi5YraKbDV6tBTExpHsTi0UAHbJshi7Pk9vhuQGgLjsBT50Y6rmcwYx3sx8YomLm uZJg==
X-Gm-Message-State: ALoCoQkn4WHOKujexcWdZQHYnqhqt87vvaFAmUMHtJ+iRs9PY1zjhrts+R6/jFYq0uv39wDJNwbV
MIME-Version: 1.0
X-Received: by 10.220.74.195 with SMTP id v3mr6932285vcj.23.1407274871192; Tue, 05 Aug 2014 14:41:11 -0700 (PDT)
Received: by 10.52.139.78 with HTTP; Tue, 5 Aug 2014 14:41:11 -0700 (PDT)
In-Reply-To: <20140805212736.4347.37060.idtracker@ietfa.amsl.com>
References: <20140805212736.4347.37060.idtracker@ietfa.amsl.com>
Date: Tue, 5 Aug 2014 14:41:11 -0700
Message-ID: <CACvaWvYLx4NBeg9JN6gFH57uDgB_szJvr=eq+Vdv1PihviQ1rA@mail.gmail.com>
From: Ryan Sleevi <sleevi@google.com>
To: Alissa Cooper <alissa@cooperw.in>
Content-Type: multipart/alternative; boundary=089e01634bf0cc9fb304ffe8b673
Archived-At: http://mailarchive.ietf.org/arch/msg/websec/7aX7OxlMA-mvmTIDAVPPuuK93kg
X-Mailman-Approved-At: Tue, 05 Aug 2014 14:44:20 -0700
Cc: draft-ietf-websec-key-pinning@tools.ietf.org, "<websec@ietf.org>" <websec@ietf.org>, The IESG <iesg@ietf.org>, websec-chairs@tools.ietf.org
Subject: Re: [websec] Alissa Cooper's Yes on draft-ietf-websec-key-pinning-19: (with COMMENT)
X-BeenThere: websec@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/websec>, <mailto:websec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/websec/>
List-Post: <mailto:websec@ietf.org>
List-Help: <mailto:websec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/websec>, <mailto:websec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 05 Aug 2014 21:41:14 -0000

--089e01634bf0cc9fb304ffe8b673
Content-Type: text/plain; charset=UTF-8

On Tue, Aug 5, 2014 at 2:27 PM, Alissa Cooper <alissa@cooperw.in> wrote:

> Alissa Cooper has entered the following ballot position for
> draft-ietf-websec-key-pinning-19: Yes
>
> When responding, please keep the subject line intact and reply to all
> email addresses included in the To and CC lines. (Feel free to cut this
> introductory paragraph, however.)
>
>
> Please refer to http://www.ietf.org/iesg/statement/discuss-criteria.html
> for more information about IESG DISCUSS and COMMENT positions.
>
>
> The document, along with other ballot positions, can be found here:
> http://datatracker.ietf.org/doc/draft-ietf-websec-key-pinning/
>
>
>
> ----------------------------------------------------------------------
> COMMENT:
> ----------------------------------------------------------------------
>
> I agree with Pete's comment about the first sentence.
>
> It would be nice if in Section 5 or 7 some suggestion could be made for
> UAs to consider the relationship between the functionality they provide
> to clear pins/pinned hosts and the functionality they provide to clear
> (or prevent the storage of) other UA state. E.g., upon clearing one's
> browsing history or entering private browsing mode, it seems like having
> the option to clear pins/pinned hosts or not pin would make sense. This
> is alluded to in Section 7 but not really tied to the threat described in
> Section 5.
>

Just to confirm, you're looking to see an illustrative (non-normative)
example/discussion of UI controls in Section 5, correct?


>
> I'm also curious about whether there is any reason to retain expired
> pins? (Other than the fact that flushing them requires the UA to actively
> check which ones are expired.)
>

I am having a bit of trouble parsing this question. The draft right now
doesn't normatively say one way or the other how to treat expired pins post
expiration. That is, pins are noted, they expire, but there are no
post-expiration steps, since the behaviour is indistinguishable from an
unpinned host.

One reason to avoid proactively erasing pins would be situations of
temporary clock skew, which is, anecdotally, a depressingly common
occurrence. A user who temporarily experienced clock skew would not be
protected from sites they visited during the skew (as pins would be
expired), but could note new pins (following the pinning logic). If the
clock skew was resolved (either manually or through a delayed
reconcilliation, as many modern OSes now go through), the user's original
pins would become viable again (within the expiration window).

This is a client misconfiguration that can't readily be accomodated or
predicted on the server, and it's a complex one, so it seems non-ideal to
document. The observable behaviour, from a server, is that if Client X
attempts to access the Site Y with an expired pin, it's no different than
if they had no Pin. That invariant is retained regardless of which
behaviour the UA implements.

--089e01634bf0cc9fb304ffe8b673
Content-Type: text/html; charset=UTF-8
Content-Transfer-Encoding: quoted-printable

<div dir=3D"ltr"><br><div class=3D"gmail_extra"><br><br><div class=3D"gmail=
_quote">On Tue, Aug 5, 2014 at 2:27 PM, Alissa Cooper <span dir=3D"ltr">&lt=
;<a href=3D"mailto:alissa@cooperw.in" target=3D"_blank">alissa@cooperw.in</=
a>&gt;</span> wrote:<br>
<blockquote class=3D"gmail_quote" style=3D"margin:0 0 0 .8ex;border-left:1p=
x #ccc solid;padding-left:1ex">Alissa Cooper has entered the following ball=
ot position for<br>
draft-ietf-websec-key-pinning-19: Yes<br>
<br>
When responding, please keep the subject line intact and reply to all<br>
email addresses included in the To and CC lines. (Feel free to cut this<br>
introductory paragraph, however.)<br>
<br>
<br>
Please refer to <a href=3D"http://www.ietf.org/iesg/statement/discuss-crite=
ria.html" target=3D"_blank">http://www.ietf.org/iesg/statement/discuss-crit=
eria.html</a><br>
for more information about IESG DISCUSS and COMMENT positions.<br>
<br>
<br>
The document, along with other ballot positions, can be found here:<br>
<a href=3D"http://datatracker.ietf.org/doc/draft-ietf-websec-key-pinning/" =
target=3D"_blank">http://datatracker.ietf.org/doc/draft-ietf-websec-key-pin=
ning/</a><br>
<br>
<br>
<br>
----------------------------------------------------------------------<br>
COMMENT:<br>
----------------------------------------------------------------------<br>
<br>
I agree with Pete&#39;s comment about the first sentence.<br>
<br>
It would be nice if in Section 5 or 7 some suggestion could be made for<br>
UAs to consider the relationship between the functionality they provide<br>
to clear pins/pinned hosts and the functionality they provide to clear<br>
(or prevent the storage of) other UA state. E.g., upon clearing one&#39;s<b=
r>
browsing history or entering private browsing mode, it seems like having<br=
>
the option to clear pins/pinned hosts or not pin would make sense. This<br>
is alluded to in Section 7 but not really tied to the threat described in<b=
r>
Section 5.<br></blockquote><div><br></div><div>Just to confirm, you&#39;re =
looking to see an illustrative (non-normative) example/discussion of UI con=
trols in Section 5, correct?</div><div>=C2=A0</div><blockquote class=3D"gma=
il_quote" style=3D"margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-lef=
t:1ex">

<br>
I&#39;m also curious about whether there is any reason to retain expired<br=
>
pins? (Other than the fact that flushing them requires the UA to actively<b=
r>
check which ones are expired.)<br></blockquote><div><br></div><div>I am hav=
ing a bit of trouble parsing this question. The draft right now doesn&#39;t=
 normatively say one way or the other how to treat expired pins post expira=
tion. That is, pins are noted, they expire, but there are no post-expiratio=
n steps, since the behaviour is indistinguishable from an unpinned host.<br=
>
</div><div><br></div><div>One reason to avoid proactively erasing pins woul=
d be situations of temporary clock skew, which is, anecdotally, a depressin=
gly common occurrence. A user who temporarily experienced clock skew would =
not be protected from sites they visited during the skew (as pins would be =
expired), but could note new pins (following the pinning logic). If the clo=
ck skew was resolved (either manually or through a delayed reconcilliation,=
 as many modern OSes now go through), the user&#39;s original pins would be=
come viable again (within the expiration window).</div>
<div><br></div><div>This is a client misconfiguration that can&#39;t readil=
y be accomodated or predicted on the server, and it&#39;s a complex one, so=
 it seems non-ideal to document. The observable behaviour, from a server, i=
s that if Client X attempts to access the Site Y with an expired pin, it&#3=
9;s no different than if they had no Pin. That invariant is retained regard=
less of which behaviour the UA implements.</div>
</div><br></div></div>

--089e01634bf0cc9fb304ffe8b673--


From nobody Tue Aug  5 15:57:36 2014
Return-Path: <alissa@cooperw.in>
X-Original-To: websec@ietfa.amsl.com
Delivered-To: websec@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DB73D1B2C2C for <websec@ietfa.amsl.com>; Tue,  5 Aug 2014 15:57:33 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.698
X-Spam-Level: 
X-Spam-Status: No, score=-2.698 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, MIME_QP_LONG_LINE=0.001, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id MHajCD_a251S for <websec@ietfa.amsl.com>; Tue,  5 Aug 2014 15:57:30 -0700 (PDT)
Received: from out3-smtp.messagingengine.com (out3-smtp.messagingengine.com [66.111.4.27]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6BE8F1B280A for <websec@ietf.org>; Tue,  5 Aug 2014 15:57:29 -0700 (PDT)
Received: from compute5.internal (compute5.nyi.internal [10.202.2.45]) by gateway1.nyi.internal (Postfix) with ESMTP id 51F8922CD1 for <websec@ietf.org>; Tue,  5 Aug 2014 18:57:25 -0400 (EDT)
Received: from frontend2 ([10.202.2.161]) by compute5.internal (MEProxy); Tue, 05 Aug 2014 18:57:25 -0400
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; d=cooperw.in; h=date :subject:from:to:cc:message-id:references:in-reply-to :mime-version:content-type; s=mesmtp; bh=qdoTqdkmtWbn0xSkniiir0g 5KTo=; b=jrIfE+KO0/UWAJF8g5IoipxGFWV6klAR+PrHhqSNnFIyO23qlhltdK5 +IwGO5a35IOabhRr8v+/nn4QjOBx4vZLoBvvxa1yIAs+Ytie0H22ED4siTutPrN7 JZS6uQzq7deYFftB7vo0A69voITeW16tL4FwmXhfW7fHCokNg34Y=
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; d= messagingengine.com; h=date:subject:from:to:cc:message-id :references:in-reply-to:mime-version:content-type; s=smtpout; bh=qdoTqdkmtWbn0xSkniiir0g5KTo=; b=cSlP4Gwv8kv3bGo/4nP0rx7mzEjF ChDYb2FzhXVW1PVmbopoKlJmMNjjAF0tAXGXENuAf0RpT71X1znAWopXVUYMwyRA qA09uoRaZxBW65gONRNhVj6CBIu1E0tDp6J+sOWNMOCp+o2PgCpWOqqJiC/V7UQ3 rL7+dVCUORFfWZY=
X-Sasl-enc: bLlTk9uY8/4g+ZByLdc0sCf/7B4uYRXUzIclb9BPXjX7 1407279444
Received: from [171.68.18.50] (unknown [171.68.18.50]) by mail.messagingengine.com (Postfix) with ESMTPA id 17DBE680142; Tue,  5 Aug 2014 18:57:21 -0400 (EDT)
User-Agent: Microsoft-MacOutlook/14.3.9.131030
Date: Tue, 05 Aug 2014 15:57:16 -0700
From: Alissa Cooper <alissa@cooperw.in>
To: Ryan Sleevi <sleevi@google.com>
Message-ID: <D006A98B.4D254%alissa@cooperw.in>
Thread-Topic: Alissa Cooper's Yes on draft-ietf-websec-key-pinning-19: (with COMMENT)
References: <20140805212736.4347.37060.idtracker@ietfa.amsl.com> <CACvaWvYLx4NBeg9JN6gFH57uDgB_szJvr=eq+Vdv1PihviQ1rA@mail.gmail.com>
In-Reply-To: <CACvaWvYLx4NBeg9JN6gFH57uDgB_szJvr=eq+Vdv1PihviQ1rA@mail.gmail.com>
Mime-version: 1.0
Content-type: multipart/alternative; boundary="B_3490099043_63119988"
Archived-At: http://mailarchive.ietf.org/arch/msg/websec/G0H6fjn6J6Qt3ZV6C-AhjS_k_Ks
Cc: draft-ietf-websec-key-pinning@tools.ietf.org, "<websec@ietf.org>" <websec@ietf.org>, The IESG <iesg@ietf.org>, websec-chairs@tools.ietf.org
Subject: Re: [websec] Alissa Cooper's Yes on draft-ietf-websec-key-pinning-19: (with COMMENT)
X-BeenThere: websec@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/websec>, <mailto:websec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/websec/>
List-Post: <mailto:websec@ietf.org>
List-Help: <mailto:websec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/websec>, <mailto:websec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 05 Aug 2014 22:57:34 -0000

> This message is in MIME format. Since your mail reader does not understand
this format, some or all of this message may not be legible.

--B_3490099043_63119988
Content-type: text/plain;
	charset="UTF-8"
Content-transfer-encoding: quoted-printable

Hi Ryan,

On 8/5/14, 2:41 PM, "Ryan Sleevi" <sleevi@google.com> wrote:

>=20
>=20
>=20
> On Tue, Aug 5, 2014 at 2:27 PM, Alissa Cooper <alissa@cooperw.in> wrote:
>> Alissa Cooper has entered the following ballot position for
>> draft-ietf-websec-key-pinning-19: Yes
>>=20
>> When responding, please keep the subject line intact and reply to all
>> email addresses included in the To and CC lines. (Feel free to cut this
>> introductory paragraph, however.)
>>=20
>>=20
>> Please refer to http://www.ietf.org/iesg/statement/discuss-criteria.html
>> for more information about IESG DISCUSS and COMMENT positions.
>>=20
>>=20
>> The document, along with other ballot positions, can be found here:
>> http://datatracker.ietf.org/doc/draft-ietf-websec-key-pinning/
>>=20
>>=20
>>=20
>> ----------------------------------------------------------------------
>> COMMENT:
>> ----------------------------------------------------------------------
>>=20
>> I agree with Pete's comment about the first sentence.
>>=20
>> It would be nice if in Section 5 or 7 some suggestion could be made for
>> UAs to consider the relationship between the functionality they provide
>> to clear pins/pinned hosts and the functionality they provide to clear
>> (or prevent the storage of) other UA state. E.g., upon clearing one's
>> browsing history or entering private browsing mode, it seems like having
>> the option to clear pins/pinned hosts or not pin would make sense. This
>> is alluded to in Section 7 but not really tied to the threat described i=
n
>> Section 5.
>=20
> Just to confirm, you're looking to see an illustrative (non-normative)
> example/discussion of UI controls in Section 5, correct?

Yes, roughly =E2=80=94 a non-normative discussion of the fact that UAs may want t=
o
consider the relationship between pin-clearing and other forms of state
clearing (the same level of detail you already have in Section 7 would be
appropriate I think).

> =20
>>=20
>> I'm also curious about whether there is any reason to retain expired
>> pins? (Other than the fact that flushing them requires the UA to activel=
y
>> check which ones are expired.)
>=20
> I am having a bit of trouble parsing this question. The draft right now
> doesn't normatively say one way or the other how to treat expired pins po=
st
> expiration. That is, pins are noted, they expire, but there are no
> post-expiration steps, since the behaviour is indistinguishable from an
> unpinned host.

Yes, I noted that, which is why I was asking about it. Deleting pins upon
expiry would reduce the amount of state the UA retains about the user=E2=80=99s
browsing history. In practice this might not mean much if the UA retains a
full browsing history anyway. But it could be a small privacy improvement
for a UA that doesn=E2=80=99t otherwise offer a way to clear pins. Then again, I=E2=
=80=99m
not sure that the situation where a UA doesn=E2=80=99t offer pin clearing but doe=
s
check for expired pins and delete them is realistic (what do you think?).
And the case you describe below seems quite compelling, so I=E2=80=99m not sure
there is anything to document here.

Alissa

>=20
>=20
> One reason to avoid proactively erasing pins would be situations of tempo=
rary
> clock skew, which is, anecdotally, a depressingly common occurrence. A us=
er
> who temporarily experienced clock skew would not be protected from sites =
they
> visited during the skew (as pins would be expired), but could note new pi=
ns
> (following the pinning logic). If the clock skew was resolved (either man=
ually
> or through a delayed reconcilliation, as many modern OSes now go through)=
, the
> user's original pins would become viable again (within the expiration win=
dow).
>=20
> This is a client misconfiguration that can't readily be accomodated or
> predicted on the server, and it's a complex one, so it seems non-ideal to
> document. The observable behaviour, from a server, is that if Client X
> attempts to access the Site Y with an expired pin, it's no different than=
 if
> they had no Pin. That invariant is retained regardless of which behaviour=
 the
> UA implements.
>=20



--B_3490099043_63119988
Content-type: text/html;
	charset="UTF-8"
Content-transfer-encoding: quoted-printable

<html><head></head><body style=3D"word-wrap: break-word; -webkit-nbsp-mode: s=
pace; -webkit-line-break: after-white-space; color: rgb(0, 0, 0); font-size:=
 14px; font-family: Calibri, sans-serif;"><div>Hi Ryan,</div><div><br></div>=
<span id=3D"OLK_SRC_BODY_SECTION"><div><div>On 8/5/14, 2:41 PM, "Ryan Sleevi" =
&lt;<a href=3D"mailto:sleevi@google.com">sleevi@google.com</a>&gt; wrote:</div=
></div><div><br></div><blockquote id=3D"MAC_OUTLOOK_ATTRIBUTION_BLOCKQUOTE" st=
yle=3D"BORDER-LEFT: #b5c4df 5 solid; PADDING:0 0 0 5; MARGIN:0 0 0 5;"><div di=
r=3D"ltr"><br><div class=3D"gmail_extra"><br><br><div class=3D"gmail_quote">On Tue=
, Aug 5, 2014 at 2:27 PM, Alissa Cooper <span dir=3D"ltr">&lt;<a href=3D"mailto:=
alissa@cooperw.in" target=3D"_blank">alissa@cooperw.in</a>&gt;</span> wrote:<b=
r><blockquote class=3D"gmail_quote" style=3D"margin:0 0 0 .8ex;border-left:1px #=
ccc solid;padding-left:1ex">Alissa Cooper has entered the following ballot p=
osition for<br>
draft-ietf-websec-key-pinning-19: Yes<br><br>
When responding, please keep the subject line intact and reply to all<br>
email addresses included in the To and CC lines. (Feel free to cut this<br>=

introductory paragraph, however.)<br><br><br>
Please refer to <a href=3D"http://www.ietf.org/iesg/statement/discuss-criteri=
a.html" target=3D"_blank">http://www.ietf.org/iesg/statement/discuss-criteria.=
html</a><br>
for more information about IESG DISCUSS and COMMENT positions.<br><br><br>
The document, along with other ballot positions, can be found here:<br><a h=
ref=3D"http://datatracker.ietf.org/doc/draft-ietf-websec-key-pinning/" target=3D=
"_blank">http://datatracker.ietf.org/doc/draft-ietf-websec-key-pinning/</a><=
br><br><br><br>
----------------------------------------------------------------------<br>
COMMENT:<br>
----------------------------------------------------------------------<br><=
br>
I agree with Pete's comment about the first sentence.<br><br>
It would be nice if in Section 5 or 7 some suggestion could be made for<br>=

UAs to consider the relationship between the functionality they provide<br>=

to clear pins/pinned hosts and the functionality they provide to clear<br>
(or prevent the storage of) other UA state. E.g., upon clearing one's<br>
browsing history or entering private browsing mode, it seems like having<br=
>
the option to clear pins/pinned hosts or not pin would make sense. This<br>=

is alluded to in Section 7 but not really tied to the threat described in<b=
r>
Section 5.<br></blockquote><div><br></div><div>Just to confirm, you're look=
ing to see an illustrative (non-normative) example/discussion of UI controls=
 in Section 5, correct?</div></div></div></div></blockquote></span><div><br>=
</div><div>Yes, roughly &#8212; a non-normative discussion of the fact that =
UAs may want to consider the relationship between pin-clearing and other for=
ms of state clearing (the same level of detail you already have in Section 7=
 would be appropriate I think).</div><div><br></div><span id=3D"OLK_SRC_BODY_S=
ECTION"><blockquote id=3D"MAC_OUTLOOK_ATTRIBUTION_BLOCKQUOTE" style=3D"BORDER-LE=
FT: #b5c4df 5 solid; PADDING:0 0 0 5; MARGIN:0 0 0 5;"><div dir=3D"ltr"><div c=
lass=3D"gmail_extra"><div class=3D"gmail_quote"><div>&nbsp;</div><blockquote cla=
ss=3D"gmail_quote" style=3D"margin:0 0 0 .8ex;border-left:1px #ccc solid;padding=
-left:1ex"><br>
I'm also curious about whether there is any reason to retain expired<br>
pins? (Other than the fact that flushing them requires the UA to actively<b=
r>
check which ones are expired.)<br></blockquote><div><br></div><div>I am hav=
ing a bit of trouble parsing this question. The draft right now doesn't norm=
atively say one way or the other how to treat expired pins post expiration. =
That is, pins are noted, they expire, but there are no post-expiration steps=
, since the behaviour is indistinguishable from an unpinned host.</div></div=
></div></div></blockquote></span><div><br></div><div>Yes, I noted that, whic=
h is why I was asking about it. Deleting pins upon expiry would reduce the a=
mount of state the UA retains about the user&#8217;s browsing history. In pr=
actice this might not mean much if the UA retains a full browsing history an=
yway. But it could be a small privacy improvement for a UA that doesn&#8217;=
t otherwise offer a way to clear pins. Then again, I&#8217;m not sure that t=
he situation where a UA doesn&#8217;t offer pin clearing but does check for =
expired pins and delete them is realistic (what do you think?). And the case=
 you describe below seems quite compelling, so I&#8217;m not sure there is a=
nything to document here.</div><div><br></div><div>Alissa</div><div><br></di=
v><span id=3D"OLK_SRC_BODY_SECTION"><blockquote id=3D"MAC_OUTLOOK_ATTRIBUTION_BL=
OCKQUOTE" style=3D"BORDER-LEFT: #b5c4df 5 solid; PADDING:0 0 0 5; MARGIN:0 0 0=
 5;"><div dir=3D"ltr"><div class=3D"gmail_extra"><div class=3D"gmail_quote"><div><=
br></div><div><br></div><div>One reason to avoid proactively erasing pins wo=
uld be situations of temporary clock skew, which is, anecdotally, a depressi=
ngly common occurrence. A user who temporarily experienced clock skew would =
not be protected from sites they visited during the skew (as pins would be e=
xpired), but could note new pins (following the pinning logic). If the clock=
 skew was resolved (either manually or through a delayed reconcilliation, as=
 many modern OSes now go through), the user's original pins would become via=
ble again (within the expiration window).</div><div><br></div><div>This is a=
 client misconfiguration that can't readily be accomodated or predicted on t=
he server, and it's a complex one, so it seems non-ideal to document. The ob=
servable behaviour, from a server, is that if Client X attempts to access th=
e Site Y with an expired pin, it's no different than if they had no Pin. Tha=
t invariant is retained regardless of which behaviour the UA implements.</di=
v></div><br></div></div></blockquote></span></body></html>

--B_3490099043_63119988--



From nobody Wed Aug  6 12:23:12 2014
Return-Path: <rlb@ipv.sx>
X-Original-To: websec@ietfa.amsl.com
Delivered-To: websec@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id F18841A00FA; Wed,  6 Aug 2014 12:23:09 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level: 
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id UHCBGWBsP0PH; Wed,  6 Aug 2014 12:23:08 -0700 (PDT)
Received: from ietfa.amsl.com (localhost [IPv6:::1]) by ietfa.amsl.com (Postfix) with ESMTP id 52E571A00AD; Wed,  6 Aug 2014 12:23:08 -0700 (PDT)
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
From: "Richard Barnes" <rlb@ipv.sx>
To: The IESG <iesg@ietf.org>
X-Test-IDTracker: no
X-IETF-IDTracker: 5.6.2.p5
Auto-Submitted: auto-generated
Precedence: bulk
Message-ID: <20140806192308.15466.52635.idtracker@ietfa.amsl.com>
Date: Wed, 06 Aug 2014 12:23:08 -0700
Archived-At: http://mailarchive.ietf.org/arch/msg/websec/Pj96JVap5_4fL_2SrjlWwm2KyqI
Cc: draft-ietf-websec-key-pinning@tools.ietf.org, websec@ietf.org, websec-chairs@tools.ietf.org
Subject: [websec] Richard Barnes' Yes on draft-ietf-websec-key-pinning-19: (with COMMENT)
X-BeenThere: websec@ietf.org
X-Mailman-Version: 2.1.15
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/websec>, <mailto:websec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/websec/>
List-Post: <mailto:websec@ietf.org>
List-Help: <mailto:websec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/websec>, <mailto:websec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 06 Aug 2014 19:23:10 -0000

Richard Barnes has entered the following ballot position for
draft-ietf-websec-key-pinning-19: Yes

When responding, please keep the subject line intact and reply to all
email addresses included in the To and CC lines. (Feel free to cut this
introductory paragraph, however.)


Please refer to http://www.ietf.org/iesg/statement/discuss-criteria.html
for more information about IESG DISCUSS and COMMENT positions.


The document, along with other ballot positions, can be found here:
http://datatracker.ietf.org/doc/draft-ietf-websec-key-pinning/



----------------------------------------------------------------------
COMMENT:
----------------------------------------------------------------------

This is an important document, and overall clearly written.  There are a
few points that it would be good to clean up.


Introduction: "At least one UA..."

FWIW, this is now "At least two UAs..."  Firefox also has a manual pin
list as of version 32, currently in Beta.


Introduction: "but is possible to pin keys without requiring HSTS"

-> "but it is ... and vice versa."


Section 2.2.2. "Pinned Hosts SHOULD NOT include..."

This applies not just to Pinned Hosts, but to any web host, right?


Section 2.3.1. "If a UA receives more than one PKP header field ... only
the first PKP-RO header field (if present)"

This seems problematic in light of the fact that HTTP recipients are
allowed to coalesce the values of multiple header fields.
http://tools.ietf.org/html/rfc7230#section-3.2.2

So, for example, if header coalescing were done at a lower layer in the
HTTP stack than HPKP, then the pinning code wouldn't be able to
distinguish "first" vs. "rest".  On the other hand, maybe this is a use
case for using semicolons as separators, since the combined header field
would not be valid.  In either case, there's a need for updated text.


Section 2.5. "at least one Pin that does NOT refer to an SPKI in the
certificate chain"

I understand the motivation for this, but this doesn't actually force the
site to have a backup pin -- they can just make up a pin value.  It seems
like it would be more effective to make the recommendation in Section 4.3
stronger.


Section 4. "Security Considerations"

Most of these seem more like "Operational Considerations" or
"How-To-Not-Brick-Your-Site Considerations".  :)



From nobody Wed Aug  6 13:03:17 2014
Return-Path: <sleevi@google.com>
X-Original-To: websec@ietfa.amsl.com
Delivered-To: websec@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id ACE4F1B27DB for <websec@ietfa.amsl.com>; Wed,  6 Aug 2014 13:00:48 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.379
X-Spam-Level: 
X-Spam-Status: No, score=-1.379 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id MPj18DeIAkdp for <websec@ietfa.amsl.com>; Wed,  6 Aug 2014 13:00:46 -0700 (PDT)
Received: from mail-vc0-x231.google.com (mail-vc0-x231.google.com [IPv6:2607:f8b0:400c:c03::231]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D15B31A00F1 for <websec@ietf.org>; Wed,  6 Aug 2014 13:00:44 -0700 (PDT)
Received: by mail-vc0-f177.google.com with SMTP id hy4so4760712vcb.8 for <websec@ietf.org>; Wed, 06 Aug 2014 13:00:43 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=NQKyHeEztW8//wHfhxaVcnz13w4GhIgqcgoCoj8g920=; b=R48afVc73MwCMGLspPgwOnjscq1omq8rH2HXTmqlAbH6wjtC0M6wwuTvUd0ZiPNf7e w5VCznqcTohfFS+jgPsMChc5vHaDmuc4tqHDYZ+tdcnoDKubG1g9u5YpVs4j5gTf/F9t Kt/g8rkvG8WMlF2tknC+lgCOHxArpc7aHBfABwTX/dRua6aVKOetGQH/0yjWBK1ZUXKI KcNvkCLxdWuzCiAU5EtCeYHn72Mni63pYaRd8W4r7CRJ6gkYWiEtvEcLLbZOFKXx/ArQ XJc0YC9ewooQEmRzPwaJoFNw7TL4tf8XxSUkzbfkedzjLrGtFu0xpz0kJ0Sd/HVBXC5d X7Yw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:date :message-id:subject:from:to:cc:content-type; bh=NQKyHeEztW8//wHfhxaVcnz13w4GhIgqcgoCoj8g920=; b=lCONB8uvZnnu90gZ+Pvn081IWGdGV0oc9lQ2cvcvGZD7lDYYGOIpljNryWUL2Y9zTr spK/jeqLJjyR4r8YsO0kIh7hTFCATrof5lG+0QOir2Ub0gEZ64QSqKSMg1+Oo7WdEhux 6uzxFBFturplSKkrHY6ILj8Bp9lugVxHqjp4XooU0HPp/CkEgNJlWlpHoFQjwoEiN1QH Ks9K4HM0ZIuvwH7J7hJgExvYAr2sEUAGA/QzHK5PNT6y7evSLR6wVwvCfcxiM54/3MMQ slBdy06dj2Sm+XTcsginNvqBe6WsCzNWx+GXJbyGI2VFjz9Loe93ecnjvtFpRH6kmu6H RlAw==
X-Gm-Message-State: ALoCoQmIeqAR9J9APmSBQi9uoCE3jYb+RWtGpDhJhHKwN5gJUIFE+vAThzdB3D+cwJu5hvSp2sbC
MIME-Version: 1.0
X-Received: by 10.220.82.202 with SMTP id c10mr12628823vcl.31.1407355243791; Wed, 06 Aug 2014 13:00:43 -0700 (PDT)
Received: by 10.52.139.78 with HTTP; Wed, 6 Aug 2014 13:00:43 -0700 (PDT)
In-Reply-To: <20140806192308.15466.52635.idtracker@ietfa.amsl.com>
References: <20140806192308.15466.52635.idtracker@ietfa.amsl.com>
Date: Wed, 6 Aug 2014 13:00:43 -0700
Message-ID: <CACvaWvapKThsHPQPzoJ0BZVwea8fnm5O+OMAHFxdcZudp=MCjw@mail.gmail.com>
From: Ryan Sleevi <sleevi@google.com>
To: Richard Barnes <rlb@ipv.sx>
Content-Type: multipart/alternative; boundary=047d7b339fc161232f04fffb6d04
Archived-At: http://mailarchive.ietf.org/arch/msg/websec/sxQypNVhb2IgN60HuFHaPpYx_yo
X-Mailman-Approved-At: Wed, 06 Aug 2014 13:03:15 -0700
Cc: draft-ietf-websec-key-pinning@tools.ietf.org, "<websec@ietf.org>" <websec@ietf.org>, The IESG <iesg@ietf.org>, websec-chairs@tools.ietf.org
Subject: Re: [websec] Richard Barnes' Yes on draft-ietf-websec-key-pinning-19: (with COMMENT)
X-BeenThere: websec@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/websec>, <mailto:websec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/websec/>
List-Post: <mailto:websec@ietf.org>
List-Help: <mailto:websec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/websec>, <mailto:websec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 06 Aug 2014 20:00:48 -0000

--047d7b339fc161232f04fffb6d04
Content-Type: text/plain; charset=UTF-8

On Wed, Aug 6, 2014 at 12:23 PM, Richard Barnes <rlb@ipv.sx> wrote:

> Richard Barnes has entered the following ballot position for
> draft-ietf-websec-key-pinning-19: Yes
>
> When responding, please keep the subject line intact and reply to all
> email addresses included in the To and CC lines. (Feel free to cut this
> introductory paragraph, however.)
>
>
> Please refer to http://www.ietf.org/iesg/statement/discuss-criteria.html
> for more information about IESG DISCUSS and COMMENT positions.
>
>
> The document, along with other ballot positions, can be found here:
> http://datatracker.ietf.org/doc/draft-ietf-websec-key-pinning/
>
>
>
> ----------------------------------------------------------------------
> COMMENT:
> ----------------------------------------------------------------------
>
> This is an important document, and overall clearly written.  There are a
> few points that it would be good to clean up.
>
>
> Introduction: "At least one UA..."
>
> FWIW, this is now "At least two UAs..."  Firefox also has a manual pin
> list as of version 32, currently in Beta.
>
>
> Introduction: "but is possible to pin keys without requiring HSTS"
>
> -> "but it is ... and vice versa."
>
>
> Section 2.2.2. "Pinned Hosts SHOULD NOT include..."
>
> This applies not just to Pinned Hosts, but to any web host, right?
>
>
> Section 2.3.1. "If a UA receives more than one PKP header field ... only
> the first PKP-RO header field (if present)"
>
> This seems problematic in light of the fact that HTTP recipients are
> allowed to coalesce the values of multiple header fields.
> http://tools.ietf.org/html/rfc7230#section-3.2.2
>
> So, for example, if header coalescing were done at a lower layer in the
> HTTP stack than HPKP, then the pinning code wouldn't be able to
> distinguish "first" vs. "rest".  On the other hand, maybe this is a use
> case for using semicolons as separators, since the combined header field
> would not be valid.  In either case, there's a need for updated text.
>

Note, same issue applies to http://tools.ietf.org/html/rfc6797#section-8.1,
which is the source of this language.

This appears to be RFC 7230 changing the rules that RFC 2616 set out,
incompatibly.

RFC 2616 reads
"Multiple message-header fields with the same field-name MAY be present in
a message if and only if the entire field-value for that header field is
defined as a comma-separated list [i.e., #(values)]"

In this respect, both this draft and 6797 are compliant with 2616.

RFC 7230 changes this, incompatibly, to read
"A sender MUST NOT generate ... unless it's defined as a comma-separated
list [i.e., #(values)] or the header field is a well-known exception"
"A recipient MAY combine multiple header fields with the same field name,
..., without changing the semantics of the message, by appending each
subsequent field value to the combined field value in order, separated by
comma."

So this is clearly something that 7230 changed from 2616, in a way that
provides a more liberal interpretation than 2616 allows.

As addressed earlier on review, because semi-colons are used, if a
recipient did coalesce, then such a header injection would cause the
pinning header to be ignored (as invalid), rather than processed. That
still seems to be acceptable behaviour - e.g. no language change required.


>
>
> Section 2.5. "at least one Pin that does NOT refer to an SPKI in the
> certificate chain"
>
> I understand the motivation for this, but this doesn't actually force the
> site to have a backup pin -- they can just make up a pin value.  It seems
> like it would be more effective to make the recommendation in Section 4.3
> stronger.
>

I'm not sure what you see as a viable change. There's no way that a UA can
confirm a Backup Pin is a valid backup pin, short of requiring the key be
online and capable of proving itself, which is precisely what having a
backup pin is to help you avoid.


>
>
> Section 4. "Security Considerations"
>
> Most of these seem more like "Operational Considerations" or
> "How-To-Not-Brick-Your-Site Considerations".  :)
>
>
>

--047d7b339fc161232f04fffb6d04
Content-Type: text/html; charset=UTF-8
Content-Transfer-Encoding: quoted-printable

<div dir=3D"ltr"><br><div class=3D"gmail_extra"><br><br><div class=3D"gmail=
_quote">On Wed, Aug 6, 2014 at 12:23 PM, Richard Barnes <span dir=3D"ltr">&=
lt;<a href=3D"mailto:rlb@ipv.sx" target=3D"_blank">rlb@ipv.sx</a>&gt;</span=
> wrote:<br>
<blockquote class=3D"gmail_quote" style=3D"margin:0px 0px 0px 0.8ex;border-=
left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;p=
adding-left:1ex">Richard Barnes has entered the following ballot position f=
or<br>

draft-ietf-websec-key-pinning-19: Yes<br>
<br>
When responding, please keep the subject line intact and reply to all<br>
email addresses included in the To and CC lines. (Feel free to cut this<br>
introductory paragraph, however.)<br>
<br>
<br>
Please refer to <a href=3D"http://www.ietf.org/iesg/statement/discuss-crite=
ria.html" target=3D"_blank">http://www.ietf.org/iesg/statement/discuss-crit=
eria.html</a><br>
for more information about IESG DISCUSS and COMMENT positions.<br>
<br>
<br>
The document, along with other ballot positions, can be found here:<br>
<a href=3D"http://datatracker.ietf.org/doc/draft-ietf-websec-key-pinning/" =
target=3D"_blank">http://datatracker.ietf.org/doc/draft-ietf-websec-key-pin=
ning/</a><br>
<br>
<br>
<br>
----------------------------------------------------------------------<br>
COMMENT:<br>
----------------------------------------------------------------------<br>
<br>
This is an important document, and overall clearly written. =C2=A0There are=
 a<br>
few points that it would be good to clean up.<br>
<br>
<br>
Introduction: &quot;At least one UA...&quot;<br>
<br>
FWIW, this is now &quot;At least two UAs...&quot; =C2=A0Firefox also has a =
manual pin<br>
list as of version 32, currently in Beta.<br>
<br>
<br>
Introduction: &quot;but is possible to pin keys without requiring HSTS&quot=
;<br>
<br>
-&gt; &quot;but it is ... and vice versa.&quot;<br>
<br>
<br>
Section 2.2.2. &quot;Pinned Hosts SHOULD NOT include...&quot;<br>
<br>
This applies not just to Pinned Hosts, but to any web host, right?<br>
<br>
<br>
Section 2.3.1. &quot;If a UA receives more than one PKP header field ... on=
ly<br>
the first PKP-RO header field (if present)&quot;<br>
<br>
This seems problematic in light of the fact that HTTP recipients are<br>
allowed to coalesce the values of multiple header fields.<br>
<a href=3D"http://tools.ietf.org/html/rfc7230#section-3.2.2" target=3D"_bla=
nk">http://tools.ietf.org/html/rfc7230#section-3.2.2</a><br>
<br>
So, for example, if header coalescing were done at a lower layer in the<br>
HTTP stack than HPKP, then the pinning code wouldn&#39;t be able to<br>
distinguish &quot;first&quot; vs. &quot;rest&quot;. =C2=A0On the other hand=
, maybe this is a use<br>
case for using semicolons as separators, since the combined header field<br=
>
would not be valid. =C2=A0In either case, there&#39;s a need for updated te=
xt.<br></blockquote><div><br></div><div>Note, same issue applies to=C2=A0<a=
 href=3D"http://tools.ietf.org/html/rfc6797#section-8.1">http://tools.ietf.=
org/html/rfc6797#section-8.1</a>, which is the source of this language.</di=
v>
<div><br></div><div>This appears to be RFC 7230 changing the rules that RFC=
 2616 set out, incompatibly.</div><div><br></div><div>RFC 2616 reads</div><=
div>&quot;Multiple message-header fields with the same field-name MAY be pr=
esent in a message if and only if the entire field-value for that header fi=
eld is defined as a comma-separated list [i.e., #(values)]&quot;</div>
<div><br></div><div>In this respect, both this draft and 6797 are compliant=
 with 2616.</div><div><br></div><div>RFC 7230 changes this, incompatibly, t=
o read</div><div>&quot;A sender MUST NOT generate ... unless it&#39;s defin=
ed as a comma-separated list [i.e., #(values)] or the header field is a wel=
l-known exception&quot;</div>
<div>&quot;A recipient MAY combine multiple header fields with the same fie=
ld name, ..., without changing the semantics of the message, by appending e=
ach subsequent field value to the combined field value in order, separated =
by comma.&quot;</div>
<div><br></div><div>So this is clearly something that 7230 changed from 261=
6, in a way that provides a more liberal interpretation than 2616 allows.</=
div><div><br></div><div>As addressed earlier on review, because semi-colons=
 are used, if a recipient did coalesce, then such a header injection would =
cause the pinning header to be ignored (as invalid), rather than processed.=
 That still seems to be acceptable behaviour - e.g. no language change requ=
ired.</div>
<div>=C2=A0</div><blockquote class=3D"gmail_quote" style=3D"margin:0px 0px =
0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-l=
eft-style:solid;padding-left:1ex">
<br>
<br>
Section 2.5. &quot;at least one Pin that does NOT refer to an SPKI in the<b=
r>
certificate chain&quot;<br>
<br>
I understand the motivation for this, but this doesn&#39;t actually force t=
he<br>
site to have a backup pin -- they can just make up a pin value. =C2=A0It se=
ems<br>
like it would be more effective to make the recommendation in Section 4.3<b=
r>
stronger.<br></blockquote><div><br></div><div>I&#39;m not sure what you see=
 as a viable change. There&#39;s no way that a UA can confirm a Backup Pin =
is a valid backup pin, short of requiring the key be online and capable of =
proving itself, which is precisely what having a backup pin is to help you =
avoid.</div>
<div>=C2=A0</div><blockquote class=3D"gmail_quote" style=3D"margin:0px 0px =
0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-l=
eft-style:solid;padding-left:1ex">
<br>
<br>
Section 4. &quot;Security Considerations&quot;<br>
<br>
Most of these seem more like &quot;Operational Considerations&quot; or<br>
&quot;How-To-Not-Brick-Your-Site Considerations&quot;. =C2=A0:)<br>
<br>
<br>
</blockquote></div><br></div></div>

--047d7b339fc161232f04fffb6d04--


From nobody Wed Aug  6 13:23:04 2014
Return-Path: <rlb@ipv.sx>
X-Original-To: websec@ietfa.amsl.com
Delivered-To: websec@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 72D8A1A00FC for <websec@ietfa.amsl.com>; Wed,  6 Aug 2014 13:22:49 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.977
X-Spam-Level: 
X-Spam-Status: No, score=-1.977 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7] autolearn=unavailable
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id araL0fDwpdkr for <websec@ietfa.amsl.com>; Wed,  6 Aug 2014 13:22:43 -0700 (PDT)
Received: from mail-oi0-f45.google.com (mail-oi0-f45.google.com [209.85.218.45]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7EFA21A00A7 for <websec@ietf.org>; Wed,  6 Aug 2014 13:22:42 -0700 (PDT)
Received: by mail-oi0-f45.google.com with SMTP id e131so2018945oig.4 for <websec@ietf.org>; Wed, 06 Aug 2014 13:22:42 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:date :message-id:subject:from:to:cc:content-type; bh=NSKv3buq5HNj8JpSd4OOq3yJutyvXTBuYuiAu+J6msA=; b=hzh8pDjsDK8/q2UoCuCiOU7wsJKBlrHs3LSFKMih/yvMNU10ZRYEKSWi+2SKquBOUC Rq0CSP+S5ebpD7wfahjqvn4ZABrxiSR4bZwgqRjVVZauDTRPUZt7sScBRZJeg3Ke3ODc ichkGGymrJonh94jm+Eboyxs96hUlYe73XYAl4tbjcfUvXL3By2UcmAelSQpsSrvrAWZ 8TpT2yK7+f4f61J8pgbM5OShgyFe4v6E2GvF3kLbMuWgMJDM3D4lMY26csbGCP166NKM hC6Sb8emchRsxW8FHuzI6dmm7UgI+M9wOVm8tw3d9emBIOuXvGPG7NwiyLVeERzuCX91 WfQQ==
X-Gm-Message-State: ALoCoQmHehg73b58L0Uyt9uTqQnN5cuoVEgXnu+gpcgujKnd6VAEB437F2bCNWzceHPhY3Tu3pzx
MIME-Version: 1.0
X-Received: by 10.182.20.241 with SMTP id q17mr18251040obe.83.1407356561985; Wed, 06 Aug 2014 13:22:41 -0700 (PDT)
Received: by 10.76.106.202 with HTTP; Wed, 6 Aug 2014 13:22:41 -0700 (PDT)
In-Reply-To: <CACvaWvapKThsHPQPzoJ0BZVwea8fnm5O+OMAHFxdcZudp=MCjw@mail.gmail.com>
References: <20140806192308.15466.52635.idtracker@ietfa.amsl.com> <CACvaWvapKThsHPQPzoJ0BZVwea8fnm5O+OMAHFxdcZudp=MCjw@mail.gmail.com>
Date: Wed, 6 Aug 2014 16:22:41 -0400
Message-ID: <CAL02cgRgxXmGr52rweaUahGZeC=d-Zk8hptVwPTFXNTmbbJ71A@mail.gmail.com>
From: Richard Barnes <rlb@ipv.sx>
To: Ryan Sleevi <sleevi@google.com>
Content-Type: multipart/alternative; boundary=e89a8f50221cf426f604fffbbbf7
Archived-At: http://mailarchive.ietf.org/arch/msg/websec/zXMdkw8ZqjWn2yc7r8FwdDsDKBk
Cc: draft-ietf-websec-key-pinning@tools.ietf.org, "<websec@ietf.org>" <websec@ietf.org>, The IESG <iesg@ietf.org>, "websec-chairs@tools.ietf.org" <websec-chairs@tools.ietf.org>
Subject: Re: [websec] Richard Barnes' Yes on draft-ietf-websec-key-pinning-19: (with COMMENT)
X-BeenThere: websec@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/websec>, <mailto:websec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/websec/>
List-Post: <mailto:websec@ietf.org>
List-Help: <mailto:websec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/websec>, <mailto:websec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 06 Aug 2014 20:22:49 -0000

--e89a8f50221cf426f604fffbbbf7
Content-Type: text/plain; charset=UTF-8

On Wed, Aug 6, 2014 at 4:00 PM, Ryan Sleevi <sleevi@google.com> wrote:

>
>
>
> On Wed, Aug 6, 2014 at 12:23 PM, Richard Barnes <rlb@ipv.sx> wrote:
>
>> Richard Barnes has entered the following ballot position for
>> draft-ietf-websec-key-pinning-19: Yes
>>
>> When responding, please keep the subject line intact and reply to all
>> email addresses included in the To and CC lines. (Feel free to cut this
>> introductory paragraph, however.)
>>
>>
>> Please refer to http://www.ietf.org/iesg/statement/discuss-criteria.html
>> for more information about IESG DISCUSS and COMMENT positions.
>>
>>
>> The document, along with other ballot positions, can be found here:
>> http://datatracker.ietf.org/doc/draft-ietf-websec-key-pinning/
>>
>>
>>
>> ----------------------------------------------------------------------
>> COMMENT:
>> ----------------------------------------------------------------------
>>
>> This is an important document, and overall clearly written.  There are a
>> few points that it would be good to clean up.
>>
>>
>> Introduction: "At least one UA..."
>>
>> FWIW, this is now "At least two UAs..."  Firefox also has a manual pin
>> list as of version 32, currently in Beta.
>>
>>
>> Introduction: "but is possible to pin keys without requiring HSTS"
>>
>> -> "but it is ... and vice versa."
>>
>>
>> Section 2.2.2. "Pinned Hosts SHOULD NOT include..."
>>
>> This applies not just to Pinned Hosts, but to any web host, right?
>>
>>
>> Section 2.3.1. "If a UA receives more than one PKP header field ... only
>> the first PKP-RO header field (if present)"
>>
>> This seems problematic in light of the fact that HTTP recipients are
>> allowed to coalesce the values of multiple header fields.
>> http://tools.ietf.org/html/rfc7230#section-3.2.2
>>
>> So, for example, if header coalescing were done at a lower layer in the
>> HTTP stack than HPKP, then the pinning code wouldn't be able to
>> distinguish "first" vs. "rest".  On the other hand, maybe this is a use
>> case for using semicolons as separators, since the combined header field
>> would not be valid.  In either case, there's a need for updated text.
>>
>
> Note, same issue applies to http://tools.ietf.org/html/rfc6797#section-8.1,
> which is the source of this language.
>
> This appears to be RFC 7230 changing the rules that RFC 2616 set out,
> incompatibly.
>
> RFC 2616 reads
> "Multiple message-header fields with the same field-name MAY be present in
> a message if and only if the entire field-value for that header field is
> defined as a comma-separated list [i.e., #(values)]"
>
> In this respect, both this draft and 6797 are compliant with 2616.
>
> RFC 7230 changes this, incompatibly, to read
> "A sender MUST NOT generate ... unless it's defined as a comma-separated
> list [i.e., #(values)] or the header field is a well-known exception"
> "A recipient MAY combine multiple header fields with the same field name,
> ..., without changing the semantics of the message, by appending each
> subsequent field value to the combined field value in order, separated by
> comma."
>
> So this is clearly something that 7230 changed from 2616, in a way that
> provides a more liberal interpretation than 2616 allows.
>
> As addressed earlier on review, because semi-colons are used, if a
> recipient did coalesce, then such a header injection would cause the
> pinning header to be ignored (as invalid), rather than processed. That
> still seems to be acceptable behaviour - e.g. no language change required.
>

Fair enough.  I hadn't seen your response to Pete.




> Section 2.5. "at least one Pin that does NOT refer to an SPKI in the
> certificate chain"
>
> I understand the motivation for this, but this doesn't actually force the
> site to have a backup pin -- they can just make up a pin value.  It seems
> like it would be more effective to make the recommendation in Section 4.3
> stronger.
>

I'm not sure what you see as a viable change. There's no way that a UA can
> confirm a Backup Pin is a valid backup pin, short of requiring the key be
> online and capable of proving itself, which is precisely what having a
> backup pin is to help you avoid.
>

I guess I'm just saying that forcing the server to present a backup pin is
kind of ineffective, precisely because the UA can't verify that it's
actually a backup pin.  So I'm not sure that having this requirement will
result in much more backup pinning than the recommendations in 4.3,
especially if those recommendations were made stronger or more prominent.

But if the WG thinks the requirement for a backup pin is worth the effort,
it is specified interoperably, so I'm not going to stand in the way.

--Richard

--e89a8f50221cf426f604fffbbbf7
Content-Type: text/html; charset=UTF-8
Content-Transfer-Encoding: quoted-printable

<div dir=3D"ltr"><br><div class=3D"gmail_extra"><br><br><div class=3D"gmail=
_quote">On Wed, Aug 6, 2014 at 4:00 PM, Ryan Sleevi <span dir=3D"ltr">&lt;<=
a href=3D"mailto:sleevi@google.com" target=3D"_blank">sleevi@google.com</a>=
&gt;</span> wrote:<br>
<blockquote class=3D"gmail_quote" style=3D"margin:0 0 0 .8ex;border-left:1p=
x #ccc solid;padding-left:1ex"><div dir=3D"ltr"><br><div class=3D"gmail_ext=
ra"><br><br><div class=3D"gmail_quote"><div><div class=3D"h5">On Wed, Aug 6=
, 2014 at 12:23 PM, Richard Barnes <span dir=3D"ltr">&lt;<a href=3D"mailto:=
rlb@ipv.sx" target=3D"_blank">rlb@ipv.sx</a>&gt;</span> wrote:<br>

<blockquote class=3D"gmail_quote" style=3D"margin:0px 0px 0px 0.8ex;border-=
left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;p=
adding-left:1ex">Richard Barnes has entered the following ballot position f=
or<br>


draft-ietf-websec-key-pinning-19: Yes<br>
<br>
When responding, please keep the subject line intact and reply to all<br>
email addresses included in the To and CC lines. (Feel free to cut this<br>
introductory paragraph, however.)<br>
<br>
<br>
Please refer to <a href=3D"http://www.ietf.org/iesg/statement/discuss-crite=
ria.html" target=3D"_blank">http://www.ietf.org/iesg/statement/discuss-crit=
eria.html</a><br>
for more information about IESG DISCUSS and COMMENT positions.<br>
<br>
<br>
The document, along with other ballot positions, can be found here:<br>
<a href=3D"http://datatracker.ietf.org/doc/draft-ietf-websec-key-pinning/" =
target=3D"_blank">http://datatracker.ietf.org/doc/draft-ietf-websec-key-pin=
ning/</a><br>
<br>
<br>
<br>
----------------------------------------------------------------------<br>
COMMENT:<br>
----------------------------------------------------------------------<br>
<br>
This is an important document, and overall clearly written. =C2=A0There are=
 a<br>
few points that it would be good to clean up.<br>
<br>
<br>
Introduction: &quot;At least one UA...&quot;<br>
<br>
FWIW, this is now &quot;At least two UAs...&quot; =C2=A0Firefox also has a =
manual pin<br>
list as of version 32, currently in Beta.<br>
<br>
<br>
Introduction: &quot;but is possible to pin keys without requiring HSTS&quot=
;<br>
<br>
-&gt; &quot;but it is ... and vice versa.&quot;<br>
<br>
<br>
Section 2.2.2. &quot;Pinned Hosts SHOULD NOT include...&quot;<br>
<br>
This applies not just to Pinned Hosts, but to any web host, right?<br>
<br>
<br>
Section 2.3.1. &quot;If a UA receives more than one PKP header field ... on=
ly<br>
the first PKP-RO header field (if present)&quot;<br>
<br>
This seems problematic in light of the fact that HTTP recipients are<br>
allowed to coalesce the values of multiple header fields.<br>
<a href=3D"http://tools.ietf.org/html/rfc7230#section-3.2.2" target=3D"_bla=
nk">http://tools.ietf.org/html/rfc7230#section-3.2.2</a><br>
<br>
So, for example, if header coalescing were done at a lower layer in the<br>
HTTP stack than HPKP, then the pinning code wouldn&#39;t be able to<br>
distinguish &quot;first&quot; vs. &quot;rest&quot;. =C2=A0On the other hand=
, maybe this is a use<br>
case for using semicolons as separators, since the combined header field<br=
>
would not be valid. =C2=A0In either case, there&#39;s a need for updated te=
xt.<br></blockquote><div><br></div></div></div><div>Note, same issue applie=
s to=C2=A0<a href=3D"http://tools.ietf.org/html/rfc6797#section-8.1" target=
=3D"_blank">http://tools.ietf.org/html/rfc6797#section-8.1</a>, which is th=
e source of this language.</div>

<div><br></div><div>This appears to be RFC 7230 changing the rules that RFC=
 2616 set out, incompatibly.</div><div><br></div><div>RFC 2616 reads</div><=
div>&quot;Multiple message-header fields with the same field-name MAY be pr=
esent in a message if and only if the entire field-value for that header fi=
eld is defined as a comma-separated list [i.e., #(values)]&quot;</div>

<div><br></div><div>In this respect, both this draft and 6797 are compliant=
 with 2616.</div><div><br></div><div>RFC 7230 changes this, incompatibly, t=
o read</div><div>&quot;A sender MUST NOT generate ... unless it&#39;s defin=
ed as a comma-separated list [i.e., #(values)] or the header field is a wel=
l-known exception&quot;</div>

<div>&quot;A recipient MAY combine multiple header fields with the same fie=
ld name, ..., without changing the semantics of the message, by appending e=
ach subsequent field value to the combined field value in order, separated =
by comma.&quot;</div>

<div><br></div><div>So this is clearly something that 7230 changed from 261=
6, in a way that provides a more liberal interpretation than 2616 allows.</=
div><div><br></div><div>As addressed earlier on review, because semi-colons=
 are used, if a recipient did coalesce, then such a header injection would =
cause the pinning header to be ignored (as invalid), rather than processed.=
 That still seems to be acceptable behaviour - e.g. no language change requ=
ired.</div>
</div></div></div></blockquote><div class=3D""><br></div><div class=3D"">Fa=
ir enough.=C2=A0 I hadn&#39;t seen your response to Pete.<br></div><div cla=
ss=3D""><br><br>=C2=A0 <br><blockquote class=3D"gmail_quote" style=3D"margi=
n:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204=
);border-left-style:solid;padding-left:1ex">

Section 2.5. &quot;at least one Pin that does NOT refer to an SPKI in the<b=
r>
certificate chain&quot;<br>
<br>
I understand the motivation for this, but this doesn&#39;t actually force t=
he<br>
site to have a backup pin -- they can just make up a pin value. =C2=A0It se=
ems<br>
like it would be more effective to make the recommendation in Section 4.3<b=
r>
stronger.<br></blockquote><div><br></div></div><blockquote class=3D"gmail_q=
uote" style=3D"margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1e=
x"><div dir=3D"ltr"><div class=3D"gmail_extra"><div class=3D"gmail_quote"><=
div>I&#39;m not sure what you see as a viable change. There&#39;s no way th=
at a UA can confirm a Backup Pin is a valid backup pin, short of requiring =
the key be online and capable of proving itself, which is precisely what ha=
ving a backup pin is to help you avoid.</div>
</div></div></div></blockquote><div><br></div><div>I guess I&#39;m just say=
ing that forcing the server to present a backup pin is kind of ineffective,=
 precisely because the UA can&#39;t verify that it&#39;s actually a backup =
pin.=C2=A0 So I&#39;m not sure that having this requirement will result in =
much more backup pinning than the recommendations in 4.3, especially if tho=
se recommendations were made stronger or more prominent.=C2=A0 <br>
<br></div><div>But if the WG thinks the requirement for a backup pin is wor=
th the effort, it is specified interoperably, so I&#39;m not going to stand=
 in the way.<br><br></div><div>--Richard <br></div><div><br><br><br></div>
<div><br>=C2=A0</div></div></div></div>

--e89a8f50221cf426f604fffbbbf7--


From nobody Wed Aug  6 15:12:12 2014
Return-Path: <ynir.ietf@gmail.com>
X-Original-To: websec@ietfa.amsl.com
Delivered-To: websec@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C33D81B28F5; Wed,  6 Aug 2014 15:12:06 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level: 
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9,  DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id a5gXleoSfqtc; Wed,  6 Aug 2014 15:12:05 -0700 (PDT)
Received: from mail-wg0-x229.google.com (mail-wg0-x229.google.com [IPv6:2a00:1450:400c:c00::229]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A75D61B28F3; Wed,  6 Aug 2014 15:12:04 -0700 (PDT)
Received: by mail-wg0-f41.google.com with SMTP id z12so3295533wgg.0 for <multiple recipients>; Wed, 06 Aug 2014 15:12:03 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113;  h=content-type:mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=peOkvCEZfsdUuKGSRy0e7eX6hJ41JnhO2aysc8toSR8=; b=BDSb9zeURDLZjXADWGd1GOJb0BkRto4BMvKQDUZYuOLIxJzVZWHgaEKZJd70MrnAY/ VFVmvxUBcCrgOtjG2/FSwjKszC6kO9nF+PfHjSxuodTAvrjvG/dnPWry9ZJ7kfmdZyqi ArsD3QxuZMcONW9KotU48E++XBr4MtYaMnruFEEhvWnb4snnIzFNZaHNdpdkQKh00n+0 zmhkTHzD7/QnERYi6UN2hBjPTp069mnwLJE64o6OJUk9U4ITrwOosg4dsKUhsYWdbK3H yNErpAGxRjSTMVdu5hJ3ngkI1rPlJoUXutXL+eTbQfFPdgjRnAJwm06sWqzfOrr/mtDG Bt+g==
X-Received: by 10.180.184.133 with SMTP id eu5mr48046627wic.26.1407363123239;  Wed, 06 Aug 2014 15:12:03 -0700 (PDT)
Received: from [192.168.1.104] (bzq-84-109-50-18.red.bezeqint.net. [84.109.50.18]) by mx.google.com with ESMTPSA id eh7sm5315671wjd.32.2014.08.06.15.12.02 for <multiple recipients> (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Wed, 06 Aug 2014 15:12:02 -0700 (PDT)
Content-Type: text/plain; charset=windows-1252
Mime-Version: 1.0 (Mac OS X Mail 7.3 \(1878.6\))
From: Yoav Nir <ynir.ietf@gmail.com>
In-Reply-To: <20140806192308.15466.52635.idtracker@ietfa.amsl.com>
Date: Thu, 7 Aug 2014 01:12:00 +0300
Content-Transfer-Encoding: quoted-printable
Message-Id: <4069DECD-ADB7-43BF-9323-1920A99BE141@gmail.com>
References: <20140806192308.15466.52635.idtracker@ietfa.amsl.com>
To: Richard Barnes <rlb@ipv.sx>
X-Mailer: Apple Mail (2.1878.6)
Archived-At: http://mailarchive.ietf.org/arch/msg/websec/1m13BaGR7BxfH38FDrSmkdMRIMc
Cc: draft-ietf-websec-key-pinning@tools.ietf.org, websec@ietf.org, The IESG <iesg@ietf.org>, websec-chairs@tools.ietf.org
Subject: Re: [websec] Richard Barnes' Yes on draft-ietf-websec-key-pinning-19: (with COMMENT)
X-BeenThere: websec@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/websec>, <mailto:websec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/websec/>
List-Post: <mailto:websec@ietf.org>
List-Help: <mailto:websec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/websec>, <mailto:websec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 06 Aug 2014 22:12:07 -0000

On Aug 6, 2014, at 10:23 PM, Richard Barnes <rlb@ipv.sx> wrote:

> Section 2.5. "at least one Pin that does NOT refer to an SPKI in the
> certificate chain"
>=20
> I understand the motivation for this, but this doesn't actually force =
the
> site to have a backup pin -- they can just make up a pin value.  It =
seems
> like it would be more effective to make the recommendation in Section =
4.3
> stronger.

I don=92t think we can force a site to do thing securely with any =
protocol. TLS and the like require "32 bytes generated by a secure RNG=94 =
here and =93nonce=94 there, yet the peer has no way of checking whether =
an implementation uses a 64-bit LFSR for the former and a hard-coded =
value for the latter. We=92re hoping this requirement will steer them in =
the right direction, but there are no guarantees.

> But if the WG thinks the requirement for a backup pin is worth the =
effort, it is specified interoperably, so I'm not going to stand in the =
way.

It does. Besides, generating a real key is as easy as generating a fake =
one:
  openssl genrsa -out private 2048
  openssl rsa -in private -putout -outform DER -out public
  openssl dgst -sha256 -binary public | base64


> Section 4. "Security Considerations"
>=20
> Most of these seem more like "Operational Considerations" or
> "How-To-Not-Brick-Your-Site Considerations".  :)

We felt that not bricking your site was very important. And it is =
security-relevant. If you don=92t do these things, then a key compromise =
is augmented by a long-lasting DoS. If you don=92t follow the advice, =
then this security mechanism actually makes the attacks worse.

Yoav


From nobody Thu Aug  7 04:07:16 2014
Return-Path: <stephen.farrell@cs.tcd.ie>
X-Original-To: websec@ietfa.amsl.com
Delivered-To: websec@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 13CA01B2A73; Thu,  7 Aug 2014 04:07:13 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level: 
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 6tFeefBX66_b; Thu,  7 Aug 2014 04:07:10 -0700 (PDT)
Received: from ietfa.amsl.com (localhost [IPv6:::1]) by ietfa.amsl.com (Postfix) with ESMTP id 19FFD1B2A6D; Thu,  7 Aug 2014 04:07:10 -0700 (PDT)
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
From: "Stephen Farrell" <stephen.farrell@cs.tcd.ie>
To: The IESG <iesg@ietf.org>
X-Test-IDTracker: no
X-IETF-IDTracker: 5.6.2.p5
Auto-Submitted: auto-generated
Precedence: bulk
Message-ID: <20140807110710.18212.14741.idtracker@ietfa.amsl.com>
Date: Thu, 07 Aug 2014 04:07:10 -0700
Archived-At: http://mailarchive.ietf.org/arch/msg/websec/v0P6fnspUrU_TKkYeHxqOq1lFHw
Cc: draft-ietf-websec-key-pinning@tools.ietf.org, websec@ietf.org, websec-chairs@tools.ietf.org
Subject: [websec] Stephen Farrell's Discuss on draft-ietf-websec-key-pinning-19: (with DISCUSS and COMMENT)
X-BeenThere: websec@ietf.org
X-Mailman-Version: 2.1.15
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/websec>, <mailto:websec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/websec/>
List-Post: <mailto:websec@ietf.org>
List-Help: <mailto:websec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/websec>, <mailto:websec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 07 Aug 2014 11:07:13 -0000

Stephen Farrell has entered the following ballot position for
draft-ietf-websec-key-pinning-19: Discuss

When responding, please keep the subject line intact and reply to all
email addresses included in the To and CC lines. (Feel free to cut this
introductory paragraph, however.)


Please refer to http://www.ietf.org/iesg/statement/discuss-criteria.html
for more information about IESG DISCUSS and COMMENT positions.


The document, along with other ballot positions, can be found here:
http://datatracker.ietf.org/doc/draft-ietf-websec-key-pinning/



----------------------------------------------------------------------
DISCUSS:
----------------------------------------------------------------------



Good doc. Two things I'd like to check before moving to a yes
ballot:

(1) 2.1 - Can a simple-directive start with "pin-"?  Seems like
yes it can, but then the ABNF is ambiguous about the RHS of the
"=" I think, is that right? Its no big deal since valid values
will parse anyway, so only an issue if you ever care about
simple-directive vs. pin-directive. Ah - does the last para of
2.1 mean that this distinction is needed really?

(2) 2.1.3 says that "If the scheme in the report-uri is one
that uses TLS (e.g.  HTTPS), UAs MUST perform Pinning
Validation when the host in the report-uri is a Known Pinned
Host;" That's generally ok, however, I think it may break for
alt-svc, where TLS is used but https is not, or if TCPINC
decided on a TLS based solution then some coder might get it
wrong. I think a simple re-statement in terms of http vs. https
URIs should fix this. I realise that neither alt-svc nor TCPINC
existed when this work started, but since they now do it'd pay
to think about them and I don't recall seeing that on the
websec list (apologies if I'm wrong there).  The IFF in 2.5
also seems related.  2.2 has same issues about alt-svc and
TCPINC. I do see that you only say "e.g. TLS" here but 
wonder nonetheless, e.g. would 2.2.1 cover an alt-svc case 
or not?


----------------------------------------------------------------------
COMMENT:
----------------------------------------------------------------------



abstract and elswhere: SubjectPublicKeyInfo doesn't usually
have spaces between the terms. No big deal. After the abstract
would a ref to 5280 be right for SPKI as well?

general: I think emphasising the backup pin requirement in the
intro would be good. It's a little hidden now and would be a
surprise to some I bet.

2.1 - pin-directive has the literal "pin-" but later you say
(in bullet #3) that directive names are case insensitive.  Does
that apply to "pin-" as well or not? 

2.1 - has some typos: reistry and hahs

2.1 - "Known Pinned Host" would be a fine term to define in a
section 1.1 that was renamed via s/Requirements
Language/Terminology/

2.1.1 - max-age is really defined against the time of reception
and not (in principle) from when its emitted?  I know that
makes no difference now, but with a sufficient latency (e.g.
Earth->Mars, min 4 mins, max 20 mins, and yes my DTN heritage
is showing:-) it could, just about. I think to be pedantically
correct, max-age ought be defined versus the time of emission
and not receipt.

2.1.2 - uses the term "Pinned Host" which is not the same as
the previously used "Known Pinned Host" - is the distinction
meant to be significant or is that a typo?

2.1.3/section 4 - shouldn't the potential DoS issues be
discussed for cases where report-uri != same-origin? E.g.  if
busy-site.example.net (is hacked and) sets report-uri to
victim.example.com (maybe with some HTML/JS that generates
loads of queries to the victimj) that'd be like getting /.'d I
think that's maybe worth noting in the security considerations
or in 2.1.3 where you (quite properly) say to rate-limit
reporting. If you'd rather not say why though, that's ok too.



From nobody Thu Aug  7 06:58:03 2014
Return-Path: <ted.lemon@nominum.com>
X-Original-To: websec@ietfa.amsl.com
Delivered-To: websec@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 73DE91B2B28; Thu,  7 Aug 2014 06:58:01 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level: 
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id z6LxZDlUy6sR; Thu,  7 Aug 2014 06:57:59 -0700 (PDT)
Received: from ietfa.amsl.com (localhost [IPv6:::1]) by ietfa.amsl.com (Postfix) with ESMTP id E38CA1B2B3D; Thu,  7 Aug 2014 06:57:51 -0700 (PDT)
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
From: "Ted Lemon" <ted.lemon@nominum.com>
To: The IESG <iesg@ietf.org>
X-Test-IDTracker: no
X-IETF-IDTracker: 5.6.2.p5
Auto-Submitted: auto-generated
Precedence: bulk
Message-ID: <20140807135751.6422.30957.idtracker@ietfa.amsl.com>
Date: Thu, 07 Aug 2014 06:57:51 -0700
Archived-At: http://mailarchive.ietf.org/arch/msg/websec/h7k9Gv8BHP5SOME8G75iXAkn5d8
Cc: draft-ietf-websec-key-pinning@tools.ietf.org, websec@ietf.org, websec-chairs@tools.ietf.org
Subject: [websec] Ted Lemon's Discuss on draft-ietf-websec-key-pinning-19: (with DISCUSS)
X-BeenThere: websec@ietf.org
X-Mailman-Version: 2.1.15
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/websec>, <mailto:websec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/websec/>
List-Post: <mailto:websec@ietf.org>
List-Help: <mailto:websec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/websec>, <mailto:websec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 07 Aug 2014 13:58:01 -0000

Ted Lemon has entered the following ballot position for
draft-ietf-websec-key-pinning-19: Discuss

When responding, please keep the subject line intact and reply to all
email addresses included in the To and CC lines. (Feel free to cut this
introductory paragraph, however.)


Please refer to http://www.ietf.org/iesg/statement/discuss-criteria.html
for more information about IESG DISCUSS and COMMENT positions.


The document, along with other ballot positions, can be found here:
http://datatracker.ietf.org/doc/draft-ietf-websec-key-pinning/



----------------------------------------------------------------------
DISCUSS:
----------------------------------------------------------------------

This mechanism relies on there being no MiTM attack from a compromised
signing key either prior to a legitimate pinning, or in a situation where
the host being "protected" doesn't actually do pinning.   I think this
should be mentioned in the security considerations section.   I raise
this to the level of DISCUSS because I think this actually creates a new
attack surface for government censorship: you MiTM the host you're
attacking, pin it to a cert signed using a compromised CA, and then that
UA can't communicate with the host again for the duration of the pin.

The scenario would be that the government has a transparent web cache in
the path between the host and the UA, and the web cache pins false cert
for hosts that are being censored.   Now even if the user sets up a
tunnel to bypass the transparent cache, they can't access the censored
site, so they conclude that the site is down and abandon the tunnel.   I
could easily see this being used in a scenario like the recent DNS
censorship in Turkey.

Setting a lower maximum pin age mitigates the damage of such attacks if
the user keeps the tunnel up for the duration of the pin, but I don't
think it's realistic to assume that they will.   I think that the only
way to mitigate this attack is to have a mechanism whereby conflicting
DANE TLSA information overrides the pin.   This would allow a site being
attacked in this way to securely inform the UA that the pin was invalid. 
 The government could of course prevent DNSSEC validation, but the UA
could take this as another signal to drop the pin: if the zone where the
TLSA record should be fails to validate (as opposed to isn't signed,
which wouldn't signify anything), the pin is likely a censorship attempt.





From nobody Thu Aug  7 11:11:47 2014
Return-Path: <internet-drafts@ietf.org>
X-Original-To: websec@ietfa.amsl.com
Delivered-To: websec@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D136A1A0322; Thu,  7 Aug 2014 11:11:45 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level: 
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id z4YmIJ4Tq82W; Thu,  7 Aug 2014 11:11:44 -0700 (PDT)
Received: from ietfa.amsl.com (localhost [IPv6:::1]) by ietfa.amsl.com (Postfix) with ESMTP id 9156A1A035B; Thu,  7 Aug 2014 11:11:40 -0700 (PDT)
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
From: internet-drafts@ietf.org
To: i-d-announce@ietf.org
X-Test-IDTracker: no
X-IETF-IDTracker: 5.6.2.p5
Auto-Submitted: auto-generated
Precedence: bulk
Message-ID: <20140807181140.4935.81427.idtracker@ietfa.amsl.com>
Date: Thu, 07 Aug 2014 11:11:40 -0700
Archived-At: http://mailarchive.ietf.org/arch/msg/websec/dJ7KJ8E4AUBvtCQfc7-trjh0WkQ
Cc: websec@ietf.org
Subject: [websec] I-D Action: draft-ietf-websec-key-pinning-20.txt
X-BeenThere: websec@ietf.org
X-Mailman-Version: 2.1.15
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/websec>, <mailto:websec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/websec/>
List-Post: <mailto:websec@ietf.org>
List-Help: <mailto:websec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/websec>, <mailto:websec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 07 Aug 2014 18:11:46 -0000

A New Internet-Draft is available from the on-line Internet-Drafts directories.
 This draft is a work item of the Web Security Working Group of the IETF.

        Title           : Public Key Pinning Extension for HTTP
        Authors         : Chris Evans
                          Chris Palmer
                          Ryan Sleevi
	Filename        : draft-ietf-websec-key-pinning-20.txt
	Pages           : 26
	Date            : 2014-08-07

Abstract:
   This document describes an extension to the HTTP protocol allowing
   web host operators to instruct user agents to remember ("pin") the
   hosts' cryptographic identities for a given period of time.  During
   that time, UAs will require that the host present a certificate chain
   including at least one Subject Public Key Info structure whose
   fingerprint matches one of the pinned fingerprints for that host.  By
   effectively reducing the number of authorities who can authenticate
   the domain during the lifetime of the pin, pinning may reduce the
   incidence of man-in-the-middle attacks due to compromised
   Certification Authorities.


The IETF datatracker status page for this draft is:
https://datatracker.ietf.org/doc/draft-ietf-websec-key-pinning/

There's also a htmlized version available at:
http://tools.ietf.org/html/draft-ietf-websec-key-pinning-20

A diff from the previous version is available at:
http://www.ietf.org/rfcdiff?url2=draft-ietf-websec-key-pinning-20


Please note that it may take a couple of minutes from the time of submission
until the htmlized version and diff are available at tools.ietf.org.

Internet-Drafts are also available by anonymous FTP at:
ftp://ftp.ietf.org/internet-drafts/


From nobody Thu Aug  7 11:11:54 2014
Return-Path: <internet-drafts@ietf.org>
X-Original-To: websec@ietfa.amsl.com
Delivered-To: websec@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2ADCB1A0369 for <websec@ietfa.amsl.com>; Thu,  7 Aug 2014 11:11:52 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level: 
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 383RkGcJSTFh; Thu,  7 Aug 2014 11:11:45 -0700 (PDT)
Received: from ietfa.amsl.com (localhost [IPv6:::1]) by ietfa.amsl.com (Postfix) with ESMTP id A689D1A0360; Thu,  7 Aug 2014 11:11:40 -0700 (PDT)
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
From: internet-drafts@ietf.org
To: websec-chairs@tools.ietf.org, draft-ietf-websec-key-pinning@tools.ietf.org, websec@ietf.org, barryleiba@computer.org, ted.lemon@nominum.com, stephen.farrell@cs.tcd.ie, Kathleen.Moriarty.ietf@gmail.com
X-Test-IDTracker: no
X-IETF-IDTracker: 5.6.2.p5
Auto-Submitted: auto-generated
Precedence: bulk
Message-ID: <20140807181140.4935.630.idtracker@ietfa.amsl.com>
Date: Thu, 07 Aug 2014 11:11:40 -0700
Archived-At: http://mailarchive.ietf.org/arch/msg/websec/-RPeLcoowpH6pBFUb_t5gOS8fF8
Subject: [websec] New Version Notification - draft-ietf-websec-key-pinning-20.txt
X-BeenThere: websec@ietf.org
X-Mailman-Version: 2.1.15
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/websec>, <mailto:websec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/websec/>
List-Post: <mailto:websec@ietf.org>
List-Help: <mailto:websec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/websec>, <mailto:websec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 07 Aug 2014 18:11:52 -0000

A new version (-20) has been submitted for draft-ietf-websec-key-pinning:
http://www.ietf.org/internet-drafts/draft-ietf-websec-key-pinning-20.txt


The IETF datatracker page for this Internet-Draft is:
https://datatracker.ietf.org/doc/draft-ietf-websec-key-pinning/

Diff from previous version:
http://www.ietf.org/rfcdiff?url2=draft-ietf-websec-key-pinning-20

Please note that it may take a couple of minutes from the time of submission
until the htmlized version and diff are available at tools.ietf.org.

IETF Secretariat.


From nobody Thu Aug  7 15:42:12 2014
Return-Path: <Kathleen.Moriarty.ietf@gmail.com>
X-Original-To: websec@ietfa.amsl.com
Delivered-To: websec@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BF4EF1A02E1; Wed,  6 Aug 2014 20:15:52 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.898
X-Spam-Level: 
X-Spam-Status: No, score=-1.898 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_ADSP_CUSTOM_MED=0.001, FREEMAIL_FROM=0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id TarUbpkhhROR; Wed,  6 Aug 2014 20:15:50 -0700 (PDT)
Received: from ietfa.amsl.com (localhost [IPv6:::1]) by ietfa.amsl.com (Postfix) with ESMTP id 911531A0640; Wed,  6 Aug 2014 20:15:50 -0700 (PDT)
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
From: "Kathleen Moriarty" <Kathleen.Moriarty.ietf@gmail.com>
To: The IESG <iesg@ietf.org>
X-Test-IDTracker: no
X-IETF-IDTracker: 5.6.2.p5
Auto-Submitted: auto-generated
Precedence: bulk
Message-ID: <20140807031550.1175.40039.idtracker@ietfa.amsl.com>
Date: Wed, 06 Aug 2014 20:15:50 -0700
Archived-At: http://mailarchive.ietf.org/arch/msg/websec/00oWGXS39kqlRr3VxEmo0o4B9vA
X-Mailman-Approved-At: Thu, 07 Aug 2014 15:42:07 -0700
Cc: draft-ietf-websec-key-pinning@tools.ietf.org, websec@ietf.org, websec-chairs@tools.ietf.org
Subject: [websec] Kathleen Moriarty's Discuss on draft-ietf-websec-key-pinning-19: (with DISCUSS and COMMENT)
X-BeenThere: websec@ietf.org
X-Mailman-Version: 2.1.15
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/websec>, <mailto:websec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/websec/>
List-Post: <mailto:websec@ietf.org>
List-Help: <mailto:websec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/websec>, <mailto:websec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 07 Aug 2014 03:15:53 -0000

Kathleen Moriarty has entered the following ballot position for
draft-ietf-websec-key-pinning-19: Discuss

When responding, please keep the subject line intact and reply to all
email addresses included in the To and CC lines. (Feel free to cut this
introductory paragraph, however.)


Please refer to http://www.ietf.org/iesg/statement/discuss-criteria.html
for more information about IESG DISCUSS and COMMENT positions.


The document, along with other ballot positions, can be found here:
http://datatracker.ietf.org/doc/draft-ietf-websec-key-pinning/



----------------------------------------------------------------------
DISCUSS:
----------------------------------------------------------------------

Overall the draft is very good, thank you for writing it.  I just wanted
to discuss some of the security/privacy considerations and see if we
could improve the language and make sure the set of concerns are clear.

The privacy consideration section reads more like possible attack
scenarios that would fit into the security considerations.  What privacy
related concerns result from these attacks?  Having that spelled out to
differentiate the risks as privacy only would be helpful (if appropriate)
or moving this into the security consideration section *IF* it is more
generically applicable.  If I am missing something and this is only
privacy related, it would be good to understand that in this discussion. 
 Adding some text on how these attacks could be used to expose privacy
related information would be helpful too.

For the first example, it seems it is the possibility that a report goes
outside out the intended scope is the concern.  The mitigation seems to
be provided in the last sentence of #4, but couldn't this be other
information leakage and not just privacy?  Let me know if I am missing
something that explains why this is privacy specific.

In #3 of the second example, the last sentence includes the following
clause:
          and giving some UAs no
          Valid Pinning Header for other subdomains (causing subsequent
          requests for m.fingerprint.example.com to succeed).

Does this mean that these subdomains are succeeding when they should
fail?  It might just be me, but that is not clear in the text (or if they
are supposed to succeed).  It sounds like they are not supposed to
succeed and this is the security issue.  How is this privacy specific? 
Again, this may just be me, but an explanation would be helpful.

In the last sentence of the privacy considerations section, what is meant
by the description "forensic attacker"?  I find this term confusing.  Was
this intended to mean that techniques used in forensic analysis could be
used by an attacker to discern information that could be of interest?  If
that's the case, I think it would be clearer to the reader if that were
stated instead.


----------------------------------------------------------------------
COMMENT:
----------------------------------------------------------------------

I agree with Richard's comment that the document is well written and an
important document, thank you for writing it.  The style changed a little
toward the end and I had some trouble with long sentences in the security
& privacy considerations sections.  This should be easy enough to fix and
may be done with the RFC editor anyway.

To Richard's point on operational concerns versus security concerns, are
there explicit security attacks that could occur with the max-age
variations described?  

In 4.2, I can't see this being more than an operational concern since it
fails when overlapping pin sets are not used.  Are we missing a gap that
leads to a security concern?

4.3 makes sense to me as a security concern that drives operational
practices.



From nobody Thu Aug  7 15:42:14 2014
Return-Path: <ietf-secretariat-reply@ietf.org>
X-Original-To: websec@ietfa.amsl.com
Delivered-To: websec@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8E9721A0AF1 for <websec@ietfa.amsl.com>; Thu,  7 Aug 2014 10:11:20 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level: 
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, TVD_SPACE_RATIO=0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id f2Lups2fi5N8; Thu,  7 Aug 2014 10:11:19 -0700 (PDT)
Received: from ietfa.amsl.com (localhost [IPv6:::1]) by ietfa.amsl.com (Postfix) with ESMTP id 4A91A1B2E78; Thu,  7 Aug 2014 10:11:14 -0700 (PDT)
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
To: websec-chairs@tools.ietf.org, draft-ietf-websec-key-pinning@tools.ietf.org, websec@ietf.org
X-Test-IDTracker: no
X-IETF-IDTracker: 5.6.2.p5
Auto-Submitted: auto-generated
Precedence: bulk
Message-ID: <20140807171114.427.40052.idtracker@ietfa.amsl.com>
Date: Thu, 07 Aug 2014 10:11:14 -0700
From: IETF Secretariat <ietf-secretariat-reply@ietf.org>
Archived-At: http://mailarchive.ietf.org/arch/msg/websec/JWd8Y2LfQk9t9rfA9QlecDnic7M
X-Mailman-Approved-At: Thu, 07 Aug 2014 15:42:07 -0700
Subject: [websec] ID Tracker State Update Notice: <draft-ietf-websec-key-pinning-19.txt>
X-BeenThere: websec@ietf.org
X-Mailman-Version: 2.1.15
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/websec>, <mailto:websec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/websec/>
List-Post: <mailto:websec@ietf.org>
List-Help: <mailto:websec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/websec>, <mailto:websec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 07 Aug 2014 17:11:20 -0000

IESG state changed to IESG Evaluation::AD Followup from IESG Evaluation
ID Tracker URL: http://datatracker.ietf.org/doc/draft-ietf-websec-key-pinning/


From nobody Fri Aug  8 12:11:54 2014
Return-Path: <barryleiba@gmail.com>
X-Original-To: websec@ietfa.amsl.com
Delivered-To: websec@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D1BD21A010E for <websec@ietfa.amsl.com>; Fri,  8 Aug 2014 12:11:53 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.278
X-Spam-Level: 
X-Spam-Status: No, score=-1.278 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, FM_FORGED_GMAIL=0.622, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id DIUPLHX3VYFX for <websec@ietfa.amsl.com>; Fri,  8 Aug 2014 12:11:46 -0700 (PDT)
Received: from mail-lb0-x229.google.com (mail-lb0-x229.google.com [IPv6:2a00:1450:4010:c04::229]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 397CF1A0055 for <websec@ietf.org>; Fri,  8 Aug 2014 12:11:45 -0700 (PDT)
Received: by mail-lb0-f169.google.com with SMTP id s7so4159413lbd.14 for <websec@ietf.org>; Fri, 08 Aug 2014 12:11:44 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113;  h=mime-version:sender:in-reply-to:references:date:message-id:subject :from:to:cc:content-type; bh=4rJXTEZuJSLOj0fz8ufpXsPeBzxDKWpupTj4AEv5fC0=; b=oYgtGVGth+hZtSMZl9fkg3d8bwKSSKTrPTyY4p0pQ6Rd9c64lGb4+0ngG4kexxYQaF JSmn96anpR1p9u7Chyz1wbU1ytGs77zKmn6cYBasbDJtz3bpoIJgdxrvLblsxMqSllJ5 smTnRWM7W5wTPXMLTKVLeOl5yw80vNuUf9cihvaBKaloToMKhYKPi+hQ1cnRXSyng6eX +cn0lhBrARoERmQIw8u+vj4xm48jwpFIKGen4BPlnUXaoUFb3Us8uIxR9Mfm2YgvXP72 RvXxbnOP4RXuQqexZwJEJYQTMan31dSBypyMJklqZ4AxfBq7RLLo5/G70woB9s9/TeKg QVSQ==
MIME-Version: 1.0
X-Received: by 10.112.35.97 with SMTP id g1mr22693396lbj.20.1407525104442; Fri, 08 Aug 2014 12:11:44 -0700 (PDT)
Sender: barryleiba@gmail.com
Received: by 10.152.8.46 with HTTP; Fri, 8 Aug 2014 12:11:44 -0700 (PDT)
In-Reply-To: <20140808190533.56A431801A4@rfc-editor.org>
References: <20140808190533.56A431801A4@rfc-editor.org>
Date: Fri, 8 Aug 2014 15:11:44 -0400
X-Google-Sender-Auth: xp5eGI58TvT1yd7gVHc-mnvaZIg
Message-ID: <CALaySJJB=g_gD9rFVoLU7JW7SkVvq9bK_H71TdPq3-em0JLFfQ@mail.gmail.com>
From: Barry Leiba <barryleiba@computer.org>
To: RFC Errata System <rfc-editor@rfc-editor.org>
Content-Type: text/plain; charset=ISO-8859-1
Archived-At: http://mailarchive.ietf.org/arch/msg/websec/XGNJBhiHDZWYyJ9L0ezTq1Yrb-c
Cc: e_lawrence@hotmail.com, Jeff Hodges <Jeff.Hodges@paypal.com>, Pete Resnick <presnick@qti.qualcomm.com>, "websec@ietf.org" <websec@ietf.org>, Collin Jackson <collin.jackson@sv.cmu.edu>
Subject: Re: [websec] [Technical Errata Reported] RFC6797 (4075)
X-BeenThere: websec@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/websec>, <mailto:websec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/websec/>
List-Post: <mailto:websec@ietf.org>
List-Help: <mailto:websec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/websec>, <mailto:websec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 08 Aug 2014 19:11:54 -0000

Eric, thanks for the report.

Errata are errors in the text that would have been fixed at
publication time, had they been caught.

Isn't this a change request, rather than an errata report?

Barry, Applications AD

On Fri, Aug 8, 2014 at 3:05 PM, RFC Errata System
<rfc-editor@rfc-editor.org> wrote:
> The following errata report has been submitted for RFC6797,
> "HTTP Strict Transport Security (HSTS)".
>
> --------------------------------------
> You may review the report below and at:
> http://www.rfc-editor.org/errata_search.php?rfc=6797&eid=4075
>
> --------------------------------------
> Type: Technical
> Reported by: Eric Lawrence <e_lawrence@hotmail.com>
>
> Section: 14
>
> Original Text
> -------------
>    Without the "includeSubDomains" directive, HSTS is unable to protect
>    such Secure-flagged domain cookies.
>
> Corrected Text
> --------------
>    Without the "includeSubDomains" directive, HSTS is unable to protect
>    such Secure-flagged domain cookies.
>
>    Even with the "includeSubDomains" directive, the unavailability of
>    an "includeParent" directive means that an Active MITM attacker can
>    perform a cookie-injection attack against an otherwise
>    HSTS-protected victim domain.
>
>    Consider the following scenario:
>
>     The user visits https://sub.example.com and gets a HSTS policy with
>     includeSubdomains set. All subsequent navigations to
>     sub.example.com and its subdomains will be secure.
>
>     An attacker causes the victim's browser to navigate to
>     http://example.com. Because the HSTS policy applies only to
>     sub.example.com and its superdomain matches, this insecure
>     navigation is not blocked by the user agent.
>
>     The attacker intercepts this insecure request and returns a
>     response that sets a cookie on the entire domain tree using a
>     Set-Cookie header.
>
>     All subsequent requests to sub.example.com carry the injected
>     cookie, despite the use of HSTS.
>
> Notes
> -----
> To mitigate this attack, HSTS-protected websites should perform a background fetch of a resource at the first-level domain. This resource should carry a HSTS header that will apply to the entire domain and all subdomains.
>
> Instructions:
> -------------
> This erratum is currently posted as "Reported". If necessary, please
> use "Reply All" to discuss whether it should be verified or
> rejected. When a decision is reached, the verifying party (IESG)
> can log in to change the status and edit the report, if necessary.
>
> --------------------------------------
> RFC6797 (draft-ietf-websec-strict-transport-sec-14)
> --------------------------------------
> Title               : HTTP Strict Transport Security (HSTS)
> Publication Date    : November 2012
> Author(s)           : J. Hodges, C. Jackson, A. Barth
> Category            : PROPOSED STANDARD
> Source              : Web Security
> Area                : Applications
> Stream              : IETF
> Verifying Party     : IESG
>


From nobody Fri Aug  8 12:54:19 2014
Return-Path: <barryleiba@gmail.com>
X-Original-To: websec@ietfa.amsl.com
Delivered-To: websec@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3BF751A03CD for <websec@ietfa.amsl.com>; Fri,  8 Aug 2014 12:54:18 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.278
X-Spam-Level: 
X-Spam-Status: No, score=-1.278 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, FM_FORGED_GMAIL=0.622, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id avPh9K2w08ME for <websec@ietfa.amsl.com>; Fri,  8 Aug 2014 12:54:16 -0700 (PDT)
Received: from mail-la0-x22f.google.com (mail-la0-x22f.google.com [IPv6:2a00:1450:4010:c03::22f]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 338A61A03C8 for <websec@ietf.org>; Fri,  8 Aug 2014 12:54:16 -0700 (PDT)
Received: by mail-la0-f47.google.com with SMTP id mc6so4954694lab.20 for <websec@ietf.org>; Fri, 08 Aug 2014 12:54:14 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113;  h=mime-version:sender:in-reply-to:references:date:message-id:subject :from:to:cc:content-type; bh=V6ocbBrpLfRfm/Iv5YpV3Qh+ODJR0DRscjkPBLLuCEc=; b=pwVHZLbf0U4igcO2HRmpz/5xdXxQVsIjGQdx0HTw7StQ4F928qZi0x5M5wV1WpgGNC 0Uk2zYKoARS0fxhbD+tcvx4xpUdFeNUxMAFb2fMmqqPx73ujTHv9sKTG4EkqIPLSHPxc 8r7ZYX/HmkXhwXmrILWNR3BAx21VV814/Py6gbWXdqXCv0kem+MxP0MywuU8G43jV+z+ HZPFHdjK4wVvTAoige1O913+23rUR4w8N2Ri3SKE9qVvze0ox/vx8PPS6zqCu/dZrPXj sRqJf6S7orpeyNYWrKBJuQpCUC8noqfXKnFcstic4fzqJVc7pozxzLRsC5TKFLLPadQi mfMg==
MIME-Version: 1.0
X-Received: by 10.112.161.72 with SMTP id xq8mr22225266lbb.18.1407527654510; Fri, 08 Aug 2014 12:54:14 -0700 (PDT)
Sender: barryleiba@gmail.com
Received: by 10.152.8.46 with HTTP; Fri, 8 Aug 2014 12:54:14 -0700 (PDT)
In-Reply-To: <COL131-DS14E7BAAD30061ECA07D1D5F0EE0@phx.gbl>
References: <20140808190533.56A431801A4@rfc-editor.org> <CALaySJJB=g_gD9rFVoLU7JW7SkVvq9bK_H71TdPq3-em0JLFfQ@mail.gmail.com> <COL131-DS14E7BAAD30061ECA07D1D5F0EE0@phx.gbl>
Date: Fri, 8 Aug 2014 15:54:14 -0400
X-Google-Sender-Auth: a-jFWl0PyXh7PIoj8vJEhcd4Vds
Message-ID: <CALaySJJe6v7JwceN+TucqtdJWA9dh3+oj6-awYXHJwY6iZEvzA@mail.gmail.com>
From: Barry Leiba <barryleiba@computer.org>
To: Eric Lawrence <e_lawrence@hotmail.com>
Content-Type: text/plain; charset=ISO-8859-1
Archived-At: http://mailarchive.ietf.org/arch/msg/websec/hkz8C7mYnEXtOGkkgDImgnNuozk
Cc: Jeff Hodges <Jeff.Hodges@paypal.com>, Pete Resnick <presnick@qti.qualcomm.com>, "websec@ietf.org" <websec@ietf.org>, Collin Jackson <collin.jackson@sv.cmu.edu>, RFC Errata System <rfc-editor@rfc-editor.org>
Subject: Re: [websec] [Technical Errata Reported] RFC6797 (4075)
X-BeenThere: websec@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/websec>, <mailto:websec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/websec/>
List-Post: <mailto:websec@ietf.org>
List-Help: <mailto:websec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/websec>, <mailto:websec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 08 Aug 2014 19:54:18 -0000

> I'm afraid I'm only a consumer of RFCs and thus I'm not sure I understand
> the distinction here. To me, it seems that the RFC's threat model is
> incomplete.

Perhaps it is, but the distinction is about whether an error was made
in writing the document, or whether there's a flaw in the protocol, an
issue that wasn't considered in the discussion, or the like.

The sentence you're addressing is entirely consistent with the rest of
Section 14.4, and doesn't look like "errata" to me.  It's quite
possible that the working group blew it and should have thought about
things differently.  It's possible that someone should write an update
to RFC 6797 to correct it, and that your input would be useful.

But you're asking the websec working group to consider an update, not
making an errata report, as I see it.

Does anyone from websec have a comment on this?

Barry

> -----Original Message----- From: Barry Leiba
> Sent: Friday, August 8, 2014 2:11 PM
> To: RFC Errata System
> Cc: Jeff Hodges ; Collin Jackson ; Adam Barth ; Pete Resnick ; Tobias
> Gondrom ; Yoav Nir ; e_lawrence@hotmail.com ; websec@ietf.org
> Subject: Re: [Technical Errata Reported] RFC6797 (4075)
>
>
> Eric, thanks for the report.
>
> Errata are errors in the text that would have been fixed at
> publication time, had they been caught.
>
> Isn't this a change request, rather than an errata report?
>
> Barry, Applications AD
>
> On Fri, Aug 8, 2014 at 3:05 PM, RFC Errata System
> <rfc-editor@rfc-editor.org> wrote:
>>
>> The following errata report has been submitted for RFC6797,
>> "HTTP Strict Transport Security (HSTS)".
>>
>> --------------------------------------
>> You may review the report below and at:
>> http://www.rfc-editor.org/errata_search.php?rfc=6797&eid=4075
>>
>> --------------------------------------
>> Type: Technical
>> Reported by: Eric Lawrence <e_lawrence@hotmail.com>
>>
>> Section: 14
>>
>> Original Text
>> -------------
>>    Without the "includeSubDomains" directive, HSTS is unable to protect
>>    such Secure-flagged domain cookies.
>>
>> Corrected Text
>> --------------
>>    Without the "includeSubDomains" directive, HSTS is unable to protect
>>    such Secure-flagged domain cookies.
>>
>>    Even with the "includeSubDomains" directive, the unavailability of
>>    an "includeParent" directive means that an Active MITM attacker can
>>    perform a cookie-injection attack against an otherwise
>>    HSTS-protected victim domain.
>>
>>    Consider the following scenario:
>>
>>     The user visits https://sub.example.com and gets a HSTS policy with
>>     includeSubdomains set. All subsequent navigations to
>>     sub.example.com and its subdomains will be secure.
>>
>>     An attacker causes the victim's browser to navigate to
>>     http://example.com. Because the HSTS policy applies only to
>>     sub.example.com and its superdomain matches, this insecure
>>     navigation is not blocked by the user agent.
>>
>>     The attacker intercepts this insecure request and returns a
>>     response that sets a cookie on the entire domain tree using a
>>     Set-Cookie header.
>>
>>     All subsequent requests to sub.example.com carry the injected
>>     cookie, despite the use of HSTS.
>>
>> Notes
>> -----
>> To mitigate this attack, HSTS-protected websites should perform a
>> background fetch of a resource at the first-level domain. This resource
>> should carry a HSTS header that will apply to the entire domain and all
>> subdomains.
>>
>> Instructions:
>> -------------
>> This erratum is currently posted as "Reported". If necessary, please
>> use "Reply All" to discuss whether it should be verified or
>> rejected. When a decision is reached, the verifying party (IESG)
>> can log in to change the status and edit the report, if necessary.
>>
>> --------------------------------------
>> RFC6797 (draft-ietf-websec-strict-transport-sec-14)
>> --------------------------------------
>> Title               : HTTP Strict Transport Security (HSTS)
>> Publication Date    : November 2012
>> Author(s)           : J. Hodges, C. Jackson, A. Barth
>> Category            : PROPOSED STANDARD
>> Source              : Web Security
>> Area                : Applications
>> Stream              : IETF
>> Verifying Party     : IESG
>>
>


From nobody Fri Aug  8 14:16:51 2014
Return-Path: <ynir.ietf@gmail.com>
X-Original-To: websec@ietfa.amsl.com
Delivered-To: websec@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B57CF1A00D7 for <websec@ietfa.amsl.com>; Fri,  8 Aug 2014 14:16:35 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level: 
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9,  DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id h-OcjEFOvG7V for <websec@ietfa.amsl.com>; Fri,  8 Aug 2014 14:16:32 -0700 (PDT)
Received: from mail-wi0-x229.google.com (mail-wi0-x229.google.com [IPv6:2a00:1450:400c:c05::229]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5FA041A026C for <websec@ietf.org>; Fri,  8 Aug 2014 14:16:32 -0700 (PDT)
Received: by mail-wi0-f169.google.com with SMTP id n3so3087866wiv.4 for <websec@ietf.org>; Fri, 08 Aug 2014 14:16:31 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113;  h=content-type:mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=df6RsabIh68EPD8mDHEdNWlZ6O0Zisq8AS7FXOdCVDA=; b=Q4yL4lFB982vTK/l9lNRg79JXJMj8DPniXJ7JcWHIZjxUaHryH50bZFpqJ/7rMinh1 60h6CYBjkGZsE4Z87dYnQKlT1nvvGEzzkydFky6YDHF0S//9CuJ1JIzWpnNt1W9ong4Q Cx66m0NYNUL837PnWYpa5C04lIe/J5q7blYnxH82w1DacJpPP8haSfoc8bHbd+op/pM4 lfI4FTVr8DM9zomFK1g6bko4HmMmqL3225/fv6QL6HUG7GhrqoCWvrMYG5aSM9saQeeF N7x8tXB+OHIJzMJ0SC4X/6/JSQI1wG+mwqvREvvVlaieHUvDNkkOHKLl37msb1EnGkKB sy2A==
X-Received: by 10.180.206.134 with SMTP id lo6mr928156wic.1.1407532591054; Fri, 08 Aug 2014 14:16:31 -0700 (PDT)
Received: from [192.168.1.100] (bzq-84-109-50-18.red.bezeqint.net. [84.109.50.18]) by mx.google.com with ESMTPSA id r1sm11115299wia.21.2014.08.08.14.16.29 for <multiple recipients> (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Fri, 08 Aug 2014 14:16:30 -0700 (PDT)
Content-Type: text/plain; charset=windows-1252
Mime-Version: 1.0 (Mac OS X Mail 7.3 \(1878.6\))
From: Yoav Nir <ynir.ietf@gmail.com>
In-Reply-To: <CALaySJJe6v7JwceN+TucqtdJWA9dh3+oj6-awYXHJwY6iZEvzA@mail.gmail.com>
Date: Sat, 9 Aug 2014 00:16:30 +0300
Content-Transfer-Encoding: quoted-printable
Message-Id: <151DC1A6-B162-4EF7-A78B-3723A64F7D84@gmail.com>
References: <20140808190533.56A431801A4@rfc-editor.org> <CALaySJJB=g_gD9rFVoLU7JW7SkVvq9bK_H71TdPq3-em0JLFfQ@mail.gmail.com> <COL131-DS14E7BAAD30061ECA07D1D5F0EE0@phx.gbl> <CALaySJJe6v7JwceN+TucqtdJWA9dh3+oj6-awYXHJwY6iZEvzA@mail.gmail.com>
To: Eric Lawrence <e_lawrence@hotmail.com>, Barry Leiba <barryleiba@computer.org>
X-Mailer: Apple Mail (2.1878.6)
Archived-At: http://mailarchive.ietf.org/arch/msg/websec/a5JgG4EkGjLCqsx_2KvYfYELbLQ
Cc: Jeff Hodges <Jeff.Hodges@paypal.com>, Pete Resnick <presnick@qti.qualcomm.com>, "websec@ietf.org" <websec@ietf.org>, Collin Jackson <collin.jackson@sv.cmu.edu>, RFC Errata System <rfc-editor@rfc-editor.org>
Subject: Re: [websec] [Technical Errata Reported] RFC6797 (4075)
X-BeenThere: websec@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/websec>, <mailto:websec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/websec/>
List-Post: <mailto:websec@ietf.org>
List-Help: <mailto:websec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/websec>, <mailto:websec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 08 Aug 2014 21:16:35 -0000

On Aug 8, 2014, at 10:54 PM, Barry Leiba <barryleiba@computer.org> =
wrote:

>> I'm afraid I'm only a consumer of RFCs and thus I'm not sure I =
understand
>> the distinction here. To me, it seems that the RFC's threat model is
>> incomplete.
>=20
> Perhaps it is, but the distinction is about whether an error was made
> in writing the document, or whether there's a flaw in the protocol, an
> issue that wasn't considered in the discussion, or the like.
>=20
> The sentence you're addressing is entirely consistent with the rest of
> Section 14.4, and doesn't look like "errata" to me.  It's quite
> possible that the working group blew it and should have thought about
> things differently.  It's possible that someone should write an update
> to RFC 6797 to correct it, and that your input would be useful.
>=20
> But you're asking the websec working group to consider an update, not
> making an errata report, as I see it.
>=20
> Does anyone from websec have a comment on this?

Hi Barry.

Reading this, it doesn=92t look like an error in the document, but as an =
attack that the group may not have considered, which HSTS may not =
protect. If this is indeed valid, and if this had been caught in IETF =
last call or IESG review, this would probably have been sent back to the =
working group to complete.

Eric: I=92m trying to understand the issue, so please see the below and =
tell me if I understood it correctly.=20

Suppose we set up secure.tools.ietf.org and a sub-domain of =
tools.ietf.org and set HSTS on that domain (but not on tools.ietf.org, =
which is available in HTTP)
I browse http://tools.ietf.org. Because I=92m not using HTTPS, an =
attacker intercepts the connection and injects a cookie for all =
subdomain (Path=3D/; Domain=3Dtools.ietf.org).=20
My next connection to https://secure.tools.ietf.org will send this =
cookie.

Did I get this correctly?

So my first reaction was =93No way. You can=92t set a Secure cookie over =
an HTTP connection, can you?  Just like you can=92t set HSTS over an =
HTTP connection.=94 So I went to find where in RFC 6265 it says that. So =
of course it doesn=92t.  Googling it shows that I=92m not the first to =
wonder about that. In anyone has some insight about this, I=92d be glad =
to know. Is it just that cookies have always worked like this, so we=92re =
not changing it now?

Unless I=92m missing something, this could be a real problem, and there =
are several ways to mitigate it. Any of them requires a new document =
that either replaces 6797 or updates it ( I can see this solved with a =
2-page + boilerplate document). But I don=92t think an errata report is =
the way to go on this.

Yoav



From nobody Fri Aug  8 15:06:30 2014
Return-Path: <ynir.ietf@gmail.com>
X-Original-To: websec@ietfa.amsl.com
Delivered-To: websec@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 84F1D1A00FC for <websec@ietfa.amsl.com>; Fri,  8 Aug 2014 15:06:29 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level: 
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9,  DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id M0l_RXLG0pOv for <websec@ietfa.amsl.com>; Fri,  8 Aug 2014 15:06:27 -0700 (PDT)
Received: from mail-wi0-x22d.google.com (mail-wi0-x22d.google.com [IPv6:2a00:1450:400c:c05::22d]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A7E511A00EB for <websec@ietf.org>; Fri,  8 Aug 2014 15:06:26 -0700 (PDT)
Received: by mail-wi0-f173.google.com with SMTP id f8so1705385wiw.0 for <websec@ietf.org>; Fri, 08 Aug 2014 15:06:25 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113;  h=subject:mime-version:content-type:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=6i0cx3v35nGul4Pvyzag95poOaOFZPftL75SVkRQwq8=; b=BcBuwzJC3qciaHdk+ZLyGh3LCT7cLmEl4mKDnPoj1hh51fWMVLccdx3sX7M9+Ew/Wr Kz50fPbNOJ/nlROnwtsxF/ZAxV/VuamKk5rJ/dBJrI+/6b4ZdzSQe9zkNR3ubiGVJ3+X Cm8CAP1BYn5Z1IYmXesoyoQAGrZmKjF+jzAtazn5NkNUWvTAmvxxMI4TEcyaeY+F3aFb cjeL4WhW15b/NkG/kB6QRHpGhTMUdmZYmL+Y9QxiSJqBRFg+B332VlM0K2ZRStNAkqiA nO0XglxgMVmp/FgQbY8v9+cKhqJlYxs6uxMXzYauvQr3j8nNNhDDqNDxeCBnS0MwEUWO Hm4Q==
X-Received: by 10.180.73.139 with SMTP id l11mr6990617wiv.30.1407535585213; Fri, 08 Aug 2014 15:06:25 -0700 (PDT)
Received: from [192.168.1.100] (bzq-84-109-50-18.red.bezeqint.net. [84.109.50.18]) by mx.google.com with ESMTPSA id h13sm20190790wjs.2.2014.08.08.15.06.22 for <multiple recipients> (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Fri, 08 Aug 2014 15:06:24 -0700 (PDT)
Mime-Version: 1.0 (Mac OS X Mail 7.3 \(1878.6\))
Content-Type: text/plain; charset=windows-1252
From: Yoav Nir <ynir.ietf@gmail.com>
X-Priority: 3
In-Reply-To: <COL131-DS10F844603100882CC36852F0EE0@phx.gbl>
Date: Sat, 9 Aug 2014 01:06:23 +0300
Content-Transfer-Encoding: quoted-printable
Message-Id: <85006244-94CE-4AD8-9042-4C8CDF216C12@gmail.com>
References: <20140808190533.56A431801A4@rfc-editor.org> <CALaySJJB=g_gD9rFVoLU7JW7SkVvq9bK_H71TdPq3-em0JLFfQ@mail.gmail.com> <COL131-DS14E7BAAD30061ECA07D1D5F0EE0@phx.gbl> <CALaySJJe6v7JwceN+TucqtdJWA9dh3+oj6-awYXHJwY6iZEvzA@mail.gmail.com> <151DC1A6-B162-4EF7-A78B-3723A64F7D84@gmail.com> <COL131-DS10F844603100882CC36852F0EE0@phx.gbl>
To: Eric Lawrence <e_lawrence@hotmail.com>
X-Mailer: Apple Mail (2.1878.6)
Archived-At: http://mailarchive.ietf.org/arch/msg/websec/6SNqZ6BHg7XpO16SRL6wJ_OSGKM
Cc: Barry Leiba <barryleiba@computer.org>, Jeff Hodges <Jeff.Hodges@paypal.com>, Pete Resnick <presnick@qti.qualcomm.com>, websec@ietf.org, Collin Jackson <collin.jackson@sv.cmu.edu>, RFC Errata System <rfc-editor@rfc-editor.org>
Subject: Re: [websec] [Technical Errata Reported] RFC6797 (4075)
X-BeenThere: websec@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/websec>, <mailto:websec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/websec/>
List-Post: <mailto:websec@ietf.org>
List-Help: <mailto:websec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/websec>, <mailto:websec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 08 Aug 2014 22:06:29 -0000

Thanks, Eric

This does look to me like content for an update RFC (with a name like =
=93secure practices of using HSTS in the presence of subdomains=94).

I=92m not sure how high in the DNS hierarchy you would wish to go.

For secure.tools.ietf.org, it makes sense to check tools.ietf.org and =
ietf.org.  That also works for .com sites. But in some countries they =
have their national TLS plus another for commercial/organization. So the =
top company/organizational domain would be something like somecorp.co.uk =
or someorg.org.il.  There would be no point in checking for HSTS at =
co.uk.  Maybe there are rules for this.

Yoav

On Aug 9, 2014, at 12:52 AM, Eric Lawrence <e_lawrence@hotmail.com> =
wrote:

> Hi, Yoav--
>=20
> Ivan Ristic's new "Bulletproof SSL and TLS" covers "Cookie =
Manipulation Attacks" quite nicely.  As he explains well, a serious =
limitation with HTTP cookies is that they do not carry their metadata =
when resent to the server, so a secure cookie set by =
"secure.tools.ietf.org" is, upon receipt by the server in a request's =
Cookie header, indistinguishable from a insecure cookie of the same name =
set by "tools.ietf.org". The cookie does not convey the origin from =
which it was set.
>=20
> RFC6797 Section 14 notes that HSTS's includeSubdomains feature blocks =
a similar problem (namely, an insecure cookie set by =
http://sub.secure.tools.ietf.org could be set against its parent =
secure.tools.ietf.org). However, because includeSubdomains only applies =
to sub-domains, rather than parent-domains, this protection is =
insufficient to address cookie injection attacks against a parent =
domain.
>=20
> It's hard to argue that this limitation is a flaw in HSTS (because the =
alternative would be to permit a subdomain to define a HSTS policy for =
its parent). However, because it is a threat against a site that is =
otherwise protected via HSTS, I would suggest that there should be =
implementation guidance of the form: "Any page secured by HSTS that is =
at a third-level-effective-domain (www.privatedomain.etld) or lower in =
the DNS hierarchy should include a resource reference to the parent =
privatedomain (e.g. https://privatedomain.etld/1x1.gif) such that the =
dereferencing of that resource will provide the UA the opportunity to =
store a HSTS policy that will protect the entire privatedomain tree."
>=20
> -Eric
>=20
> -----Original Message----- From: Yoav Nir
> Sent: Friday, August 8, 2014 4:16 PM
> To: Eric Lawrence ; Barry Leiba
> Cc: RFC Errata System ; Jeff Hodges ; Collin Jackson ; Adam Barth ; =
Pete Resnick ; Tobias Gondrom ; websec@ietf.org
> Subject: Re: [Technical Errata Reported] RFC6797 (4075)
>=20
>=20
> On Aug 8, 2014, at 10:54 PM, Barry Leiba <barryleiba@computer.org> =
wrote:
>=20
>>> I'm afraid I'm only a consumer of RFCs and thus I'm not sure I =
understand
>>> the distinction here. To me, it seems that the RFC's threat model is
>>> incomplete.
>>=20
>> Perhaps it is, but the distinction is about whether an error was made
>> in writing the document, or whether there's a flaw in the protocol, =
an
>> issue that wasn't considered in the discussion, or the like.
>>=20
>> The sentence you're addressing is entirely consistent with the rest =
of
>> Section 14.4, and doesn't look like "errata" to me.  It's quite
>> possible that the working group blew it and should have thought about
>> things differently.  It's possible that someone should write an =
update
>> to RFC 6797 to correct it, and that your input would be useful.
>>=20
>> But you're asking the websec working group to consider an update, not
>> making an errata report, as I see it.
>>=20
>> Does anyone from websec have a comment on this?
>=20
> Hi Barry.
>=20
> Reading this, it doesn=92t look like an error in the document, but as =
an attack that the group may not have considered, which HSTS may not =
protect. If this is indeed valid, and if this had been caught in IETF =
last call or IESG review, this would probably have been sent back to the =
working group to complete.
>=20
> Eric: I=92m trying to understand the issue, so please see the below =
and tell me if I understood it correctly.
>=20
> Suppose we set up secure.tools.ietf.org and a sub-domain of =
tools.ietf.org and set HSTS on that domain (but not on tools.ietf.org, =
which is available in HTTP)
> I browse http://tools.ietf.org. Because I=92m not using HTTPS, an =
attacker intercepts the connection and injects a cookie for all =
subdomain (Path=3D/; Domain=3Dtools.ietf.org).
> My next connection to https://secure.tools.ietf.org will send this =
cookie.
>=20
> Did I get this correctly?
>=20
> So my first reaction was =93No way. You can=92t set a Secure cookie =
over an HTTP connection, can you?  Just like you can=92t set HSTS over =
an HTTP connection.=94 So I went to find where in RFC 6265 it says that. =
So of course it doesn=92t. Googling it shows that I=92m not the first to =
wonder about that. In anyone has some insight about this, I=92d be glad =
to know. Is it just that cookies have always worked like this, so we=92re =
not changing it now?
>=20
> Unless I=92m missing something, this could be a real problem, and =
there are several ways to mitigate it. Any of them requires a new =
document that either replaces 6797 or updates it ( I can see this solved =
with a 2-page + boilerplate document). But I don=92t think an errata =
report is the way to go on this.
>=20
> Yoav
>=20
>=20


From nobody Fri Aug  8 16:44:41 2014
Return-Path: <palmer@google.com>
X-Original-To: websec@ietfa.amsl.com
Delivered-To: websec@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4C6761A0202 for <websec@ietfa.amsl.com>; Fri,  8 Aug 2014 16:44:39 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.38
X-Spam-Level: 
X-Spam-Status: No, score=-1.38 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FM_FORGED_GMAIL=0.622, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id wzFDFzeAA3Gp for <websec@ietfa.amsl.com>; Fri,  8 Aug 2014 16:44:38 -0700 (PDT)
Received: from mail-qg0-x22b.google.com (mail-qg0-x22b.google.com [IPv6:2607:f8b0:400d:c04::22b]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D51CD1A01E2 for <websec@ietf.org>; Fri,  8 Aug 2014 16:44:37 -0700 (PDT)
Received: by mail-qg0-f43.google.com with SMTP id a108so6877321qge.30 for <websec@ietf.org>; Fri, 08 Aug 2014 16:44:37 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type:content-transfer-encoding; bh=TF5Pj9ZCq8TW2T61N5GDaavBPy3luIXoDlaLruEx65s=; b=V0Ti3Aibqwbj0JYgz6L69r6k+bS4pWkrZ0vHH5VxJ3MSfevto67lBG9Fnv9TByKE8x e00JAYu/oed8wpo7+x4SuooJHyQp/vAlHyghGKOzgMubCbu1ASZULHQC64JIApNnIqaC potBjNxVxce/3OK4pXTwDFIMqcS2jkxBcOD+gLLN1bN1iMZ+cGmQ2gAHsO8zyb6yB4F6 AG2nbC+ZDuiCGVLKWobDim8go+0KdNTDqZy/+mwANnfabU+Cc4EPiRkxSpDN2hIE6Ezp ztW4zNeN8urt0uY0MoM8LJlzKtZh+a/E9sIu07NOlc382B56lBtmj87a6tHW/c/+7aCK TwVg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:date :message-id:subject:from:to:cc:content-type :content-transfer-encoding; bh=TF5Pj9ZCq8TW2T61N5GDaavBPy3luIXoDlaLruEx65s=; b=YWjfHsPCK+WofdutcjOtwzO24Edtw3Y929unuB1g4T/NG3lhpVl5Vop+bPIAHnggdk W1+oX355EJxlyuYkJp1eW8fnzdI7VM9pwIKPZW0+ql9t4ptPJk5PJ7A2soY+rSV4ga9W csIKqjjZLBp6nyVTzXaoFvtdK3GAukxhMCDRUmXUXdxfbP+kQlTsoJJVh8HgRPECp6W6 p/NNtKNFoIDL4xeo8yfBRfCkY+h1C2pIiigER0ASnZ/eIN7SoTApz30QGDe2B4Xxx1tU NSoU+I9Vk16WTJANo4mndCJMO5my9lAeN3yvq/u4MHjlSL+1n6h+3Ye6NLtYgQ+St9m9 +xzg==
X-Gm-Message-State: ALoCoQnrR8PjslBX1eSvOXpH5IvvKIivd3fOimEhLOcMcGzRWZiU5bA0wLnY0OYiqezVdWnK/Elt
MIME-Version: 1.0
X-Received: by 10.140.25.11 with SMTP id 11mr28773228qgs.9.1407541476904; Fri, 08 Aug 2014 16:44:36 -0700 (PDT)
Received: by 10.229.9.130 with HTTP; Fri, 8 Aug 2014 16:44:36 -0700 (PDT)
In-Reply-To: <85006244-94CE-4AD8-9042-4C8CDF216C12@gmail.com>
References: <20140808190533.56A431801A4@rfc-editor.org> <CALaySJJB=g_gD9rFVoLU7JW7SkVvq9bK_H71TdPq3-em0JLFfQ@mail.gmail.com> <COL131-DS14E7BAAD30061ECA07D1D5F0EE0@phx.gbl> <CALaySJJe6v7JwceN+TucqtdJWA9dh3+oj6-awYXHJwY6iZEvzA@mail.gmail.com> <151DC1A6-B162-4EF7-A78B-3723A64F7D84@gmail.com> <COL131-DS10F844603100882CC36852F0EE0@phx.gbl> <85006244-94CE-4AD8-9042-4C8CDF216C12@gmail.com>
Date: Fri, 8 Aug 2014 16:44:36 -0700
Message-ID: <CAOuvq23i1b3FwiZukJiq0wUb_UMjMC0xK5FUUSnEN1mat7U_wQ@mail.gmail.com>
From: Chris Palmer <palmer@google.com>
To: Yoav Nir <ynir.ietf@gmail.com>
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: quoted-printable
Archived-At: http://mailarchive.ietf.org/arch/msg/websec/CI-OR72Mt9kHD9fstf9uKgN-tY8
Cc: Eric Lawrence <e_lawrence@hotmail.com>, Jeff Hodges <Jeff.Hodges@paypal.com>, Pete Resnick <presnick@qti.qualcomm.com>, IETF WebSec WG <websec@ietf.org>, Collin Jackson <collin.jackson@sv.cmu.edu>, Barry Leiba <barryleiba@computer.org>, RFC Errata System <rfc-editor@rfc-editor.org>
Subject: Re: [websec] [Technical Errata Reported] RFC6797 (4075)
X-BeenThere: websec@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/websec>, <mailto:websec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/websec/>
List-Post: <mailto:websec@ietf.org>
List-Help: <mailto:websec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/websec>, <mailto:websec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 08 Aug 2014 23:44:39 -0000

On Fri, Aug 8, 2014 at 3:06 PM, Yoav Nir <ynir.ietf@gmail.com> wrote:

> For secure.tools.ietf.org, it makes sense to check tools.ietf.org and iet=
f.org.  That also works for .com sites. But in some countries they have the=
ir national TLS plus another for commercial/organization. So the top compan=
y/organizational domain would be something like somecorp.co.uk or someorg.o=
rg.il.  There would be no point in checking for HSTS at co.uk.  Maybe there=
 are rules for this.

https://publicsuffix.org/


From nobody Fri Aug  8 17:06:37 2014
Return-Path: <barryleiba@gmail.com>
X-Original-To: websec@ietfa.amsl.com
Delivered-To: websec@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5DDC31A0262 for <websec@ietfa.amsl.com>; Fri,  8 Aug 2014 17:06:35 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.277
X-Spam-Level: 
X-Spam-Status: No, score=-1.277 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, FM_FORGED_GMAIL=0.622, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id BdU5tjkq6gEg for <websec@ietfa.amsl.com>; Fri,  8 Aug 2014 17:06:30 -0700 (PDT)
Received: from mail-la0-x231.google.com (mail-la0-x231.google.com [IPv6:2a00:1450:4010:c03::231]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id ABB211A024F for <websec@ietf.org>; Fri,  8 Aug 2014 17:06:29 -0700 (PDT)
Received: by mail-la0-f49.google.com with SMTP id hz20so5122870lab.22 for <websec@ietf.org>; Fri, 08 Aug 2014 17:06:27 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113;  h=mime-version:sender:in-reply-to:references:date:message-id:subject :from:to:cc:content-type; bh=KQWIoDC/9BLS0wIVb6RWLGFMJpjNv3aBa+mxHze4ejs=; b=W1bl1BOZdHD4S5NuIDQJigm1Hrl1uuYVpTDTv/nsfZRnri/hpBAc5ZUvrxKpIDyI6F JSyhlAYb4micAgPDfjzzslqr4k9zEa8bSu3o0uxjp3uJJU/i1sqIa+UlE8/rQNlLhcuO Sp2pW9bwwmYVFav3m2B7FqVSEW198JxPQUBCoYBODgXO57qH8Tlt/1f9gZanoPM6zUI6 BqUZh8EjNfwcpAN4RXU2eSRSPLmTs05Dai1JzN4l7ibEonhKcYjsirILl/S3XyvTgagn 4rcRkM1At/ROsnWKVqqFt+c0IpYAvPloDv6AlOU48Ur/hiwRAxCAaRh1DXYuoW1QUAwR euHA==
MIME-Version: 1.0
X-Received: by 10.152.42.196 with SMTP id q4mr24127213lal.47.1407542787546; Fri, 08 Aug 2014 17:06:27 -0700 (PDT)
Sender: barryleiba@gmail.com
Received: by 10.152.8.46 with HTTP; Fri, 8 Aug 2014 17:06:27 -0700 (PDT)
In-Reply-To: <85006244-94CE-4AD8-9042-4C8CDF216C12@gmail.com>
References: <20140808190533.56A431801A4@rfc-editor.org> <CALaySJJB=g_gD9rFVoLU7JW7SkVvq9bK_H71TdPq3-em0JLFfQ@mail.gmail.com> <COL131-DS14E7BAAD30061ECA07D1D5F0EE0@phx.gbl> <CALaySJJe6v7JwceN+TucqtdJWA9dh3+oj6-awYXHJwY6iZEvzA@mail.gmail.com> <151DC1A6-B162-4EF7-A78B-3723A64F7D84@gmail.com> <COL131-DS10F844603100882CC36852F0EE0@phx.gbl> <85006244-94CE-4AD8-9042-4C8CDF216C12@gmail.com>
Date: Fri, 8 Aug 2014 20:06:27 -0400
X-Google-Sender-Auth: Facrz17Bk7eaO77Upj8AWQlKutA
Message-ID: <CALaySJKoDvXQ=P2oUbnds4GedVaoQ5ef3zksSXt2ZnnnpmYaEQ@mail.gmail.com>
From: Barry Leiba <barryleiba@computer.org>
To: Yoav Nir <ynir.ietf@gmail.com>
Content-Type: multipart/alternative; boundary=001a11c34e8edba55805002717e9
Archived-At: http://mailarchive.ietf.org/arch/msg/websec/8tGGuQYdj1F4a4y19agTKOFFH5k
Cc: Eric Lawrence <e_lawrence@hotmail.com>, Jeff Hodges <Jeff.Hodges@paypal.com>, Pete Resnick <presnick@qti.qualcomm.com>, "websec@ietf.org" <websec@ietf.org>, Collin Jackson <collin.jackson@sv.cmu.edu>, RFC Errata System <rfc-editor@rfc-editor.org>
Subject: Re: [websec] [Technical Errata Reported] RFC6797 (4075)
X-BeenThere: websec@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/websec>, <mailto:websec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/websec/>
List-Post: <mailto:websec@ietf.org>
List-Help: <mailto:websec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/websec>, <mailto:websec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 09 Aug 2014 00:06:36 -0000

--001a11c34e8edba55805002717e9
Content-Type: text/plain; charset=ISO-8859-1

And now we're in the DBOUND territory.  Talk with Andrew Sullivan.

I will mark this errata report as Rejected, and you can drop the RFC Editor
off the CC and continue this conversation in the we sec WG.

Barry

On Friday, August 8, 2014, Yoav Nir <ynir.ietf@gmail.com> wrote:

> Thanks, Eric
>
> This does look to me like content for an update RFC (with a name like
> "secure practices of using HSTS in the presence of subdomains").
>
> I'm not sure how high in the DNS hierarchy you would wish to go.
>
> For secure.tools.ietf.org, it makes sense to check tools.ietf.org and
> ietf.org.  That also works for .com sites. But in some countries they
> have their national TLS plus another for commercial/organization. So the
> top company/organizational domain would be something like somecorp.co.uk
> or someorg.org.il.  There would be no point in checking for HSTS at co.uk.
>  Maybe there are rules for this.
>
> Yoav
>
> On Aug 9, 2014, at 12:52 AM, Eric Lawrence <e_lawrence@hotmail.com
> <javascript:;>> wrote:
>
> > Hi, Yoav--
> >
> > Ivan Ristic's new "Bulletproof SSL and TLS" covers "Cookie Manipulation
> Attacks" quite nicely.  As he explains well, a serious limitation with HTTP
> cookies is that they do not carry their metadata when resent to the server,
> so a secure cookie set by "secure.tools.ietf.org" is, upon receipt by the
> server in a request's Cookie header, indistinguishable from a insecure
> cookie of the same name set by "tools.ietf.org". The cookie does not
> convey the origin from which it was set.
> >
> > RFC6797 Section 14 notes that HSTS's includeSubdomains feature blocks a
> similar problem (namely, an insecure cookie set by
> http://sub.secure.tools.ietf.org could be set against its parent
> secure.tools.ietf.org). However, because includeSubdomains only applies
> to sub-domains, rather than parent-domains, this protection is insufficient
> to address cookie injection attacks against a parent domain.
> >
> > It's hard to argue that this limitation is a flaw in HSTS (because the
> alternative would be to permit a subdomain to define a HSTS policy for its
> parent). However, because it is a threat against a site that is otherwise
> protected via HSTS, I would suggest that there should be implementation
> guidance of the form: "Any page secured by HSTS that is at a
> third-level-effective-domain (www.privatedomain.etld) or lower in the DNS
> hierarchy should include a resource reference to the parent privatedomain
> (e.g. https://privatedomain.etld/1x1.gif) such that the dereferencing of
> that resource will provide the UA the opportunity to store a HSTS policy
> that will protect the entire privatedomain tree."
> >
> > -Eric
> >
> > -----Original Message----- From: Yoav Nir
> > Sent: Friday, August 8, 2014 4:16 PM
> > To: Eric Lawrence ; Barry Leiba
> > Cc: RFC Errata System ; Jeff Hodges ; Collin Jackson ; Adam Barth ; Pete
> Resnick ; Tobias Gondrom ; websec@ietf.org <javascript:;>
> > Subject: Re: [Technical Errata Reported] RFC6797 (4075)
> >
> >
> > On Aug 8, 2014, at 10:54 PM, Barry Leiba <barryleiba@computer.org
> <javascript:;>> wrote:
> >
> >>> I'm afraid I'm only a consumer of RFCs and thus I'm not sure I
> understand
> >>> the distinction here. To me, it seems that the RFC's threat model is
> >>> incomplete.
> >>
> >> Perhaps it is, but the distinction is about whether an error was made
> >> in writing the document, or whether there's a flaw in the protocol, an
> >> issue that wasn't considered in the discussion, or the like.
> >>
> >> The sentence you're addressing is entirely consistent with the rest of
> >> Section 14.4, and doesn't look like "errata" to me.  It's quite
> >> possible that the working group blew it and should have thought about
> >> things differently.  It's possible that someone should write an update
> >> to RFC 6797 to correct it, and that your input would be useful.
> >>
> >> But you're asking the websec working group to consider an update, not
> >> making an errata report, as I see it.
> >>
> >> Does anyone from websec have a comment on this?
> >
> > Hi Barry.
> >
> > Reading this, it doesn't look like an error in the document, but as an
> attack that the group may not have considered, which HSTS may not protect.
> If this is indeed valid, and if this had been caught in IETF last call or
> IESG review, this would probably have been sent back to the working group
> to complete.
> >
> > Eric: I'm trying to understand the issue, so please see the below and
> tell me if I understood it correctly.
> >
> > Suppose we set up secure.tools.ietf.org and a sub-domain of
> tools.ietf.org and set HSTS on that domain (but not on tools.ietf.org,
> which is available in HTTP)
> > I browse http://tools.ietf.org. Because I'm not using HTTPS, an
> attacker intercepts the connection and injects a cookie for all subdomain
> (Path=/; Domain=tools.ietf.org).
> > My next connection to https://secure.tools.ietf.org will send this
> cookie.
> >
> > Did I get this correctly?
> >
> > So my first reaction was "No way. You can't set a Secure cookie over an
> HTTP connection, can you?  Just like you can't set HSTS over an HTTP
> connection." So I went to find where in RFC 6265 it says that. So of course
> it doesn't. Googling it shows that I'm not the first to wonder about that.
> In anyone has some insight about this, I'd be glad to know. Is it just that
> cookies have always worked like this, so we're not changing it now?
> >
> > Unless I'm missing something, this could be a real problem, and there
> are several ways to mitigate it. Any of them requires a new document that
> either replaces 6797 or updates it ( I can see this solved with a 2-page +
> boilerplate document). But I don't think an errata report is the way to go
> on this.
> >
> > Yoav
> >
> >
>
>

--001a11c34e8edba55805002717e9
Content-Type: text/html; charset=ISO-8859-1
Content-Transfer-Encoding: quoted-printable

And now we&#39;re in the DBOUND territory. &nbsp;Talk with Andrew Sullivan.=
<div><br></div><div>I will mark this errata report as Rejected, and you can=
 drop the RFC Editor off the CC and continue this conversation in the we se=
c WG.</div>
<div><br></div><div>Barry<span></span><br><br>On Friday, August 8, 2014, Yo=
av Nir &lt;<a href=3D"mailto:ynir.ietf@gmail.com">ynir.ietf@gmail.com</a>&g=
t; wrote:<br><blockquote class=3D"gmail_quote" style=3D"margin:0 0 0 .8ex;b=
order-left:1px #ccc solid;padding-left:1ex">
Thanks, Eric<br>
<br>
This does look to me like content for an update RFC (with a name like &ldqu=
o;secure practices of using HSTS in the presence of subdomains&rdquo;).<br>
<br>
I&rsquo;m not sure how high in the DNS hierarchy you would wish to go.<br>
<br>
For <a href=3D"http://secure.tools.ietf.org" target=3D"_blank">secure.tools=
.ietf.org</a>, it makes sense to check <a href=3D"http://tools.ietf.org" ta=
rget=3D"_blank">tools.ietf.org</a> and <a href=3D"http://ietf.org" target=
=3D"_blank">ietf.org</a>. &nbsp;That also works for .com sites. But in some=
 countries they have their national TLS plus another for commercial/organiz=
ation. So the top company/organizational domain would be something like <a =
href=3D"http://somecorp.co.uk" target=3D"_blank">somecorp.co.uk</a> or <a h=
ref=3D"http://someorg.org.il" target=3D"_blank">someorg.org.il</a>. &nbsp;T=
here would be no point in checking for HSTS at <a href=3D"http://co.uk" tar=
get=3D"_blank">co.uk</a>. &nbsp;Maybe there are rules for this.<br>

<br>
Yoav<br>
<br>
On Aug 9, 2014, at 12:52 AM, Eric Lawrence &lt;<a href=3D"javascript:;" onc=
lick=3D"_e(event, &#39;cvml&#39;, &#39;e_lawrence@hotmail.com&#39;)">e_lawr=
ence@hotmail.com</a>&gt; wrote:<br>
<br>
&gt; Hi, Yoav--<br>
&gt;<br>
&gt; Ivan Ristic&#39;s new &quot;Bulletproof SSL and TLS&quot; covers &quot=
;Cookie Manipulation Attacks&quot; quite nicely. &nbsp;As he explains well,=
 a serious limitation with HTTP cookies is that they do not carry their met=
adata when resent to the server, so a secure cookie set by &quot;<a href=3D=
"http://secure.tools.ietf.org" target=3D"_blank">secure.tools.ietf.org</a>&=
quot; is, upon receipt by the server in a request&#39;s Cookie header, indi=
stinguishable from a insecure cookie of the same name set by &quot;<a href=
=3D"http://tools.ietf.org" target=3D"_blank">tools.ietf.org</a>&quot;. The =
cookie does not convey the origin from which it was set.<br>

&gt;<br>
&gt; RFC6797 Section 14 notes that HSTS&#39;s includeSubdomains feature blo=
cks a similar problem (namely, an insecure cookie set by <a href=3D"http://=
sub.secure.tools.ietf.org" target=3D"_blank">http://sub.secure.tools.ietf.o=
rg</a> could be set against its parent <a href=3D"http://secure.tools.ietf.=
org" target=3D"_blank">secure.tools.ietf.org</a>). However, because include=
Subdomains only applies to sub-domains, rather than parent-domains, this pr=
otection is insufficient to address cookie injection attacks against a pare=
nt domain.<br>

&gt;<br>
&gt; It&#39;s hard to argue that this limitation is a flaw in HSTS (because=
 the alternative would be to permit a subdomain to define a HSTS policy for=
 its parent). However, because it is a threat against a site that is otherw=
ise protected via HSTS, I would suggest that there should be implementation=
 guidance of the form: &quot;Any page secured by HSTS that is at a third-le=
vel-effective-domain (www.privatedomain.etld) or lower in the DNS hierarchy=
 should include a resource reference to the parent privatedomain (e.g. <a h=
ref=3D"https://privatedomain.etld/1x1.gif" target=3D"_blank">https://privat=
edomain.etld/1x1.gif</a>) such that the dereferencing of that resource will=
 provide the UA the opportunity to store a HSTS policy that will protect th=
e entire privatedomain tree.&quot;<br>

&gt;<br>
&gt; -Eric<br>
&gt;<br>
&gt; -----Original Message----- From: Yoav Nir<br>
&gt; Sent: Friday, August 8, 2014 4:16 PM<br>
&gt; To: Eric Lawrence ; Barry Leiba<br>
&gt; Cc: RFC Errata System ; Jeff Hodges ; Collin Jackson ; Adam Barth ; Pe=
te Resnick ; Tobias Gondrom ; <a href=3D"javascript:;" onclick=3D"_e(event,=
 &#39;cvml&#39;, &#39;websec@ietf.org&#39;)">websec@ietf.org</a><br>
&gt; Subject: Re: [Technical Errata Reported] RFC6797 (4075)<br>
&gt;<br>
&gt;<br>
&gt; On Aug 8, 2014, at 10:54 PM, Barry Leiba &lt;<a href=3D"javascript:;" =
onclick=3D"_e(event, &#39;cvml&#39;, &#39;barryleiba@computer.org&#39;)">ba=
rryleiba@computer.org</a>&gt; wrote:<br>
&gt;<br>
&gt;&gt;&gt; I&#39;m afraid I&#39;m only a consumer of RFCs and thus I&#39;=
m not sure I understand<br>
&gt;&gt;&gt; the distinction here. To me, it seems that the RFC&#39;s threa=
t model is<br>
&gt;&gt;&gt; incomplete.<br>
&gt;&gt;<br>
&gt;&gt; Perhaps it is, but the distinction is about whether an error was m=
ade<br>
&gt;&gt; in writing the document, or whether there&#39;s a flaw in the prot=
ocol, an<br>
&gt;&gt; issue that wasn&#39;t considered in the discussion, or the like.<b=
r>
&gt;&gt;<br>
&gt;&gt; The sentence you&#39;re addressing is entirely consistent with the=
 rest of<br>
&gt;&gt; Section 14.4, and doesn&#39;t look like &quot;errata&quot; to me. =
&nbsp;It&#39;s quite<br>
&gt;&gt; possible that the working group blew it and should have thought ab=
out<br>
&gt;&gt; things differently. &nbsp;It&#39;s possible that someone should wr=
ite an update<br>
&gt;&gt; to RFC 6797 to correct it, and that your input would be useful.<br=
>
&gt;&gt;<br>
&gt;&gt; But you&#39;re asking the websec working group to consider an upda=
te, not<br>
&gt;&gt; making an errata report, as I see it.<br>
&gt;&gt;<br>
&gt;&gt; Does anyone from websec have a comment on this?<br>
&gt;<br>
&gt; Hi Barry.<br>
&gt;<br>
&gt; Reading this, it doesn&rsquo;t look like an error in the document, but=
 as an attack that the group may not have considered, which HSTS may not pr=
otect. If this is indeed valid, and if this had been caught in IETF last ca=
ll or IESG review, this would probably have been sent back to the working g=
roup to complete.<br>

&gt;<br>
&gt; Eric: I&rsquo;m trying to understand the issue, so please see the belo=
w and tell me if I understood it correctly.<br>
&gt;<br>
&gt; Suppose we set up <a href=3D"http://secure.tools.ietf.org" target=3D"_=
blank">secure.tools.ietf.org</a> and a sub-domain of <a href=3D"http://tool=
s.ietf.org" target=3D"_blank">tools.ietf.org</a> and set HSTS on that domai=
n (but not on <a href=3D"http://tools.ietf.org" target=3D"_blank">tools.iet=
f.org</a>, which is available in HTTP)<br>

&gt; I browse <a href=3D"http://tools.ietf.org" target=3D"_blank">http://to=
ols.ietf.org</a>. Because I&rsquo;m not using HTTPS, an attacker intercepts=
 the connection and injects a cookie for all subdomain (Path=3D/; Domain=3D=
<a href=3D"http://tools.ietf.org" target=3D"_blank">tools.ietf.org</a>).<br=
>

&gt; My next connection to <a href=3D"https://secure.tools.ietf.org" target=
=3D"_blank">https://secure.tools.ietf.org</a> will send this cookie.<br>
&gt;<br>
&gt; Did I get this correctly?<br>
&gt;<br>
&gt; So my first reaction was &ldquo;No way. You can&rsquo;t set a Secure c=
ookie over an HTTP connection, can you? &nbsp;Just like you can&rsquo;t set=
 HSTS over an HTTP connection.&rdquo; So I went to find where in RFC 6265 i=
t says that. So of course it doesn&rsquo;t. Googling it shows that I&rsquo;=
m not the first to wonder about that. In anyone has some insight about this=
, I&rsquo;d be glad to know. Is it just that cookies have always worked lik=
e this, so we&rsquo;re not changing it now?<br>

&gt;<br>
&gt; Unless I&rsquo;m missing something, this could be a real problem, and =
there are several ways to mitigate it. Any of them requires a new document =
that either replaces 6797 or updates it ( I can see this solved with a 2-pa=
ge + boilerplate document). But I don&rsquo;t think an errata report is the=
 way to go on this.<br>

&gt;<br>
&gt; Yoav<br>
&gt;<br>
&gt;<br>
<br>
</blockquote></div>

--001a11c34e8edba55805002717e9--


From nobody Fri Aug  8 18:01:48 2014
Return-Path: <Jeff.Hodges@kingsmountain.com>
X-Original-To: websec@ietfa.amsl.com
Delivered-To: websec@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 23B551A02F0 for <websec@ietfa.amsl.com>; Fri,  8 Aug 2014 18:01:46 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.231
X-Spam-Level: 
X-Spam-Status: No, score=-1.231 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_SORBS_WEB=0.77, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id GB-hK85v92pf for <websec@ietfa.amsl.com>; Fri,  8 Aug 2014 18:01:44 -0700 (PDT)
Received: from gproxy7-pub.mail.unifiedlayer.com (gproxy7-pub.mail.unifiedlayer.com [70.40.196.235]) by ietfa.amsl.com (Postfix) with SMTP id 673321A02E8 for <websec@ietf.org>; Fri,  8 Aug 2014 18:01:44 -0700 (PDT)
Received: (qmail 23422 invoked by uid 0); 9 Aug 2014 01:01:40 -0000
Received: from unknown (HELO cmgw3) (10.0.90.84) by gproxy7.mail.unifiedlayer.com with SMTP; 9 Aug 2014 01:01:40 -0000
Received: from box514.bluehost.com ([74.220.219.114]) by cmgw3 with  id cX1Y1o00L2UhLwi01X1bzq; Sat, 09 Aug 2014 01:01:38 -0600
X-Authority-Analysis: v=2.1 cv=DIUcvU9b c=1 sm=1 tr=0 a=9W6Fsu4pMcyimqnCr1W0/w==:117 a=9W6Fsu4pMcyimqnCr1W0/w==:17 a=cNaOj0WVAAAA:8 a=f5113yIGAAAA:8 a=ekOJvlQLSnQA:10 a=OKxkqqKDs78A:10 a=lVB5xtUsM40A:10 a=3NT3xRclEPMA:10 a=8nJEP1OIZ-IA:10 a=ieNpE_y6AAAA:8 a=XYUc-DgfXtMA:10 a=vS7MmSmxvPQA:10 a=A1X0JdhQAAAA:8 a=48vgC7mUAAAA:8 a=KPcibb87oZ-6Z4ZuIhcA:9 a=9bFfiOKcGA-NuIkR:21 a=3iHkDXmn6asv3U17:21 a=wPNLvfGTeEIA:10 a=4rq7TwIXcRUA:10 a=lZB815dzVvQA:10
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=kingsmountain.com; s=default;  h=Content-Transfer-Encoding:Content-Type:Subject:CC:To:MIME-Version:From:Date:Message-ID; bh=8/R4oTvpX/Gmtxc6zEzkF7kxdCQcXH9Z64CYGgfezWk=;  b=jw6103sw5uz0XfsUAC0cCwp0n7kvuKw1kkLtEjInMD4LLEN0C8ttXYt8Ye8Yup4otboeKgauP+EbMNchXp2/i4putTGNsJVhh7t7IVx4wqoYoK1LBbrb/U+5WKRkWgao;
Received: from [216.113.168.128] (port=16681 helo=[10.244.137.98]) by box514.bluehost.com with esmtpsa (TLSv1:DHE-RSA-AES128-SHA:128) (Exim 4.82) (envelope-from <Jeff.Hodges@KingsMountain.com>) id 1XFv2L-0003Ic-LG; Fri, 08 Aug 2014 19:01:33 -0600
Message-ID: <53E572EA.3000301@KingsMountain.com>
Date: Fri, 08 Aug 2014 18:01:30 -0700
From: =JeffH <Jeff.Hodges@KingsMountain.com>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Thunderbird/24.6.0
MIME-Version: 1.0
To: Eric Lawrence <e_lawrence@hotmail.com>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
X-Identified-User: {11025:box514.bluehost.com:kingsmou:kingsmountain.com} {sentby:smtp auth 216.113.168.128 authed with jeff.hodges+kingsmountain.com}
Archived-At: http://mailarchive.ietf.org/arch/msg/websec/E5w9pdK2al_TaOSDzrMjvjS67TA
Cc: IETF WebSec WG <websec@ietf.org>
Subject: Re: [websec] cookie injection attack via superdomain of HSTS Host (was: [Technical Errata Reported] RFC6797 (4075)
X-BeenThere: websec@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/websec>, <mailto:websec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/websec/>
List-Post: <mailto:websec@ietf.org>
List-Help: <mailto:websec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/websec>, <mailto:websec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 09 Aug 2014 01:01:46 -0000

[ trimming to: and cc: as I think most everyone is on websec@ ]

Hi Eric, thanks for submitting this errata.

Barry & everyone: actually, this issue is in S 14 "Security Considerations" 
of RFC6797, and I think Eric is correct that that subsection "14.4. The Need 
for includeSubDomains" is overlooking this detail, and hence is actually an 
errata (more or less).

However, the text I'd use to correct it would be somewhat different than 
Eric's proposed text (tho it'd build on it).

Overall, I think we discussed this aspect of things during our development 
of HSTS and rationale/defense overall amounts to..

1. HSTS Hosts really need to declare HSTS Policy at their top-level domain 
name whether or not they are reachable at other subdomains thereof and 
regardless of whether they employ .  I.e., it's  poor practice to have an 
HSTS Host at https://sub.example.com yet also answer at https://example.com 
without also declaring the latter as an HSTS Host.

In terms of there being a policy authority boundary between one's HSTS Host 
and it's immediate superdomain -- eg between example.com. and com. -- that 
to some degree is presently addressed by language in RFC6265 section 5.3 
step 5 --- but nominally I think Eric is overall correct and this "cookie 
injection attack via superdomain of HSTS Host" isn't properly discussed in 
RFC6797 and that it would (today) be an issue for example if foo.example.com 
is a distinct entity from example.com, and example.com _is not_ a "public 
suffix". Essentially, i think there's a subtle impedance mismatch between 
HSTS's Storage Model and that of HTTP cookies per RFC6265, and it's arguably 
a spec bug in rfc6797 that it isn't explicitly called out.

Thus Barry is correct that this is treading into "domain boundary" aka 
"domain policy authority" territory <dbound@ietf.org> -- and thus is another 
example of why the latter work is important (several of us, along with 
Andrew Sullivan, are chipping away at it).

Also, there's a recent draft academic paper that's been mentioned on other 
lists that I am going to post a reference to on this list -- it goes into 
HSTS deployment common mistakes as well as best practices and touches on 
issues similar to this.

ah, I see Eric's proposed best practice in his reply to Yoav, and yeah, 
that's one way to address this issue, and could ostensibly be included in a 
spec update -- but the actual errata is the above-noted impedance mismatch 
between cookies' and HSTS's storage models (and also the lack of cookie's 
declaring their originating origin).

HTH,

=JeffH


From e_lawrence@hotmail.com  Sat Aug  9 10:46:53 2014
Return-Path: <e_lawrence@hotmail.com>
X-Original-To: websec@ietfa.amsl.com
Delivered-To: websec@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id EDE9A1A00EF for <websec@ietfa.amsl.com>; Sat,  9 Aug 2014 10:46:52 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.132
X-Spam-Level: 
X-Spam-Status: No, score=0.132 tagged_above=-999 required=5 tests=[BAYES_50=0.8, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RP_MATCHES_RCVD=-0.668, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id sJrg-cSybjai for <websec@ietfa.amsl.com>; Sat,  9 Aug 2014 10:46:51 -0700 (PDT)
Received: from COL004-OMC1S11.hotmail.com (col004-omc1s11.hotmail.com [65.55.34.21]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id F2F381A00EC for <websec@ietf.org>; Sat,  9 Aug 2014 10:46:50 -0700 (PDT)
Received: from COL131-DS9 ([65.55.34.8]) by COL004-OMC1S11.hotmail.com with Microsoft SMTPSVC(7.5.7601.22712); Sat, 9 Aug 2014 10:46:50 -0700
X-TMN: [sHQpQ3o9yLsQUlgoX1KmwS/2bBiI90B7]
X-Originating-Email: [e_lawrence@hotmail.com]
Message-ID: <COL131-DS9E68224E55DB0534D47F5F0EF0@phx.gbl>
From: "Eric Lawrence" <e_lawrence@hotmail.com>
To: "=JeffH" <Jeff.Hodges@KingsMountain.com>
References: <53E572EA.3000301@KingsMountain.com>
In-Reply-To: <53E572EA.3000301@KingsMountain.com>
Date: Sat, 9 Aug 2014 12:46:47 -0500
MIME-Version: 1.0
Content-Type: text/plain; format=flowed; charset="iso-8859-1"; reply-type=response
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
Importance: Normal
X-Mailer: Microsoft Windows Live Mail 16.4.3528.331
X-MimeOLE: Produced By Microsoft MimeOLE V16.4.3528.331
X-OriginalArrivalTime: 09 Aug 2014 17:46:50.0626 (UTC) FILETIME=[E6222620:01CFB3F9]
Archived-At: http://mailarchive.ietf.org/arch/msg/websec/HTRePRgUKBRiKHEH5ZlW5usepZU
X-Mailman-Approved-At: Sat, 09 Aug 2014 13:21:11 -0700
Cc: IETF WebSec WG <websec@ietf.org>
Subject: Re: [websec] cookie injection attack via superdomain of HSTS Host (was: [Technical Errata Reported] RFC6797 (4075)
X-BeenThere: websec@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/websec>, <mailto:websec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/websec/>
List-Post: <mailto:websec@ietf.org>
List-Help: <mailto:websec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/websec>, <mailto:websec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 09 Aug 2014 17:49:40 -0000

Thanks, Jeff--

> I.e., it's  poor practice to have an HSTS Host at https://sub.example.com 
> yet also answer at
> https://example.com without also declaring the latter as an HSTS Host.

Yes, but even further, sending HSTS at example.com is insufficient, because 
a user may only ever visit https://www.example.com. That otherwise-protected 
user would always be at risk from a cookie injection attack mounted by a 
MITM who injects a reference to http://example.com (or even 
http://nonexistentpeer.example.com) which he himself would answer. A website 
can mitigate this threat by always including a resource reference served by 
the root such that domain-tree-wide HSTS policy is set if any subdomain is 
ever visited.

The best scenario, of course, is if a site's HSTS policy is pre-deployed to 
the browser, and even better would be if progress is made on convincing TLDs 
(e.g. *.secure, *.bank, *.trust, etc) to opt-in to UA-enforcement of HSTS 
for the entire TLD.

-Eric

-----Original Message----- 
From: =JeffH
Sent: Friday, August 8, 2014 8:01 PM
To: Eric Lawrence
Cc: IETF WebSec WG
Subject: Re: cookie injection attack via superdomain of HSTS Host (was: 
[Technical Errata Reported] RFC6797 (4075)

[ trimming to: and cc: as I think most everyone is on websec@ ]

Hi Eric, thanks for submitting this errata.

Barry & everyone: actually, this issue is in S 14 "Security Considerations"
of RFC6797, and I think Eric is correct that that subsection "14.4. The Need
for includeSubDomains" is overlooking this detail, and hence is actually an
errata (more or less).

However, the text I'd use to correct it would be somewhat different than
Eric's proposed text (tho it'd build on it).

Overall, I think we discussed this aspect of things during our development
of HSTS and rationale/defense overall amounts to..

1. HSTS Hosts really need to declare HSTS Policy at their top-level domain
name whether or not they are reachable at other subdomains thereof and
regardless of whether they employ .  I.e., it's  poor practice to have an
HSTS Host at https://sub.example.com yet also answer at https://example.com
without also declaring the latter as an HSTS Host.

In terms of there being a policy authority boundary between one's HSTS Host
and it's immediate superdomain -- eg between example.com. and com. -- that
to some degree is presently addressed by language in RFC6265 section 5.3
step 5 --- but nominally I think Eric is overall correct and this "cookie
injection attack via superdomain of HSTS Host" isn't properly discussed in
RFC6797 and that it would (today) be an issue for example if foo.example.com
is a distinct entity from example.com, and example.com _is not_ a "public
suffix". Essentially, i think there's a subtle impedance mismatch between
HSTS's Storage Model and that of HTTP cookies per RFC6265, and it's arguably
a spec bug in rfc6797 that it isn't explicitly called out.

Thus Barry is correct that this is treading into "domain boundary" aka
"domain policy authority" territory <dbound@ietf.org> -- and thus is another
example of why the latter work is important (several of us, along with
Andrew Sullivan, are chipping away at it).

Also, there's a recent draft academic paper that's been mentioned on other
lists that I am going to post a reference to on this list -- it goes into
HSTS deployment common mistakes as well as best practices and touches on
issues similar to this.

ah, I see Eric's proposed best practice in his reply to Yoav, and yeah,
that's one way to address this issue, and could ostensibly be included in a
spec update -- but the actual errata is the above-noted impedance mismatch
between cookies' and HSTS's storage models (and also the lack of cookie's
declaring their originating origin).

HTH,

=JeffH


From nobody Sat Aug  9 13:21:23 2014
Return-Path: <wwwrun@rfc-editor.org>
X-Original-To: websec@ietfa.amsl.com
Delivered-To: websec@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 304831A0276 for <websec@ietfa.amsl.com>; Fri,  8 Aug 2014 12:07:10 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -106.903
X-Spam-Level: 
X-Spam-Status: No, score=-106.903 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5, RP_MATCHES_RCVD=-0.001, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, USER_IN_WHITELIST=-100] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id V-wFb5g6S3-X for <websec@ietfa.amsl.com>; Fri,  8 Aug 2014 12:07:08 -0700 (PDT)
Received: from rfc-editor.org (rfc-editor.org [4.31.198.49]) by ietfa.amsl.com (Postfix) with ESMTP id 6F2E41A0272 for <websec@ietf.org>; Fri,  8 Aug 2014 12:07:08 -0700 (PDT)
Received: by rfc-editor.org (Postfix, from userid 30) id 56A431801A4; Fri,  8 Aug 2014 12:05:33 -0700 (PDT)
To: Jeff.Hodges@PayPal.com, collin.jackson@sv.cmu.edu, ietf@adambarth.com, barryleiba@computer.org, presnick@qti.qualcomm.com, tobias.gondrom@gondrom.org, ynir.ietf@gmail.com
X-PHP-Originating-Script: 6000:errata_mail_lib.php
From: RFC Errata System <rfc-editor@rfc-editor.org>
Message-Id: <20140808190533.56A431801A4@rfc-editor.org>
Date: Fri,  8 Aug 2014 12:05:33 -0700 (PDT)
Archived-At: http://mailarchive.ietf.org/arch/msg/websec/vSdh2P8ZYsVXI2o_Yl3D9w4J9i8
X-Mailman-Approved-At: Sat, 09 Aug 2014 13:21:12 -0700
Cc: e_lawrence@hotmail.com, websec@ietf.org, rfc-editor@rfc-editor.org
Subject: [websec] [Technical Errata Reported] RFC6797 (4075)
X-BeenThere: websec@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/websec>, <mailto:websec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/websec/>
List-Post: <mailto:websec@ietf.org>
List-Help: <mailto:websec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/websec>, <mailto:websec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 08 Aug 2014 19:07:10 -0000

The following errata report has been submitted for RFC6797,
"HTTP Strict Transport Security (HSTS)".

--------------------------------------
You may review the report below and at:
http://www.rfc-editor.org/errata_search.php?rfc=6797&eid=4075

--------------------------------------
Type: Technical
Reported by: Eric Lawrence <e_lawrence@hotmail.com>

Section: 14

Original Text
-------------
   Without the "includeSubDomains" directive, HSTS is unable to protect
   such Secure-flagged domain cookies.

Corrected Text
--------------
   Without the "includeSubDomains" directive, HSTS is unable to protect
   such Secure-flagged domain cookies.

   Even with the "includeSubDomains" directive, the unavailability of 
   an "includeParent" directive means that an Active MITM attacker can 
   perform a cookie-injection attack against an otherwise 
   HSTS-protected victim domain.

   Consider the following scenario:

    The user visits https://sub.example.com and gets a HSTS policy with
    includeSubdomains set. All subsequent navigations to 
    sub.example.com and its subdomains will be secure.

    An attacker causes the victim's browser to navigate to 
    http://example.com. Because the HSTS policy applies only to 
    sub.example.com and its superdomain matches, this insecure 
    navigation is not blocked by the user agent.

    The attacker intercepts this insecure request and returns a 
    response that sets a cookie on the entire domain tree using a 
    Set-Cookie header.

    All subsequent requests to sub.example.com carry the injected
    cookie, despite the use of HSTS.

Notes
-----
To mitigate this attack, HSTS-protected websites should perform a background fetch of a resource at the first-level domain. This resource should carry a HSTS header that will apply to the entire domain and all subdomains.

Instructions:
-------------
This erratum is currently posted as "Reported". If necessary, please
use "Reply All" to discuss whether it should be verified or
rejected. When a decision is reached, the verifying party (IESG)
can log in to change the status and edit the report, if necessary. 

--------------------------------------
RFC6797 (draft-ietf-websec-strict-transport-sec-14)
--------------------------------------
Title               : HTTP Strict Transport Security (HSTS)
Publication Date    : November 2012
Author(s)           : J. Hodges, C. Jackson, A. Barth
Category            : PROPOSED STANDARD
Source              : Web Security
Area                : Applications
Stream              : IETF
Verifying Party     : IESG


From e_lawrence@hotmail.com  Fri Aug  8 14:52:14 2014
Return-Path: <e_lawrence@hotmail.com>
X-Original-To: websec@ietfa.amsl.com
Delivered-To: websec@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 217CC1A00BE for <websec@ietfa.amsl.com>; Fri,  8 Aug 2014 14:52:14 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 1.153
X-Spam-Level: *
X-Spam-Status: No, score=1.153 tagged_above=-999 required=5 tests=[BAYES_05=-0.5, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001, STOX_REPLY_TYPE=0.439, TVD_FINGER_02=1.215] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id FpiYpVr8ptzw for <websec@ietfa.amsl.com>; Fri,  8 Aug 2014 14:52:12 -0700 (PDT)
Received: from COL004-OMC4S3.hotmail.com (col004-omc4s3.hotmail.com [65.55.34.205]) (using TLSv1.2 with cipher AES128-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7675F1A00B0 for <websec@ietf.org>; Fri,  8 Aug 2014 14:52:12 -0700 (PDT)
Received: from COL131-DS10 ([65.55.34.201]) by COL004-OMC4S3.hotmail.com with Microsoft SMTPSVC(7.5.7601.22701); Fri, 8 Aug 2014 14:52:11 -0700
X-TMN: [AYGQ5pxSUIy9aIhw722ONw+9alqsacej]
X-Originating-Email: [e_lawrence@hotmail.com]
Message-ID: <COL131-DS10F844603100882CC36852F0EE0@phx.gbl>
From: "Eric Lawrence" <e_lawrence@hotmail.com>
To: "Yoav Nir" <ynir.ietf@gmail.com>
References: <20140808190533.56A431801A4@rfc-editor.org> <CALaySJJB=g_gD9rFVoLU7JW7SkVvq9bK_H71TdPq3-em0JLFfQ@mail.gmail.com> <COL131-DS14E7BAAD30061ECA07D1D5F0EE0@phx.gbl> <CALaySJJe6v7JwceN+TucqtdJWA9dh3+oj6-awYXHJwY6iZEvzA@mail.gmail.com> <151DC1A6-B162-4EF7-A78B-3723A64F7D84@gmail.com>
In-Reply-To: <151DC1A6-B162-4EF7-A78B-3723A64F7D84@gmail.com>
Date: Fri, 8 Aug 2014 16:52:10 -0500
MIME-Version: 1.0
Content-Type: text/plain; format=flowed; charset="Windows-1252"; reply-type=original
Content-Transfer-Encoding: 8bit
X-Priority: 3
X-MSMail-Priority: Normal
Importance: Normal
X-Mailer: Microsoft Windows Live Mail 16.4.3528.331
X-MimeOLE: Produced By Microsoft MimeOLE V16.4.3528.331
X-OriginalArrivalTime: 08 Aug 2014 21:52:11.0869 (UTC) FILETIME=[0243D0D0:01CFB353]
Archived-At: http://mailarchive.ietf.org/arch/msg/websec/GzhsvZbvCwjZzjVDXSeHdqfJAQc
X-Mailman-Approved-At: Sat, 09 Aug 2014 13:21:11 -0700
Cc: Barry Leiba <barryleiba@computer.org>, Jeff Hodges <Jeff.Hodges@paypal.com>, Pete Resnick <presnick@qti.qualcomm.com>, websec@ietf.org, Collin Jackson <collin.jackson@sv.cmu.edu>, RFC Errata System <rfc-editor@rfc-editor.org>
Subject: Re: [websec] [Technical Errata Reported] RFC6797 (4075)
X-BeenThere: websec@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/websec>, <mailto:websec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/websec/>
List-Post: <mailto:websec@ietf.org>
List-Help: <mailto:websec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/websec>, <mailto:websec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 09 Aug 2014 17:50:01 -0000

Hi, Yoav--

Ivan Ristic's new "Bulletproof SSL and TLS" covers "Cookie Manipulation 
Attacks" quite nicely.  As he explains well, a serious limitation with HTTP 
cookies is that they do not carry their metadata when resent to the server, 
so a secure cookie set by "secure.tools.ietf.org" is, upon receipt by the 
server in a request's Cookie header, indistinguishable from a insecure 
cookie of the same name set by "tools.ietf.org". The cookie does not convey 
the origin from which it was set.

RFC6797 Section 14 notes that HSTS's includeSubdomains feature blocks a 
similar problem (namely, an insecure cookie set by 
http://sub.secure.tools.ietf.org could be set against its parent 
secure.tools.ietf.org). However, because includeSubdomains only applies to 
sub-domains, rather than parent-domains, this protection is insufficient to 
address cookie injection attacks against a parent domain.

It's hard to argue that this limitation is a flaw in HSTS (because the 
alternative would be to permit a subdomain to define a HSTS policy for its 
parent). However, because it is a threat against a site that is otherwise 
protected via HSTS, I would suggest that there should be implementation 
guidance of the form: "Any page secured by HSTS that is at a 
third-level-effective-domain (www.privatedomain.etld) or lower in the DNS 
hierarchy should include a resource reference to the parent privatedomain 
(e.g. https://privatedomain.etld/1x1.gif) such that the dereferencing of 
that resource will provide the UA the opportunity to store a HSTS policy 
that will protect the entire privatedomain tree."

-Eric

-----Original Message----- 
From: Yoav Nir
Sent: Friday, August 8, 2014 4:16 PM
To: Eric Lawrence ; Barry Leiba
Cc: RFC Errata System ; Jeff Hodges ; Collin Jackson ; Adam Barth ; Pete 
Resnick ; Tobias Gondrom ; websec@ietf.org
Subject: Re: [Technical Errata Reported] RFC6797 (4075)


On Aug 8, 2014, at 10:54 PM, Barry Leiba <barryleiba@computer.org> wrote:

>> I'm afraid I'm only a consumer of RFCs and thus I'm not sure I understand
>> the distinction here. To me, it seems that the RFC's threat model is
>> incomplete.
>
> Perhaps it is, but the distinction is about whether an error was made
> in writing the document, or whether there's a flaw in the protocol, an
> issue that wasn't considered in the discussion, or the like.
>
> The sentence you're addressing is entirely consistent with the rest of
> Section 14.4, and doesn't look like "errata" to me.  It's quite
> possible that the working group blew it and should have thought about
> things differently.  It's possible that someone should write an update
> to RFC 6797 to correct it, and that your input would be useful.
>
> But you're asking the websec working group to consider an update, not
> making an errata report, as I see it.
>
> Does anyone from websec have a comment on this?

Hi Barry.

Reading this, it doesn’t look like an error in the document, but as an 
attack that the group may not have considered, which HSTS may not protect. 
If this is indeed valid, and if this had been caught in IETF last call or 
IESG review, this would probably have been sent back to the working group to 
complete.

Eric: I’m trying to understand the issue, so please see the below and tell 
me if I understood it correctly.

Suppose we set up secure.tools.ietf.org and a sub-domain of tools.ietf.org 
and set HSTS on that domain (but not on tools.ietf.org, which is available 
in HTTP)
I browse http://tools.ietf.org. Because I’m not using HTTPS, an attacker 
intercepts the connection and injects a cookie for all subdomain (Path=/; 
Domain=tools.ietf.org).
My next connection to https://secure.tools.ietf.org will send this cookie.

Did I get this correctly?

So my first reaction was “No way. You can’t set a Secure cookie over an HTTP 
connection, can you?  Just like you can’t set HSTS over an HTTP connection.” 
So I went to find where in RFC 6265 it says that. So of course it doesn’t. 
Googling it shows that I’m not the first to wonder about that. In anyone has 
some insight about this, I’d be glad to know. Is it just that cookies have 
always worked like this, so we’re not changing it now?

Unless I’m missing something, this could be a real problem, and there are 
several ways to mitigate it. Any of them requires a new document that either 
replaces 6797 or updates it ( I can see this solved with a 2-page + 
boilerplate document). But I don’t think an errata report is the way to go 
on this.

Yoav



From e_lawrence@hotmail.com  Fri Aug  8 12:32:54 2014
Return-Path: <e_lawrence@hotmail.com>
X-Original-To: websec@ietfa.amsl.com
Delivered-To: websec@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D86F11A011F for <websec@ietfa.amsl.com>; Fri,  8 Aug 2014 12:32:54 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.062
X-Spam-Level: 
X-Spam-Status: No, score=-0.062 tagged_above=-999 required=5 tests=[BAYES_05=-0.5, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001, STOX_REPLY_TYPE=0.439] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id dk7hy3qkytc0 for <websec@ietfa.amsl.com>; Fri,  8 Aug 2014 12:32:53 -0700 (PDT)
Received: from COL004-OMC1S12.hotmail.com (col004-omc1s12.hotmail.com [65.55.34.22]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9A1F91A0055 for <websec@ietf.org>; Fri,  8 Aug 2014 12:32:53 -0700 (PDT)
Received: from COL131-DS14 ([65.55.34.9]) by COL004-OMC1S12.hotmail.com with Microsoft SMTPSVC(7.5.7601.22712); Fri, 8 Aug 2014 12:32:53 -0700
X-TMN: [y0X7cvRigUQH0ZLTmF2J2fjDLUPcK97N]
X-Originating-Email: [e_lawrence@hotmail.com]
Message-ID: <COL131-DS14E7BAAD30061ECA07D1D5F0EE0@phx.gbl>
From: "Eric Lawrence" <e_lawrence@hotmail.com>
To: "Barry Leiba" <barryleiba@computer.org>, "RFC Errata System" <rfc-editor@rfc-editor.org>
References: <20140808190533.56A431801A4@rfc-editor.org> <CALaySJJB=g_gD9rFVoLU7JW7SkVvq9bK_H71TdPq3-em0JLFfQ@mail.gmail.com>
In-Reply-To: <CALaySJJB=g_gD9rFVoLU7JW7SkVvq9bK_H71TdPq3-em0JLFfQ@mail.gmail.com>
Date: Fri, 8 Aug 2014 14:32:52 -0500
MIME-Version: 1.0
Content-Type: text/plain; format=flowed; charset="iso-8859-1"; reply-type=original
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
Importance: Normal
X-Mailer: Microsoft Windows Live Mail 16.4.3528.331
X-MimeOLE: Produced By Microsoft MimeOLE V16.4.3528.331
X-OriginalArrivalTime: 08 Aug 2014 19:32:53.0277 (UTC) FILETIME=[8C27E4D0:01CFB33F]
Archived-At: http://mailarchive.ietf.org/arch/msg/websec/ZTBLdVbBQ1sehfAyoDfQ9Gw8sRc
X-Mailman-Approved-At: Sat, 09 Aug 2014 13:21:12 -0700
Cc: Jeff Hodges <Jeff.Hodges@paypal.com>, Pete Resnick <presnick@qti.qualcomm.com>, websec@ietf.org, Collin Jackson <collin.jackson@sv.cmu.edu>
Subject: Re: [websec] [Technical Errata Reported] RFC6797 (4075)
X-BeenThere: websec@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/websec>, <mailto:websec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/websec/>
List-Post: <mailto:websec@ietf.org>
List-Help: <mailto:websec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/websec>, <mailto:websec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 09 Aug 2014 17:50:09 -0000

Hi, Barry--

I'm afraid I'm only a consumer of RFCs and thus I'm not sure I understand 
the distinction here. To me, it seems that the RFC's threat model is 
incomplete.

-Eric

-----Original Message----- 
From: Barry Leiba
Sent: Friday, August 8, 2014 2:11 PM
To: RFC Errata System
Cc: Jeff Hodges ; Collin Jackson ; Adam Barth ; Pete Resnick ; Tobias 
Gondrom ; Yoav Nir ; e_lawrence@hotmail.com ; websec@ietf.org
Subject: Re: [Technical Errata Reported] RFC6797 (4075)

Eric, thanks for the report.

Errata are errors in the text that would have been fixed at
publication time, had they been caught.

Isn't this a change request, rather than an errata report?

Barry, Applications AD

On Fri, Aug 8, 2014 at 3:05 PM, RFC Errata System
<rfc-editor@rfc-editor.org> wrote:
> The following errata report has been submitted for RFC6797,
> "HTTP Strict Transport Security (HSTS)".
>
> --------------------------------------
> You may review the report below and at:
> http://www.rfc-editor.org/errata_search.php?rfc=6797&eid=4075
>
> --------------------------------------
> Type: Technical
> Reported by: Eric Lawrence <e_lawrence@hotmail.com>
>
> Section: 14
>
> Original Text
> -------------
>    Without the "includeSubDomains" directive, HSTS is unable to protect
>    such Secure-flagged domain cookies.
>
> Corrected Text
> --------------
>    Without the "includeSubDomains" directive, HSTS is unable to protect
>    such Secure-flagged domain cookies.
>
>    Even with the "includeSubDomains" directive, the unavailability of
>    an "includeParent" directive means that an Active MITM attacker can
>    perform a cookie-injection attack against an otherwise
>    HSTS-protected victim domain.
>
>    Consider the following scenario:
>
>     The user visits https://sub.example.com and gets a HSTS policy with
>     includeSubdomains set. All subsequent navigations to
>     sub.example.com and its subdomains will be secure.
>
>     An attacker causes the victim's browser to navigate to
>     http://example.com. Because the HSTS policy applies only to
>     sub.example.com and its superdomain matches, this insecure
>     navigation is not blocked by the user agent.
>
>     The attacker intercepts this insecure request and returns a
>     response that sets a cookie on the entire domain tree using a
>     Set-Cookie header.
>
>     All subsequent requests to sub.example.com carry the injected
>     cookie, despite the use of HSTS.
>
> Notes
> -----
> To mitigate this attack, HSTS-protected websites should perform a 
> background fetch of a resource at the first-level domain. This resource 
> should carry a HSTS header that will apply to the entire domain and all 
> subdomains.
>
> Instructions:
> -------------
> This erratum is currently posted as "Reported". If necessary, please
> use "Reply All" to discuss whether it should be verified or
> rejected. When a decision is reached, the verifying party (IESG)
> can log in to change the status and edit the report, if necessary.
>
> --------------------------------------
> RFC6797 (draft-ietf-websec-strict-transport-sec-14)
> --------------------------------------
> Title               : HTTP Strict Transport Security (HSTS)
> Publication Date    : November 2012
> Author(s)           : J. Hodges, C. Jackson, A. Barth
> Category            : PROPOSED STANDARD
> Source              : Web Security
> Area                : Applications
> Stream              : IETF
> Verifying Party     : IESG
> 


From nobody Sat Aug  9 14:46:44 2014
Return-Path: <ynir.ietf@gmail.com>
X-Original-To: websec@ietfa.amsl.com
Delivered-To: websec@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 796A61A01D6 for <websec@ietfa.amsl.com>; Sat,  9 Aug 2014 14:46:43 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.7
X-Spam-Level: 
X-Spam-Status: No, score=0.7 tagged_above=-999 required=5 tests=[BAYES_50=0.8,  DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id FNztwHatOOB9 for <websec@ietfa.amsl.com>; Sat,  9 Aug 2014 14:46:42 -0700 (PDT)
Received: from mail-we0-x22e.google.com (mail-we0-x22e.google.com [IPv6:2a00:1450:400c:c03::22e]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id F1CAB1A019A for <websec@ietf.org>; Sat,  9 Aug 2014 14:46:41 -0700 (PDT)
Received: by mail-we0-f174.google.com with SMTP id x48so7097426wes.19 for <websec@ietf.org>; Sat, 09 Aug 2014 14:46:40 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113;  h=subject:mime-version:content-type:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=B6jGKo6l7WaYsGQIlsmi7cMesSzx+CILqqkwtsudi4o=; b=Eeyge6yXuZbmth3wtWmJIbhzwhWeJl8OB5nyA0UZcaNgbNeqZbTjLK4KQCMPaqLOxf yVP1WaNxnXIDc23sX2y8tZGGZLsc8qUWrRmif3+8v1fz8oHrdwVa74VORHWvyPtJ5vSb sUI0rUyrdnUAjYrY2AB6JOj8SAW3O6gtCoxW8oD9PYFPU44MGCOeejCCuwEBkLFai0lF vGjelr0mTrhu8TfAtieFIvYDTZVe3vAs8y5LbMWp6Bf3ijU/ETqXEpssBLQYScvaVNo5 bajHIzHF8f0lNFQnDTTxUa1RvbT7PAwtx/0zVfGsMa7kVun3c+S994z0KCueUMrkX4Gn 1qHA==
X-Received: by 10.194.222.230 with SMTP id qp6mr41732917wjc.23.1407620800610;  Sat, 09 Aug 2014 14:46:40 -0700 (PDT)
Received: from [192.168.1.100] (bzq-84-109-50-18.red.bezeqint.net. [84.109.50.18]) by mx.google.com with ESMTPSA id eb4sm23307043wic.16.2014.08.09.14.46.39 for <multiple recipients> (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Sat, 09 Aug 2014 14:46:40 -0700 (PDT)
Mime-Version: 1.0 (Mac OS X Mail 7.3 \(1878.6\))
Content-Type: text/plain; charset=windows-1252
From: Yoav Nir <ynir.ietf@gmail.com>
X-Priority: 3
In-Reply-To: <COL131-DS9E68224E55DB0534D47F5F0EF0@phx.gbl>
Date: Sun, 10 Aug 2014 00:46:41 +0300
Content-Transfer-Encoding: quoted-printable
Message-Id: <AA897446-295F-41AB-9976-5B6E5D87972B@gmail.com>
References: <53E572EA.3000301@KingsMountain.com> <COL131-DS9E68224E55DB0534D47F5F0EF0@phx.gbl>
To: Eric Lawrence <e_lawrence@hotmail.com>
X-Mailer: Apple Mail (2.1878.6)
Archived-At: http://mailarchive.ietf.org/arch/msg/websec/1jSgWsRmOeYJssbhJ6gRkpWo60Y
Cc: IETF WebSec WG <websec@ietf.org>
Subject: Re: [websec] cookie injection attack via superdomain of HSTS Host (was: [Technical Errata Reported] RFC6797 (4075)
X-BeenThere: websec@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/websec>, <mailto:websec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/websec/>
List-Post: <mailto:websec@ietf.org>
List-Help: <mailto:websec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/websec>, <mailto:websec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 09 Aug 2014 21:46:43 -0000

On Aug 9, 2014, at 8:46 PM, Eric Lawrence <e_lawrence@hotmail.com> =
wrote:

>=20
> The best scenario, of course, is if a site's HSTS policy is =
pre-deployed to the browser

These things tend to work for big sites (Facebook, bank of america, =
Amazon) and not so well for smaller sites.  I wonder if a good =
modification to HSTS would be to have an =93includeParent=94 directive. =
Of course we can=92t let a subdomain specify a policy for a parent =
domain, but it could serve as a hint, triggering the UA to probe the =
parent domain as you suggested.=20

That said, this is yet more evidence that cookies are hopelessly broken.=20=


Yoav
(not wearing any hats)


From nobody Sat Aug  9 22:53:46 2014
Return-Path: <Jeff.Hodges@kingsmountain.com>
X-Original-To: websec@ietfa.amsl.com
Delivered-To: websec@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E75E11A0643 for <websec@ietfa.amsl.com>; Sat,  9 Aug 2014 22:53:43 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 1.033
X-Spam-Level: *
X-Spam-Status: No, score=1.033 tagged_above=-999 required=5 tests=[BAYES_50=0.8, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, IP_NOT_FRIENDLY=0.334, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Fr1a0NFHb3R9 for <websec@ietfa.amsl.com>; Sat,  9 Aug 2014 22:53:42 -0700 (PDT)
Received: from gproxy4-pub.mail.unifiedlayer.com (gproxy4-pub.mail.unifiedlayer.com [69.89.23.142]) by ietfa.amsl.com (Postfix) with SMTP id AFC3D1A0640 for <websec@ietf.org>; Sat,  9 Aug 2014 22:53:42 -0700 (PDT)
Received: (qmail 17215 invoked by uid 0); 10 Aug 2014 05:53:39 -0000
Received: from unknown (HELO cmgw3) (10.0.90.84) by gproxy4.mail.unifiedlayer.com with SMTP; 10 Aug 2014 05:53:39 -0000
Received: from box514.bluehost.com ([74.220.219.114]) by cmgw3 with  id cztX1o0012UhLwi01ztaJ6; Sun, 10 Aug 2014 05:53:38 -0600
X-Authority-Analysis: v=2.1 cv=DIUcvU9b c=1 sm=1 tr=0 a=9W6Fsu4pMcyimqnCr1W0/w==:117 a=9W6Fsu4pMcyimqnCr1W0/w==:17 a=cNaOj0WVAAAA:8 a=f5113yIGAAAA:8 a=ekOJvlQLSnQA:10 a=YXR_0xDj8ZkA:10 a=AZJedDZmUUUA:10 a=3NT3xRclEPMA:10 a=8nJEP1OIZ-IA:10 a=ieNpE_y6AAAA:8 a=XYUc-DgfXtMA:10 a=aQyOShshic0A:10 a=gX9PHW2fAAAA:8 a=A1X0JdhQAAAA:8 a=NEAV23lmAAAA:8 a=cm27Pg_UAAAA:8 a=1XWaLZrsAAAA:8 a=s5MJRaXj4EHIG1AAJ-AA:9 a=wPNLvfGTeEIA:10 a=9qIKL8-R5rUA:10 a=VlZU0XKO32wA:10 a=zv9_9hqRWm8A:10
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=kingsmountain.com; s=default;  h=Content-Transfer-Encoding:Content-Type:Subject:To:MIME-Version:From:Date:Message-ID; bh=SOL++2UmDyNwiqdWnUjbKqNvAvg5lo4oDaAtWpN6wZQ=;  b=WEzZ5sduIxjZL/kGce+yDEhuraUlTwmoBqHq7mggbW2kkyy6HxRnJGRxe2zvA2D/XtoiTeNRxr8x2VFfDsLxmazx10s8y+o2+thJwYuWO3EhsOFSInqbi+7PESeoNb48;
Received: from [98.248.231.21] (port=54148 helo=[192.168.11.14]) by box514.bluehost.com with esmtpsa (TLSv1:DHE-RSA-AES128-SHA:128) (Exim 4.82) (envelope-from <Jeff.Hodges@KingsMountain.com>) id 1XGM4S-0003RL-9M for websec@ietf.org; Sat, 09 Aug 2014 23:53:32 -0600
Message-ID: <53E708DB.4010505@KingsMountain.com>
Date: Sat, 09 Aug 2014 22:53:31 -0700
From: =JeffH <Jeff.Hodges@KingsMountain.com>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Thunderbird/24.6.0
MIME-Version: 1.0
To: IETF WebSec WG <websec@ietf.org>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
X-Identified-User: {11025:box514.bluehost.com:kingsmou:kingsmountain.com} {sentby:smtp auth 98.248.231.21 authed with jeff.hodges+kingsmountain.com}
Archived-At: http://mailarchive.ietf.org/arch/msg/websec/caO9aKtOjZiorITuwDCrk30j_Gs
Subject: [websec] fyi: State of HSTS Deployment in 2013-Oct
X-BeenThere: websec@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/websec>, <mailto:websec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/websec/>
List-Post: <mailto:websec@ietf.org>
List-Help: <mailto:websec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/websec>, <mailto:websec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 10 Aug 2014 05:53:44 -0000

Here's an interesting & relevant draft paper by Lucas Garron (and Andrew 
Bortz & Dan Boneh)..

   The State of HSTS Deployment:  A Survey and Common Pitfalls
   https://garron.net/crypto/hsts/hsts-2013.pdf

Note that "S 8.5 Securing https://example.com from a subdomain" is 
essentially the issue that Eric Lawrence recently filed against RFC6797 HSTS.

The paper is worth a read, and the scan code is here..

   https://github.com/lgarron/HSTS/tree/scan

..see also the discussion in this thread on <security-dev@chromium.org>..

   State of HSTS in on the Web (2013)
 
https://groups.google.com/a/chromium.org/forum/#!topic/security-dev/Ibdf-x_uqEs


HTH,

=JeffH


From nobody Sun Aug 10 02:59:57 2014
Return-Path: <tobias.gondrom@gondrom.org>
X-Original-To: websec@ietfa.amsl.com
Delivered-To: websec@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DAD3B1A06B3 for <websec@ietfa.amsl.com>; Sun, 10 Aug 2014 02:59:55 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -99.969
X-Spam-Level: 
X-Spam-Status: No, score=-99.969 tagged_above=-999 required=5 tests=[BAYES_50=0.8, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RP_MATCHES_RCVD=-0.668, SPF_PASS=-0.001, USER_IN_WHITELIST=-100] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 16xMvNpyWYGt for <websec@ietfa.amsl.com>; Sun, 10 Aug 2014 02:59:53 -0700 (PDT)
Received: from www.gondrom.org (www.gondrom.org [91.250.114.153]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A86FE1A06AD for <websec@ietf.org>; Sun, 10 Aug 2014 02:59:52 -0700 (PDT)
X-No-Relay: not in my network
DomainKey-Signature: a=rsa-sha1;  q=dns; c=nofws; s=default; d=gondrom.org; b=NbrzvQL2N0Z8+HRK5kvJRM1Ko6P3zRQ08H2aTSeAASlE4NeJ47PU9Cpyh2mIT+2MXUG/L1VI35P/D9Lq3iFhTSeNoLzXhF6OhCZAqw9hn7XClvYkGtaKEaFD5X6M+LOdO3n9Nj0sBwvPMme5q54k39cj7KhTK4feBdZLnBFxnzk=; h=X-No-Relay:X-No-Relay:Received:Message-ID:Date:From:User-Agent:MIME-Version:To:CC:Subject:References:In-Reply-To:Content-Type:Content-Transfer-Encoding;
X-No-Relay: not in my network
X-No-Relay: not in my network
Received: from [192.168.0.6] (46-64-103-184.zone15.bethere.co.uk [46.64.103.184]) by www.gondrom.org (Postfix) with ESMTPSA id A57581539004F; Sun, 10 Aug 2014 11:59:49 +0200 (CEST)
Message-ID: <53E74295.7060402@gondrom.org>
Date: Sun, 10 Aug 2014 10:59:49 +0100
From: Tobias Gondrom <tobias.gondrom@gondrom.org>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Thunderbird/24.6.0
MIME-Version: 1.0
To: Jeff.Hodges@KingsMountain.com
References: <53E708DB.4010505@KingsMountain.com>
In-Reply-To: <53E708DB.4010505@KingsMountain.com>
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
Archived-At: http://mailarchive.ietf.org/arch/msg/websec/xIW4E6WM_4w-5QyHD_fbC6uzshU
Cc: websec@ietf.org
Subject: Re: [websec] fyi: State of HSTS Deployment in 2013-Oct
X-BeenThere: websec@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/websec>, <mailto:websec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/websec/>
List-Post: <mailto:websec@ietf.org>
List-Help: <mailto:websec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/websec>, <mailto:websec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 10 Aug 2014 09:59:56 -0000

Hi Jeff,

thanks for sharing. Good paper and interesting read.

Even though things are slowly picking up in adoption, a bit
disappointing it's been only 277 out of 100000 sites in Oct 2013. (on a
personal note: this is consistent with my personal anecdotal experience:
as part of overall secure development training, I also mention HSTS to
developers a couple of times per year, and so far nearly none of them
used it before...)

Best regards, Tobias


Ps.: and as Lucas wrote, he initially prepared the document as a
conference paper. In case he is interested, this might be an interesting
submission for an AppSec conference in 2015 (the 2014 ones are
unfortunately already finished or past CFP). (e.g. AppSecUS or AppSecEU)



On 10/08/14 06:53, =JeffH wrote:
> Here's an interesting & relevant draft paper by Lucas Garron (and
> Andrew Bortz & Dan Boneh)..
>
>   The State of HSTS Deployment:  A Survey and Common Pitfalls
>   https://garron.net/crypto/hsts/hsts-2013.pdf
>
> Note that "S 8.5 Securing https://example.com from a subdomain" is
> essentially the issue that Eric Lawrence recently filed against
> RFC6797 HSTS.
>
> The paper is worth a read, and the scan code is here..
>
>   https://github.com/lgarron/HSTS/tree/scan
>
> ..see also the discussion in this thread on <security-dev@chromium.org>..
>
>   State of HSTS in on the Web (2013)
>
> https://groups.google.com/a/chromium.org/forum/#!topic/security-dev/Ibdf-x_uqEs
>
>
>
> HTH,
>
> =JeffH
>
> _______________________________________________
> websec mailing list
> websec@ietf.org
> https://www.ietf.org/mailman/listinfo/websec


From nobody Sun Aug 10 04:28:09 2014
Return-Path: <tobias.gondrom@gondrom.org>
X-Original-To: websec@ietfa.amsl.com
Delivered-To: websec@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3B0FA1A06E0 for <websec@ietfa.amsl.com>; Sun, 10 Aug 2014 04:28:08 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -99.969
X-Spam-Level: 
X-Spam-Status: No, score=-99.969 tagged_above=-999 required=5 tests=[BAYES_50=0.8, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RP_MATCHES_RCVD=-0.668, SPF_PASS=-0.001, USER_IN_WHITELIST=-100] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id F97fLoxPKZ9w for <websec@ietfa.amsl.com>; Sun, 10 Aug 2014 04:28:05 -0700 (PDT)
Received: from www.gondrom.org (www.gondrom.org [91.250.114.153]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 20EF01A06DD for <websec@ietf.org>; Sun, 10 Aug 2014 04:28:05 -0700 (PDT)
X-No-Relay: not in my network
DomainKey-Signature: a=rsa-sha1;  q=dns; c=nofws; s=default; d=gondrom.org; b=dlQiQF8H0LA4MTp4fA78E1DfTMt4jSXtcVBqJerrvr+xGEzbPZhnbAv/mPLN8x2nNn7zjxYbpugVOIkaqnuL4eSo3LMeMkIgsrKSb4STLkG69XHQYwb8bk3y6SOfr7hG12OtblzfBi0tsUD6Qn5VzDAh7r04B9zaD6GH2x63l04=; h=X-No-Relay:X-No-Relay:X-No-Relay:X-No-Relay:X-No-Relay:X-No-Relay:X-No-Relay:X-No-Relay:Received:Message-ID:Date:From:User-Agent:MIME-Version:To:CC:Subject:References:In-Reply-To:Content-Type:Content-Transfer-Encoding;
X-No-Relay: not in my network
X-No-Relay: not in my network
X-No-Relay: not in my network
X-No-Relay: not in my network
X-No-Relay: not in my network
X-No-Relay: not in my network
X-No-Relay: not in my network
X-No-Relay: not in my network
Received: from [192.168.0.6] (46-64-103-184.zone15.bethere.co.uk [46.64.103.184]) by www.gondrom.org (Postfix) with ESMTPSA id D32EB1539004F; Sun, 10 Aug 2014 13:28:01 +0200 (CEST)
Message-ID: <53E75740.1060200@gondrom.org>
Date: Sun, 10 Aug 2014 12:28:00 +0100
From: Tobias Gondrom <tobias.gondrom@gondrom.org>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Thunderbird/24.6.0
MIME-Version: 1.0
To: ynir.ietf@gmail.com, e_lawrence@hotmail.com
References: <20140808190533.56A431801A4@rfc-editor.org> <CALaySJJB=g_gD9rFVoLU7JW7SkVvq9bK_H71TdPq3-em0JLFfQ@mail.gmail.com> <COL131-DS14E7BAAD30061ECA07D1D5F0EE0@phx.gbl> <CALaySJJe6v7JwceN+TucqtdJWA9dh3+oj6-awYXHJwY6iZEvzA@mail.gmail.com> <151DC1A6-B162-4EF7-A78B-3723A64F7D84@gmail.com> <COL131-DS10F844603100882CC36852F0EE0@phx.gbl> <85006244-94CE-4AD8-9042-4C8CDF216C12@gmail.com>
In-Reply-To: <85006244-94CE-4AD8-9042-4C8CDF216C12@gmail.com>
Content-Type: text/plain; charset=windows-1252
Content-Transfer-Encoding: 8bit
Archived-At: http://mailarchive.ietf.org/arch/msg/websec/03ScanZoCPQTKsK-nvDC4WBLcT8
Cc: barryleiba@computer.org, Jeff.Hodges@paypal.com, presnick@qti.qualcomm.com, websec@ietf.org, collin.jackson@sv.cmu.edu, rfc-editor@rfc-editor.org
Subject: Re: [websec] [Technical Errata Reported] RFC6797 (4075)
X-BeenThere: websec@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/websec>, <mailto:websec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/websec/>
List-Post: <mailto:websec@ietf.org>
List-Help: <mailto:websec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/websec>, <mailto:websec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 10 Aug 2014 11:28:08 -0000

Thanks.

I agree, this is an "update" and not an "errata".

However, am not sure how to best retain this information:
Because this is a good point for a best practice.
And be it only in advising the best practice when using HSTS, like
simply including one link to the parent https://example.com to avoid
having unprotected parent-domains.

For errata we have this nice mechanism to keep errata proposals, while
for updates, I think we don't.

Best regards, Tobias


On 08/08/14 23:06, Yoav Nir wrote:
> Thanks, Eric
>
> This does look to me like content for an update RFC (with a name like “secure practices of using HSTS in the presence of subdomains”).
>
> I’m not sure how high in the DNS hierarchy you would wish to go.
>
> For secure.tools.ietf.org, it makes sense to check tools.ietf.org and ietf.org.  That also works for .com sites. But in some countries they have their national TLS plus another for commercial/organization. So the top company/organizational domain would be something like somecorp.co.uk or someorg.org.il.  There would be no point in checking for HSTS at co.uk.  Maybe there are rules for this.
>
> Yoav
>
> On Aug 9, 2014, at 12:52 AM, Eric Lawrence <e_lawrence@hotmail.com> wrote:
>
>> Hi, Yoav--
>>
>> Ivan Ristic's new "Bulletproof SSL and TLS" covers "Cookie Manipulation Attacks" quite nicely.  As he explains well, a serious limitation with HTTP cookies is that they do not carry their metadata when resent to the server, so a secure cookie set by "secure.tools.ietf.org" is, upon receipt by the server in a request's Cookie header, indistinguishable from a insecure cookie of the same name set by "tools.ietf.org". The cookie does not convey the origin from which it was set.
>>
>> RFC6797 Section 14 notes that HSTS's includeSubdomains feature blocks a similar problem (namely, an insecure cookie set by http://sub.secure.tools.ietf.org could be set against its parent secure.tools.ietf.org). However, because includeSubdomains only applies to sub-domains, rather than parent-domains, this protection is insufficient to address cookie injection attacks against a parent domain.
>>
>> It's hard to argue that this limitation is a flaw in HSTS (because the alternative would be to permit a subdomain to define a HSTS policy for its parent). However, because it is a threat against a site that is otherwise protected via HSTS, I would suggest that there should be implementation guidance of the form: "Any page secured by HSTS that is at a third-level-effective-domain (www.privatedomain.etld) or lower in the DNS hierarchy should include a resource reference to the parent privatedomain (e.g. https://privatedomain.etld/1x1.gif) such that the dereferencing of that resource will provide the UA the opportunity to store a HSTS policy that will protect the entire privatedomain tree."
>>
>> -Eric
>>
>> -----Original Message----- From: Yoav Nir
>> Sent: Friday, August 8, 2014 4:16 PM
>> To: Eric Lawrence ; Barry Leiba
>> Cc: RFC Errata System ; Jeff Hodges ; Collin Jackson ; Adam Barth ; Pete Resnick ; Tobias Gondrom ; websec@ietf.org
>> Subject: Re: [Technical Errata Reported] RFC6797 (4075)
>>
>>
>> On Aug 8, 2014, at 10:54 PM, Barry Leiba <barryleiba@computer.org> wrote:
>>
>>>> I'm afraid I'm only a consumer of RFCs and thus I'm not sure I understand
>>>> the distinction here. To me, it seems that the RFC's threat model is
>>>> incomplete.
>>> Perhaps it is, but the distinction is about whether an error was made
>>> in writing the document, or whether there's a flaw in the protocol, an
>>> issue that wasn't considered in the discussion, or the like.
>>>
>>> The sentence you're addressing is entirely consistent with the rest of
>>> Section 14.4, and doesn't look like "errata" to me.  It's quite
>>> possible that the working group blew it and should have thought about
>>> things differently.  It's possible that someone should write an update
>>> to RFC 6797 to correct it, and that your input would be useful.
>>>
>>> But you're asking the websec working group to consider an update, not
>>> making an errata report, as I see it.
>>>
>>> Does anyone from websec have a comment on this?
>> Hi Barry.
>>
>> Reading this, it doesn’t look like an error in the document, but as an attack that the group may not have considered, which HSTS may not protect. If this is indeed valid, and if this had been caught in IETF last call or IESG review, this would probably have been sent back to the working group to complete.
>>
>> Eric: I’m trying to understand the issue, so please see the below and tell me if I understood it correctly.
>>
>> Suppose we set up secure.tools.ietf.org and a sub-domain of tools.ietf.org and set HSTS on that domain (but not on tools.ietf.org, which is available in HTTP)
>> I browse http://tools.ietf.org. Because I’m not using HTTPS, an attacker intercepts the connection and injects a cookie for all subdomain (Path=/; Domain=tools.ietf.org).
>> My next connection to https://secure.tools.ietf.org will send this cookie.
>>
>> Did I get this correctly?
>>
>> So my first reaction was “No way. You can’t set a Secure cookie over an HTTP connection, can you?  Just like you can’t set HSTS over an HTTP connection.” So I went to find where in RFC 6265 it says that. So of course it doesn’t. Googling it shows that I’m not the first to wonder about that. In anyone has some insight about this, I’d be glad to know. Is it just that cookies have always worked like this, so we’re not changing it now?
>>
>> Unless I’m missing something, this could be a real problem, and there are several ways to mitigate it. Any of them requires a new document that either replaces 6797 or updates it ( I can see this solved with a 2-page + boilerplate document). But I don’t think an errata report is the way to go on this.
>>
>> Yoav
>>
>>


From nobody Sun Aug 10 04:38:37 2014
Return-Path: <ynir.ietf@gmail.com>
X-Original-To: websec@ietfa.amsl.com
Delivered-To: websec@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A31E01A06E5 for <websec@ietfa.amsl.com>; Sun, 10 Aug 2014 04:38:36 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.7
X-Spam-Level: 
X-Spam-Status: No, score=0.7 tagged_above=-999 required=5 tests=[BAYES_50=0.8,  DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id PRDIKT4fDmnS for <websec@ietfa.amsl.com>; Sun, 10 Aug 2014 04:38:35 -0700 (PDT)
Received: from mail-wi0-x231.google.com (mail-wi0-x231.google.com [IPv6:2a00:1450:400c:c05::231]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 148271A06E4 for <websec@ietf.org>; Sun, 10 Aug 2014 04:38:34 -0700 (PDT)
Received: by mail-wi0-f177.google.com with SMTP id ho1so2934602wib.10 for <websec@ietf.org>; Sun, 10 Aug 2014 04:38:33 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113;  h=content-type:mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=dT3588L+CslMHeFcSaAyaBfj4YvW3832tPbwPKfoNyo=; b=q1dRpUkDLs4D40zXJ7I3/w6nd/wkJkkdT69D21hJaeVY1BJuFIhv0rO26wqTKHXOEJ 5orb0owvj3YW4hE5rRo9BwJzmG+UmbZ3GdSWzIJMwZn7r1MYqqIJ+PmbVi3xOQJALf8/ 1WUhCC7105RIaj1IS+OYnDUzxKuNkZ9ybxsPrU20TpLqO9egB66xs1JAQlACgv1seXiy bWIxxqn0K9Es4YulhVA3DDT9FgM7gSPGeV39pcfA9ZwuZxPVMuyqrkfTnG86zWS6/sLX 3NLS0UKi1N7IkxN4IvD+vW4vr3TffJd24h5WHknrXkr7Snln+baL5cooYK5FB38kYWIO REzA==
X-Received: by 10.194.100.34 with SMTP id ev2mr44956775wjb.76.1407670713638; Sun, 10 Aug 2014 04:38:33 -0700 (PDT)
Received: from [192.168.1.100] (bzq-84-109-50-18.red.bezeqint.net. [84.109.50.18]) by mx.google.com with ESMTPSA id pm3sm31474117wjb.28.2014.08.10.04.38.32 for <multiple recipients> (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Sun, 10 Aug 2014 04:38:33 -0700 (PDT)
Content-Type: text/plain; charset=windows-1252
Mime-Version: 1.0 (Mac OS X Mail 7.3 \(1878.6\))
From: Yoav Nir <ynir.ietf@gmail.com>
In-Reply-To: <53E74295.7060402@gondrom.org>
Date: Sun, 10 Aug 2014 14:38:35 +0300
Content-Transfer-Encoding: quoted-printable
Message-Id: <9324C2B1-7DAA-418B-87C2-7D4CFABD8B1C@gmail.com>
References: <53E708DB.4010505@KingsMountain.com> <53E74295.7060402@gondrom.org>
To: Tobias Gondrom <tobias.gondrom@gondrom.org>
X-Mailer: Apple Mail (2.1878.6)
Archived-At: http://mailarchive.ietf.org/arch/msg/websec/eMhYxEN8N_81v_ConunVVX-Dosg
Cc: websec@ietf.org
Subject: Re: [websec] fyi: State of HSTS Deployment in 2013-Oct
X-BeenThere: websec@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/websec>, <mailto:websec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/websec/>
List-Post: <mailto:websec@ietf.org>
List-Help: <mailto:websec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/websec>, <mailto:websec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 10 Aug 2014 11:38:36 -0000

On Aug 10, 2014, at 12:59 PM, Tobias Gondrom =
<tobias.gondrom@gondrom.org> wrote:

> Hi Jeff,
>=20
> thanks for sharing. Good paper and interesting read.
>=20
> Even though things are slowly picking up in adoption, a bit
> disappointing it's been only 277 out of 100000 sites in Oct 2013. (on =
a
> personal note: this is consistent with my personal anecdotal =
experience:
> as part of overall secure development training, I also mention HSTS to
> developers a couple of times per year, and so far nearly none of them
> used it before=85)

My anecdotal evidence is that I tried to promote it at the company where =
I work. We sell (among other things) an SSL-VPN gateway. That is pretty =
much a pre-packaged web server, configurable to provide access to =
company resources such as email, ERP and whatever else employees need =
over a web interface.=20

At first this looked to me like a great candidate for HSTS - it=92s only =
HTTPS, no HTTP. It=92s pre-packaged, so we could add it without the =
administrators needing to do any work. In the end, what killed the idea =
was what happens when certificates expire or when a valid certificate is =
replaced by an almost-valid certificate (missing alternate name). The =
administrators of our products run the gamut from IT professionals who =
have been through our administration courses all the way to the CEO=92s =
nephew who=92s really good with computers (=91cause he=92s got his own =
Facebook profile and everything). We felt it was too risky to just ship =
the server with HSTS on.=20

It=92s still possible to turn it on by editing some Apache configuration =
files, but you really want security to be on by default.

Yoav


From nobody Sun Aug 10 04:41:03 2014
Return-Path: <ynir.ietf@gmail.com>
X-Original-To: websec@ietfa.amsl.com
Delivered-To: websec@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5B9531A06EA for <websec@ietfa.amsl.com>; Sun, 10 Aug 2014 04:41:01 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level: 
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9,  DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id jFPbikDGNNZS for <websec@ietfa.amsl.com>; Sun, 10 Aug 2014 04:41:00 -0700 (PDT)
Received: from mail-we0-x22e.google.com (mail-we0-x22e.google.com [IPv6:2a00:1450:400c:c03::22e]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C943A1A06E8 for <websec@ietf.org>; Sun, 10 Aug 2014 04:40:59 -0700 (PDT)
Received: by mail-we0-f174.google.com with SMTP id x48so7487554wes.19 for <websec@ietf.org>; Sun, 10 Aug 2014 04:40:58 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113;  h=content-type:mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=tZ3ktCsz2usnzIZWu2SgqLQjWKMWlQKLyDVc0x54Bvk=; b=ig26mBhUndiBMMZqF612lIR95YaDSz/u+NEq8SHS2eln4CVtgIHmRHWKbpD/C4Pqip H1FIRnyb6yf6hvMcc35w9SgY45F6dix+G6hJJh65rsPLemysYlSYwVtndRdCI05/r6ui eCNJ20hDZUMtUsbJB8Wr/B/chvu7w4bDIpdptcRafh9Exu88HTaENgrLoaUnb7d6Vyp/ pF1CMXNKumKwYL8KVByXAlpkqe2sKspaz1M9Ynv7IBz48eHommdogiPtu1BSB++MahZO 0nMnw0xocq1YsUPzSK3HMVnWRqBbj5GaAkb+igGOKosy45ABQN4P3+usChgBbX4lKZhL 30HQ==
X-Received: by 10.194.206.67 with SMTP id lm3mr46182250wjc.70.1407670858387; Sun, 10 Aug 2014 04:40:58 -0700 (PDT)
Received: from [192.168.1.100] (bzq-84-109-50-18.red.bezeqint.net. [84.109.50.18]) by mx.google.com with ESMTPSA id jx10sm5667888wjc.7.2014.08.10.04.40.57 for <multiple recipients> (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Sun, 10 Aug 2014 04:40:57 -0700 (PDT)
Content-Type: text/plain; charset=windows-1252
Mime-Version: 1.0 (Mac OS X Mail 7.3 \(1878.6\))
From: Yoav Nir <ynir.ietf@gmail.com>
In-Reply-To: <53E75740.1060200@gondrom.org>
Date: Sun, 10 Aug 2014 14:40:59 +0300
Content-Transfer-Encoding: quoted-printable
Message-Id: <11E76DB3-F10C-4C1C-9720-97F590639044@gmail.com>
References: <20140808190533.56A431801A4@rfc-editor.org> <CALaySJJB=g_gD9rFVoLU7JW7SkVvq9bK_H71TdPq3-em0JLFfQ@mail.gmail.com> <COL131-DS14E7BAAD30061ECA07D1D5F0EE0@phx.gbl> <CALaySJJe6v7JwceN+TucqtdJWA9dh3+oj6-awYXHJwY6iZEvzA@mail.gmail.com> <151DC1A6-B162-4EF7-A78B-3723A64F7D84@gmail.com> <COL131-DS10F844603100882CC36852F0EE0@phx.gbl> <85006244-94CE-4AD8-9042-4C8CDF216C12@gmail.com> <53E75740.1060200@gondrom.org>
To: Tobias Gondrom <tobias.gondrom@gondrom.org>
X-Mailer: Apple Mail (2.1878.6)
Archived-At: http://mailarchive.ietf.org/arch/msg/websec/ccjIDxNcy05FkTsCXT5tYKvrH_U
Cc: Eric Lawrence <e_lawrence@hotmail.com>, Jeff.Hodges@paypal.com, Pete Resnick <presnick@qti.qualcomm.com>, IETF WebSec WG <websec@ietf.org>, Collin Jackson <collin.jackson@sv.cmu.edu>, Barry Leiba <barryleiba@computer.org>
Subject: Re: [websec] [Technical Errata Reported] RFC6797 (4075)
X-BeenThere: websec@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/websec>, <mailto:websec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/websec/>
List-Post: <mailto:websec@ietf.org>
List-Help: <mailto:websec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/websec>, <mailto:websec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 10 Aug 2014 11:41:01 -0000

On Aug 10, 2014, at 2:28 PM, Tobias Gondrom <tobias.gondrom@gondrom.org> =
wrote:

> Thanks.
>=20
> I agree, this is an "update" and not an "errata".
>=20
> However, am not sure how to best retain this information:
> Because this is a good point for a best practice.
> And be it only in advising the best practice when using HSTS, like
> simply including one link to the parent https://example.com to avoid
> having unprotected parent-domains.

Well, if we could talk Eric into writing a draft=85


From nobody Sun Aug 10 04:48:14 2014
Return-Path: <tobias.gondrom@gondrom.org>
X-Original-To: websec@ietfa.amsl.com
Delivered-To: websec@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 67EFB1A06ED for <websec@ietfa.amsl.com>; Sun, 10 Aug 2014 04:48:13 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.668
X-Spam-Level: 
X-Spam-Status: No, score=-102.668 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RP_MATCHES_RCVD=-0.668, SPF_PASS=-0.001, USER_IN_WHITELIST=-100] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Se_A-ZxO_YyM for <websec@ietfa.amsl.com>; Sun, 10 Aug 2014 04:48:12 -0700 (PDT)
Received: from www.gondrom.org (www.gondrom.org [91.250.114.153]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D779E1A06EA for <websec@ietf.org>; Sun, 10 Aug 2014 04:48:11 -0700 (PDT)
X-No-Relay: not in my network
DomainKey-Signature: a=rsa-sha1;  q=dns; c=nofws; s=default; d=gondrom.org; b=L458J1HyEMOX9SRQbYY/snVhdojDQhj+gBqS4HmgqlABm4z1qZJFPSxXSQ83jqEs63fgPK/c0uUVuCykrdjtKl9Qvhq2ElgBiKOa7B9kEtqZ0O8XPKwjHuklSt9FugWANEIGWzsik31O/WajYXy8d570jYmhKSB6ZLOoQ4S8VZU=; h=X-No-Relay:X-No-Relay:X-No-Relay:X-No-Relay:X-No-Relay:X-No-Relay:X-No-Relay:Received:Message-ID:Date:From:User-Agent:MIME-Version:To:CC:Subject:References:In-Reply-To:Content-Type;
X-No-Relay: not in my network
X-No-Relay: not in my network
X-No-Relay: not in my network
X-No-Relay: not in my network
X-No-Relay: not in my network
X-No-Relay: not in my network
X-No-Relay: not in my network
Received: from [192.168.0.6] (46-64-103-184.zone15.bethere.co.uk [46.64.103.184]) by www.gondrom.org (Postfix) with ESMTPSA id 9A57C1539004F; Sun, 10 Aug 2014 13:48:09 +0200 (CEST)
Message-ID: <53E75BF8.2060204@gondrom.org>
Date: Sun, 10 Aug 2014 12:48:08 +0100
From: Tobias Gondrom <tobias.gondrom@gondrom.org>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Thunderbird/24.6.0
MIME-Version: 1.0
To: ynir.ietf@gmail.com
References: <20140808190533.56A431801A4@rfc-editor.org> <CALaySJJB=g_gD9rFVoLU7JW7SkVvq9bK_H71TdPq3-em0JLFfQ@mail.gmail.com> <COL131-DS14E7BAAD30061ECA07D1D5F0EE0@phx.gbl> <CALaySJJe6v7JwceN+TucqtdJWA9dh3+oj6-awYXHJwY6iZEvzA@mail.gmail.com> <151DC1A6-B162-4EF7-A78B-3723A64F7D84@gmail.com> <COL131-DS10F844603100882CC36852F0EE0@phx.gbl> <85006244-94CE-4AD8-9042-4C8CDF216C12@gmail.com> <53E75740.1060200@gondrom.org> <11E76DB3-F10C-4C1C-9720-97F590639044@gmail.com>
In-Reply-To: <11E76DB3-F10C-4C1C-9720-97F590639044@gmail.com>
Content-Type: multipart/alternative; boundary="------------080104010407040506070101"
Archived-At: http://mailarchive.ietf.org/arch/msg/websec/npTdsU0gw0oOYeekogoeWASzi1A
Cc: e_lawrence@hotmail.com, Jeff.Hodges@paypal.com, presnick@qti.qualcomm.com, websec@ietf.org, collin.jackson@sv.cmu.edu, barryleiba@computer.org
Subject: Re: [websec] [Technical Errata Reported] RFC6797 (4075)
X-BeenThere: websec@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/websec>, <mailto:websec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/websec/>
List-Post: <mailto:websec@ietf.org>
List-Help: <mailto:websec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/websec>, <mailto:websec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 10 Aug 2014 11:48:13 -0000

This is a multi-part message in MIME format.
--------------080104010407040506070101
Content-Type: text/plain; charset=windows-1252
Content-Transfer-Encoding: 8bit

On 10/08/14 12:40, Yoav Nir wrote:
> On Aug 10, 2014, at 2:28 PM, Tobias Gondrom <tobias.gondrom@gondrom.org> wrote:
>
>> Thanks.
>>
>> I agree, this is an "update" and not an "errata".
>>
>> However, am not sure how to best retain this information:
>> Because this is a good point for a best practice.
>> And be it only in advising the best practice when using HSTS, like
>> simply including one link to the parent https://example.com to avoid
>> having unprotected parent-domains.
> Well, if we could talk Eric into writing a draft…
>

In theory we/he could do an RFC6797bis for this.
And as the change is only small, the review period should also be
possible to keep contained.

On the other hand, personally, I am not sure a new RFC would really be
necessary, because it seems to me that with proper best practices
(declare HSTS Policy at their top-level domain + frequently include the
top-level, to make sure it's HSTS is still renewed) this can be solved
and there would be no change on the wire.

Best regards, Tobias


--------------080104010407040506070101
Content-Type: text/html; charset=windows-1252
Content-Transfer-Encoding: 8bit

<html>
  <head>
    <meta content="text/html; charset=windows-1252"
      http-equiv="Content-Type">
  </head>
  <body bgcolor="#FFFFFF" text="#000000">
    <div class="moz-cite-prefix">On 10/08/14 12:40, Yoav Nir wrote:<br>
    </div>
    <blockquote
      cite="mid:11E76DB3-F10C-4C1C-9720-97F590639044@gmail.com"
      type="cite">
      <pre wrap="">
On Aug 10, 2014, at 2:28 PM, Tobias Gondrom <a class="moz-txt-link-rfc2396E" href="mailto:tobias.gondrom@gondrom.org">&lt;tobias.gondrom@gondrom.org&gt;</a> wrote:

</pre>
      <blockquote type="cite">
        <pre wrap="">Thanks.

I agree, this is an "update" and not an "errata".

However, am not sure how to best retain this information:
Because this is a good point for a best practice.
And be it only in advising the best practice when using HSTS, like
simply including one link to the parent <a class="moz-txt-link-freetext" href="https://example.com">https://example.com</a> to avoid
having unprotected parent-domains.
</pre>
      </blockquote>
      <pre wrap="">
Well, if we could talk Eric into writing a draft…

</pre>
    </blockquote>
    <br>
    <font face="Arial">In theory we/he could do an RFC6797bis for this.
      <br>
      And as the change is only small, the review period should also be
      possible to keep contained. <br>
      <br>
      On the other hand, personally, I am not sure a new RFC would
      really be necessary, because it seems to me that with proper best
      practices (declare HSTS Policy at their top-level domain +
      frequently include the top-level, to make sure it's HSTS is still
      renewed) this can be solved and there would be no change on the
      wire. <br>
      <br>
      Best regards, Tobias<br>
      <br>
    </font>
  </body>
</html>

--------------080104010407040506070101--


From nobody Sun Aug 10 04:53:07 2014
Return-Path: <ynir.ietf@gmail.com>
X-Original-To: websec@ietfa.amsl.com
Delivered-To: websec@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 138511A06F0 for <websec@ietfa.amsl.com>; Sun, 10 Aug 2014 04:53:06 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level: 
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id NxvM70GlSo31 for <websec@ietfa.amsl.com>; Sun, 10 Aug 2014 04:53:01 -0700 (PDT)
Received: from mail-wi0-x22e.google.com (mail-wi0-x22e.google.com [IPv6:2a00:1450:400c:c05::22e]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2B1111A06EB for <websec@ietf.org>; Sun, 10 Aug 2014 04:53:01 -0700 (PDT)
Received: by mail-wi0-f174.google.com with SMTP id d1so2987681wiv.7 for <websec@ietf.org>; Sun, 10 Aug 2014 04:52:58 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113;  h=content-type:mime-version:subject:from:in-reply-to:date:cc :message-id:references:to; bh=SVmqrhyBW1kXv8gpns6O8V9a2HZVd3hkyopH9Zh2iw4=; b=BWVYPDOvh9InWwNJm5izIxuD2Stq0TdegyaKC2lzUWhPY5ceE2ktgmLrn8ydJgUiI6 rCaY6OejNMplC3PFAcAErewTcTO+SEvyyN5kAQ8iBH/Ls/q1U1xlMIDl+zcKpw/V1yyo 9PktqoZeYxqAjzs9+iIJyMqnMkF2N639q4lUUo1GhY61AlrD1J1AwWf5+QA++DKzqaEk qOwY7iWJ0InS3ak+lz+NRPVQlD0ruOgVZbO+jmzT1pi5/fJfuq9oL8URrYlKDRSF7QzC MtpuxT82591lOE4UQxqSga5ErMObypvg8wY0p1nw58pIHprd3AvRkS1YRH7INbd5o1wk mJmw==
X-Received: by 10.194.71.52 with SMTP id r20mr2590970wju.113.1407671578260; Sun, 10 Aug 2014 04:52:58 -0700 (PDT)
Received: from [192.168.1.100] (bzq-84-109-50-18.red.bezeqint.net. [84.109.50.18]) by mx.google.com with ESMTPSA id ko8sm31573381wjc.11.2014.08.10.04.52.56 for <multiple recipients> (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Sun, 10 Aug 2014 04:52:57 -0700 (PDT)
Content-Type: multipart/alternative; boundary="Apple-Mail=_9FA85A13-79D2-42C7-9FC8-C16971587FC3"
Mime-Version: 1.0 (Mac OS X Mail 7.3 \(1878.6\))
From: Yoav Nir <ynir.ietf@gmail.com>
In-Reply-To: <53E75BF8.2060204@gondrom.org>
Date: Sun, 10 Aug 2014 14:52:58 +0300
Message-Id: <E9C1EFBA-F9C6-4196-9C6B-A7F3707E7137@gmail.com>
References: <20140808190533.56A431801A4@rfc-editor.org> <CALaySJJB=g_gD9rFVoLU7JW7SkVvq9bK_H71TdPq3-em0JLFfQ@mail.gmail.com> <COL131-DS14E7BAAD30061ECA07D1D5F0EE0@phx.gbl> <CALaySJJe6v7JwceN+TucqtdJWA9dh3+oj6-awYXHJwY6iZEvzA@mail.gmail.com> <151DC1A6-B162-4EF7-A78B-3723A64F7D84@gmail.com> <COL131-DS10F844603100882CC36852F0EE0@phx.gbl> <85006244-94CE-4AD8-9042-4C8CDF216C12@gmail.com> <53E75740.1060200@gondrom.org> <11E76DB3-F10C-4C1C-9720-97F590639044@gmail.com> <53E75BF8.2060204@gondrom.org>
To: Tobias Gondrom <tobias.gondrom@gondrom.org>
X-Mailer: Apple Mail (2.1878.6)
Archived-At: http://mailarchive.ietf.org/arch/msg/websec/Ub3gJfES_FLVv-6vbvG_JY96udQ
Cc: e_lawrence@hotmail.com, Jeff.Hodges@paypal.com, presnick@qti.qualcomm.com, websec@ietf.org, collin.jackson@sv.cmu.edu, barryleiba@computer.org
Subject: Re: [websec] [Technical Errata Reported] RFC6797 (4075)
X-BeenThere: websec@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/websec>, <mailto:websec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/websec/>
List-Post: <mailto:websec@ietf.org>
List-Help: <mailto:websec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/websec>, <mailto:websec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 10 Aug 2014 11:53:06 -0000

--Apple-Mail=_9FA85A13-79D2-42C7-9FC8-C16971587FC3
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain;
	charset=windows-1252


On Aug 10, 2014, at 2:48 PM, Tobias Gondrom <tobias.gondrom@gondrom.org> =
wrote:

> On 10/08/14 12:40, Yoav Nir wrote:
>> On Aug 10, 2014, at 2:28 PM, Tobias Gondrom =
<tobias.gondrom@gondrom.org> wrote:
>>=20
>>> Thanks.
>>>=20
>>> I agree, this is an "update" and not an "errata".
>>>=20
>>> However, am not sure how to best retain this information:
>>> Because this is a good point for a best practice.
>>> And be it only in advising the best practice when using HSTS, like
>>> simply including one link to the parent https://example.com to avoid
>>> having unprotected parent-domains.
>> Well, if we could talk Eric into writing a draft=85
>>=20
>=20
> In theory we/he could do an RFC6797bis for this.=20
> And as the change is only small, the review period should also be =
possible to keep contained.=20
>=20
> On the other hand, personally, I am not sure a new RFC would really be =
necessary, because it seems to me that with proper best practices =
(declare HSTS Policy at their top-level domain + frequently include the =
top-level, to make sure it's HSTS is still renewed) this can be solved =
and there would be no change on the wire.=20

So we get an Informational draft called =93best practices in using =
HSTS=94. 2 pages long unless we rathole and add lots of stuff.


--Apple-Mail=_9FA85A13-79D2-42C7-9FC8-C16971587FC3
Content-Transfer-Encoding: quoted-printable
Content-Type: text/html;
	charset=windows-1252

<html><head><meta http-equiv=3D"Content-Type" content=3D"text/html =
charset=3Dwindows-1252"></head><body style=3D"word-wrap: break-word; =
-webkit-nbsp-mode: space; -webkit-line-break: =
after-white-space;"><br><div><div>On Aug 10, 2014, at 2:48 PM, Tobias =
Gondrom &lt;<a =
href=3D"mailto:tobias.gondrom@gondrom.org">tobias.gondrom@gondrom.org</a>&=
gt; wrote:</div><br class=3D"Apple-interchange-newline"><blockquote =
type=3D"cite">
 =20
    <meta content=3D"text/html; charset=3Dwindows-1252" =
http-equiv=3D"Content-Type">
 =20
  <div bgcolor=3D"#FFFFFF" text=3D"#000000">
    <div class=3D"moz-cite-prefix">On 10/08/14 12:40, Yoav Nir =
wrote:<br>
    </div>
    <blockquote =
cite=3D"mid:11E76DB3-F10C-4C1C-9720-97F590639044@gmail.com" type=3D"cite">=

      <pre wrap=3D"">On Aug 10, 2014, at 2:28 PM, Tobias Gondrom <a =
class=3D"moz-txt-link-rfc2396E" =
href=3D"mailto:tobias.gondrom@gondrom.org">&lt;tobias.gondrom@gondrom.org&=
gt;</a> wrote:

</pre>
      <blockquote type=3D"cite">
        <pre wrap=3D"">Thanks.

I agree, this is an "update" and not an "errata".

However, am not sure how to best retain this information:
Because this is a good point for a best practice.
And be it only in advising the best practice when using HSTS, like
simply including one link to the parent <a class=3D"moz-txt-link-freetext"=
 href=3D"https://example.com/">https://example.com</a> to avoid
having unprotected parent-domains.
</pre>
      </blockquote>
      <pre wrap=3D"">Well, if we could talk Eric into writing a draft=85

</pre>
    </blockquote>
    <br>
    <font face=3D"Arial">In theory we/he could do an RFC6797bis for =
this.
      <br>
      And as the change is only small, the review period should also be
      possible to keep contained. <br>
      <br>
      On the other hand, personally, I am not sure a new RFC would
      really be necessary, because it seems to me that with proper best
      practices (declare HSTS Policy at their top-level domain +
      frequently include the top-level, to make sure it's HSTS is still
      renewed) this can be solved and there would be no change on the
      wire. <br></font></div></blockquote><br></div><div>So we get an =
Informational draft called =93best practices in using HSTS=94. 2 pages =
long unless we rathole and add lots of stuff.</div><br></body></html>=

--Apple-Mail=_9FA85A13-79D2-42C7-9FC8-C16971587FC3--


From nobody Sun Aug 10 08:02:13 2014
Return-Path: <barryleiba@gmail.com>
X-Original-To: websec@ietfa.amsl.com
Delivered-To: websec@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C72BD1A0748 for <websec@ietfa.amsl.com>; Sun, 10 Aug 2014 08:02:07 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.278
X-Spam-Level: 
X-Spam-Status: No, score=-1.278 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, FM_FORGED_GMAIL=0.622, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id BrKq8saZY-qv for <websec@ietfa.amsl.com>; Sun, 10 Aug 2014 08:02:06 -0700 (PDT)
Received: from mail-la0-x233.google.com (mail-la0-x233.google.com [IPv6:2a00:1450:4010:c03::233]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 320CF1A0741 for <websec@ietf.org>; Sun, 10 Aug 2014 08:02:03 -0700 (PDT)
Received: by mail-la0-f51.google.com with SMTP id pn19so5867517lab.24 for <websec@ietf.org>; Sun, 10 Aug 2014 08:02:02 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113;  h=mime-version:sender:in-reply-to:references:date:message-id:subject :from:to:cc:content-type; bh=LLEDlg14wdZVX0qL1OxlAOHXnE4nvtTNCegqnTJhCxs=; b=QQrl+YmFeTqWvHLoSKkSVFawruN8cwllQvW6B9ctSilbAF7JPFoJYdkRu2t7L2JCxx EnW3br/OGR7BRHaRbhyQrAICcdjpLNXJynt51TufTg8Xpxm3rWjQ8h5D3utxG9/VF7qM 3slHfa3DmQmojGOYNuh+O7+F+Gqf6HdfKF//xRK7OlquEzoKzvPWC9PI2WckKhvN+t9w 5PC8bYkllqS0xZ4Qee8Y77tuXMW14kQziBV1rUKUyLZ3U5TguiHSnhwnPI3oypd64KL3 5yLw6BEminDkqWfYSDa28blMtHkANFoqZ8rxEjB6OJfSnjOnNMe4XwmfWULAGwqOc62T fm9Q==
MIME-Version: 1.0
X-Received: by 10.152.36.135 with SMTP id q7mr33316333laj.42.1407682922235; Sun, 10 Aug 2014 08:02:02 -0700 (PDT)
Sender: barryleiba@gmail.com
Received: by 10.152.8.46 with HTTP; Sun, 10 Aug 2014 08:02:02 -0700 (PDT)
In-Reply-To: <E9C1EFBA-F9C6-4196-9C6B-A7F3707E7137@gmail.com>
References: <20140808190533.56A431801A4@rfc-editor.org> <CALaySJJB=g_gD9rFVoLU7JW7SkVvq9bK_H71TdPq3-em0JLFfQ@mail.gmail.com> <COL131-DS14E7BAAD30061ECA07D1D5F0EE0@phx.gbl> <CALaySJJe6v7JwceN+TucqtdJWA9dh3+oj6-awYXHJwY6iZEvzA@mail.gmail.com> <151DC1A6-B162-4EF7-A78B-3723A64F7D84@gmail.com> <COL131-DS10F844603100882CC36852F0EE0@phx.gbl> <85006244-94CE-4AD8-9042-4C8CDF216C12@gmail.com> <53E75740.1060200@gondrom.org> <11E76DB3-F10C-4C1C-9720-97F590639044@gmail.com> <53E75BF8.2060204@gondrom.org> <E9C1EFBA-F9C6-4196-9C6B-A7F3707E7137@gmail.com>
Date: Sun, 10 Aug 2014 11:02:02 -0400
X-Google-Sender-Auth: YxSSeTvzt5le1TO1FVjKBVptm7Y
Message-ID: <CALaySJLvC5fTvOg=73689z=B4Fv1jT=61GOMeJgOcmmuUErPow@mail.gmail.com>
From: Barry Leiba <barryleiba@computer.org>
To: Yoav Nir <ynir.ietf@gmail.com>
Content-Type: text/plain; charset=ISO-8859-1
Archived-At: http://mailarchive.ietf.org/arch/msg/websec/psvkY2bMB8jQ6-UlpGhLAbhAC1U
Cc: Eric Lawrence <e_lawrence@hotmail.com>, Jeff Hodges <Jeff.Hodges@paypal.com>, Pete Resnick <presnick@qti.qualcomm.com>, "websec@ietf.org" <websec@ietf.org>, Collin Jackson <collin.jackson@sv.cmu.edu>
Subject: Re: [websec] [Technical Errata Reported] RFC6797 (4075)
X-BeenThere: websec@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/websec>, <mailto:websec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/websec/>
List-Post: <mailto:websec@ietf.org>
List-Help: <mailto:websec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/websec>, <mailto:websec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 10 Aug 2014 15:02:11 -0000

>> I agree, this is an "update" and not an "errata".
>>
>> However, am not sure how to best retain this information:
>> Because this is a good point for a best practice.
>> And be it only in advising the best practice when using HSTS, like
>> simply including one link to the parent https://example.com to avoid
>> having unprotected parent-domains.
>
> Well, if we could talk Eric into writing a draft...
...
> So we get an Informational draft called "best practices in using HSTS". 2
> pages long unless we rathole and add lots of stuff.

That absolutely seems the best approach, and have it "update" 6797.  I
would love it if Eric would be a co-author, and I think we can keep
the working group going long enough to do this.

To Tobias's more general question of where we keep track of these
sorts of things when we don't have a working group to pick it up and
go with it:  Yes, that's something we've been discussing.  If we have
a former working group to work from, there's a wiki on tools.ietf.org
(websec's is at <http://trac.tools.ietf.org/wg/websec/trac/wiki>, and
it's entirely unused, but some working groups do use theirs).  I've
been suggesting that we make a habit of keeping updates, change
requests, follow-on notes, and other non-errata things there, on the
appropriate current or former WG wiki.  If there's no obvious WG, we
can use the appsawg wiki at
<http://trac.tools.ietf.org/wg/appsawg/trac/wiki> for App Area stuff.
The only bad thing about that is that there's no pointer from the RFC
to the appropriate wiki, and we've talked about establishing some sort
of per-RFC wiki also, or maybe just a per-RFC pointer to a wiki.

Barry


From nobody Sun Aug 10 12:04:50 2014
Return-Path: <tobias.gondrom@gondrom.org>
X-Original-To: websec@ietfa.amsl.com
Delivered-To: websec@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 703411A010F for <websec@ietfa.amsl.com>; Sun, 10 Aug 2014 12:04:49 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.668
X-Spam-Level: 
X-Spam-Status: No, score=-102.668 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RP_MATCHES_RCVD=-0.668, SPF_PASS=-0.001, USER_IN_WHITELIST=-100] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ppZfNEe4_aGt for <websec@ietfa.amsl.com>; Sun, 10 Aug 2014 12:04:47 -0700 (PDT)
Received: from www.gondrom.org (www.gondrom.org [91.250.114.153]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3F9201A0009 for <websec@ietf.org>; Sun, 10 Aug 2014 12:04:47 -0700 (PDT)
X-No-Relay: not in my network
DomainKey-Signature: a=rsa-sha1;  q=dns; c=nofws; s=default; d=gondrom.org; b=OcAxrbAKb04Wyjx3aYAKCE0XkEsp184jtW8ECZJBmbpm7d9+nh1s7t+yrbilqDsIO61UZ+PRf2ZbifW0AZ/rWK1BGgvMQaVgKY8Cg6jT5pb1k7++CcuJreXi8ATrNQQeDVFG/1Lfj3WDT+7nyiSIU3crMShIH2QoHasa1nLGTxk=; h=X-No-Relay:X-No-Relay:X-No-Relay:X-No-Relay:X-No-Relay:X-No-Relay:X-No-Relay:Received:Message-ID:Date:From:User-Agent:MIME-Version:To:CC:Subject:References:In-Reply-To:Content-Type;
X-No-Relay: not in my network
X-No-Relay: not in my network
X-No-Relay: not in my network
X-No-Relay: not in my network
X-No-Relay: not in my network
X-No-Relay: not in my network
X-No-Relay: not in my network
Received: from [192.168.0.6] (46-64-103-184.zone15.bethere.co.uk [46.64.103.184]) by www.gondrom.org (Postfix) with ESMTPSA id 3314115390052; Sun, 10 Aug 2014 21:04:44 +0200 (CEST)
Message-ID: <53E7C248.1070301@gondrom.org>
Date: Sun, 10 Aug 2014 20:04:40 +0100
From: Tobias Gondrom <tobias.gondrom@gondrom.org>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Thunderbird/24.6.0
MIME-Version: 1.0
To: barryleiba@computer.org, ynir.ietf@gmail.com
References: <20140808190533.56A431801A4@rfc-editor.org>	<CALaySJJB=g_gD9rFVoLU7JW7SkVvq9bK_H71TdPq3-em0JLFfQ@mail.gmail.com>	<COL131-DS14E7BAAD30061ECA07D1D5F0EE0@phx.gbl>	<CALaySJJe6v7JwceN+TucqtdJWA9dh3+oj6-awYXHJwY6iZEvzA@mail.gmail.com>	<151DC1A6-B162-4EF7-A78B-3723A64F7D84@gmail.com>	<COL131-DS10F844603100882CC36852F0EE0@phx.gbl>	<85006244-94CE-4AD8-9042-4C8CDF216C12@gmail.com>	<53E75740.1060200@gondrom.org>	<11E76DB3-F10C-4C1C-9720-97F590639044@gmail.com>	<53E75BF8.2060204@gondrom.org>	<E9C1EFBA-F9C6-4196-9C6B-A7F3707E7137@gmail.com> <CALaySJLvC5fTvOg=73689z=B4Fv1jT=61GOMeJgOcmmuUErPow@mail.gmail.com>
In-Reply-To: <CALaySJLvC5fTvOg=73689z=B4Fv1jT=61GOMeJgOcmmuUErPow@mail.gmail.com>
Content-Type: multipart/alternative; boundary="------------010704050706030008060007"
Archived-At: http://mailarchive.ietf.org/arch/msg/websec/8vlmJonHY4ebVoL8R3X4jVATQBE
Cc: e_lawrence@hotmail.com, Jeff.Hodges@paypal.com, presnick@qti.qualcomm.com, websec@ietf.org, collin.jackson@sv.cmu.edu
Subject: Re: [websec] [Technical Errata Reported] RFC6797 (4075)
X-BeenThere: websec@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/websec>, <mailto:websec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/websec/>
List-Post: <mailto:websec@ietf.org>
List-Help: <mailto:websec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/websec>, <mailto:websec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 10 Aug 2014 19:04:49 -0000

This is a multi-part message in MIME format.
--------------010704050706030008060007
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit

On 10/08/14 16:02, Barry Leiba wrote:
>>> I agree, this is an "update" and not an "errata".
>>>
>>> However, am not sure how to best retain this information:
>>> Because this is a good point for a best practice.
>>> And be it only in advising the best practice when using HSTS, like
>>> simply including one link to the parent https://example.com to avoid
>>> having unprotected parent-domains.
>> Well, if we could talk Eric into writing a draft...
> ...
>> So we get an Informational draft called "best practices in using HSTS". 2
>> pages long unless we rathole and add lots of stuff.
> That absolutely seems the best approach, and have it "update" 6797.  I
> would love it if Eric would be a co-author, and I think we can keep
> the working group going long enough to do this.
>
> To Tobias's more general question of where we keep track of these
> sorts of things when we don't have a working group to pick it up and
> go with it:  Yes, that's something we've been discussing.  If we have
> a former working group to work from, there's a wiki on tools.ietf.org
> (websec's is at <http://trac.tools.ietf.org/wg/websec/trac/wiki>, and
> it's entirely unused, but some working groups do use theirs).  I've
> been suggesting that we make a habit of keeping updates, change
> requests, follow-on notes, and other non-errata things there, on the
> appropriate current or former WG wiki.  If there's no obvious WG, we
> can use the appsawg wiki at
> <http://trac.tools.ietf.org/wg/appsawg/trac/wiki> for App Area stuff.
> The only bad thing about that is that there's no pointer from the RFC
> to the appropriate wiki, and we've talked about establishing some sort
> of per-RFC wiki also, or maybe just a per-RFC pointer to a wiki.
>
> Barry

I agree.

The question is, does Eric (and maybe Jeff or anybody else) want to do a
small update informational RFC?

Best regards, Tobias


Ps.: and thanks for the clarification about the Wiki.


--------------010704050706030008060007
Content-Type: text/html; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit

<html>
  <head>
    <meta content="text/html; charset=ISO-8859-1"
      http-equiv="Content-Type">
  </head>
  <body bgcolor="#FFFFFF" text="#000000">
    <div class="moz-cite-prefix">On 10/08/14 16:02, Barry Leiba wrote:<br>
    </div>
    <blockquote
cite="mid:CALaySJLvC5fTvOg=73689z=B4Fv1jT=61GOMeJgOcmmuUErPow@mail.gmail.com"
      type="cite">
      <blockquote type="cite">
        <blockquote type="cite">
          <pre wrap="">I agree, this is an "update" and not an "errata".

However, am not sure how to best retain this information:
Because this is a good point for a best practice.
And be it only in advising the best practice when using HSTS, like
simply including one link to the parent <a class="moz-txt-link-freetext" href="https://example.com">https://example.com</a> to avoid
having unprotected parent-domains.
</pre>
        </blockquote>
        <pre wrap="">
Well, if we could talk Eric into writing a draft...
</pre>
      </blockquote>
      <pre wrap="">...
</pre>
      <blockquote type="cite">
        <pre wrap="">So we get an Informational draft called "best practices in using HSTS". 2
pages long unless we rathole and add lots of stuff.
</pre>
      </blockquote>
      <pre wrap="">
That absolutely seems the best approach, and have it "update" 6797.  I
would love it if Eric would be a co-author, and I think we can keep
the working group going long enough to do this.

To Tobias's more general question of where we keep track of these
sorts of things when we don't have a working group to pick it up and
go with it:  Yes, that's something we've been discussing.  If we have
a former working group to work from, there's a wiki on tools.ietf.org
(websec's is at <a class="moz-txt-link-rfc2396E" href="http://trac.tools.ietf.org/wg/websec/trac/wiki">&lt;http://trac.tools.ietf.org/wg/websec/trac/wiki&gt;</a>, and
it's entirely unused, but some working groups do use theirs).  I've
been suggesting that we make a habit of keeping updates, change
requests, follow-on notes, and other non-errata things there, on the
appropriate current or former WG wiki.  If there's no obvious WG, we
can use the appsawg wiki at
<a class="moz-txt-link-rfc2396E" href="http://trac.tools.ietf.org/wg/appsawg/trac/wiki">&lt;http://trac.tools.ietf.org/wg/appsawg/trac/wiki&gt;</a> for App Area stuff.
The only bad thing about that is that there's no pointer from the RFC
to the appropriate wiki, and we've talked about establishing some sort
of per-RFC wiki also, or maybe just a per-RFC pointer to a wiki.

Barry
</pre>
    </blockquote>
    <font face="Arial"><br>
      I agree. <br>
      <br>
      The question is, does Eric (and maybe Jeff or anybody else) want
      to do a small update informational RFC? <br>
      <br>
      Best regards, Tobias<br>
      <br>
      <br>
      Ps.: and thanks for the clarification about the Wiki. <br>
      <br>
    </font>
  </body>
</html>

--------------010704050706030008060007--


From nobody Sun Aug 10 16:18:44 2014
Return-Path: <jbonneau@gmail.com>
X-Original-To: websec@ietfa.amsl.com
Delivered-To: websec@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3BD901A017A for <websec@ietfa.amsl.com>; Sun, 10 Aug 2014 16:18:43 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level: 
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Y-fQg2Bin9ie for <websec@ietfa.amsl.com>; Sun, 10 Aug 2014 16:18:41 -0700 (PDT)
Received: from mail-vc0-x231.google.com (mail-vc0-x231.google.com [IPv6:2607:f8b0:400c:c03::231]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 25ADF1A0178 for <websec@ietf.org>; Sun, 10 Aug 2014 16:18:41 -0700 (PDT)
Received: by mail-vc0-f177.google.com with SMTP id hy4so10795569vcb.36 for <websec@ietf.org>; Sun, 10 Aug 2014 16:18:40 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113;  h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc:content-type; bh=1pFAVtmwExB3ZYKNAkclBozrUDicZEiOSw4/0P2o7Eg=; b=uXloBR7fbcwfH+zsCBEfHLASRyfDL98RvHF1YxrIZW3oOi/hBKTPJkJxBkVTY3Y48a DOB9FMVfHxkU5wUiYWKCBMqYZix9WjIbJXvKmdwa0GflpdBrzY0q0051iqN4hgiRzmlv 5A1OiBLUmr3UnmajBqVECt1h0h5I3O8CE4vXJrrFgzxB6uSOixFK7jGJX0Ct2uhpUD2N m0dSWkXWvAnzm4anGPYzM041KJWWIKX5+uctfMIDSCScOP1Tcw5NF1xmwBPX9suW4Cd4 oHmUThn8xfcBMNHVS29lBD8Z8sYV1kk/BKiDcEhwde0c1s/xXagQ+rTWehbbvqn95BuC Pv4g==
X-Received: by 10.52.6.138 with SMTP id b10mr33083vda.84.1407712720014; Sun, 10 Aug 2014 16:18:40 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.220.100.148 with HTTP; Sun, 10 Aug 2014 16:17:56 -0700 (PDT)
In-Reply-To: <9324C2B1-7DAA-418B-87C2-7D4CFABD8B1C@gmail.com>
References: <53E708DB.4010505@KingsMountain.com> <53E74295.7060402@gondrom.org> <9324C2B1-7DAA-418B-87C2-7D4CFABD8B1C@gmail.com>
From: Joseph Bonneau <jbonneau@gmail.com>
Date: Sun, 10 Aug 2014 19:17:56 -0400
Message-ID: <CAOe4Uik8F44zCLBVvZFEDTURTWcVc_u4oz=AVMn8eFPpOKKQjw@mail.gmail.com>
To: Yoav Nir <ynir.ietf@gmail.com>
Content-Type: multipart/alternative; boundary=20cf302ef2ba9f52c905004ea8dd
Archived-At: http://mailarchive.ietf.org/arch/msg/websec/jfAXljLY-Gvd9hzFKNP1zIB445c
Cc: "<websec@ietf.org>" <websec@ietf.org>, "Michael J. Kranch" <mkranch@princeton.edu>
Subject: Re: [websec] fyi: State of HSTS Deployment in 2013-Oct
X-BeenThere: websec@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/websec>, <mailto:websec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/websec/>
List-Post: <mailto:websec@ietf.org>
List-Help: <mailto:websec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/websec>, <mailto:websec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 10 Aug 2014 23:18:43 -0000

--20cf302ef2ba9f52c905004ea8dd
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: quoted-printable

Hi all,

Michael Kranch and I have undertaken a similar effort this summer to study
both HSTS and key pinning in practice. Standard disclaimer, this is a
working draft that hasn't been peer reviewed yet (it's currently under
submission), but here's a draft of our findings:
http://jbonneau.com/doc/KB14-hsts_pinning_survey_working_draft.pdf

Compared to Lucas et al.'s paper our crawl was actually slightly smaller
(top 10k sites) but is more up-to-date and we checked for a few more
things. In particular we have a breakdown of bugs due to errors with the
interaction of cookies and pinning/HSTS and a survey of pinning "mixed
content" which I haven't seen documented previously. We'll get the code up
publicly soon as well.

Hopefully our work is also of interest to this list and we'd very much
appreciate any feedback!

Cheers,

Joe


On Sun, Aug 10, 2014 at 7:38 AM, Yoav Nir <ynir.ietf@gmail.com> wrote:

>
> On Aug 10, 2014, at 12:59 PM, Tobias Gondrom <tobias.gondrom@gondrom.org>
> wrote:
>
> > Hi Jeff,
> >
> > thanks for sharing. Good paper and interesting read.
> >
> > Even though things are slowly picking up in adoption, a bit
> > disappointing it's been only 277 out of 100000 sites in Oct 2013. (on a
> > personal note: this is consistent with my personal anecdotal experience=
:
> > as part of overall secure development training, I also mention HSTS to
> > developers a couple of times per year, and so far nearly none of them
> > used it before=E2=80=A6)
>
> My anecdotal evidence is that I tried to promote it at the company where =
I
> work. We sell (among other things) an SSL-VPN gateway. That is pretty muc=
h
> a pre-packaged web server, configurable to provide access to company
> resources such as email, ERP and whatever else employees need over a web
> interface.
>
> At first this looked to me like a great candidate for HSTS - it=E2=80=99s=
 only
> HTTPS, no HTTP. It=E2=80=99s pre-packaged, so we could add it without the
> administrators needing to do any work. In the end, what killed the idea w=
as
> what happens when certificates expire or when a valid certificate is
> replaced by an almost-valid certificate (missing alternate name). The
> administrators of our products run the gamut from IT professionals who ha=
ve
> been through our administration courses all the way to the CEO=E2=80=99s =
nephew
> who=E2=80=99s really good with computers (=E2=80=98cause he=E2=80=99s got=
 his own Facebook profile
> and everything). We felt it was too risky to just ship the server with HS=
TS
> on.
>
> It=E2=80=99s still possible to turn it on by editing some Apache configur=
ation
> files, but you really want security to be on by default.
>
> Yoav
>
> _______________________________________________
> websec mailing list
> websec@ietf.org
> https://www.ietf.org/mailman/listinfo/websec
>

--20cf302ef2ba9f52c905004ea8dd
Content-Type: text/html; charset=UTF-8
Content-Transfer-Encoding: quoted-printable

<div dir=3D"ltr">Hi all,<div><br></div><div>Michael Kranch and I have under=
taken a similar effort this summer to study both HSTS and key pinning in pr=
actice. Standard disclaimer, this is a working draft that hasn&#39;t been p=
eer reviewed yet (it&#39;s currently under submission), but here&#39;s a dr=
aft of our findings:=C2=A0<a href=3D"http://jbonneau.com/doc/KB14-hsts_pinn=
ing_survey_working_draft.pdf">http://jbonneau.com/doc/KB14-hsts_pinning_sur=
vey_working_draft.pdf</a></div>

<div><br></div><div>Compared to Lucas et al.&#39;s paper our crawl was actu=
ally slightly smaller (top 10k sites) but is more up-to-date and we checked=
 for a few more things. In particular we have a breakdown of bugs due to er=
rors with the interaction of cookies and pinning/HSTS and a survey of pinni=
ng &quot;mixed content&quot; which I haven&#39;t seen documented previously=
. We&#39;ll get the code up publicly soon as well.</div>

<div><br></div><div>Hopefully our work is also of interest to this list and=
 we&#39;d very much appreciate any feedback!</div><div><br></div><div>Cheer=
s,</div><div><br></div><div>Joe</div></div><div class=3D"gmail_extra"><br>

<br><div class=3D"gmail_quote">On Sun, Aug 10, 2014 at 7:38 AM, Yoav Nir <s=
pan dir=3D"ltr">&lt;<a href=3D"mailto:ynir.ietf@gmail.com" target=3D"_blank=
">ynir.ietf@gmail.com</a>&gt;</span> wrote:<br><blockquote class=3D"gmail_q=
uote" style=3D"margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1e=
x">

<div class=3D""><br>
On Aug 10, 2014, at 12:59 PM, Tobias Gondrom &lt;<a href=3D"mailto:tobias.g=
ondrom@gondrom.org">tobias.gondrom@gondrom.org</a>&gt; wrote:<br>
<br>
&gt; Hi Jeff,<br>
&gt;<br>
&gt; thanks for sharing. Good paper and interesting read.<br>
&gt;<br>
&gt; Even though things are slowly picking up in adoption, a bit<br>
&gt; disappointing it&#39;s been only 277 out of 100000 sites in Oct 2013. =
(on a<br>
&gt; personal note: this is consistent with my personal anecdotal experienc=
e:<br>
&gt; as part of overall secure development training, I also mention HSTS to=
<br>
&gt; developers a couple of times per year, and so far nearly none of them<=
br>
</div>&gt; used it before=E2=80=A6)<br>
<br>
My anecdotal evidence is that I tried to promote it at the company where I =
work. We sell (among other things) an SSL-VPN gateway. That is pretty much =
a pre-packaged web server, configurable to provide access to company resour=
ces such as email, ERP and whatever else employees need over a web interfac=
e.<br>


<br>
At first this looked to me like a great candidate for HSTS - it=E2=80=99s o=
nly HTTPS, no HTTP. It=E2=80=99s pre-packaged, so we could add it without t=
he administrators needing to do any work. In the end, what killed the idea =
was what happens when certificates expire or when a valid certificate is re=
placed by an almost-valid certificate (missing alternate name). The adminis=
trators of our products run the gamut from IT professionals who have been t=
hrough our administration courses all the way to the CEO=E2=80=99s nephew w=
ho=E2=80=99s really good with computers (=E2=80=98cause he=E2=80=99s got hi=
s own Facebook profile and everything). We felt it was too risky to just sh=
ip the server with HSTS on.<br>


<br>
It=E2=80=99s still possible to turn it on by editing some Apache configurat=
ion files, but you really want security to be on by default.<br>
<span class=3D"HOEnZb"><font color=3D"#888888"><br>
Yoav<br>
</font></span><div class=3D"HOEnZb"><div class=3D"h5"><br>
_______________________________________________<br>
websec mailing list<br>
<a href=3D"mailto:websec@ietf.org">websec@ietf.org</a><br>
<a href=3D"https://www.ietf.org/mailman/listinfo/websec" target=3D"_blank">=
https://www.ietf.org/mailman/listinfo/websec</a><br>
</div></div></blockquote></div><br></div>

--20cf302ef2ba9f52c905004ea8dd--


From nobody Mon Aug 11 09:00:28 2014
Return-Path: <elwynd@dial.pipex.com>
X-Original-To: websec@ietfa.amsl.com
Delivered-To: websec@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 407311A04B8; Mon, 11 Aug 2014 08:08:35 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -100.003
X-Spam-Level: 
X-Spam-Status: No, score=-100.003 tagged_above=-999 required=5 tests=[BAYES_20=-0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, USER_IN_WHITELIST=-100] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id l9GqI6lVwKQj; Mon, 11 Aug 2014 08:08:29 -0700 (PDT)
Received: from mk-outboundfilter-5.mail.uk.tiscali.com (mk-outboundfilter-5.mail.uk.tiscali.com [212.74.114.1]) by ietfa.amsl.com (Postfix) with ESMTP id D0C491A042D; Mon, 11 Aug 2014 08:08:28 -0700 (PDT)
X-Trace: 120630917/mk-outboundfilter-5.mail.uk.tiscali.com/PIPEX/$OFF_NET_AUTH_ACCEPTED/TUK-OFF-NET-SMTP-AUTH-PIPEX-Customers/81.187.254.252/None/elwynd@dial.pipex.com
X-SBRS: None
X-RemoteIP: 81.187.254.252
X-IP-MAIL-FROM: elwynd@dial.pipex.com
X-SMTP-AUTH: elwynd@dial.pipex.com
X-MUA: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Thunderbird/31.0
X-IP-BHB: Once
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: ArcEACTc6FNRu/78/2dsb2JhbABbg19XzQuHRgGBLoR6AQEEATIBBS0CEQEQCw4GBAkWDwkDAgECAQ82Bg0BBQIBAQWIJQMJDAm8GA2FYBeJf4MgJ4IGB4RMBY8GhjiCOYIvggmBV4U4hzqGMoFlG4FdawGBBiQ
X-IPAS-Result: ArcEACTc6FNRu/78/2dsb2JhbABbg19XzQuHRgGBLoR6AQEEATIBBS0CEQEQCw4GBAkWDwkDAgECAQ82Bg0BBQIBAQWIJQMJDAm8GA2FYBeJf4MgJ4IGB4RMBY8GhjiCOYIvggmBV4U4hzqGMoFlG4FdawGBBiQ
X-IronPort-AV: E=Sophos;i="5.01,842,1400022000"; d="scan'208";a="120630917"
X-IP-Direction: OUT
Received: from neut-f.netinf.eu (HELO [81.187.254.252]) ([81.187.254.252]) by smtp.pipex.tiscali.co.uk with ESMTP/TLS/DHE-RSA-AES128-SHA; 11 Aug 2014 16:08:26 +0100
Message-ID: <53E8DC68.5010803@dial.pipex.com>
Date: Mon, 11 Aug 2014 16:08:24 +0100
From: Elwyn Davies <elwynd@dial.pipex.com>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Thunderbird/31.0
MIME-Version: 1.0
To: Yoav Nir <ynir.ietf@gmail.com>
References: <53DA3F13.10007@dial.pipex.com> <A46FD7B1-0ECB-4AB9-990E-E09D4956591B@gmail.com> <549E489B-181F-48FA-867E-BA7C7FB3E32D@gmail.com>
In-Reply-To: <549E489B-181F-48FA-867E-BA7C7FB3E32D@gmail.com>
Content-Type: text/plain; charset=windows-1252; format=flowed
Content-Transfer-Encoding: 8bit
Archived-At: http://mailarchive.ietf.org/arch/msg/websec/iQLBrIcS88jvDmPcsrMsUNY_ie8
X-Mailman-Approved-At: Mon, 11 Aug 2014 09:00:26 -0700
Cc: draft-ietf-websec-key-pinning.all@tools.ietf.org, General area reviewing team <gen-art@ietf.org>, IETF WebSec WG <websec@ietf.org>
Subject: Re: [websec] Gen-art LC review of draft-ietf-websec-key-pinning-19
X-BeenThere: websec@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/websec>, <mailto:websec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/websec/>
List-Post: <mailto:websec@ietf.org>
List-Help: <mailto:websec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/websec>, <mailto:websec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 11 Aug 2014 15:08:35 -0000

Hi, Yoav and authors.


Thanks for the responses and -20 updates.  Apologies for the delay in 
replying (expedition to rural parts for my birthday!)

These have fixed several of the issues/nits but some remain as noted below.


On 04/08/14 16:49, Yoav Nir wrote:
> [ with no hats on ]
>
> inline
>
> On Jul 31, 2014, at 10:27 PM, Yoav Nir <ynir.ietf@gmail.com> wrote:
>> On Jul 31, 2014, at 4:05 PM, Elwyn Davies <elwynd@dial.pipex.com> wrote:
>>
>>> I am the assigned Gen-ART reviewer for this draft. For background on
>>> Gen-ART, please see the FAQ at
>>>
>>> <http://wiki.tools.ietf.org/area/gen/trac/wiki/GenArtfaq>.
>>>
>>> Please resolve these comments along with any other Last Call comments
>>> you may receive.
>>>
>>> Document: draft-ietf-websec-key-pinning-19.txt
>>> Reviewer: Elwyn Davies
>>> Review Date: 31 July 2014
>>> IETF LC End Date: 1 August 2014
>>> IESG Telechat date: (if known) -
>>>
>>> Summary:
>>> Almost ready.  There are some minor issues some of which may be as a result of some
>>> misunderstanding on my part.  The descriptive text in the early part of s2 is missing
>>> some definitions that make it unclear until they appear later on.  This makes the early
>>> descriptions more confusing that illuminating in places.  Suggestions in the detailed
>>> comments below.
>
> [YN] I believe the missing definitions you’re talking about are Pin, Pin Validation. I think anyone who reads this specification is familiar enough with HTTP to know what request, response, UA and directive mean. If so, I suggest that these can be defined in 1-2 sentences in section 1, even if they’re better explained later on.
>
>>> One thing that is not fully clear to me and could probably be explained to help others
>>> is the start up of the pinning mechanisms for a given host domain.  AFAICS Pin validation
>>> would possibly not be carried out on a first connection to a domain when there are no
>>> preconfigured Pins.  I am not clear if this adds anything to the risk of a MITM attack or
>>> does it in any way negate the value of the whole pinning process?  I was not clear if
>>> an effective Pin validation should be carried out during the first connection when the
>>> UA receives the host's Pins for the first time and decides that it is now a Pinned Host,
>>> in that the document doesn't state that the connection is terminated if the setting up
>>> of the Pinned host fails because the certs don't validate.
>
> Key pinning is a TOFU (trust on first use) mechanism. As such, the first time a UA connects to a domain there is no validation. A MitM attacking such a first connection will not be discovered. Worse, such a MitM can inject its own PKP header into the HTTP stream, and pin the UA to its own keys. Note that in order to pin false information, the attacker would have to be able to produce an error-free connection. Without compromising a trusted CA, this should not be possible, and the best that attackers can accomplish is to use an invalid TLS certificate, leading to an interstitial warning page.
>
> This is apparent from section 2.3.1, but perhaps deserves a short paragraph in the introduction.
>
Fine - done.

>>> Major issues:
>>> None
>>>
>>> Minor issues:
>>> s1: The term "Pin" (as a noun) is not explicitly defined. The definition doesn't appear
>>> until s2.4.
Done.
>>>
>>> s2.1.1: I'm not sure if this could be an issue.. should a maximum possible value for max_age
>>> be specified to avoid UA's being cluttered up with old Pins - this might possible be a DoS
>>> attack vehicle but I am not sure (yet) if it could be. OK.. so s2.3.3 talks about limits.
>>> A pointer to this discussion would be useful here

A pointer to the discussion in s2.3.3 would still help.

>>>
>>> s2.2.1: Does this response behaviour apply to all possible request types? Once a server has sent a
>>> Pin header should it send it again on all subsequent requests on the same TLS connection or is
>>> that a choice?  Given the "SHOULD" in s2.2.1, what are the circumstances in which the server should
>>> refrain from sending the Pins? [I first thought about 'Redirects' but realized that that was probably
>>> a really good time to send Pins!]
>
> This has been discussed, and because of all kinds of weird deployments, such as with multiplexed servers
> behind a load-balancer the only viable way was to send the PKP in every response. Some (me!) wereconcerned

about the overhead of these large-ish headers, but we heard from people 
who actually run servers

that a header this small is inconsequential. The draft for HTTP/2 makes 
this less of an issue, as

repeated headers are efficiently encoded by referring back to previous 
header sets.
>

Ok.  Accepting that the host is expected normally to send the headers on 
all responses, when SHOULD it not send the headers? (from the previous 
comments a server that knows it is not multiplexed might be a candidate 
- or if it knows it has already responded on this connection?)

>>> s2.3.1/s2.4: S2.4 states that hash algorithms might be deprecated in future.  Presumably a
>>> deprecated algorithm should be treated as an unrecognized directive or some such to avoid
>>> downgrade attacks.  Probably worth being explicit about this.  Also this is potentially
>>> incompatible with the statement that 'UAs MUST recognize "sha256"' (Para 3 of s2.4).
>>> This results in a potential downgrade attack when and if SHA256 is deemed to be no longer
>>> cryptographically effective. I think this statement can be removed as presently a UA
>>> has no other option if it is to implement the specification.

Not addressed as yet.  At least the statement in s2.4 needs to be removed.

>>>
>>> s2.6:
>>>>    Note that the UA MUST perform Pin Validation when setting up the TLS
>>>>    session, before beginning an HTTP conversation over the TLS channel.
>>> I suspect I am confused: If a UA is making its first connection to a host for which it doesn't
>>> have a preconfigured Pin, then it won't get the Pin(s) from the host until it has set up the
>>> TLS connection and received the response to the request at the HTTP protocol level.  In that case
>>> Pin validation will pass by default (subject to local policy perhaps) since the cache doesn't have
>>> entries for the host.  Presumably the UA should then perform Pin validation if it has passed by
>>> default during TLS setup (assuming that this is possible given the layering) or does the UA have to
>>> terminate the session and restart it so that Pin validation can be performed?  The second case may
>>> give scope for a DoS attack.  Or is it the case that Pin validation is not needed on the first
>>> connection... I don't see why this shouldn't be done but I may not understand the problem.  I think
>>> some clarification about the startup of the process is needed.

Ok. Done.

>>> Nits/editorial comments:
>>>
>>> s1, last para: s/toegether/together/, s/but is possible/but it is possible/
>>> s2.1: It would be good to expand the term OWS.
>>>
>>> s2.1, Figure 1 caption: The acronym HPKP needs expanding.
>>>
>>> s2.1, 2nd para after numbered bullets:
>>> It is not the definition of hash algorithms that is relevant, but allowing them to be
>>> used in pin-directives thus:
>>> OLD:
>>> additional algorithms may be defined in the future
>>> NEW:
>>> additional algorithms may be allowed for use in this context in future
>>>
>>> Also the implication of the "sha256" name should be explained precisely -
>>> i.e, that the SHA256 hash algorithm will be used, and a suitable reference
>>> for SHA256 should be given. (Again this doesn't happen until s2.4).
>>>
>>> And finally the "Fingerprint" of what SPKI? Defining Pin formally as noted above would help!
>>>
>>> s2.1, last para: s/hahs/hash/
>>>
>>> s4.2/Figure 8: The first line of text is too wide.
>>>
>>> s5, para 1: Is it really "HSTS or HPKP"?  I thought it would be "HSTS combined with HPKP".
>>>
>>> s5, 2nd top level bullet: Expand SNI acronym.

All nits above sorted.

>>>
>>> s6: Needs to be more precise about *which* message headers repository is to be updated! Presumably
>>> the permanent one at http://www.iana.org/assignments/message-headers/message-headers.xml#perm-headers.
OK.

>>>
>>> Also there may be some of the questions in s8.3.1 of RFC 7231 that need specific answers.

There are still some of the questions that ought to be explicitly answered.

One extra nit:
s2, para after bullets: s/reistry/registry/

Regards,
Elwyn
>>>
>>
>


From nobody Mon Aug 11 09:33:29 2014
Return-Path: <wwwrun@rfc-editor.org>
X-Original-To: websec@ietfa.amsl.com
Delivered-To: websec@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 71D0C1A0584; Mon, 11 Aug 2014 09:33:21 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.57
X-Spam-Level: 
X-Spam-Status: No, score=-102.57 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RP_MATCHES_RCVD=-0.668, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, USER_IN_WHITELIST=-100] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id U1dDpnlWJ1y3; Mon, 11 Aug 2014 09:33:20 -0700 (PDT)
Received: from rfc-editor.org (rfc-editor.org [IPv6:2001:1900:3001:11::31]) by ietfa.amsl.com (Postfix) with ESMTP id 000D21A05C0; Mon, 11 Aug 2014 09:33:19 -0700 (PDT)
Received: by rfc-editor.org (Postfix, from userid 30) id E62D318000E; Mon, 11 Aug 2014 09:31:35 -0700 (PDT)
To: e_lawrence@hotmail.com, Jeff.Hodges@PayPal.com, collin.jackson@sv.cmu.edu,  ietf@adambarth.com
X-PHP-Originating-Script: 1005:errata_mail_lib.php
From: RFC Errata System <rfc-editor@rfc-editor.org>
Message-Id: <20140811163135.E62D318000E@rfc-editor.org>
Date: Mon, 11 Aug 2014 09:31:35 -0700 (PDT)
Archived-At: http://mailarchive.ietf.org/arch/msg/websec/oIWZ7yvgEv_iDKibkeusFg1FW3o
Cc: barryleiba@computer.org, websec@ietf.org, iesg@ietf.org, rfc-editor@rfc-editor.org
Subject: [websec] [Errata Rejected] RFC6797 (4075)
X-BeenThere: websec@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/websec>, <mailto:websec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/websec/>
List-Post: <mailto:websec@ietf.org>
List-Help: <mailto:websec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/websec>, <mailto:websec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 11 Aug 2014 16:33:21 -0000

The following errata report has been rejected for RFC6797,
"HTTP Strict Transport Security (HSTS)".

--------------------------------------
You may review the report below and at:
http://www.rfc-editor.org/errata_search.php?rfc=6797&eid=4075

--------------------------------------
Status: Rejected
Type: Technical

Reported by: Eric Lawrence <e_lawrence@hotmail.com>
Date Reported: 2014-08-08
Rejected by: Barry Leiba (IESG)

Section: 14

Original Text
-------------
   Without the "includeSubDomains" directive, HSTS is unable to protect
   such Secure-flagged domain cookies.

Corrected Text
--------------
   Without the "includeSubDomains" directive, HSTS is unable to protect
   such Secure-flagged domain cookies.

   Even with the "includeSubDomains" directive, the unavailability of 
   an "includeParent" directive means that an Active MITM attacker can 
   perform a cookie-injection attack against an otherwise 
   HSTS-protected victim domain.

   Consider the following scenario:

    The user visits https://sub.example.com and gets a HSTS policy with
    includeSubdomains set. All subsequent navigations to 
    sub.example.com and its subdomains will be secure.

    An attacker causes the victim's browser to navigate to 
    http://example.com. Because the HSTS policy applies only to 
    sub.example.com and its superdomain matches, this insecure 
    navigation is not blocked by the user agent.

    The attacker intercepts this insecure request and returns a 
    response that sets a cookie on the entire domain tree using a 
    Set-Cookie header.

    All subsequent requests to sub.example.com carry the injected
    cookie, despite the use of HSTS.

Notes
-----
To mitigate this attack, HSTS-protected websites should perform a background fetch of a resource at the first-level domain. This resource should carry a HSTS header that will apply to the entire domain and all subdomains.
 --VERIFIER NOTES-- 
This is a valid issue, but not suitable for the errata system.  The websec working group is discussing handling this with a short document to update RFC 6797.

--------------------------------------
RFC6797 (draft-ietf-websec-strict-transport-sec-14)
--------------------------------------
Title               : HTTP Strict Transport Security (HSTS)
Publication Date    : November 2012
Author(s)           : J. Hodges, C. Jackson, A. Barth
Category            : PROPOSED STANDARD
Source              : Web Security
Area                : Applications
Stream              : IETF
Verifying Party     : IESG


From nobody Thu Aug 14 08:47:23 2014
Return-Path: <barryleiba.mailing.lists@gmail.com>
X-Original-To: websec@ietfa.amsl.com
Delivered-To: websec@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 068791A6F14; Thu, 14 Aug 2014 08:47:21 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.278
X-Spam-Level: 
X-Spam-Status: No, score=-1.278 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, FM_FORGED_GMAIL=0.622, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id YIzMUgg1oP4B; Thu, 14 Aug 2014 08:47:19 -0700 (PDT)
Received: from mail-ig0-x22b.google.com (mail-ig0-x22b.google.com [IPv6:2607:f8b0:4001:c05::22b]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 25BA91A0770; Thu, 14 Aug 2014 08:47:19 -0700 (PDT)
Received: by mail-ig0-f171.google.com with SMTP id l13so13979621iga.4 for <multiple recipients>; Thu, 14 Aug 2014 08:47:18 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113;  h=mime-version:sender:date:message-id:subject:from:to:cc:content-type;  bh=xR5gpQDOrYT05BfX9HcnbpZkVkME+T7grZcK83XSztk=; b=GZuB/1eBQpCySo6rT3AUIbTylOL17B6GnOLlsi1gCfDFcC1aZ1O37cnuXjUK13iQN9 g7c/5am+r7BWBO015L+z7mMO6zxvAnpEoB0PanUFLFvdy49886zF7/sRRtxhIKm89eYh Cf2hucLfOTKZi2kzu4IWasqxwggpxROQ5D43B/pd7VTsecYjCoX3moQ6zu2FyTL73WBv F3/yKy47NeIsVuNnt5/WzZy6Zy2eYpniM0dz5KuwFn2LRYWoHt50UJ89hGgngX17aoXP sorRR/zICSHPp/oJp4QsTuXwA1qfNbCkKHdRsxWxeCH3ShmkTUIAEC+YrAAvYts03ZXw GxNQ==
MIME-Version: 1.0
X-Received: by 10.50.80.116 with SMTP id q20mr60779613igx.22.1408031238527; Thu, 14 Aug 2014 08:47:18 -0700 (PDT)
Sender: barryleiba.mailing.lists@gmail.com
Received: by 10.107.163.148 with HTTP; Thu, 14 Aug 2014 08:47:18 -0700 (PDT)
Date: Thu, 14 Aug 2014 11:47:18 -0400
X-Google-Sender-Auth: xSwm2k1c1fs4smCYQq94WYuBkrM
Message-ID: <CAC4RtVDiy-QbHNREsm07+iPzjDiZ1q5GjowZCBnP63nw1ezTAw@mail.gmail.com>
From: Barry Leiba <barryleiba@computer.org>
To: IETF WebSec WG <websec@ietf.org>, draft-ietf-websec-key-pinning.all@tools.ietf.org
Content-Type: text/plain; charset=UTF-8
Archived-At: http://mailarchive.ietf.org/arch/msg/websec/GlNgJQ4mexXTOAQ6y3QlC-TRW0M
Cc: IESG <iesg@ietf.org>
Subject: [websec] DISCUSS positions on draft-ietf-websec-key-pinning
X-BeenThere: websec@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/websec>, <mailto:websec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/websec/>
List-Post: <mailto:websec@ietf.org>
List-Help: <mailto:websec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/websec>, <mailto:websec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 14 Aug 2014 15:47:21 -0000

Websec folks, and especially the document authors:
We have several DISCUSS ballots on the key-pinning doc (from Stephen,
Kathleen, and Ted):

   http://datatracker.ietf.org/doc/draft-ietf-websec-key-pinning/ballot/

...and I have seen no response from the authors on them.  Please
respond soonest, and have the necessary discussions to resolve them.
Please also consider and respond to the non-blocking comments from
Alissa, Pete, and Richard.

Yoav, please stay on top of this and do the necessary prodding to keep
this moving.

Thanks,
Barry


From nobody Thu Aug 14 10:21:47 2014
Return-Path: <barryleiba@gmail.com>
X-Original-To: websec@ietfa.amsl.com
Delivered-To: websec@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B54961A6F61; Thu, 14 Aug 2014 10:21:43 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.278
X-Spam-Level: 
X-Spam-Status: No, score=-1.278 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, FM_FORGED_GMAIL=0.622, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id EG5mCC_jk1jD; Thu, 14 Aug 2014 10:21:43 -0700 (PDT)
Received: from mail-lb0-x22c.google.com (mail-lb0-x22c.google.com [IPv6:2a00:1450:4010:c04::22c]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 891C51A0920; Thu, 14 Aug 2014 10:21:42 -0700 (PDT)
Received: by mail-lb0-f172.google.com with SMTP id z11so1104537lbi.17 for <multiple recipients>; Thu, 14 Aug 2014 10:21:40 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113;  h=mime-version:sender:in-reply-to:references:date:message-id:subject :from:to:cc:content-type; bh=MwDRsmdpWrFGj3QbroAs5zwu94FN+qzfSXxLVeVcTZs=; b=o/EGE59SJi45HLpHZI6yxhtYeeTr4QVIbZ6TGDzIuqDaDDwy1TE1UMon31TFwE5rn/ 9XlHzkEE+Lr+QuaHoQHOqvhT0PCfPF54Hl5aXvvTBxkrVOb5702GNUfrHP4wHAUTpZGo ySZfmgzcm5iD61jvYvrXYyCg6XZyFy8LnvDBPCzA2esec91VfBBXSNSnMB7GGdrpVUU8 psGwAk6JcYg3MgRDWBnSarPvAw7r8IMLSP/RoGAJbZsFhotQN4i2JOHFQD7HqY6irSLk 8hBtoI3T+C8P0gLhsa6dKT4niDx5HJu1nvEKhhot1unEZ3v91kC3PKDVz28t6YL+mYNM l20A==
MIME-Version: 1.0
X-Received: by 10.112.155.226 with SMTP id vz2mr6341869lbb.23.1408036900885; Thu, 14 Aug 2014 10:21:40 -0700 (PDT)
Sender: barryleiba@gmail.com
Received: by 10.152.8.46 with HTTP; Thu, 14 Aug 2014 10:21:40 -0700 (PDT)
In-Reply-To: <CACvaWvb2HyhgHZJH4-DO0NX=zj2-Mk8r1Ua-we4HRwBp6twFeg@mail.gmail.com>
References: <CAC4RtVDiy-QbHNREsm07+iPzjDiZ1q5GjowZCBnP63nw1ezTAw@mail.gmail.com> <CACvaWvb2HyhgHZJH4-DO0NX=zj2-Mk8r1Ua-we4HRwBp6twFeg@mail.gmail.com>
Date: Thu, 14 Aug 2014 13:21:40 -0400
X-Google-Sender-Auth: G_rR-S7kBk1BSZ_1N9KYQOl2zi8
Message-ID: <CALaySJKHOBv=viCV88=S0a1f5JwZ9DOYGNgnJr2izYtG71vhQA@mail.gmail.com>
From: Barry Leiba <barryleiba@computer.org>
To: Ryan Sleevi <sleevi@google.com>
Content-Type: text/plain; charset=ISO-8859-1
Archived-At: http://mailarchive.ietf.org/arch/msg/websec/irbm9Uh-gh5T7h9jnjr-eRHpImk
Cc: draft-ietf-websec-key-pinning.all@tools.ietf.org, "<websec@ietf.org>" <websec@ietf.org>, The IESG <iesg@ietf.org>
Subject: Re: [websec] DISCUSS positions on draft-ietf-websec-key-pinning
X-BeenThere: websec@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/websec>, <mailto:websec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/websec/>
List-Post: <mailto:websec@ietf.org>
List-Help: <mailto:websec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/websec>, <mailto:websec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 14 Aug 2014 17:21:43 -0000

> It sounds like you're looking for an acknowledgement of the messages. Just
> to confirm, we have received this feedback, and are taking time to ensure
> the replies are as considered and thoughtful as the DISCUSS points,
> especially as many of these points were discussed early on and thought
> addressed by the draft already.

Great; thanks, Ryan.

Yes, it's always good to at least send a "we're working on it" message
in response, especially to DISCUSS positions (as those are
specifically asking for discussion).

So we'll take this as "we're working on it, and we'll get back to
y'all when we have a good response," and thanks for confirming that.

Barry


From nobody Fri Aug 15 15:02:59 2014
Return-Path: <prvs=03043d89bb=carl.mehner@usaa.com>
X-Original-To: websec@ietfa.amsl.com
Delivered-To: websec@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 168331A06D3 for <websec@ietfa.amsl.com>; Fri, 15 Aug 2014 15:02:58 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.569
X-Spam-Level: 
X-Spam-Status: No, score=-7.569 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5, RP_MATCHES_RCVD=-0.668, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id N1h1uT9Ck2B0 for <websec@ietfa.amsl.com>; Fri, 15 Aug 2014 15:02:55 -0700 (PDT)
Received: from prodomx01.usaa.com (prodomx01.usaa.com [167.24.101.120]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 527271A06D2 for <websec@ietf.org>; Fri, 15 Aug 2014 15:02:54 -0700 (PDT)
Received: from pps.filterd (prodomx01.usaa.com [127.0.0.1]) by prodomx01.usaa.com (8.14.5/8.14.5) with SMTP id s7FLxW5A006432; Fri, 15 Aug 2014 17:02:51 -0500
Received: from prodexch03w.eagle.usaa.com (prodexch03w.usaa.com [10.70.41.152]) by prodomx01.usaa.com with ESMTP id 1nph6c3evq-1; Fri, 15 Aug 2014 17:02:51 -0500
Received: from PRODEXCH11W.eagle.usaa.com (10.70.40.36) by PRODEXCH03W.eagle.usaa.com (10.70.41.152) with Microsoft SMTP Server (TLS) id 14.3.158.1; Fri, 15 Aug 2014 17:02:51 -0500
Received: from PRODEXMB01W.eagle.usaa.com ([169.254.1.161]) by PRODEXCH11W.eagle.usaa.com ([10.70.40.36]) with mapi id 14.03.0158.001; Fri, 15 Aug 2014 17:02:51 -0500
From: "Mehner, Carl" <Carl.Mehner@usaa.com>
To: "websec@ietf.org" <websec@ietf.org>
Thread-Topic: [websec] I-D Action: draft-ietf-websec-key-pinning-20.txt
Thread-Index: AQHPuNSnPAJPbxM0q0WPAcHDcJDc7w==
Date: Fri, 15 Aug 2014 22:02:50 +0000
Message-ID: <19075EB00EA7FE49AFF87E5818D673D4111F5EA2@PRODEXMB01W.eagle.usaa.com>
References: <20140807181140.4935.81427.idtracker@ietfa.amsl.com>
In-Reply-To: <20140807181140.4935.81427.idtracker@ietfa.amsl.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
x-originating-ip: [10.122.15.114]
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-Proofpoint-Direction: FromExch
X-Proofpoint-Direction: Internet
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10432:5.12.52, 1.0.27,  0.0.0000 definitions=2014-08-15_06:2014-08-15,2014-08-15,1970-01-01 signatures=0
Archived-At: http://mailarchive.ietf.org/arch/msg/websec/HZlId9B9v8knkvlF0kmw5WnWXSg
Cc: "cevans@google.com" <cevans@google.com>, Ryan Sleevi <sleevi@google.com>
Subject: Re: [websec] I-D Action: draft-ietf-websec-key-pinning-20.txt
X-BeenThere: websec@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/websec>, <mailto:websec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/websec/>
List-Post: <mailto:websec@ietf.org>
List-Help: <mailto:websec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/websec>, <mailto:websec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 15 Aug 2014 22:02:58 -0000

Sorry for the late, last minute review. I found one capitalization nit, one=
 issue, and one personal-opinion-based nit.



Section 2.1; The first word of the sentence should be capitalized.
Old:
. token and quoted-string are used
New:
. Token and quoted-string are used



Section 4.2
Public-Key-Pins: pin-sha256=3D"GHI..."; pin-sha256=3D"JKL..."

This is not a valid Pinning Header as is stated due to it missing the REQUI=
RED max-age directive.

I recommend changing to:
Public-Key-Pins: max-age=3D12000; pin-sha256=3D"GHI..."; pin-sha256=3D"JKL.=
.."



Appendix A:
I understand the POSIX shell may be desirable for some, but openssl is used=
 for everything except for the very last command here. Therefore, I think t=
hat it would make more sense to just have the whole thing be openssl comman=
ds so that Windows users will also be able to create key pins locally using=
 the direct commands from the draft.
Old:
This POSIX shell program generates SPKI Fingerprints...
...
openssl dgst -sha256 -binary public.key | base64
New:
This OpenSSL command generates SPKI Fingerprints...
...
openssl dgst -sha256 -binary public.key | openssl enc -base64


-cem

> -----Original Message-----
> From: websec [mailto:websec-bounces@ietf.org] On Behalf Of internet-
> drafts@ietf.org
> Sent: Thursday, August 07, 2014 1:12 PM
> To: i-d-announce@ietf.org
> Cc: websec@ietf.org
> Subject: EXTERNAL: [websec] I-D Action: draft-ietf-websec-key-pinning-
> 20.txt
>=20
>=20
> A New Internet-Draft is available from the on-line Internet-Drafts
> directories.
>  This draft is a work item of the Web Security Working Group of the
> IETF.
>=20
>         Title           : Public Key Pinning Extension for HTTP
>         Authors         : Chris Evans
>                           Chris Palmer
>                           Ryan Sleevi
> 	Filename        : draft-ietf-websec-key-pinning-20.txt
> 	Pages           : 26
> 	Date            : 2014-08-07
>=20
> Abstract:
>    This document describes an extension to the HTTP protocol allowing
>    web host operators to instruct user agents to remember ("pin") the
>    hosts' cryptographic identities for a given period of time.  During
>    that time, UAs will require that the host present a certificate
> chain
>    including at least one Subject Public Key Info structure whose
>    fingerprint matches one of the pinned fingerprints for that host.
> By
>    effectively reducing the number of authorities who can authenticate
>    the domain during the lifetime of the pin, pinning may reduce the
>    incidence of man-in-the-middle attacks due to compromised
>    Certification Authorities.
>=20
>=20
> The IETF datatracker status page for this draft is:
> https://datatracker.ietf.org/doc/draft-ietf-websec-key-pinning/
>=20
> There's also a htmlized version available at:
> http://tools.ietf.org/html/draft-ietf-websec-key-pinning-20
>=20
> A diff from the previous version is available at:
> http://www.ietf.org/rfcdiff?url2=3Ddraft-ietf-websec-key-pinning-20
>=20
>=20
> Please note that it may take a couple of minutes from the time of
> submission
> until the htmlized version and diff are available at tools.ietf.org.
>=20
> Internet-Drafts are also available by anonymous FTP at:
> ftp://ftp.ietf.org/internet-drafts/
>=20
> _______________________________________________
> websec mailing list
> websec@ietf.org
> https://www.ietf.org/mailman/listinfo/websec


From nobody Fri Aug 15 22:42:42 2014
Return-Path: <ynir.ietf@gmail.com>
X-Original-To: websec@ietfa.amsl.com
Delivered-To: websec@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9842E1A6FD3 for <websec@ietfa.amsl.com>; Fri, 15 Aug 2014 22:42:40 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.23
X-Spam-Level: 
X-Spam-Status: No, score=-1.23 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_SORBS_WEB=0.77, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 2GxAsaD8lPgH for <websec@ietfa.amsl.com>; Fri, 15 Aug 2014 22:42:38 -0700 (PDT)
Received: from mail-wi0-x229.google.com (mail-wi0-x229.google.com [IPv6:2a00:1450:400c:c05::229]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8DEAC1A6FC6 for <websec@ietf.org>; Fri, 15 Aug 2014 22:42:38 -0700 (PDT)
Received: by mail-wi0-f169.google.com with SMTP id n3so1701342wiv.0 for <websec@ietf.org>; Fri, 15 Aug 2014 22:42:37 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113;  h=content-type:mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=8mZ/9Ji5vGt/8HML0bdN1OJHCiuyU4ECviiV/bjma+w=; b=KcKDSIARnZpZeb7zQM7UUVeKRh0YtIAB9uRBESn0LA2crDNeXFPUMmpn7USNG9CUxG s0xbKVTDjBGCpCGTKcjTZWlBAsQJX2DmL2162V3xcTWx3mAda8ILbEUiy/oQOrMM8KkO Eb9Bzt7fcSW0//uy4BTTfMYWa7mBIwBjS1MVswyHLGvZEQbm/NK5eLMat+niORJMhRlt Gqw3SZHyW0L6tj6t9PhQ/pZd4X7RzjqP9XgYsFDU+p3A9fEbYXKUp04s3dq1dhkEV/2p eBLEZUpw5Qp3FlRnuTWYvMpjs/oCPPPq/e/YGOGQEkung2drxuRij82aUZ7tbHv5xjD5 SRuA==
X-Received: by 10.180.75.49 with SMTP id z17mr25266121wiv.80.1408167757103; Fri, 15 Aug 2014 22:42:37 -0700 (PDT)
Received: from [172.17.1.172] ([199.203.120.178]) by mx.google.com with ESMTPSA id bi3sm1249265wib.6.2014.08.15.22.42.35 for <multiple recipients> (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Fri, 15 Aug 2014 22:42:36 -0700 (PDT)
Content-Type: text/plain; charset=us-ascii
Mime-Version: 1.0 (Mac OS X Mail 7.3 \(1878.6\))
From: Yoav Nir <ynir.ietf@gmail.com>
In-Reply-To: <19075EB00EA7FE49AFF87E5818D673D4111F5EA2@PRODEXMB01W.eagle.usaa.com>
Date: Sat, 16 Aug 2014 08:42:34 +0300
Content-Transfer-Encoding: quoted-printable
Message-Id: <B3FCC287-4258-4BAF-9504-8A36CA2A9AD9@gmail.com>
References: <20140807181140.4935.81427.idtracker@ietfa.amsl.com> <19075EB00EA7FE49AFF87E5818D673D4111F5EA2@PRODEXMB01W.eagle.usaa.com>
To: "Mehner, Carl" <Carl.Mehner@usaa.com>
X-Mailer: Apple Mail (2.1878.6)
Archived-At: http://mailarchive.ietf.org/arch/msg/websec/cc3ubBqNTEH_VDvoLPzPQVEf9qs
Cc: "cevans@google.com" <cevans@google.com>, "websec@ietf.org" <websec@ietf.org>, Ryan Sleevi <sleevi@google.com>
Subject: Re: [websec] I-D Action: draft-ietf-websec-key-pinning-20.txt
X-BeenThere: websec@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/websec>, <mailto:websec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/websec/>
List-Post: <mailto:websec@ietf.org>
List-Help: <mailto:websec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/websec>, <mailto:websec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 16 Aug 2014 05:42:40 -0000

Thanks, Carl

A new revisions is anyways needed because of DISCUSS ballots during IESG =
review, so these nits can be solved a the same time.

Yoav

On Aug 16, 2014, at 1:02 AM, Mehner, Carl <Carl.Mehner@usaa.com> wrote:

> Sorry for the late, last minute review. I found one capitalization =
nit, one issue, and one personal-opinion-based nit.
>=20
>=20
>=20
> Section 2.1; The first word of the sentence should be capitalized.
> Old:
> . token and quoted-string are used
> New:
> . Token and quoted-string are used
>=20
>=20
>=20
> Section 4.2
> Public-Key-Pins: pin-sha256=3D"GHI..."; pin-sha256=3D"JKL..."
>=20
> This is not a valid Pinning Header as is stated due to it missing the =
REQUIRED max-age directive.
>=20
> I recommend changing to:
> Public-Key-Pins: max-age=3D12000; pin-sha256=3D"GHI..."; =
pin-sha256=3D"JKL..."
>=20
>=20
>=20
> Appendix A:
> I understand the POSIX shell may be desirable for some, but openssl is =
used for everything except for the very last command here. Therefore, I =
think that it would make more sense to just have the whole thing be =
openssl commands so that Windows users will also be able to create key =
pins locally using the direct commands from the draft.
> Old:
> This POSIX shell program generates SPKI Fingerprints...
> ...
> openssl dgst -sha256 -binary public.key | base64
> New:
> This OpenSSL command generates SPKI Fingerprints...
> ...
> openssl dgst -sha256 -binary public.key | openssl enc -base64
>=20
>=20
> -cem
>=20
>> -----Original Message-----
>> From: websec [mailto:websec-bounces@ietf.org] On Behalf Of internet-
>> drafts@ietf.org
>> Sent: Thursday, August 07, 2014 1:12 PM
>> To: i-d-announce@ietf.org
>> Cc: websec@ietf.org
>> Subject: EXTERNAL: [websec] I-D Action: =
draft-ietf-websec-key-pinning-
>> 20.txt
>>=20
>>=20
>> A New Internet-Draft is available from the on-line Internet-Drafts
>> directories.
>> This draft is a work item of the Web Security Working Group of the
>> IETF.
>>=20
>>        Title           : Public Key Pinning Extension for HTTP
>>        Authors         : Chris Evans
>>                          Chris Palmer
>>                          Ryan Sleevi
>> 	Filename        : draft-ietf-websec-key-pinning-20.txt
>> 	Pages           : 26
>> 	Date            : 2014-08-07
>>=20
>> Abstract:
>>   This document describes an extension to the HTTP protocol allowing
>>   web host operators to instruct user agents to remember ("pin") the
>>   hosts' cryptographic identities for a given period of time.  During
>>   that time, UAs will require that the host present a certificate
>> chain
>>   including at least one Subject Public Key Info structure whose
>>   fingerprint matches one of the pinned fingerprints for that host.
>> By
>>   effectively reducing the number of authorities who can authenticate
>>   the domain during the lifetime of the pin, pinning may reduce the
>>   incidence of man-in-the-middle attacks due to compromised
>>   Certification Authorities.
>>=20
>>=20
>> The IETF datatracker status page for this draft is:
>> https://datatracker.ietf.org/doc/draft-ietf-websec-key-pinning/
>>=20
>> There's also a htmlized version available at:
>> http://tools.ietf.org/html/draft-ietf-websec-key-pinning-20
>>=20
>> A diff from the previous version is available at:
>> http://www.ietf.org/rfcdiff?url2=3Ddraft-ietf-websec-key-pinning-20
>>=20
>>=20
>> Please note that it may take a couple of minutes from the time of
>> submission
>> until the htmlized version and diff are available at tools.ietf.org.
>>=20
>> Internet-Drafts are also available by anonymous FTP at:
>> ftp://ftp.ietf.org/internet-drafts/
>>=20
>> _______________________________________________
>> websec mailing list
>> websec@ietf.org
>> https://www.ietf.org/mailman/listinfo/websec
>=20
> _______________________________________________
> websec mailing list
> websec@ietf.org
> https://www.ietf.org/mailman/listinfo/websec


From nobody Sat Aug 16 17:46:51 2014
Return-Path: <sleevi@google.com>
X-Original-To: websec@ietfa.amsl.com
Delivered-To: websec@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8752C1A09E0 for <websec@ietfa.amsl.com>; Thu, 14 Aug 2014 09:20:55 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.046
X-Spam-Level: 
X-Spam-Status: No, score=-2.046 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, RP_MATCHES_RCVD=-0.668, SPF_PASS=-0.001] autolearn=unavailable
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id G2WohOzTAtEz for <websec@ietfa.amsl.com>; Thu, 14 Aug 2014 09:20:52 -0700 (PDT)
Received: from mail-vc0-x236.google.com (mail-vc0-x236.google.com [IPv6:2607:f8b0:400c:c03::236]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0787F1A0890 for <websec@ietf.org>; Thu, 14 Aug 2014 09:20:41 -0700 (PDT)
Received: by mail-vc0-f182.google.com with SMTP id hy4so1686477vcb.13 for <websec@ietf.org>; Thu, 14 Aug 2014 09:20:41 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=FVRQzACVBN56lUuWH8PF0m4S7sG2ZnOfexGRAUtjf+U=; b=S/74z9GlmYghBrq0L4YIRpTb4y39YDLUaApJ4A3stNcHAa/H0iTtDc4mMY3zN0gsw5 yi7bgg6KmsKadHYrmrqgyhJ2BQ8Ne+Vu4ixGk5dX/VbRlq55+ESfIa6liurallY+1QeO Lar/y8zIyF7F8CxXG0pD5lxDCfROiElUEPTWyOXwWa//oznAzeERTqNHSuxl2JZcVCtN p/LPdiMd6voSXR8W9faBJiuN7yJP3FLfmLtBsJG8SSUvrYEC6SN4LrR3to+OvXwjCXae W5ogsDOlBYSuNTftSxNFal7RwrLMYE6tLmCVFbOo5eeIlRtScYRuxWv+m+liwC8Ve/pR iP1Q==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:date :message-id:subject:from:to:cc:content-type; bh=FVRQzACVBN56lUuWH8PF0m4S7sG2ZnOfexGRAUtjf+U=; b=eR1FIJq8+MonwvCzxk54j4c6aBF/eRCPb2qIXgebr/lm0+1UgV113Gswtgqbz5QH4a IEf0+pZ5AgSt29rNaK22iIs0VW5EizTuVXCNH7olDn4fkZWggFDujUxv2gxJ07DYLC2f ZP7MUOUpRBzSC26t8dA615VyorA+aCD5yycVQ3VCau0aIX2QEKeGFWqNEOFGyEAmiRoO W4uQaip9A1M5FhB+OFsmRyvewToQYTkFHIZBFnWIA1r5S7EWxyf9Kr2BSRw2Xm4bztYY kow+EsvbHGFoDAFQk/p7dlZukTaix1grTUbVrnSHOsyMxDrFYvcNMSfXROeBhjD2ITvv 5Q/A==
X-Gm-Message-State: ALoCoQm/6bDLfRkesnepSIm7m02UQIQZz4ss5Gr2M1jcS60dciogzI99EuVosS+K5OwKJ04GrdZC
MIME-Version: 1.0
X-Received: by 10.220.68.208 with SMTP id w16mr1871736vci.79.1408033241038; Thu, 14 Aug 2014 09:20:41 -0700 (PDT)
Received: by 10.52.139.78 with HTTP; Thu, 14 Aug 2014 09:20:40 -0700 (PDT)
Received: by 10.52.139.78 with HTTP; Thu, 14 Aug 2014 09:20:40 -0700 (PDT)
In-Reply-To: <CAC4RtVDiy-QbHNREsm07+iPzjDiZ1q5GjowZCBnP63nw1ezTAw@mail.gmail.com>
References: <CAC4RtVDiy-QbHNREsm07+iPzjDiZ1q5GjowZCBnP63nw1ezTAw@mail.gmail.com>
Date: Thu, 14 Aug 2014 09:20:40 -0700
Message-ID: <CACvaWvb2HyhgHZJH4-DO0NX=zj2-Mk8r1Ua-we4HRwBp6twFeg@mail.gmail.com>
From: Ryan Sleevi <sleevi@google.com>
To: Barry Leiba <barryleiba@computer.org>
Content-Type: multipart/alternative; boundary=047d7b3a934e2a18e1050099496a
Archived-At: http://mailarchive.ietf.org/arch/msg/websec/mM_Mr1N12rJZc_RxJ1ukryefljc
X-Mailman-Approved-At: Sat, 16 Aug 2014 17:46:50 -0700
Cc: draft-ietf-websec-key-pinning.all@tools.ietf.org, "<websec@ietf.org>" <websec@ietf.org>, The IESG <iesg@ietf.org>
Subject: Re: [websec] DISCUSS positions on draft-ietf-websec-key-pinning
X-BeenThere: websec@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/websec>, <mailto:websec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/websec/>
List-Post: <mailto:websec@ietf.org>
List-Help: <mailto:websec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/websec>, <mailto:websec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 14 Aug 2014 16:20:55 -0000

--047d7b3a934e2a18e1050099496a
Content-Type: text/plain; charset=UTF-8

On Aug 14, 2014 8:47 AM, "Barry Leiba" <barryleiba@computer.org> wrote:
>
> Websec folks, and especially the document authors:
> We have several DISCUSS ballots on the key-pinning doc (from Stephen,
> Kathleen, and Ted):
>
>    http://datatracker.ietf.org/doc/draft-ietf-websec-key-pinning/ballot/
>
> ...and I have seen no response from the authors on them.

Hi Barry.

It sounds like you're looking for an acknowledgement of the messages. Just
to confirm, we have received this feedback, and are taking time to ensure
the replies are as considered and thoughtful as the DISCUSS points,
especially as many of these points were discussed early on and thought
addressed by the draft already.

In addition to these poibts, the feedback/recent errata from Eric Lawrence
regarding HSTS is also extremely relevant to the discussion of HPKP, and we
were waiting to see what actions, if any, the WG takes regarding that
draft, lest we find ourselves immediately writing a bis to deal with those
same points.

> Please
> respond soonest, and have the necessary discussions to resolve them.
> Please also consider and respond to the non-blocking comments from
> Alissa, Pete, and Richard.
>
> Yoav, please stay on top of this and do the necessary prodding to keep
> this moving.
>
> Thanks,
> Barry

--047d7b3a934e2a18e1050099496a
Content-Type: text/html; charset=UTF-8
Content-Transfer-Encoding: quoted-printable

<p dir=3D"ltr"><br>
On Aug 14, 2014 8:47 AM, &quot;Barry Leiba&quot; &lt;<a href=3D"mailto:barr=
yleiba@computer.org">barryleiba@computer.org</a>&gt; wrote:<br>
&gt;<br>
&gt; Websec folks, and especially the document authors:<br>
&gt; We have several DISCUSS ballots on the key-pinning doc (from Stephen,<=
br>
&gt; Kathleen, and Ted):<br>
&gt;<br>
&gt; =C2=A0 =C2=A0<a href=3D"http://datatracker.ietf.org/doc/draft-ietf-web=
sec-key-pinning/ballot/">http://datatracker.ietf.org/doc/draft-ietf-websec-=
key-pinning/ballot/</a><br>
&gt;<br>
&gt; ...and I have seen no response from the authors on them.=C2=A0</p>
<p dir=3D"ltr">Hi Barry.</p>
<p dir=3D"ltr">It sounds like you&#39;re looking for an acknowledgement of =
the messages. Just to confirm, we have received this feedback, and are taki=
ng time to ensure the replies are as considered and thoughtful as the DISCU=
SS points, especially as many of these points were discussed early on and t=
hought addressed by the draft already.</p>

<p dir=3D"ltr">In addition to these poibts, the feedback/recent errata from=
 Eric Lawrence regarding HSTS is also extremely relevant to the discussion =
of HPKP, and we were waiting to see what actions, if any, the WG takes rega=
rding that draft, lest we find ourselves immediately writing a bis to deal =
with those same points.</p>

<p dir=3D"ltr">&gt; Please<br>
&gt; respond soonest, and have the necessary discussions to resolve them.<b=
r>
&gt; Please also consider and respond to the non-blocking comments from<br>
&gt; Alissa, Pete, and Richard.<br>
&gt;<br>
&gt; Yoav, please stay on top of this and do the necessary prodding to keep=
<br>
&gt; this moving.<br>
&gt;<br>
&gt; Thanks,<br>
&gt; Barry<br>
</p>

--047d7b3a934e2a18e1050099496a--


From nobody Sun Aug 17 13:04:37 2014
Return-Path: <tobias.gondrom@gondrom.org>
X-Original-To: websec@ietfa.amsl.com
Delivered-To: websec@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 87CC61A0171; Sun, 17 Aug 2014 13:04:35 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.668
X-Spam-Level: 
X-Spam-Status: No, score=-102.668 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RP_MATCHES_RCVD=-0.668, SPF_PASS=-0.001, USER_IN_WHITELIST=-100] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id GCE7LvEatUVz; Sun, 17 Aug 2014 13:04:33 -0700 (PDT)
Received: from www.gondrom.org (www.gondrom.org [91.250.114.153]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 43BE81A016B; Sun, 17 Aug 2014 13:04:32 -0700 (PDT)
X-No-Relay: not in my network
DomainKey-Signature: a=rsa-sha1;  q=dns; c=nofws; s=default; d=gondrom.org; b=f2UKBeRJO84B17sCKqZi65+XuSGs/kpecWPwtEzhop/0qUPg5x2yFCYpzZT16M0wbC56IQQF4G1eFZ+RoIo7VZZDNex8wNGrQKxVPlMFivwTF4KlBma3TuOeYNxUk6EyTbQcEynPd5B0dqxnW3vzUeagMbBeY+QEC59VQwmmHts=; h=X-No-Relay:X-No-Relay:X-No-Relay:X-No-Relay:Received:Message-ID:Date:From:User-Agent:MIME-Version:To:CC:Subject:References:In-Reply-To:Content-Type;
X-No-Relay: not in my network
X-No-Relay: not in my network
X-No-Relay: not in my network
X-No-Relay: not in my network
Received: from [192.168.0.7] (5ec3983d.skybroadband.com [94.195.152.61]) by www.gondrom.org (Postfix) with ESMTPSA id E75561539000F; Sun, 17 Aug 2014 22:04:30 +0200 (CEST)
Message-ID: <53F10ACE.3090605@gondrom.org>
Date: Sun, 17 Aug 2014 21:04:30 +0100
From: Tobias Gondrom <tobias.gondrom@gondrom.org>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Thunderbird/31.0
MIME-Version: 1.0
To: barryleiba@computer.org, sleevi@google.com
References: <CAC4RtVDiy-QbHNREsm07+iPzjDiZ1q5GjowZCBnP63nw1ezTAw@mail.gmail.com>	<CACvaWvb2HyhgHZJH4-DO0NX=zj2-Mk8r1Ua-we4HRwBp6twFeg@mail.gmail.com> <CALaySJKHOBv=viCV88=S0a1f5JwZ9DOYGNgnJr2izYtG71vhQA@mail.gmail.com>
In-Reply-To: <CALaySJKHOBv=viCV88=S0a1f5JwZ9DOYGNgnJr2izYtG71vhQA@mail.gmail.com>
Content-Type: multipart/alternative; boundary="------------010807060507070706060605"
Archived-At: http://mailarchive.ietf.org/arch/msg/websec/-L0b0Q1swF4tkf2WBYDqXuEET88
Cc: draft-ietf-websec-key-pinning.all@tools.ietf.org, websec@ietf.org, iesg@ietf.org
Subject: Re: [websec] DISCUSS positions on draft-ietf-websec-key-pinning
X-BeenThere: websec@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/websec>, <mailto:websec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/websec/>
List-Post: <mailto:websec@ietf.org>
List-Help: <mailto:websec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/websec>, <mailto:websec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 17 Aug 2014 20:04:35 -0000

This is a multi-part message in MIME format.
--------------010807060507070706060605
Content-Type: text/plain; charset=windows-1252; format=flowed
Content-Transfer-Encoding: 7bit

On 14/08/14 18:21, Barry Leiba wrote:
>> It sounds like you're looking for an acknowledgement of the messages. Just
>> to confirm, we have received this feedback, and are taking time to ensure
>> the replies are as considered and thoughtful as the DISCUSS points,
>> especially as many of these points were discussed early on and thought
>> addressed by the draft already.
> Great; thanks, Ryan.
>
> Yes, it's always good to at least send a "we're working on it" message
> in response, especially to DISCUSS positions (as those are
> specifically asking for discussion).
>
> So we'll take this as "we're working on it, and we'll get back to
> y'all when we have a good response," and thanks for confirming that.
>
> Barry

Hi Ryan,

in addition to the recommendation from Barry: please feel free to reply 
to the discusses as soon as possible. We are now in IESG review and an 
extensive discussion within the WG is not required to deal with 
discusses if the issues have been raised and resolved in the WG before.

So e.g. if you think that a discuss has already been addressed during a 
previous WG discussion, please feel free to write so to the reviewing AD 
(with cc to the WG). And repeat a quick brief of the reasoning for the 
benefit of the reviewer who has not been part of the WG discussion before.

Furthermore I would recommend to not wait for any HSTS update 
discussions. It is not clear whether they will happen or not at this 
stage. So to wait for them may not be fruitful.

In general it would be good to answer questions in the current IESG 
review process phase timely and one by one as that will help the ADs to 
close the process on the draft in a timely manner. If we wait too long, 
some may need to read the draft again just to refresh their memory when 
casting their vote to publish.

Just a thought, Tobias (no hat)




--------------010807060507070706060605
Content-Type: text/html; charset=windows-1252
Content-Transfer-Encoding: 7bit

<html>
  <head>
    <meta content="text/html; charset=windows-1252"
      http-equiv="Content-Type">
  </head>
  <body bgcolor="#FFFFFF" text="#000000">
    <div class="moz-cite-prefix">On 14/08/14 18:21, Barry Leiba wrote:<br>
    </div>
    <blockquote
cite="mid:CALaySJKHOBv=viCV88=S0a1f5JwZ9DOYGNgnJr2izYtG71vhQA@mail.gmail.com"
      type="cite">
      <blockquote type="cite">
        <pre wrap="">It sounds like you're looking for an acknowledgement of the messages. Just
to confirm, we have received this feedback, and are taking time to ensure
the replies are as considered and thoughtful as the DISCUSS points,
especially as many of these points were discussed early on and thought
addressed by the draft already.
</pre>
      </blockquote>
      <pre wrap="">
Great; thanks, Ryan.

Yes, it's always good to at least send a "we're working on it" message
in response, especially to DISCUSS positions (as those are
specifically asking for discussion).

So we'll take this as "we're working on it, and we'll get back to
y'all when we have a good response," and thanks for confirming that.

Barry
</pre>
    </blockquote>
    <font face="Arial"><br>
      Hi Ryan, <br>
      <br>
      in addition to the recommendation from Barry: please feel free to
      reply to the discusses as soon as possible. We are now in IESG
      review and an extensive discussion within the WG is not required
      to deal with discusses if the issues have been raised and resolved
      in the WG before. <br>
      <br>
      So e.g. if you think that a discuss has already been addressed
      during a previous WG discussion, please feel free to write so to
      the reviewing AD (with cc to the WG). And repeat a quick brief of
      the reasoning for the benefit of the reviewer who has not been
      part of the WG discussion before. <br>
      <br>
      Furthermore I would recommend to not wait for any HSTS update
      discussions. It is not clear whether they will happen or not at
      this stage. So to wait for them may not be fruitful. <br>
      <br>
      In general it would be good to answer questions in the current
      IESG review process phase timely and one by one as that will help
      the ADs to close the process on the draft in a timely manner. If
      we wait too long, some may need to read the draft again just to
      refresh their memory when casting their vote to publish. <br>
      <br>
      Just a thought, Tobias (no hat)<br>
      <br>
      <br>
      <br>
    </font>
  </body>
</html>

--------------010807060507070706060605--


From nobody Sun Aug 17 14:15:41 2014
Return-Path: <barryleiba@gmail.com>
X-Original-To: websec@ietfa.amsl.com
Delivered-To: websec@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 98E8B1A0022; Sun, 17 Aug 2014 14:15:34 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.278
X-Spam-Level: 
X-Spam-Status: No, score=-1.278 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, FM_FORGED_GMAIL=0.622, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id FCA3pU_GcaVl; Sun, 17 Aug 2014 14:15:33 -0700 (PDT)
Received: from mail-lb0-x234.google.com (mail-lb0-x234.google.com [IPv6:2a00:1450:4010:c04::234]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 43C5E1A0021; Sun, 17 Aug 2014 14:15:33 -0700 (PDT)
Received: by mail-lb0-f180.google.com with SMTP id v6so3519825lbi.11 for <multiple recipients>; Sun, 17 Aug 2014 14:15:31 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113;  h=mime-version:sender:in-reply-to:references:date:message-id:subject :from:to:cc:content-type; bh=UkhEe0JrIkpxAIez/w8fPztYQKZG+7qGp2RBfdHwVow=; b=ofcp076dbLT38bwxoILgp0dJZPG917/9irD/NFzeIUYA8UinjK1d1V5/XfhjoeFOxS reoux6/Y2SS9ZM4vo/kXLGfJBnnhO91UJ7BdEYuPqprOmmUHeb8zroa4j0kOQXwyB/CQ Fc5/k83d7EEr6yseNCfobvSbhr7ThwHFQND0cETxgg5hDb8Di2cCa8f8yv/H90i/dC6z rf89dM1A7DmLRAKtX5G9OTO1dATsQVKd4lU+/LxP5gspZicwbbM2s59YoGpebq1v2PEr EYDcjlz1IFpIBsQ8ZEHfGqn43C8QhFFzs6cIPJDYck4fuNGL+UPg9dWSrI2uovgje+0j qXCA==
MIME-Version: 1.0
X-Received: by 10.112.253.165 with SMTP id ab5mr24304615lbd.1.1408310131622; Sun, 17 Aug 2014 14:15:31 -0700 (PDT)
Sender: barryleiba@gmail.com
Received: by 10.152.8.46 with HTTP; Sun, 17 Aug 2014 14:15:31 -0700 (PDT)
In-Reply-To: <53F10ACE.3090605@gondrom.org>
References: <CAC4RtVDiy-QbHNREsm07+iPzjDiZ1q5GjowZCBnP63nw1ezTAw@mail.gmail.com> <CACvaWvb2HyhgHZJH4-DO0NX=zj2-Mk8r1Ua-we4HRwBp6twFeg@mail.gmail.com> <CALaySJKHOBv=viCV88=S0a1f5JwZ9DOYGNgnJr2izYtG71vhQA@mail.gmail.com> <53F10ACE.3090605@gondrom.org>
Date: Sun, 17 Aug 2014 17:15:31 -0400
X-Google-Sender-Auth: XWZISx0KT-uCZqCANmDUDskU15w
Message-ID: <CALaySJ+0NF8aHeha9VkmX873MgyE2sqySgiQcYF9MTy7XmnkRw@mail.gmail.com>
From: Barry Leiba <barryleiba@computer.org>
To: Tobias Gondrom <tobias.gondrom@gondrom.org>
Content-Type: text/plain; charset=ISO-8859-1
Archived-At: http://mailarchive.ietf.org/arch/msg/websec/ByFwrIp-Xjy2EaAb-UH4wEU30ko
Cc: draft-ietf-websec-key-pinning.all@tools.ietf.org, "websec@ietf.org" <websec@ietf.org>, Ryan Sleevi <sleevi@google.com>, IESG <iesg@ietf.org>
Subject: Re: [websec] DISCUSS positions on draft-ietf-websec-key-pinning
X-BeenThere: websec@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/websec>, <mailto:websec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/websec/>
List-Post: <mailto:websec@ietf.org>
List-Help: <mailto:websec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/websec>, <mailto:websec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 17 Aug 2014 21:15:34 -0000

> In general it would be good to answer questions in the current IESG review
> process phase timely and one by one as that will help the ADs to close the
> process on the draft in a timely manner. If we wait too long, some may need
> to read the draft again just to refresh their memory when casting their vote
> to publish.

This is a good point, and thanks for making it, Tobias.  Yes, it's
frequently the case that too much delay in having the discussion
causes the AD to have to regain context, which results in more delay
and disrupts the AD's other work more.

Barry


From nobody Tue Aug 19 08:37:53 2014
Return-Path: <ynir.ietf@gmail.com>
X-Original-To: websec@ietfa.amsl.com
Delivered-To: websec@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7302B1A03C8; Tue, 19 Aug 2014 08:37:52 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level: 
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id GIFFf4xzHLjK; Tue, 19 Aug 2014 08:37:51 -0700 (PDT)
Received: from mail-wi0-x22b.google.com (mail-wi0-x22b.google.com [IPv6:2a00:1450:400c:c05::22b]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id F249D1A03BD; Tue, 19 Aug 2014 08:37:50 -0700 (PDT)
Received: by mail-wi0-f171.google.com with SMTP id hi2so5631876wib.16 for <multiple recipients>; Tue, 19 Aug 2014 08:37:49 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113;  h=content-type:mime-version:subject:from:in-reply-to:date:cc :message-id:references:to; bh=rFzGffZPxRmXM5P8wvytzZMJbTgKJVKNso/VmpfZKXg=; b=AA3ZZdgQeZlHYSEqhl5NkdAJrZTxXBfo9916em4qcNgGw9Di7DsxUt1it1EKUVngsd hYKryL6j74GSC2h0rUAclrn/sCVkYRUd2Q9R8WYzvzKFMVAgOpWfZQp7uszrGLXGdqqe a3ztwf6uEbL1kl5yOe1JXU0dM4x6MeeJbZM65agNHU64xSP5n+ulddw5PAhCwMPlNWPV 6GUuGIOGzMPKTInwjh8Vx5DIKU1ONa9gBKDi5Tt6sJs0dQpgOPuF9Vo8KF+5EgPgJykC PBoKZ0uql3S3VqU0tvw3p0V4Dn2VgJEIzxgrVRrDoDLA6rVgOhOELa6E9k3shodb5y+C 6Nmw==
X-Received: by 10.180.210.163 with SMTP id mv3mr7739937wic.15.1408462669655; Tue, 19 Aug 2014 08:37:49 -0700 (PDT)
Received: from [172.24.250.90] (dyn32-131.checkpoint.com. [194.29.32.131]) by mx.google.com with ESMTPSA id lj18sm13796147wic.8.2014.08.19.08.37.48 for <multiple recipients> (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Tue, 19 Aug 2014 08:37:49 -0700 (PDT)
Content-Type: multipart/alternative; boundary="Apple-Mail=_65686F5C-010E-4F79-B88E-7B38796AE5FC"
Mime-Version: 1.0 (Mac OS X Mail 7.3 \(1878.6\))
From: Yoav Nir <ynir.ietf@gmail.com>
In-Reply-To: <CACvaWvb2HyhgHZJH4-DO0NX=zj2-Mk8r1Ua-we4HRwBp6twFeg@mail.gmail.com>
Date: Tue, 19 Aug 2014 18:37:46 +0300
Message-Id: <7A8DE383-3F22-4DCB-BA3E-6CCF98B0857B@gmail.com>
References: <CAC4RtVDiy-QbHNREsm07+iPzjDiZ1q5GjowZCBnP63nw1ezTAw@mail.gmail.com> <CACvaWvb2HyhgHZJH4-DO0NX=zj2-Mk8r1Ua-we4HRwBp6twFeg@mail.gmail.com>
To: Ryan Sleevi <sleevi@google.com>
X-Mailer: Apple Mail (2.1878.6)
Archived-At: http://mailarchive.ietf.org/arch/msg/websec/wK4O2GSYkxeORKxe_BzG-2lL4UE
Cc: draft-ietf-websec-key-pinning.all@tools.ietf.org, Barry Leiba <barryleiba@computer.org>, "<websec@ietf.org>" <websec@ietf.org>, The IESG <iesg@ietf.org>
Subject: Re: [websec] DISCUSS positions on draft-ietf-websec-key-pinning
X-BeenThere: websec@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/websec>, <mailto:websec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/websec/>
List-Post: <mailto:websec@ietf.org>
List-Help: <mailto:websec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/websec>, <mailto:websec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 19 Aug 2014 15:37:52 -0000

--Apple-Mail=_65686F5C-010E-4F79-B88E-7B38796AE5FC
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain;
	charset=windows-1252

What Barry and Tobias said.=20

Additionally:

On Aug 14, 2014, at 7:20 PM, Ryan Sleevi <sleevi@google.com> wrote:
> In addition to these poibts, the feedback/recent errata from Eric =
Lawrence regarding HSTS is also extremely relevant to the discussion of =
HPKP, and we were waiting to see what actions, if any, the WG takes =
regarding that draft, lest we find ourselves immediately writing a bis =
to deal with those same points.
>=20
>=20
I don=92t know what is going to come of the issue that Eric found. It=92s =
entirely possible that nothing will come out of it, or that we=92ll have =
a document updating HSTS, or that we=92ll have a document profiling the =
deployment of HSTS.

Either way, this will require more discussion either in this working =
group or elsewhere. If we wanted to make a change like this to HPKP, =
that would require pulling the publication request and sending the =
document back to the working group. I don=92t think any of us wants =
that.

So, I think you should make all the necessary changes regardless of =
Eric=92s issue, so that we can progress HPKP. If that issue later leads =
to a new RFC, it can update and/or profile HPKP at the same time as it =
does HSTS.

This should not impede our progress.

Yoav


--Apple-Mail=_65686F5C-010E-4F79-B88E-7B38796AE5FC
Content-Transfer-Encoding: quoted-printable
Content-Type: text/html;
	charset=windows-1252

<html><head><meta http-equiv=3D"Content-Type" content=3D"text/html =
charset=3Dwindows-1252"></head><body style=3D"word-wrap: break-word; =
-webkit-nbsp-mode: space; -webkit-line-break: after-white-space;">What =
Barry and Tobias =
said.&nbsp;<div><br></div><div>Additionally:</div><div><br><div><div>On =
Aug 14, 2014, at 7:20 PM, Ryan Sleevi &lt;<a =
href=3D"mailto:sleevi@google.com">sleevi@google.com</a>&gt; =
wrote:</div><blockquote type=3D"cite"><p dir=3D"ltr">In addition to =
these poibts, the feedback/recent errata from Eric Lawrence regarding =
HSTS is also extremely relevant to the discussion of HPKP, and we were =
waiting to see what actions, if any, the WG takes regarding that draft, =
lest we find ourselves immediately writing a bis to deal with those same =
points.</p><div><br></div></blockquote><div>I don=92t know what is going =
to come of the issue that Eric found. It=92s entirely possible that =
nothing will come out of it, or that we=92ll have a document updating =
HSTS, or that we=92ll have a document profiling the deployment of =
HSTS.</div><div><br></div><div>Either way, this will require more =
discussion either in this working group or elsewhere. If we wanted to =
make a change like this to HPKP, that would require pulling the =
publication request and sending the document back to the working group. =
I don=92t think any of us wants that.</div><div><br></div><div>So, I =
think you should make all the necessary changes regardless of Eric=92s =
issue, so that we can progress HPKP. If that issue later leads to a new =
RFC, it can update and/or profile HPKP at the same time as it does =
HSTS.</div><div><br></div><div>This should not impede our =
progress.</div><div><br></div><div>Yoav</div><div><br></div></div></div></=
body></html>=

--Apple-Mail=_65686F5C-010E-4F79-B88E-7B38796AE5FC--


From nobody Mon Aug 25 01:24:18 2014
Return-Path: <sleevi@google.com>
X-Original-To: websec@ietfa.amsl.com
Delivered-To: websec@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D4C0B1A8A4B for <websec@ietfa.amsl.com>; Sun, 24 Aug 2014 22:44:06 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.147
X-Spam-Level: 
X-Spam-Status: No, score=-0.147 tagged_above=-999 required=5 tests=[BAYES_40=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, RP_MATCHES_RCVD=-0.668, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id N-gg63Tpvge8 for <websec@ietfa.amsl.com>; Sun, 24 Aug 2014 22:44:04 -0700 (PDT)
Received: from mail-vc0-x233.google.com (mail-vc0-x233.google.com [IPv6:2607:f8b0:400c:c03::233]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2EC491A8A57 for <websec@ietf.org>; Sun, 24 Aug 2014 22:44:04 -0700 (PDT)
Received: by mail-vc0-f179.google.com with SMTP id hq11so14591651vcb.38 for <websec@ietf.org>; Sun, 24 Aug 2014 22:44:03 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=/Kv9YfvFf5Dtvl9AJjHMtanTfiMvKwwC1B4tNEIl2bM=; b=bHNXY/f+vyzSg8omEEMs+25nU052fNebKbt5lvNjXkdcND+R0G71gaQJG7AJUj1tUk 8F1gYwqenpYXG+EeUyI6kSgbv9haToRBun7WdqB9shu+VPDLHwlDbnuEGI6tnoIxD65F lAJEmKHmiMjSztfMmeJjFvpcpMHr5Js7esC6+nDsYP3b4q1Bw5c28VERuvPq9fhvW0XO hHmwlx/SJExI9kU/fF6zixiz+g08v7Iwir//rruYFAYl8tZMxFHDFBvCEkWLi5hTHinm rVRSge0DYj2/0aVUdoCpN0rJE405vquEWbi3mmBcT96MYx9syLYwDf0VShcyMxDkbZDv PM3Q==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:date :message-id:subject:from:to:cc:content-type; bh=/Kv9YfvFf5Dtvl9AJjHMtanTfiMvKwwC1B4tNEIl2bM=; b=bRJB2L3iO/4jk/LlsjNaiNYWzl6b/ATdzeeLIEpKmBR5Ra5+Vlphjc3+Jfagc5AAt/ Jr8tp5tOgOrBc2AmZrW94ClQ3dNlzOfOjEn++K9mFHoCWMsxOUteQ2EomYsj2QKqV+lc tFuHW3cRvUJftHasn6t2Cr/PiXfxwu63rwP5IDYVRruyv5n/WHn4spFioAM90sYcfJ3v zaqtHt5xc7u2w/NSR3iD7bXMnhuwUg3stylum+HAT1Fh/FsazlE+EBnrPTP3W6lRyhhe Ipf8wlGglHDGNYTgUNOiiMm3VPNGflwTs1b3ZuIG65+Z5XGHp0DUhSQ94iFrG43Gjyqj Qgmg==
X-Gm-Message-State: ALoCoQngsTHUYgs9yD1JErHZLxqh51bsmYdC4Hst7bMqlbLeqnnqVx9YkYXjTlDcPsSkIrV30taX
MIME-Version: 1.0
X-Received: by 10.52.227.72 with SMTP id ry8mr3184701vdc.64.1408945443186; Sun, 24 Aug 2014 22:44:03 -0700 (PDT)
Received: by 10.52.119.178 with HTTP; Sun, 24 Aug 2014 22:44:02 -0700 (PDT)
In-Reply-To: <20140807031550.1175.40039.idtracker@ietfa.amsl.com>
References: <20140807031550.1175.40039.idtracker@ietfa.amsl.com>
Date: Sun, 24 Aug 2014 22:44:02 -0700
Message-ID: <CACvaWvYfEtHCHc8xFWg=W5AUzqNEAZjHzXn5YX8Sdzyumf-7ug@mail.gmail.com>
From: Ryan Sleevi <sleevi@google.com>
To: Kathleen Moriarty <Kathleen.Moriarty.ietf@gmail.com>
Content-Type: multipart/alternative; boundary=089e011765b9a6459605016dac3e
Archived-At: http://mailarchive.ietf.org/arch/msg/websec/8OxTyKhNAC9OQOxlvUI_ZKBGUvI
X-Mailman-Approved-At: Mon, 25 Aug 2014 01:24:12 -0700
Cc: draft-ietf-websec-key-pinning@tools.ietf.org, "<websec@ietf.org>" <websec@ietf.org>, The IESG <iesg@ietf.org>, websec-chairs@tools.ietf.org
Subject: Re: [websec] Kathleen Moriarty's Discuss on draft-ietf-websec-key-pinning-19: (with DISCUSS and COMMENT)
X-BeenThere: websec@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/websec>, <mailto:websec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/websec/>
List-Post: <mailto:websec@ietf.org>
List-Help: <mailto:websec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/websec>, <mailto:websec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 25 Aug 2014 05:44:07 -0000

--089e011765b9a6459605016dac3e
Content-Type: text/plain; charset=UTF-8

On Wed, Aug 6, 2014 at 8:15 PM, Kathleen Moriarty <
Kathleen.Moriarty.ietf@gmail.com> wrote:

> Kathleen Moriarty has entered the following ballot position for
> draft-ietf-websec-key-pinning-19: Discuss
>
> When responding, please keep the subject line intact and reply to all
> email addresses included in the To and CC lines. (Feel free to cut this
> introductory paragraph, however.)
>
>
> Please refer to http://www.ietf.org/iesg/statement/discuss-criteria.html
> for more information about IESG DISCUSS and COMMENT positions.
>
>
> The document, along with other ballot positions, can be found here:
> http://datatracker.ietf.org/doc/draft-ietf-websec-key-pinning/
>
>
>
> ----------------------------------------------------------------------
> DISCUSS:
> ----------------------------------------------------------------------
>
> Overall the draft is very good, thank you for writing it.  I just wanted
> to discuss some of the security/privacy considerations and see if we
> could improve the language and make sure the set of concerns are clear.
>
> The privacy consideration section reads more like possible attack
> scenarios that would fit into the security considerations.  What privacy
> related concerns result from these attacks?  Having that spelled out to
> differentiate the risks as privacy only would be helpful (if appropriate)
> or moving this into the security consideration section *IF* it is more
> generically applicable.  If I am missing something and this is only
> privacy related, it would be good to understand that in this discussion.
>  Adding some text on how these attacks could be used to expose privacy
> related information would be helpful too.
>

The first paragraph spells out precisely why this is listed as a privacy
consideration:

   Hosts can use HSTS or HPKP as a "super-cookie", by setting distinct
   policies for a number of subdomains.  For example, assume example.com
   wishes to track distinct UAs without explicitly setting a cookie, or
   if a previously-set cookie is deleted from the UA's cookie store.

Neither of these attacks undermine the protections afforded by HPKP.
Indeed, they exist precisely BECAUSE of HPKP offering a new means of web
storage. Essentially, all storage mechanisms introduced when dealing with
sites - whether it be cookies, new APIs like IndexedDB, exposure of
persistent storage such as cryptographic keys, or, as in both HSTS and
HPKP, remembering data about a previously visited site - represent new and
potential ways to uniquely identify a user, which the two examples spell
out.


>
> For the first example, it seems it is the possibility that a report goes
> outside out the intended scope is the concern.  The mitigation seems to
> be provided in the last sentence of #4, but couldn't this be other
> information leakage and not just privacy?  Let me know if I am missing
> something that explains why this is privacy specific.
>

I'm not sure how that was reached, as the description of the risk was
explicitly enumerated

   and the ability to pin arbitrary identifiers to distinguish UAs.

This is also reiterated in the #2 and #3.

The same applies to the second example, which hopefully the above
explanation is sufficient to demonstrate how the spec already highlights,
in several means, how this is a privacy issue (distinguishing the user
independent of cookies, aka a "super-cookie")


>
> In #3 of the second example, the last sentence includes the following
> clause:
>           and giving some UAs no
>           Valid Pinning Header for other subdomains (causing subsequent
>           requests for m.fingerprint.example.com to succeed).
>
> Does this mean that these subdomains are succeeding when they should
> fail?  It might just be me, but that is not clear in the text (or if they
> are supposed to succeed).  It sounds like they are not supposed to
> succeed and this is the security issue.  How is this privacy specific?
> Again, this may just be me, but an explanation would be helpful.


Do the above references to the existing portions of the spec make this
clearer?

As noted above, the attack is about identifying and tracking users through
means other than cookies. Such attacks are also known as "super-cookies",
which is the term explicitly used in the introduction of these attacks.

As noted, the attacker is the site serving the headers itself, which is why
it's a privacy issue.


>
> In the last sentence of the privacy considerations section, what is meant
> by the description "forensic attacker"?  I find this term confusing.  Was
> this intended to mean that techniques used in forensic analysis could be
> used by an attacker to discern information that could be of interest?  If
> that's the case, I think it would be clearer to the reader if that were
> stated instead.
>

This was in response to Alissa Cooper's YES vote, in which a threat model
of an attacker with physical access to the machine attempts to recover
state of the user's browsing history, which the UA had otherwise cleared.

Per Eric Lawrence's feedback, this third section will be reworked into it's
own privacy consideration bullet, and hopefully you'll find the
clarification suitable.


>
>
> ----------------------------------------------------------------------
> COMMENT:
> ----------------------------------------------------------------------
>
> I agree with Richard's comment that the document is well written and an
> important document, thank you for writing it.  The style changed a little
> toward the end and I had some trouble with long sentences in the security
> & privacy considerations sections.  This should be easy enough to fix and
> may be done with the RFC editor anyway.
>
> To Richard's point on operational concerns versus security concerns, are
> there explicit security attacks that could occur with the max-age
> variations described?
>
> In 4.2, I can't see this being more than an operational concern since it
> fails when overlapping pin sets are not used.  Are we missing a gap that
> leads to a security concern?
>

I suppose it depends on your threat model and how you view domain authority.

In the example given, subdomain.example.com is bypassing the pins set for
example.com+includeSubDomains, depending on timing. That is, if example.com
is visited first, then subdomain.example.com MUST be
equal-to-or-a-subset-of the pins for example.com, by virtue of the known
pinned host evaluation.

Thus if example.com wishes to administer pins for their domain (and all
subdomains), it's necessary for them to prevent subdomains from setting the
header.

Now, you can see this as an operational concern if you view the example.com
and subdomain.example.com as the same administrative entity, but that's
sometimes not the case (e.g. shared hosting sites like Amazon AWS, GitHub's
pages, or Google AppEngine)



>
> 4.3 makes sense to me as a security concern that drives operational
> practices.
>
>
>

--089e011765b9a6459605016dac3e
Content-Type: text/html; charset=UTF-8
Content-Transfer-Encoding: quoted-printable

<div dir=3D"ltr"><br><div class=3D"gmail_extra"><br><br><div class=3D"gmail=
_quote">On Wed, Aug 6, 2014 at 8:15 PM, Kathleen Moriarty <span dir=3D"ltr"=
>&lt;<a href=3D"mailto:Kathleen.Moriarty.ietf@gmail.com" target=3D"_blank">=
Kathleen.Moriarty.ietf@gmail.com</a>&gt;</span> wrote:<br>
<blockquote class=3D"gmail_quote" style=3D"margin:0px 0px 0px 0.8ex;border-=
left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;p=
adding-left:1ex">Kathleen Moriarty has entered the following ballot positio=
n for<br>

draft-ietf-websec-key-pinning-19: Discuss<br>
<br>
When responding, please keep the subject line intact and reply to all<br>
email addresses included in the To and CC lines. (Feel free to cut this<br>
introductory paragraph, however.)<br>
<br>
<br>
Please refer to <a href=3D"http://www.ietf.org/iesg/statement/discuss-crite=
ria.html" target=3D"_blank">http://www.ietf.org/iesg/statement/discuss-crit=
eria.html</a><br>
for more information about IESG DISCUSS and COMMENT positions.<br>
<br>
<br>
The document, along with other ballot positions, can be found here:<br>
<a href=3D"http://datatracker.ietf.org/doc/draft-ietf-websec-key-pinning/" =
target=3D"_blank">http://datatracker.ietf.org/doc/draft-ietf-websec-key-pin=
ning/</a><br>
<br>
<br>
<br>
----------------------------------------------------------------------<br>
DISCUSS:<br>
----------------------------------------------------------------------<br>
<br>
Overall the draft is very good, thank you for writing it.=C2=A0 I just want=
ed<br>
to discuss some of the security/privacy considerations and see if we<br>
could improve the language and make sure the set of concerns are clear.<br>
<br>
The privacy consideration section reads more like possible attack<br>
scenarios that would fit into the security considerations.=C2=A0 What priva=
cy<br>
related concerns result from these attacks?=C2=A0 Having that spelled out t=
o<br>
differentiate the risks as privacy only would be helpful (if appropriate)<b=
r>
or moving this into the security consideration section *IF* it is more<br>
generically applicable.=C2=A0 If I am missing something and this is only<br=
>
privacy related, it would be good to understand that in this discussion.<br=
>
=C2=A0Adding some text on how these attacks could be used to expose privacy=
<br>
related information would be helpful too.<br></blockquote><div><br></div><d=
iv><div><span style=3D"font-family:arial,sans-serif;font-size:13px">The fir=
st paragraph spells out precisely why this is listed as a privacy considera=
tion:</span></div>
<div><span style=3D"color:rgb(0,0,0);font-size:1em"><br></span></div><span =
style=3D"font-size:1em;color:rgb(0,0,0)"></span><font face=3D"courier new, =
monospace">=C2=A0 =C2=A0Hosts can use HSTS or HPKP as a &quot;super-cookie&=
quot;, by setting distinct<br>
=C2=A0 =C2=A0policies for a number of subdomains. =C2=A0For example, assume=
 <a href=3D"http://example.com">example.com</a><br>=C2=A0 =C2=A0wishes to t=
rack distinct UAs without explicitly setting a cookie, or<br>=C2=A0 =C2=A0i=
f a previously-set cookie is deleted from the UA&#39;s cookie store.</font>=
<div>
<font face=3D"courier new, monospace"><br></font></div><div><font face=3D"a=
rial, helvetica, sans-serif">Neither of these attacks undermine the protect=
ions afforded by HPKP. Indeed, they exist precisely BECAUSE of HPKP offerin=
g a new means of web storage. Essentially, all storage mechanisms introduce=
d when dealing with sites - whether it be cookies, new APIs like IndexedDB,=
 exposure of persistent storage such as cryptographic keys, or, as in both =
HSTS and HPKP, remembering data about a previously visited site - represent=
 new and potential ways to uniquely identify a user, which the two examples=
 spell out.</font></div>
</div><div>=C2=A0</div><blockquote class=3D"gmail_quote" style=3D"margin:0p=
x 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);bo=
rder-left-style:solid;padding-left:1ex">
<br>
For the first example, it seems it is the possibility that a report goes<br=
>
outside out the intended scope is the concern.=C2=A0 The mitigation seems t=
o<br>
be provided in the last sentence of #4, but couldn&#39;t this be other<br>
information leakage and not just privacy?=C2=A0 Let me know if I am missing=
<br>
something that explains why this is privacy specific.<br></blockquote><div>=
<br></div><div><div>I&#39;m not sure how that was reached, as the descripti=
on of the risk was explicitly enumerated</div><div><br></div><span style=3D=
"font-family:&#39;courier new&#39;,monospace">=C2=A0 =C2=A0</span><font fac=
e=3D"courier new, monospace">and the ability to pin arbitrary identifiers t=
o distinguish UAs.</font><div>
<font face=3D"courier new, monospace"><br></font></div><div>This is also re=
iterated in the #2 and #3.</div><div><br></div><div>The same applies to the=
 second example, which hopefully the above explanation is sufficient to dem=
onstrate how the spec already highlights, in several means, how this is a p=
rivacy issue (distinguishing the user independent of cookies, aka a &quot;s=
uper-cookie&quot;)</div>
</div><div>=C2=A0</div><blockquote class=3D"gmail_quote" style=3D"margin:0p=
x 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);bo=
rder-left-style:solid;padding-left:1ex">
<br>
In #3 of the second example, the last sentence includes the following<br>
clause:<br>
=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 and giving some UAs no<br>
=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 Valid Pinning Header for other subdomain=
s (causing subsequent<br>
=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 requests for <a href=3D"http://m.fingerp=
rint.example.com" target=3D"_blank">m.fingerprint.example.com</a> to succee=
d).<br>
<br>
Does this mean that these subdomains are succeeding when they should<br>
fail?=C2=A0 It might just be me, but that is not clear in the text (or if t=
hey<br>
are supposed to succeed).=C2=A0 It sounds like they are not supposed to<br>
succeed and this is the security issue.=C2=A0 How is this privacy specific?=
<br>
Again, this may just be me, but an explanation would be helpful.=C2=A0</blo=
ckquote><div><br></div><div>Do the above references to the existing portion=
s of the spec make this clearer?</div><div><br></div><div>As noted above, t=
he attack is about identifying and tracking users through means other than =
cookies. Such attacks are also known as &quot;super-cookies&quot;, which is=
 the term explicitly used in the introduction of these attacks.</div>
<div><br></div><div>As noted, the attacker is the site serving the headers =
itself, which is why it&#39;s a privacy issue.</div><div>=C2=A0</div><block=
quote class=3D"gmail_quote" style=3D"margin:0px 0px 0px 0.8ex;border-left-w=
idth:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding=
-left:1ex">

<br>
In the last sentence of the privacy considerations section, what is meant<b=
r>
by the description &quot;forensic attacker&quot;?=C2=A0 I find this term co=
nfusing.=C2=A0 Was<br>
this intended to mean that techniques used in forensic analysis could be<br=
>
used by an attacker to discern information that could be of interest?=C2=A0=
 If<br>
that&#39;s the case, I think it would be clearer to the reader if that were=
<br>
stated instead.<br></blockquote><div><br></div><div>This was in response to=
 Alissa Cooper&#39;s YES vote, in which a threat model of an attacker with =
physical access to the machine attempts to recover state of the user&#39;s =
browsing history, which the UA had otherwise cleared.</div>
<div><br></div><div>Per Eric Lawrence&#39;s feedback, this third section wi=
ll be reworked into it&#39;s own privacy consideration bullet, and hopefull=
y you&#39;ll find the clarification suitable.</div><div>=C2=A0</div><blockq=
uote class=3D"gmail_quote" style=3D"margin:0px 0px 0px 0.8ex;border-left-wi=
dth:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-=
left:1ex">

<br>
<br>
----------------------------------------------------------------------<br>
COMMENT:<br>
----------------------------------------------------------------------<br>
<br>
I agree with Richard&#39;s comment that the document is well written and an=
<br>
important document, thank you for writing it.=C2=A0 The style changed a lit=
tle<br>
toward the end and I had some trouble with long sentences in the security<b=
r>
&amp; privacy considerations sections.=C2=A0 This should be easy enough to =
fix and<br>
may be done with the RFC editor anyway.<br>
<br>
To Richard&#39;s point on operational concerns versus security concerns, ar=
e<br>
there explicit security attacks that could occur with the max-age<br>
variations described?<br>
<br>
In 4.2, I can&#39;t see this being more than an operational concern since i=
t<br>
fails when overlapping pin sets are not used.=C2=A0 Are we missing a gap th=
at<br>
leads to a security concern?<br></blockquote><div><br></div><div><div><div>=
I suppose it depends on your threat model and how you view domain authority=
.</div><div><br></div><div>In the example given, <a href=3D"http://subdomai=
n.example.com">subdomain.example.com</a> is bypassing the pins set for <a h=
ref=3D"http://example.com">example.com</a>+includeSubDomains, depending on =
timing. That is, if <a href=3D"http://example.com">example.com</a> is visit=
ed first, then <a href=3D"http://subdomain.example.com">subdomain.example.c=
om</a> MUST be equal-to-or-a-subset-of the pins for <a href=3D"http://examp=
le.com">example.com</a>, by virtue of the known pinned host evaluation.</di=
v>
<div><br></div><div>Thus if <a href=3D"http://example.com">example.com</a> =
wishes to administer pins for their domain (and all subdomains), it&#39;s n=
ecessary for them to prevent subdomains from setting the header.</div><div>
<br></div><div>Now, you can see this as an operational concern if you view =
the <a href=3D"http://example.com">example.com</a> and <a href=3D"http://su=
bdomain.example.com">subdomain.example.com</a> as the same administrative e=
ntity, but that&#39;s sometimes not the case (e.g. shared hosting sites lik=
e Amazon AWS, GitHub&#39;s pages, or Google AppEngine)</div>
</div></div><div><br></div><div>=C2=A0</div><blockquote class=3D"gmail_quot=
e" style=3D"margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-colo=
r:rgb(204,204,204);border-left-style:solid;padding-left:1ex">
<br>
4.3 makes sense to me as a security concern that drives operational<br>
practices.<br>
<br>
<br>
</blockquote></div><br></div></div>

--089e011765b9a6459605016dac3e--


From nobody Mon Aug 25 01:24:21 2014
Return-Path: <sleevi@google.com>
X-Original-To: websec@ietfa.amsl.com
Delivered-To: websec@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2F3AA1A8A63 for <websec@ietfa.amsl.com>; Sun, 24 Aug 2014 22:52:15 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.046
X-Spam-Level: 
X-Spam-Status: No, score=-2.046 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, RP_MATCHES_RCVD=-0.668, SPF_PASS=-0.001] autolearn=unavailable
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id fkW2NlTQTHbt for <websec@ietfa.amsl.com>; Sun, 24 Aug 2014 22:52:13 -0700 (PDT)
Received: from mail-vc0-x22c.google.com (mail-vc0-x22c.google.com [IPv6:2607:f8b0:400c:c03::22c]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 005D91A8A65 for <websec@ietf.org>; Sun, 24 Aug 2014 22:51:52 -0700 (PDT)
Received: by mail-vc0-f172.google.com with SMTP id im17so14644951vcb.31 for <websec@ietf.org>; Sun, 24 Aug 2014 22:51:52 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=huJmF/UN7+UDPJHeBzm9fBWD3X6bXGW6s/Q17EwaUqU=; b=l//9BtTorkJxkkK99ssyoPy9bC/A4/WwGHG1Mmtm1VFW2TrQqCpmCxVvEge53OFH1n x80AN1FCmBkDEhM79czJgqzQs0rUUGhw1nipJ90Up0tZsuMJYYTR+cP4MOkc8SesjEBX 2EurotXoFvS2IgVlw6lcZSo6CTnCidLnTg3H8D5mdaurKrrH0Cz+O4ej9/+Pd9ZIC3Ug W6yNI77aVA2IH0ldShrH/994TbrxyfEXGex4dM0PiaTJoYHSMq5q9CaQPdWMASl0lTst /qXaMG1LqMNcrxklfosyeC405Eai8d5wCTXyK0FHgwZ9IpRu4pqum47yhmVpjrgjAsSj gljQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:date :message-id:subject:from:to:cc:content-type; bh=huJmF/UN7+UDPJHeBzm9fBWD3X6bXGW6s/Q17EwaUqU=; b=b6gDYDysH6paFAK6hZVCqEmCkKuo4//Wquyp/lFCfvoDrKuv8LPKQcU+s+rAYc0kQe mutzt/ucm0/H/iXF4LsvRFhOOfG/zcyS9rovVKH0u7CY1tPQmzXe4dY8nH5MGZPcQP3m hR4GSiu6OJTA1X5RNOu+iXJO5zHKusJPJRtEX+adQIElzYfBKsOH4yKbXWtP0XS1ntPM 8LmEr6Ig9bdv08R4rzhZ4K6DwjN8Wkwx2jpB4U1VpjuXfOdVGoJ10JUrD2L4uGCCODwU f2hRvic9VGslvIKyq59j5T5tx822AUKdN43UlN6BcR6epI7KJFeolp1lIJuGPBqyPjL4 Y6Hg==
X-Gm-Message-State: ALoCoQnXuAFxEDqj5fwuicixZJJVCQy744mE7vF84mbIQQVHL4Q9m+zZm1l78iuWaU2ZNc89Nk68
MIME-Version: 1.0
X-Received: by 10.221.21.201 with SMTP id qt9mr4061462vcb.39.1408945912182; Sun, 24 Aug 2014 22:51:52 -0700 (PDT)
Received: by 10.52.119.178 with HTTP; Sun, 24 Aug 2014 22:51:52 -0700 (PDT)
In-Reply-To: <20140807110710.18212.14741.idtracker@ietfa.amsl.com>
References: <20140807110710.18212.14741.idtracker@ietfa.amsl.com>
Date: Sun, 24 Aug 2014 22:51:52 -0700
Message-ID: <CACvaWvZooQ2r6hzBAWy-MHvrc62dMaH8kakEvEEFEG-Eg3fZMw@mail.gmail.com>
From: Ryan Sleevi <sleevi@google.com>
To: Stephen Farrell <stephen.farrell@cs.tcd.ie>
Content-Type: multipart/alternative; boundary=001a1133955c9aa20205016dc83f
Archived-At: http://mailarchive.ietf.org/arch/msg/websec/DViczDjqs2tDEVT3TqE-hgikrq0
X-Mailman-Approved-At: Mon, 25 Aug 2014 01:24:12 -0700
Cc: draft-ietf-websec-key-pinning@tools.ietf.org, "<websec@ietf.org>" <websec@ietf.org>, The IESG <iesg@ietf.org>, websec-chairs@tools.ietf.org
Subject: Re: [websec] Stephen Farrell's Discuss on draft-ietf-websec-key-pinning-19: (with DISCUSS and COMMENT)
X-BeenThere: websec@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/websec>, <mailto:websec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/websec/>
List-Post: <mailto:websec@ietf.org>
List-Help: <mailto:websec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/websec>, <mailto:websec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 25 Aug 2014 05:52:15 -0000

--001a1133955c9aa20205016dc83f
Content-Type: text/plain; charset=UTF-8

On Thu, Aug 7, 2014 at 4:07 AM, Stephen Farrell <stephen.farrell@cs.tcd.ie>
wrote:

> Stephen Farrell has entered the following ballot position for
> draft-ietf-websec-key-pinning-19: Discuss
>
> When responding, please keep the subject line intact and reply to all
> email addresses included in the To and CC lines. (Feel free to cut this
> introductory paragraph, however.)
>
>
> Please refer to http://www.ietf.org/iesg/statement/discuss-criteria.html
> for more information about IESG DISCUSS and COMMENT positions.
>
>
> The document, along with other ballot positions, can be found here:
> http://datatracker.ietf.org/doc/draft-ietf-websec-key-pinning/
>
>
>
> ----------------------------------------------------------------------
> DISCUSS:
> ----------------------------------------------------------------------
>
>
>
> Good doc. Two things I'd like to check before moving to a yes
> ballot:
>
> (1) 2.1 - Can a simple-directive start with "pin-"?  Seems like
> yes it can, but then the ABNF is ambiguous about the RHS of the
> "=" I think, is that right? Its no big deal since valid values
> will parse anyway, so only an issue if you ever care about
> simple-directive vs. pin-directive. Ah - does the last para of
> 2.1 mean that this distinction is needed really?
>

>From the ABNF, yes, it does many any simple-directive can start with "pin-".

I suspect the solution is to remove pin-directive entirely from the ABNF,
as it's not necessary, and purely specify in terms of directives. The
concept of a "pin-directive" can be explained via prose, which would be
consistent to how HTTPbis restructured most of the header processing.



>
> (2) 2.1.3 says that "If the scheme in the report-uri is one
> that uses TLS (e.g.  HTTPS), UAs MUST perform Pinning
> Validation when the host in the report-uri is a Known Pinned
> Host;" That's generally ok, however, I think it may break for
> alt-svc, where TLS is used but https is not, or if TCPINC
> decided on a TLS based solution then some coder might get it
> wrong. I think a simple re-statement in terms of http vs. https
> URIs should fix this. I realise that neither alt-svc nor TCPINC
> existed when this work started, but since they now do it'd pay
> to think about them and I don't recall seeing that on the
> websec list (apologies if I'm wrong there).  The IFF in 2.5
> also seems related.  2.2 has same issues about alt-svc and
> TCPINC. I do see that you only say "e.g. TLS" here but
> wonder nonetheless, e.g. would 2.2.1 cover an alt-svc case
> or not?
>

The suggested solution - being explicit that it applies to HTTPS - equally
suffers from the risk of error being seen for alt-svc, in that it fails to
account for schemes such as wss://, for which pinning also should apply.

I realize this is probably something you may not agree with, but I think
the language choice here - that of "secure transport" - is already
sufficient to exclude such proposals as alt-svc, which only provide
encryption. That is, both in practice and intent, alt-svc is not considered
to be a "secure transport" (which is as much evident by the lack of secure
cookies)

For example, with respect to 2.5, the second bullet point describes the
connection as "authenticated", which alt-svc is not.


>
>
> ----------------------------------------------------------------------
> COMMENT:
> ----------------------------------------------------------------------
>
>
>
> abstract and elswhere: SubjectPublicKeyInfo doesn't usually
> have spaces between the terms. No big deal. After the abstract
> would a ref to 5280 be right for SPKI as well?
>

Sure.


>
> general: I think emphasising the backup pin requirement in the
> intro would be good. It's a little hidden now and would be a
> surprise to some I bet.
>
> 2.1 - pin-directive has the literal "pin-" but later you say
> (in bullet #3) that directive names are case insensitive.  Does
> that apply to "pin-" as well or not?
>

It should. The above proposed removal of the ABNF for pin-directive should
remedy this.


>
> 2.1 - has some typos: reistry and hahs
>
> 2.1 - "Known Pinned Host" would be a fine term to define in a
> section 1.1 that was renamed via s/Requirements
> Language/Terminology/
>
> 2.1.1 - max-age is really defined against the time of reception
> and not (in principle) from when its emitted?  I know that
> makes no difference now, but with a sufficient latency (e.g.
> Earth->Mars, min 4 mins, max 20 mins, and yes my DTN heritage
> is showing:-) it could, just about. I think to be pedantically
> correct, max-age ought be defined versus the time of emission
> and not receipt.
>

I don't see how this reasonably can be accomplished, short of requiring
that the Date header ( http://tools.ietf.org/html/rfc7231#section-7.1.1.2 )
be present, which does not seem desirable.


>
> 2.1.2 - uses the term "Pinned Host" which is not the same as
> the previously used "Known Pinned Host" - is the distinction
> meant to be significant or is that a typo?
>

Typo, although the difference is significant enough to provide
clarification, in as much as it applies to PKP-RO (which doesn't note the
pins, as discussed elsewhere)


>
> 2.1.3/section 4 - shouldn't the potential DoS issues be
> discussed for cases where report-uri != same-origin? E.g.  if
> busy-site.example.net (is hacked and) sets report-uri to
> victim.example.com (maybe with some HTML/JS that generates
> loads of queries to the victimj) that'd be like getting /.'d I
> think that's maybe worth noting in the security considerations
> or in 2.1.3 where you (quite properly) say to rate-limit
> reporting. If you'd rather not say why though, that's ok too.
>
>
Sure.

--001a1133955c9aa20205016dc83f
Content-Type: text/html; charset=UTF-8
Content-Transfer-Encoding: quoted-printable

<div dir=3D"ltr"><br><div class=3D"gmail_extra"><br><br><div class=3D"gmail=
_quote">On Thu, Aug 7, 2014 at 4:07 AM, Stephen Farrell <span dir=3D"ltr">&=
lt;<a href=3D"mailto:stephen.farrell@cs.tcd.ie" target=3D"_blank">stephen.f=
arrell@cs.tcd.ie</a>&gt;</span> wrote:<br>
<blockquote class=3D"gmail_quote" style=3D"margin:0px 0px 0px 0.8ex;border-=
left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;p=
adding-left:1ex">Stephen Farrell has entered the following ballot position =
for<br>

draft-ietf-websec-key-pinning-19: Discuss<br>
<br>
When responding, please keep the subject line intact and reply to all<br>
email addresses included in the To and CC lines. (Feel free to cut this<br>
introductory paragraph, however.)<br>
<br>
<br>
Please refer to <a href=3D"http://www.ietf.org/iesg/statement/discuss-crite=
ria.html" target=3D"_blank">http://www.ietf.org/iesg/statement/discuss-crit=
eria.html</a><br>
for more information about IESG DISCUSS and COMMENT positions.<br>
<br>
<br>
The document, along with other ballot positions, can be found here:<br>
<a href=3D"http://datatracker.ietf.org/doc/draft-ietf-websec-key-pinning/" =
target=3D"_blank">http://datatracker.ietf.org/doc/draft-ietf-websec-key-pin=
ning/</a><br>
<br>
<br>
<br>
----------------------------------------------------------------------<br>
DISCUSS:<br>
----------------------------------------------------------------------<br>
<br>
<br>
<br>
Good doc. Two things I&#39;d like to check before moving to a yes<br>
ballot:<br>
<br>
(1) 2.1 - Can a simple-directive start with &quot;pin-&quot;?=C2=A0 Seems l=
ike<br>
yes it can, but then the ABNF is ambiguous about the RHS of the<br>
&quot;=3D&quot; I think, is that right? Its no big deal since valid values<=
br>
will parse anyway, so only an issue if you ever care about<br>
simple-directive vs. pin-directive. Ah - does the last para of<br>
2.1 mean that this distinction is needed really?<br></blockquote><div><br><=
/div><div><div>From the ABNF, yes, it does many any simple-directive can st=
art with &quot;pin-&quot;.</div><div><br></div><div>I suspect the solution =
is to remove pin-directive entirely from the ABNF, as it&#39;s not necessar=
y, and purely specify in terms of directives. The concept of a &quot;pin-di=
rective&quot; can be explained via prose, which would be consistent to how =
HTTPbis restructured most of the header processing.<br>
</div></div><div><br></div><div>=C2=A0</div><blockquote class=3D"gmail_quot=
e" style=3D"margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-colo=
r:rgb(204,204,204);border-left-style:solid;padding-left:1ex">
<br>
(2) 2.1.3 says that &quot;If the scheme in the report-uri is one<br>
that uses TLS (e.g.=C2=A0 HTTPS), UAs MUST perform Pinning<br>
Validation when the host in the report-uri is a Known Pinned<br>
Host;&quot; That&#39;s generally ok, however, I think it may break for<br>
alt-svc, where TLS is used but https is not, or if TCPINC<br>
decided on a TLS based solution then some coder might get it<br>
wrong. I think a simple re-statement in terms of http vs. https<br>
URIs should fix this. I realise that neither alt-svc nor TCPINC<br>
existed when this work started, but since they now do it&#39;d pay<br>
to think about them and I don&#39;t recall seeing that on the<br>
websec list (apologies if I&#39;m wrong there).=C2=A0 The IFF in 2.5<br>
also seems related.=C2=A0 2.2 has same issues about alt-svc and<br>
TCPINC. I do see that you only say &quot;e.g. TLS&quot; here but<br>
wonder nonetheless, e.g. would 2.2.1 cover an alt-svc case<br>
or not?<br></blockquote><div><br></div><div><div>The suggested solution - b=
eing explicit that it applies to HTTPS - equally suffers from the risk of e=
rror being seen for alt-svc, in that it fails to account for schemes such a=
s wss://, for which pinning also should apply.</div>
<div><br></div><div>I realize this is probably something you may not agree =
with, but I think the language choice here - that of &quot;secure transport=
&quot; - is already sufficient to exclude such proposals as alt-svc, which =
only provide encryption. That is, both in practice and intent, alt-svc is n=
ot considered to be a &quot;secure transport&quot; (which is as much eviden=
t by the lack of secure cookies)</div>
<div><br></div><div>For example, with respect to 2.5, the second bullet poi=
nt describes the connection as &quot;authenticated&quot;, which alt-svc is =
not.</div></div><div>=C2=A0</div><blockquote class=3D"gmail_quote" style=3D=
"margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,2=
04,204);border-left-style:solid;padding-left:1ex">

<br>
<br>
----------------------------------------------------------------------<br>
COMMENT:<br>
----------------------------------------------------------------------<br>
<br>
<br>
<br>
abstract and elswhere: SubjectPublicKeyInfo doesn&#39;t usually<br>
have spaces between the terms. No big deal. After the abstract<br>
would a ref to 5280 be right for SPKI as well?<br></blockquote><div><br></d=
iv><div>Sure.</div><div>=C2=A0</div><blockquote class=3D"gmail_quote" style=
=3D"margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(20=
4,204,204);border-left-style:solid;padding-left:1ex">

<br>
general: I think emphasising the backup pin requirement in the<br>
intro would be good. It&#39;s a little hidden now and would be a<br>
surprise to some I bet.<br>
<br>
2.1 - pin-directive has the literal &quot;pin-&quot; but later you say<br>
(in bullet #3) that directive names are case insensitive.=C2=A0 Does<br>
that apply to &quot;pin-&quot; as well or not?<br></blockquote><div><br></d=
iv><div>It should. The above proposed removal of the ABNF for pin-directive=
 should remedy this.</div><div>=C2=A0</div><blockquote class=3D"gmail_quote=
" style=3D"margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color=
:rgb(204,204,204);border-left-style:solid;padding-left:1ex">

<br>
2.1 - has some typos: reistry and hahs<br>
<br>
2.1 - &quot;Known Pinned Host&quot; would be a fine term to define in a<br>
section 1.1 that was renamed via s/Requirements<br>
Language/Terminology/<br>
<br>
2.1.1 - max-age is really defined against the time of reception<br>
and not (in principle) from when its emitted?=C2=A0 I know that<br>
makes no difference now, but with a sufficient latency (e.g.<br>
Earth-&gt;Mars, min 4 mins, max 20 mins, and yes my DTN heritage<br>
is showing:-) it could, just about. I think to be pedantically<br>
correct, max-age ought be defined versus the time of emission<br>
and not receipt.<br></blockquote><div><br></div><div>I don&#39;t see how th=
is reasonably can be accomplished, short of requiring that the Date header =
( <a href=3D"http://tools.ietf.org/html/rfc7231#section-7.1.1.2">http://too=
ls.ietf.org/html/rfc7231#section-7.1.1.2</a> ) be present, which does not s=
eem desirable.</div>
<div>=C2=A0</div><blockquote class=3D"gmail_quote" style=3D"margin:0px 0px =
0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-l=
eft-style:solid;padding-left:1ex">
<br>
2.1.2 - uses the term &quot;Pinned Host&quot; which is not the same as<br>
the previously used &quot;Known Pinned Host&quot; - is the distinction<br>
meant to be significant or is that a typo?<br></blockquote><div><br></div><=
div>Typo, although the difference is significant enough to provide clarific=
ation, in as much as it applies to PKP-RO (which doesn&#39;t note the pins,=
 as discussed elsewhere)</div>
<div>=C2=A0</div><blockquote class=3D"gmail_quote" style=3D"margin:0px 0px =
0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-l=
eft-style:solid;padding-left:1ex">
<br>
2.1.3/section 4 - shouldn&#39;t the potential DoS issues be<br>
discussed for cases where report-uri !=3D same-origin? E.g.=C2=A0 if<br>
<a href=3D"http://busy-site.example.net" target=3D"_blank">busy-site.exampl=
e.net</a> (is hacked and) sets report-uri to<br>
<a href=3D"http://victim.example.com" target=3D"_blank">victim.example.com<=
/a> (maybe with some HTML/JS that generates<br>
loads of queries to the victimj) that&#39;d be like getting /.&#39;d I<br>
think that&#39;s maybe worth noting in the security considerations<br>
or in 2.1.3 where you (quite properly) say to rate-limit<br>
reporting. If you&#39;d rather not say why though, that&#39;s ok too.<br><b=
r></blockquote><div><br></div><div>Sure.=C2=A0</div></div><br></div></div>

--001a1133955c9aa20205016dc83f--


From nobody Mon Aug 25 01:24:22 2014
Return-Path: <sleevi@google.com>
X-Original-To: websec@ietfa.amsl.com
Delivered-To: websec@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 26C081A8A68 for <websec@ietfa.amsl.com>; Sun, 24 Aug 2014 22:52:25 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.046
X-Spam-Level: 
X-Spam-Status: No, score=-2.046 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, RP_MATCHES_RCVD=-0.668, SPF_PASS=-0.001] autolearn=unavailable
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ys8gJxKfM3-c for <websec@ietfa.amsl.com>; Sun, 24 Aug 2014 22:52:23 -0700 (PDT)
Received: from mail-vc0-x22e.google.com (mail-vc0-x22e.google.com [IPv6:2607:f8b0:400c:c03::22e]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id EB7C41A8A60 for <websec@ietf.org>; Sun, 24 Aug 2014 22:52:22 -0700 (PDT)
Received: by mail-vc0-f174.google.com with SMTP id la4so14408820vcb.5 for <websec@ietf.org>; Sun, 24 Aug 2014 22:52:22 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=zGPj2SBFb0eIxt0deqHPdw9fn5rgEN3OHmbFLGY7gE8=; b=aSemCIpRMDMjv3Ef1o0WgXKQkxCyGAT3L3SzK10vrTyN3oqQig8BCRny6HyJrO1vAR bm0pt2MZDmTTph0iJC1crHrdnBni/DgUZO1hEj/ctxxGrY0WFccwRy6tn+NRAYabcqmT C3Hwib7FC0VKPAOxlyW96BVtCkMAH9KAZuGBcfCS/SGpJdm/pMXEZ7uXWKBn36A/Clua EVGARvXE5jP/9V84iJOwYZ42SOVlgbjuwK7qWqJSiqZS2t3qP3caTbUAJurXh7lP+PQ1 T2tyZ5PetshaDIRtnExGV7QIgkaT81B4D5kC+s9UHOFZJPx5k0Vg3dSZF43yC31K8sk1 Ie0Q==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:date :message-id:subject:from:to:cc:content-type; bh=zGPj2SBFb0eIxt0deqHPdw9fn5rgEN3OHmbFLGY7gE8=; b=WS4Kx+OR6FVkppLcSfELtD2QUS/ex1+ZQvr4n8SY9Skikgl6lq1pLSMIHsfUAhv/TL S51U6tNeRsUQCcd5IsIhI9UWpGUen5TONI73y772/pkPVmTpN8iMq9JOpXGEk6sed0R1 RcnisBdqxGRwNBM7O04DDRzXTa5BZRMKiyN2aUBK8vp4LWczFoPfX8Kk4oT9fkkBnwWa 83YCYApdqzzMjdQcmwSbmfWDm7Z8/9XwpUcpYBGqV/GE3n3p7z7eZDPgu2Bos9Es+qzN ix4lRFBJd7N0PcXCs7u5Frik5PtuqaigSxUnm025Ozh3tb7v8ILqPPrYVnjoEUT+p0Gt m/3g==
X-Gm-Message-State: ALoCoQnEzL17+iQv6Fn6OiQMzV68eShGwJDCae/i+MLJP3PSnqFHZVFV8zO6nnvRy45VJnxCqLNF
MIME-Version: 1.0
X-Received: by 10.52.162.74 with SMTP id xy10mr3313989vdb.51.1408945942127; Sun, 24 Aug 2014 22:52:22 -0700 (PDT)
Received: by 10.52.119.178 with HTTP; Sun, 24 Aug 2014 22:52:22 -0700 (PDT)
In-Reply-To: <20140807135751.6422.30957.idtracker@ietfa.amsl.com>
References: <20140807135751.6422.30957.idtracker@ietfa.amsl.com>
Date: Sun, 24 Aug 2014 22:52:22 -0700
Message-ID: <CACvaWvYTuutQGgkcZN3RraY9+UuRJ5WzBveci5oxrg=q96CdCw@mail.gmail.com>
From: Ryan Sleevi <sleevi@google.com>
To: Ted Lemon <ted.lemon@nominum.com>
Content-Type: multipart/alternative; boundary=089e015386486390a605016dcaf9
Archived-At: http://mailarchive.ietf.org/arch/msg/websec/c4HjRkEfUJKPilVI_mHC3JtvV1Q
X-Mailman-Approved-At: Mon, 25 Aug 2014 01:24:12 -0700
Cc: draft-ietf-websec-key-pinning@tools.ietf.org, "<websec@ietf.org>" <websec@ietf.org>, The IESG <iesg@ietf.org>, websec-chairs@tools.ietf.org
Subject: Re: [websec] Ted Lemon's Discuss on draft-ietf-websec-key-pinning-19: (with DISCUSS)
X-BeenThere: websec@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/websec>, <mailto:websec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/websec/>
List-Post: <mailto:websec@ietf.org>
List-Help: <mailto:websec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/websec>, <mailto:websec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 25 Aug 2014 05:52:25 -0000

--089e015386486390a605016dcaf9
Content-Type: text/plain; charset=UTF-8

On Thu, Aug 7, 2014 at 6:57 AM, Ted Lemon <ted.lemon@nominum.com> wrote:

> Ted Lemon has entered the following ballot position for
> draft-ietf-websec-key-pinning-19: Discuss
>
> When responding, please keep the subject line intact and reply to all
> email addresses included in the To and CC lines. (Feel free to cut this
> introductory paragraph, however.)
>
>
> Please refer to http://www.ietf.org/iesg/statement/discuss-criteria.html
> for more information about IESG DISCUSS and COMMENT positions.
>
>
> The document, along with other ballot positions, can be found here:
> http://datatracker.ietf.org/doc/draft-ietf-websec-key-pinning/
>
>
>
> ----------------------------------------------------------------------
> DISCUSS:
> ----------------------------------------------------------------------
>
> This mechanism relies on there being no MiTM attack from a compromised
> signing key either prior to a legitimate pinning, or in a situation where
> the host being "protected" doesn't actually do pinning.   I think this
> should be mentioned in the security considerations section.   I raise
> this to the level of DISCUSS because I think this actually creates a new
> attack surface for government censorship: you MiTM the host you're
> attacking, pin it to a cert signed using a compromised CA, and then that
> UA can't communicate with the host again for the duration of the pin.
>
> The scenario would be that the government has a transparent web cache in
> the path between the host and the UA, and the web cache pins false cert
> for hosts that are being censored.   Now even if the user sets up a
> tunnel to bypass the transparent cache, they can't access the censored
> site, so they conclude that the site is down and abandon the tunnel.   I
> could easily see this being used in a scenario like the recent DNS
> censorship in Turkey.
>
> Setting a lower maximum pin age mitigates the damage of such attacks if
> the user keeps the tunnel up for the duration of the pin, but I don't
> think it's realistic to assume that they will.   I think that the only
> way to mitigate this attack is to have a mechanism whereby conflicting
> DANE TLSA information overrides the pin.   This would allow a site being
> attacked in this way to securely inform the UA that the pin was invalid.
>  The government could of course prevent DNSSEC validation, but the UA
> could take this as another signal to drop the pin: if the zone where the
> TLSA record should be fails to validate (as opposed to isn't signed,
> which wouldn't signify anything), the pin is likely a censorship attempt.
>
>

Happy to note "Hostile Pins" as an attack scenario, as it's one we've
discussed at length, however, I find the scenario a bit convoluted, and
worse, the proposed solution (DNSSEC) being worse than the problem that
it's solving.

That is, consider the inverse ordering. A user visits a good site, with the
TRUE certificate chain being sent, and notes the GOOD pins. At some point
later on, a hostile intermediate attempts to MITM the connection. The UA
correctly refuses to connect to the host, because the pins do not match.

The hostile attacker (the government) blocks DNSSEC, which now the UA takes
as a signal to drop the pin. In doing so, they now connect to the BAD site
with the BAD certificates, and note HOSTILE pins.

Or consider the operational risks of DNSSEC, which lacks formalized key
strengths or management lifecycles, and which, as evidence repeatedly shows
for DNS, can be transferred through court order. In this case, if a DNSSEC
TLSA record overrides the pinning, the site is again at the mercy of a
single point of failure. Thus we'd need DNSSEC pinning and DNSSEC
transparency.

I don't mean for this to get into a larger debate about DNSSEC, merely
provide context for why it's not discussed as a mitigation in considering
hostile pins. I think I can fairly certainly say such a mitigation wouldn't
get implemented.

--089e015386486390a605016dcaf9
Content-Type: text/html; charset=UTF-8
Content-Transfer-Encoding: quoted-printable

<div dir=3D"ltr"><br><div class=3D"gmail_extra"><br><br><div class=3D"gmail=
_quote">On Thu, Aug 7, 2014 at 6:57 AM, Ted Lemon <span dir=3D"ltr">&lt;<a =
href=3D"mailto:ted.lemon@nominum.com" target=3D"_blank">ted.lemon@nominum.c=
om</a>&gt;</span> wrote:<br>
<blockquote class=3D"gmail_quote" style=3D"margin:0px 0px 0px 0.8ex;border-=
left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;p=
adding-left:1ex">Ted Lemon has entered the following ballot position for<br=
>

draft-ietf-websec-key-pinning-19: Discuss<br>
<br>
When responding, please keep the subject line intact and reply to all<br>
email addresses included in the To and CC lines. (Feel free to cut this<br>
introductory paragraph, however.)<br>
<br>
<br>
Please refer to <a href=3D"http://www.ietf.org/iesg/statement/discuss-crite=
ria.html" target=3D"_blank">http://www.ietf.org/iesg/statement/discuss-crit=
eria.html</a><br>
for more information about IESG DISCUSS and COMMENT positions.<br>
<br>
<br>
The document, along with other ballot positions, can be found here:<br>
<a href=3D"http://datatracker.ietf.org/doc/draft-ietf-websec-key-pinning/" =
target=3D"_blank">http://datatracker.ietf.org/doc/draft-ietf-websec-key-pin=
ning/</a><br>
<br>
<br>
<br>
----------------------------------------------------------------------<br>
DISCUSS:<br>
----------------------------------------------------------------------<br>
<br>
This mechanism relies on there being no MiTM attack from a compromised<br>
signing key either prior to a legitimate pinning, or in a situation where<b=
r>
the host being &quot;protected&quot; doesn&#39;t actually do pinning.=C2=A0=
 =C2=A0I think this<br>
should be mentioned in the security considerations section.=C2=A0 =C2=A0I r=
aise<br>
this to the level of DISCUSS because I think this actually creates a new<br=
>
attack surface for government censorship: you MiTM the host you&#39;re<br>
attacking, pin it to a cert signed using a compromised CA, and then that<br=
>
UA can&#39;t communicate with the host again for the duration of the pin.<b=
r>
<br>
The scenario would be that the government has a transparent web cache in<br=
>
the path between the host and the UA, and the web cache pins false cert<br>
for hosts that are being censored.=C2=A0 =C2=A0Now even if the user sets up=
 a<br>
tunnel to bypass the transparent cache, they can&#39;t access the censored<=
br>
site, so they conclude that the site is down and abandon the tunnel.=C2=A0 =
=C2=A0I<br>
could easily see this being used in a scenario like the recent DNS<br>
censorship in Turkey.<br>
<br>
Setting a lower maximum pin age mitigates the damage of such attacks if<br>
the user keeps the tunnel up for the duration of the pin, but I don&#39;t<b=
r>
think it&#39;s realistic to assume that they will.=C2=A0 =C2=A0I think that=
 the only<br>
way to mitigate this attack is to have a mechanism whereby conflicting<br>
DANE TLSA information overrides the pin.=C2=A0 =C2=A0This would allow a sit=
e being<br>
attacked in this way to securely inform the UA that the pin was invalid.<br=
>
=C2=A0The government could of course prevent DNSSEC validation, but the UA<=
br>
could take this as another signal to drop the pin: if the zone where the<br=
>
TLSA record should be fails to validate (as opposed to isn&#39;t signed,<br=
>
which wouldn&#39;t signify anything), the pin is likely a censorship attemp=
t.<br><br></blockquote><div><br></div><div><br></div><div>Happy to note &qu=
ot;Hostile Pins&quot; as an attack scenario, as it&#39;s one we&#39;ve disc=
ussed at length, however, I find the scenario a bit convoluted, and worse, =
the proposed solution (DNSSEC) being worse than the problem that it&#39;s s=
olving.<br>
</div><div><br></div><div>That is, consider the inverse ordering. A user vi=
sits a good site, with the TRUE certificate chain being sent, and notes the=
 GOOD pins. At some point later on, a hostile intermediate attempts to MITM=
 the connection. The UA correctly refuses to connect to the host, because t=
he pins do not match.</div>
<div><br></div><div>The hostile attacker (the government) blocks DNSSEC, wh=
ich now the UA takes as a signal to drop the pin. In doing so, they now con=
nect to the BAD site with the BAD certificates, and note HOSTILE pins.</div=
>
<div><br></div><div>Or consider the operational risks of DNSSEC, which lack=
s formalized key strengths or management lifecycles, and which, as evidence=
 repeatedly shows for DNS, can be transferred through court order. In this =
case, if a DNSSEC TLSA record overrides the pinning, the site is again at t=
he mercy of a single point of failure. Thus we&#39;d need DNSSEC pinning an=
d DNSSEC transparency.</div>
<div><br></div><div>I don&#39;t mean for this to get into a larger debate a=
bout DNSSEC, merely provide context for why it&#39;s not discussed as a mit=
igation in considering hostile pins. I think I can fairly certainly say suc=
h a mitigation wouldn&#39;t get implemented.=C2=A0</div>
</div><br></div></div>

--089e015386486390a605016dcaf9--


From nobody Mon Aug 25 01:24:24 2014
Return-Path: <sleevi@google.com>
X-Original-To: websec@ietfa.amsl.com
Delivered-To: websec@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 98D801A8A63 for <websec@ietfa.amsl.com>; Sun, 24 Aug 2014 23:03:54 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.046
X-Spam-Level: 
X-Spam-Status: No, score=-2.046 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, RP_MATCHES_RCVD=-0.668, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id SzPTVPBxEuvT for <websec@ietfa.amsl.com>; Sun, 24 Aug 2014 23:03:51 -0700 (PDT)
Received: from mail-vc0-x22f.google.com (mail-vc0-x22f.google.com [IPv6:2607:f8b0:400c:c03::22f]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7935B1A6FBA for <websec@ietf.org>; Sun, 24 Aug 2014 23:03:51 -0700 (PDT)
Received: by mail-vc0-f175.google.com with SMTP id ik5so14711163vcb.34 for <websec@ietf.org>; Sun, 24 Aug 2014 23:03:50 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=5T5UJU8svgWvod9x9ioIxTYmpTxDoXd0N9xfC3Ps0NE=; b=Hi1tUIWTNZlQ5gDCTRFuELE1/tx5peSXaa/HxRiBp8ZsoKQYkpLZyoG+k/uveVjD6n Wvb64AsnSQTx1JyJ/u1qfrgolLB0YQs/UVYbBWmmfJckBU7R5ZX0nJ0WxrGoYjgPzzI/ 7q8Cm6CNC5m7WmWalmYOIClm+v+7NQHS4AwuGgpeVUwZeD5q9o+V6RmQdSRvYCsGV/04 kUTix605/7FjCvFHdgusx1WACMBQJjrSXVzxexyXCOzr1JOXnqri3YpHnzzv3UeV3Mbf nOW9bkdxYv8N/qnLxNk+NIruEfmbWMQrw6EHbAjhMdXxJNwWkrWT/eDQgdUfrc1DxIcY iysw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:date :message-id:subject:from:to:cc:content-type; bh=5T5UJU8svgWvod9x9ioIxTYmpTxDoXd0N9xfC3Ps0NE=; b=bKI7ptAjXzIIJQl7tCjhAB11C36QZ6SgWO38ErcdfzeHZ7at3kPcH5X7roaiNmyHGe wTU9nN3NSpp4R4oz00C+MS3sflwxG8OV7X47LY8TEpSgQHp/tGFYOsI+xGpQMgggM/Fk Lb+/XaTD1T6Fp40LfGR9+PqLmKC5INK0+Yzgk4486NC0W2tf7anX1cN3+HgUCkU9cd5I lDciQAtKcIE1gJsKTJktYsnc8+x5bejlXfL0a2AvD9gRZAPliuC55BSsyCT61vteryYo gYQHnsMTflrxitMWVV5D8xBwNnIzO7Izwm7npj/vPI1quNMwfSmRAVqWqEak1PxJ1PjA b0uA==
X-Gm-Message-State: ALoCoQlZxBY/JxljjvEGX2VgSaVIsh3JX5ANbpbg8Z+SY4mSP0874t8Ut94suKYfRDX+ZREY6cf3
MIME-Version: 1.0
X-Received: by 10.53.6.132 with SMTP id cu4mr3233979vdd.62.1408946630647; Sun, 24 Aug 2014 23:03:50 -0700 (PDT)
Received: by 10.52.119.178 with HTTP; Sun, 24 Aug 2014 23:03:50 -0700 (PDT)
In-Reply-To: <BAY169-DS62B5941BF0A9024964BB0AEEE0@phx.gbl>
References: <BAY169-DS62B5941BF0A9024964BB0AEEE0@phx.gbl>
Date: Sun, 24 Aug 2014 23:03:50 -0700
Message-ID: <CACvaWvYHAmpX0f9_m-sckhWz9tcyWA-sxVR4vP-A5UcAQmnYXA@mail.gmail.com>
From: Ryan Sleevi <sleevi@google.com>
To: Eric Lawrence <ericlaw1979@hotmail.com>
Content-Type: multipart/alternative; boundary=001a1134cc686d7cc305016df30f
Archived-At: http://mailarchive.ietf.org/arch/msg/websec/CCfDiV6Jx2XW0qlciinbu7n4EaY
X-Mailman-Approved-At: Mon, 25 Aug 2014 01:24:12 -0700
Cc: draft-ietf-websec-key-pinning@tools.ietf.org, "<websec@ietf.org>" <websec@ietf.org>
Subject: Re: [websec] draft-ietf-websec-key-pinning
X-BeenThere: websec@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/websec>, <mailto:websec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/websec/>
List-Post: <mailto:websec@ietf.org>
List-Help: <mailto:websec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/websec>, <mailto:websec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 25 Aug 2014 06:03:54 -0000

--001a1134cc686d7cc305016df30f
Content-Type: text/plain; charset=UTF-8

On Fri, Aug 8, 2014 at 1:50 PM, Eric Lawrence <ericlaw1979@hotmail.com>
wrote:

>   Comments on http://tools.ietf.org/html/draft-ietf-websec-key-pinning-20
> -------
> In several places, the text seems to suggest that PKP-RO rules are not
> intended to be cached within the UA. Is that the case? If so, this isn't
> explicit; max-age should be forbidden.
>
> In contrast, if PKP-RO rules are allowed to be cached within the UA, then
> the following should be removed:
>
>    Note: There is no purpose to using the PKP-RO header without the
>    report-uri directive.  User Agents MAY discard such headers without
>    interpreting them further.
>
> ... because the site may wish to disable a previously-cached PKP-RO entry.
>

No, PKP-RO is not meant to be cached. In this respect, it behaves similar
to Content-Security-Policy's reporting mechanism.

I'm not sure if you're suggesting forbidden - such as treating the header
as ill-formed, ergo not sending a report - or merely ignored. I feel like
#6 of Section 2.1 already reflects this, but would be happy to add specific
text directly stating that max-age is IGNORED for PKP-RO.


>
> -------
> 2.3.1.
>
> RO header fieled
> -
> typo, fieled->field
>
> -------
> 2.5
>    If the PKP response header field does not meet all three of these
>    criteria, the UA MUST NOT note the host as a Pinned Host.
> -
> If the failing criteria was "cert chain didn't contain at least one of the
> SPKI signatures", should this trigger a report to the report URI to aid
> developers and/or enable some amount of protection for sloppy attacks (or
> captive/corporate MITM interception, etc) against 1st-time visitors?
>

Doesn't
http://tools.ietf.org/html/draft-ietf-websec-key-pinning-20#section-2.1.3
already accomplish this?

   When used in the PKP or PKP-RO headers, the presence of a report-uri
   directive indicates to the UA that in the event of Pin Validation
   failure it SHOULD POST a report to the report-uri.  If the header is
   Public-Key-Pins, the UA should do this in addition to terminating the
   connection (as described in Section 2.6
<http://tools.ietf.org/html/draft-ietf-websec-key-pinning-20#section-2.6>).



>
> -------
> 2.6.  Validating Pinned Connections
>    When a UA connects to a Pinned Host, if the TLS connection has
>    errors"
> -
> This probably should be "connects to a Pinned host using TLS connection"
> since PKP does not require that the user connect via a secure connection.
>

Thanks, yes.


>
> -------
> "If the connection has no errors, then the UA will determine whether
>    to apply a new, additional correctness check: Pin Validation"
> -
> Should this wait until the TLS validation has fully completed, or should
> it happen before the client potentially responds to a
> clientCertificateRequest from the server?
>

The implementations are already consistently-inconsistent in this respect.
That is, both Chrome and Firefox do this during certificate validation, but
for timing reasons, certificate validation occurs at different times.

Both are currently allowed.


>
> -------
> For example, a UA may disable
>    Pin Validation for Pinned Hosts whose validated certificate chain
>    terminates at a user-defined trust anchor, rather than a trust anchor
>    built-in to the UA.
> -
> Might it be useful to explain the motivation here, however briefly? I'm
> super-happy to see this here (Fiddler!), but most UAs don't have trust
> anchors built-in, they rely on the operating system to provide them.
>
>

Well, this was merely meant as one representative example, not necessarily
a normative recommendation. That is, one could equally add "For example, a
UA without built-in trust anchors may also decide to ..." and still be
consistent with the normative SHOULD - that is, the examples are
non-exhaustive.

Still, happy to expand this text further, as I suspect this is just an
unintentional use of restrictive terminology (i.e. a UA can do this even
when it defers to the OS trust store)


> -------
> The UA MUST ignore superfluous certificates in the chain that do not form
> part of the validating chain.
> -
> As far as I understand things, there can be multiple valid chains to
> multiple roots. Should the validation procedure be required to check each
> possible candidate chain?
>

Neither RFC 5280 nor RFC 5246 require UAs to evaluate all candidate chains.
Indeed, there's enough controversy from parties in TLS that I suspect there
is not clean resolution in either event.

In the UA sphere, not all UAs consider candidate chains. Mozilla Firefox,
before version 31 (implementing mozilla::pkix) did not consider all
candidate chains. 31+, it does, and it does the pinning check during the
evaluation of potentially valid candidate chains.

Google Chrome defers to the OS for the chain building, which OS X does not
consider candidate chains, but Windows does. However, Windows lacks a
suitable means for calling back on evaluating candidate chains. As a
result, Chrome performs validation after the candidate chain has been
declared "successful".

So the answer is "No, it should be required"


>
> -------
> locally-installed anchor
> -
> This should probably be "user-defined trust anchor" to match the earlier
> prose.
>
> -------
> "served-certificate-chain": [
>        pem1, ... pemN
>      ],
> -
> Privacy: This could leak organizationally-private information; say the
> user's company is using BlueCoat or another intercepting proxy with
> interception certificates that contain data that should not leave the
> organization.
>

Funny that this spec would consider the privacy of the attacker (as such
situations are indistinguishable from an attack on the pins).

Still, happy to call it out specifically.


>
> -------
> "include-subdomains": include-subdomains,
> -
> This field could be misleading, as the JSON report contains the hostname
> that the user visited, which may differ than the host that originally set
> the rule if include-Subdomains was set on that rule.
>

Good point. This suggests that the JSON may need to indicate both the
target hostname and the source (of the PKP data) hostname.


>
> -------
> indeed could pin to issuers not in the chain
> -
> Per the spec, they indeed MUST include a pin to an issuer not in the chain
>
> -------
> 4.4.  Interactions With Cookie Scoping
> -
> I'll mention that IE sends cookies to subdomains even when a domain
> attribute isn't present. Q3:
> http://blogs.msdn.com/b/ieinternals/archive/2009/08/20/wininet-ie-cookie-internals-faq.aspx
>
> This section suffers from the same incompleteness that Section 14 of the
> HSTS spec suffers: Because a rule specified on a subdomain
> (effective-third-level-domain) does not apply to the
> effective-second-level-domain, if a user visits the 3rd-level domain first
> or exclusively, a MITM attacker can perform a cookie-injection by
> generating a phony insecure request to the effective-second-level-domain
> and returning a Set-Cookie header in his poisoned response.
>

I'm not sure I understand your remark with respect to "incompleteness".
This is more of an operational guidance for server operators, correct?


>
> -------
> 5.  Privacy Considerations
> "UAs MAY, therefore, refuse to send reports outside of the origin that set
> the PKP or PKP-RO header."
> -
> 1. It seems odd to put a mitigation inside a description of the attack.
>

Per Stephen's DISCUSS, I think we'll be bringing this mitigation 'out' a
level in the spec.


> 2. Doesn't the proposed mitigation inherently failure-prone, since the
> report would inevitably fail, because the origin's PKP rule would block the
> report?
>

It prevents the collusion, so that seems to effectively mitigate that
particular attack, does it not?


>
> -------
> 5.  Privacy Considerations
> "Conforming implementations..."
> -
> 1. This 3rd privacy attack should be bulleted as a separate point.
>

Agreed


> 2. Earlier, it's stated that PKPs should be stored in "non-volatile
> storage". In practice, I would expect UAs would ignore attempts to update
> PKP/PKP-RO rules while in their respective "Private Mode"s. Is that the
> expectation of the authors?
>

Update the non-volatile storage? Yes, that's what a UA would likely do.
Prevent updates to volatile storage? No, just as UAs in such modes
traditionally allow a degree of volatile storage (since the modes are
primarily meant to prevent disk persistence, rather than tracking). This
allows, for example, session cookies to work.


>
> Thanks!
>
> -Eric Lawrence
>

--001a1134cc686d7cc305016df30f
Content-Type: text/html; charset=UTF-8
Content-Transfer-Encoding: quoted-printable

<div dir=3D"ltr"><br><div class=3D"gmail_extra"><br><br><div class=3D"gmail=
_quote">On Fri, Aug 8, 2014 at 1:50 PM, Eric Lawrence <span dir=3D"ltr">&lt=
;<a href=3D"mailto:ericlaw1979@hotmail.com" target=3D"_blank">ericlaw1979@h=
otmail.com</a>&gt;</span> wrote:<br>
<blockquote class=3D"gmail_quote" style=3D"margin:0px 0px 0px 0.8ex;border-=
left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;p=
adding-left:1ex">
<div dir=3D"ltr">
<div dir=3D"ltr">
<div style=3D"font-size:12pt;font-family:Calibri;color:rgb(0,0,0)">
<div>Comments on <a title=3D"http://tools.ietf.org/html/draft-ietf-websec-k=
ey-pinning-20" href=3D"http://tools.ietf.org/html/draft-ietf-websec-key-pin=
ning-20" target=3D"_blank">http://tools.ietf.org/html/draft-ietf-websec-key=
-pinning-20</a></div>

<div>-------</div>
<div>In several places, the text seems to suggest that PKP-RO rules are not=
=20
intended to be cached within the UA. Is that the case? If so, this isn&#39;=
t=20
explicit; max-age should be forbidden. </div>
<div>=C2=A0</div>
<div>In contrast, if PKP-RO rules are allowed to be cached within the UA, t=
hen=20
the following should be removed:</div>
<div>=C2=A0</div>
<div>=C2=A0=C2=A0 Note: There is no purpose to using the PKP-RO header with=
out=20
the</div>
<div>=C2=A0=C2=A0 report-uri directive.=C2=A0 User Agents MAY discard such=
=20
headers without</div>
<div>=C2=A0=C2=A0 interpreting them further.</div>
<div>=C2=A0</div>
<div>... because the site may wish to disable a previously-cached PKP-RO=20
entry.</div></div></div></div></blockquote><div><br></div><div><div>No, PKP=
-RO is not meant to be cached. In this respect, it behaves similar to Conte=
nt-Security-Policy&#39;s reporting mechanism.</div><div><br></div><div>
I&#39;m not sure if you&#39;re suggesting forbidden - such as treating the =
header as ill-formed, ergo not sending a report - or merely ignored. I feel=
 like #6 of Section 2.1 already reflects this, but would be happy to add sp=
ecific text directly stating that max-age is IGNORED for PKP-RO.</div>
</div><div>=C2=A0</div><blockquote class=3D"gmail_quote" style=3D"margin:0p=
x 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);bo=
rder-left-style:solid;padding-left:1ex"><div dir=3D"ltr"><div dir=3D"ltr"><=
div style=3D"font-size:12pt;font-family:Calibri;color:rgb(0,0,0)">

<div>=C2=A0</div>
<div>-------</div>
<div>2.3.1.=C2=A0 </div>
<div>=C2=A0</div>
<div>RO header fieled </div>
<div>-</div>
<div>typo, fieled-&gt;field</div>
<div>=C2=A0</div>
<div>-------</div>
<div>2.5</div>
<div>=C2=A0=C2=A0 If the PKP response header field does not meet all three =
of=20
these</div>
<div>=C2=A0=C2=A0 criteria, the UA MUST NOT note the host as a Pinned Host.=
=20
</div>
<div>-</div>
<div>If the failing criteria was &quot;cert chain didn&#39;t contain at lea=
st one of the=20
SPKI signatures&quot;, should this trigger a report to the report URI to ai=
d=20
developers and/or enable some amount of protection for sloppy attacks (or=
=20
captive/corporate MITM interception, etc) against 1st-time visitors?</div><=
/div></div></div></blockquote><div><br></div><div>Doesn&#39;t=C2=A0<a href=
=3D"http://tools.ietf.org/html/draft-ietf-websec-key-pinning-20#section-2.1=
.3">http://tools.ietf.org/html/draft-ietf-websec-key-pinning-20#section-2.1=
.3</a> already accomplish this?</div>
<div><br></div><div><pre class=3D"" style=3D"font-size:1em;margin-top:0px;m=
argin-bottom:0px;color:rgb(0,0,0)">   When used in the PKP or PKP-RO header=
s, the presence of a report-uri
   directive indicates to the UA that in the event of Pin Validation
   failure it SHOULD POST a report to the report-uri.  If the header is
   Public-Key-Pins, the UA should do this in addition to terminating the
   connection (as described in <a href=3D"http://tools.ietf.org/html/draft-=
ietf-websec-key-pinning-20#section-2.6">Section 2.6</a>).</pre></div><div>=
=C2=A0</div><blockquote class=3D"gmail_quote" style=3D"margin:0px 0px 0px 0=
.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-s=
tyle:solid;padding-left:1ex">
<div dir=3D"ltr"><div dir=3D"ltr"><div style=3D"font-size:12pt;font-family:=
Calibri;color:rgb(0,0,0)">
<div>=C2=A0</div>
<div>-------</div>
<div>2.6.=C2=A0 Validating Pinned Connections</div>
<div>=C2=A0=C2=A0 When a UA connects to a Pinned Host, if the TLS connectio=
n=20
has</div>
<div>=C2=A0=C2=A0 errors&quot;</div>
<div>-</div>
<div>This probably should be &quot;connects to a Pinned host using TLS conn=
ection&quot;=20
since PKP does not require that the user connect via a secure connection.</=
div></div></div></div></blockquote><div><br></div><div>Thanks, yes.</div><d=
iv>=C2=A0</div><blockquote class=3D"gmail_quote" style=3D"margin:0px 0px 0p=
x 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-lef=
t-style:solid;padding-left:1ex">
<div dir=3D"ltr"><div dir=3D"ltr"><div style=3D"font-size:12pt;font-family:=
Calibri;color:rgb(0,0,0)">
<div>=C2=A0</div>
<div>-------</div>
<div>&quot;If the connection has no errors, then the UA will determine whet=
her</div>
<div>=C2=A0=C2=A0 to apply a new, additional correctness check: Pin=20
Validation&quot;</div>
<div>-</div>
<div>Should this wait until the TLS validation has fully completed, or shou=
ld it=20
happen before the client potentially responds to a clientCertificateRequest=
 from=20
the server?</div></div></div></div></blockquote><div><br></div><div>The imp=
lementations are already consistently-inconsistent in this respect. That is=
, both Chrome and Firefox do this during certificate validation, but for ti=
ming reasons, certificate validation occurs at different times.<br>
</div><div><br></div><div>Both are currently allowed.</div><div>=C2=A0</div=
><blockquote class=3D"gmail_quote" style=3D"margin:0px 0px 0px 0.8ex;border=
-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;=
padding-left:1ex">
<div dir=3D"ltr"><div dir=3D"ltr"><div style=3D"font-size:12pt;font-family:=
Calibri;color:rgb(0,0,0)">
<div>=C2=A0</div>
<div>-------</div>
<div>For example, a UA may disable</div>
<div>=C2=A0=C2=A0 Pin Validation for Pinned Hosts whose validated certifica=
te=20
chain</div>
<div>=C2=A0=C2=A0 terminates at a user-defined trust anchor, rather than a =
trust=20
anchor</div>
<div>=C2=A0=C2=A0 built-in to the UA.</div>
<div>-</div>
<div>Might it be useful to explain the motivation here, however briefly? I&=
#39;m=20
super-happy to see this here (Fiddler!), but most UAs don&#39;t have trust =
anchors=20
built-in, they rely on the operating system to provide them.</div>
<div>=C2=A0</div></div></div></div></blockquote><div><br></div><div>Well, t=
his was merely meant as one representative example, not necessarily a norma=
tive recommendation. That is, one could equally add &quot;For example, a UA=
 without built-in trust anchors may also decide to ...&quot; and still be c=
onsistent with the normative SHOULD - that is, the examples are non-exhaust=
ive.<br>
</div><div><br class=3D"">Still, happy to expand this text further, as I su=
spect this is just an unintentional use of restrictive terminology (i.e. a =
UA can do this even when it defers to the OS trust store)<br></div><div>=C2=
=A0</div>
<blockquote class=3D"gmail_quote" style=3D"margin:0px 0px 0px 0.8ex;border-=
left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;p=
adding-left:1ex"><div dir=3D"ltr"><div dir=3D"ltr"><div style=3D"font-size:=
12pt;font-family:Calibri;color:rgb(0,0,0)">

<div>-------</div>
<div>The UA MUST ignore superfluous certificates in the chain that do not f=
orm=20
part of the validating chain. </div>
<div>-</div>
<div>As far as I understand things, there can be multiple valid chains to=
=20
multiple roots. Should the validation procedure be required to check each=
=20
possible candidate chain?</div></div></div></div></blockquote><div><br></di=
v><div>Neither RFC 5280 nor RFC 5246 require UAs to evaluate all candidate =
chains. Indeed, there&#39;s enough controversy from parties in TLS that I s=
uspect there is not clean resolution in either event.</div>
<div><br></div><div>In the UA sphere, not all UAs consider candidate chains=
. Mozilla Firefox, before version 31 (implementing mozilla::pkix) did not c=
onsider all candidate chains. 31+, it does, and it does the pinning check d=
uring the evaluation of potentially valid candidate chains.</div>
<div><br></div><div>Google Chrome defers to the OS for the chain building, =
which OS X does not consider candidate chains, but Windows does. However, W=
indows lacks a suitable means for calling back on evaluating candidate chai=
ns. As a result, Chrome performs validation after the candidate chain has b=
een declared &quot;successful&quot;.</div>
<div><br></div><div>So the answer is &quot;No, it should be required&quot;<=
/div><div>=C2=A0</div><blockquote class=3D"gmail_quote" style=3D"margin:0px=
 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);bor=
der-left-style:solid;padding-left:1ex">
<div dir=3D"ltr"><div dir=3D"ltr"><div style=3D"font-size:12pt;font-family:=
Calibri;color:rgb(0,0,0)">
<div>=C2=A0</div>
<div>-------</div>
<div>locally-installed anchor</div>
<div>-</div>
<div>This should probably be &quot;user-defined trust anchor&quot; to match=
 the earlier=20
prose.</div>
<div>=C2=A0</div>
<div>-------</div>
<div>&quot;served-certificate-chain&quot;: [</div>
<div>=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 pem1, ... pemN</div>
<div>=C2=A0=C2=A0=C2=A0=C2=A0 ],</div>
<div>-</div>
<div>Privacy: This could leak organizationally-private information; say the=
=20
user&#39;s company is using BlueCoat or another intercepting proxy with int=
erception=20
certificates that contain data that should not leave the organization.</div=
></div></div></div></blockquote><div><br></div><div><div>Funny that this sp=
ec would consider the privacy of the attacker (as such situations are indis=
tinguishable from an attack on the pins).</div>
<div><br></div><div>Still, happy to call it out specifically.</div></div><d=
iv>=C2=A0</div><blockquote class=3D"gmail_quote" style=3D"margin:0px 0px 0p=
x 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-lef=
t-style:solid;padding-left:1ex">
<div dir=3D"ltr"><div dir=3D"ltr"><div style=3D"font-size:12pt;font-family:=
Calibri;color:rgb(0,0,0)">
<div>=C2=A0</div>
<div>-------</div>
<div>&quot;include-subdomains&quot;: include-subdomains,</div>
<div>- </div>
<div>This field could be misleading, as the JSON report contains the hostna=
me=20
that the user visited, which may differ than the host that originally set t=
he=20
rule if include-Subdomains was set on that rule.</div></div></div></div></b=
lockquote><div><br></div><div>Good point. This suggests that the JSON may n=
eed to indicate both the target hostname and the source (of the PKP data) h=
ostname.</div>
<div>=C2=A0</div><blockquote class=3D"gmail_quote" style=3D"margin:0px 0px =
0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-l=
eft-style:solid;padding-left:1ex"><div dir=3D"ltr"><div dir=3D"ltr"><div st=
yle=3D"font-size:12pt;font-family:Calibri;color:rgb(0,0,0)">

<div>=C2=A0</div>
<div>-------</div>
<div>indeed could pin to issuers not in the chain</div>
<div>-</div>
<div>Per the spec, they indeed MUST include a pin to an issuer not in the=
=20
chain</div>
<div>=C2=A0</div>
<div>-------</div>
<div>4.4.=C2=A0 Interactions With Cookie Scoping</div>
<div>-</div>
<div>I&#39;ll mention that IE sends cookies to subdomains even when a domai=
n=20
attribute isn&#39;t present. Q3: <a href=3D"http://blogs.msdn.com/b/ieinter=
nals/archive/2009/08/20/wininet-ie-cookie-internals-faq.aspx" target=3D"_bl=
ank">http://blogs.msdn.com/b/ieinternals/archive/2009/08/20/wininet-ie-cook=
ie-internals-faq.aspx</a></div>

<div>=C2=A0</div>
<div>This section suffers from the same incompleteness that Section 14 of t=
he=20
HSTS spec suffers: Because a rule specified on a subdomain=20
(effective-third-level-domain) does not apply to the=20
effective-second-level-domain, if a user visits the 3rd-level domain first =
or=20
exclusively, a MITM attacker can perform a cookie-injection by generating a=
=20
phony insecure request to the effective-second-level-domain and returning a=
=20
Set-Cookie header in his poisoned response.</div></div></div></div></blockq=
uote><div><br></div><div>I&#39;m not sure I understand your remark with res=
pect to &quot;incompleteness&quot;. This is more of an operational guidance=
 for server operators, correct?</div>
<div>=C2=A0</div><blockquote class=3D"gmail_quote" style=3D"margin:0px 0px =
0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-l=
eft-style:solid;padding-left:1ex"><div dir=3D"ltr"><div dir=3D"ltr"><div st=
yle=3D"font-size:12pt;font-family:Calibri;color:rgb(0,0,0)">

<div>=C2=A0</div>
<div>-------</div>
<div>5.=C2=A0 Privacy Considerations</div>
<div>&quot;UAs MAY, therefore, refuse to send reports outside of the origin=
 that set=20
the PKP or PKP-RO header.&quot;</div>
<div>-</div>
<div>1. It seems odd to put a mitigation inside a description of the=20
attack.</div></div></div></div></blockquote><div><br></div><div>Per Stephen=
&#39;s DISCUSS, I think we&#39;ll be bringing this mitigation &#39;out&#39;=
 a level in the spec.</div><div>=C2=A0</div><blockquote class=3D"gmail_quot=
e" style=3D"margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-colo=
r:rgb(204,204,204);border-left-style:solid;padding-left:1ex">
<div dir=3D"ltr"><div dir=3D"ltr"><div style=3D"font-size:12pt;font-family:=
Calibri;color:rgb(0,0,0)">
<div>2. Doesn&#39;t the proposed mitigation inherently failure-prone, since=
 the=20
report would inevitably fail, because the origin&#39;s PKP rule would block=
 the=20
report?</div></div></div></div></blockquote><div><br></div><div>It prevents=
 the collusion, so that seems to effectively mitigate that particular attac=
k, does it not?</div><div>=C2=A0</div><blockquote class=3D"gmail_quote" sty=
le=3D"margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(=
204,204,204);border-left-style:solid;padding-left:1ex">
<div dir=3D"ltr"><div dir=3D"ltr"><div style=3D"font-size:12pt;font-family:=
Calibri;color:rgb(0,0,0)">
<div>=C2=A0</div>
<div>-------</div>
<div>5.=C2=A0 Privacy Considerations</div>
<div>&quot;Conforming implementations...&quot;</div>
<div>-</div>
<div>1. This 3rd privacy attack should be bulleted as a separate point.</di=
v></div></div></div></blockquote><div><br></div><div>Agreed</div><div>=C2=
=A0</div><blockquote class=3D"gmail_quote" style=3D"margin:0px 0px 0px 0.8e=
x;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-styl=
e:solid;padding-left:1ex">
<div dir=3D"ltr"><div dir=3D"ltr"><div style=3D"font-size:12pt;font-family:=
Calibri;color:rgb(0,0,0)">
<div>2. Earlier, it&#39;s stated that PKPs should be stored in &quot;non-vo=
latile=20
storage&quot;. In practice, I would expect UAs would ignore attempts to upd=
ate=20
PKP/PKP-RO rules while in their respective &quot;Private Mode&quot;s. Is th=
at the=20
expectation of the authors?</div></div></div></div></blockquote><div><br></=
div><div>Update the non-volatile storage? Yes, that&#39;s what a UA would l=
ikely do.</div><div>Prevent updates to volatile storage? No, just as UAs in=
 such modes traditionally allow a degree of volatile storage (since the mod=
es are primarily meant to prevent disk persistence, rather than tracking). =
This allows, for example, session cookies to work.</div>
<div>=C2=A0</div><blockquote class=3D"gmail_quote" style=3D"margin:0px 0px =
0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-l=
eft-style:solid;padding-left:1ex"><div dir=3D"ltr"><div dir=3D"ltr"><div st=
yle=3D"font-size:12pt;font-family:Calibri;color:rgb(0,0,0)">

<div>=C2=A0</div>
<div>Thanks!</div><span class=3D""><font color=3D"#888888">
<div>=C2=A0</div>
<div>-Eric Lawrence</div></font></span></div></div></div>
</blockquote></div><br></div></div>

--001a1134cc686d7cc305016df30f--


From nobody Mon Aug 25 01:24:26 2014
Return-Path: <sleevi@google.com>
X-Original-To: websec@ietfa.amsl.com
Delivered-To: websec@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2E4B01A6FC0 for <websec@ietfa.amsl.com>; Sun, 24 Aug 2014 23:09:38 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.046
X-Spam-Level: 
X-Spam-Status: No, score=-2.046 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, RP_MATCHES_RCVD=-0.668, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id xP3dq8mWe7U8 for <websec@ietfa.amsl.com>; Sun, 24 Aug 2014 23:09:36 -0700 (PDT)
Received: from mail-vc0-x231.google.com (mail-vc0-x231.google.com [IPv6:2607:f8b0:400c:c03::231]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3D7BB1A8A69 for <websec@ietf.org>; Sun, 24 Aug 2014 23:09:36 -0700 (PDT)
Received: by mail-vc0-f177.google.com with SMTP id hy4so14613269vcb.36 for <websec@ietf.org>; Sun, 24 Aug 2014 23:09:35 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=mime-version:date:message-id:subject:from:to:content-type; bh=SNm6zii+diEpimmNzAJB5KR4n6O/IdAkjDmxpBxmMi0=; b=In8ryNhIOIPHgQzeHC0sv+Ki75Sr4EJTauyRlpSHA35j7pSKk5uCxnFIVnP3uDiN8L U8/80BtZsq7E4cP7RwxNe9w1N5QK7jeNZfKruBj/XUeg5+NbWKVaPaw0PBtH90oFtf5j EFkLPHa/XR+FgVjoZ4hsLMgh5pwc5hWIKEs0WdoNZLZnXmvdd9e/k0jvJ4KroFkUdXHS 6Jztn9R9uNss9buabfaIxByYWoNCSg+SDqSzHlEKJ99stAbK/E5drcOpMmzo3UL6OJ/5 tuF8V3jngq7cJSO4h8cvzX6+psLuENBjDH744ma3mDxltatyZfMqKN3nQtLSfNvpFwSZ HlQA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:date:message-id:subject:from:to :content-type; bh=SNm6zii+diEpimmNzAJB5KR4n6O/IdAkjDmxpBxmMi0=; b=lyYPzjNnFRJOaCsEbEM86Ri5VNtG1PxdJaKuHxmFSr99agnEhWTDX/Yl1R1PtuGdjM OKT886G/SAuGCrwELbnR4zgfI0SN13H2U3eAt8WZCJzUicfSLJuMORzN3KuufVxaB+zB FhSWRtOXmtQYf5yWm15lCNfWGuzeHfmbJkq16kHxPMd8ZZ9fP5LgOPY8pcHtT6jXTkma 0b/+oq5bvQFxVMRBbY3pqlwiJFqaC37MHBq8Qh6wXjosjoyL7n8Ijl67b8DwnmBx+dLH HiW00swkTNizNC6sIqe092r1Z38EYB74x3M/zBZA39W1IimRtR/qZlfJv3K8HKj1J5Sm jv3g==
X-Gm-Message-State: ALoCoQkSTJGqjfbdOHGTXY5ogNngOh2+tzIBuM6fkXbyehMuaa9FhVW652QGWT4RiUhDxIiIUPCo
MIME-Version: 1.0
X-Received: by 10.52.36.80 with SMTP id o16mr3278555vdj.58.1408946975415; Sun, 24 Aug 2014 23:09:35 -0700 (PDT)
Received: by 10.52.119.178 with HTTP; Sun, 24 Aug 2014 23:09:35 -0700 (PDT)
Date: Sun, 24 Aug 2014 23:09:35 -0700
Message-ID: <CACvaWvawc2YTi0RxEr7POdx2r8WQgwBG5b4h-N8Xd6pcd9EMdA@mail.gmail.com>
From: Ryan Sleevi <sleevi@google.com>
To: "<websec@ietf.org>" <websec@ietf.org>
Content-Type: multipart/alternative; boundary=20cf307c9f10fa3fde05016e0712
Archived-At: http://mailarchive.ietf.org/arch/msg/websec/27dwUQJk_SrQ1E4ZonEfCjwwLWo
X-Mailman-Approved-At: Mon, 25 Aug 2014 01:24:12 -0700
Subject: [websec] User interactivity requirements
X-BeenThere: websec@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/websec>, <mailto:websec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/websec/>
List-Post: <mailto:websec@ietf.org>
List-Help: <mailto:websec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/websec>, <mailto:websec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 25 Aug 2014 06:09:38 -0000

--20cf307c9f10fa3fde05016e0712
Content-Type: text/plain; charset=UTF-8

>From someone who sent directly to the editors, and thus I've omitted their
address/name on the assumption of privacy.

In section "2.6. Validating Pinned Connections" there is written:
>    When a UA connects to a Pinned Host, if the TLS connection has
>    errors, the UA MUST terminate the connection without allowing the
>    user to proceed anyway.  (This behavior is the same as that required
>    by [RFC6797].)
> I think that "(This behavior is the same as that required by [RFC6797].)"
> is misleading, because RFC6797 states that its section 12 (which contains
> "12.1. No User Recourse") is non-normative.
> http://tools.ietf.org/html/rfc6797#section-12


Indeed, this is an oversight, and one that's arguably in conceptual
conflict with the paragraph that follows, which describes Pin Validation as
a SHOULD.

That is, one can imagine that a TLS connection that is being actively
MITM'd by a locally-installed trust anchor MAY induce other TLS errors. As
the UA will not be performing pin validation, it's not clear that the UA
should also be inheriting the requirement for non-procession.

That is, HSTS DOES have a normative requirement on termination (see
http://tools.ietf.org/html/rfc6797#section-8.4 ), which HPKP should also
have, but whether or not a user can proceed is non-normative and up to
implementations (with a general recommendation that the user should not be
permitted to proceed)

--20cf307c9f10fa3fde05016e0712
Content-Type: text/html; charset=UTF-8
Content-Transfer-Encoding: quoted-printable

<div dir=3D"ltr"><div style=3D"font-family:arial,sans-serif;font-size:13px"=
><div>From someone who sent directly to the editors, and thus I&#39;ve omit=
ted their address/name on the assumption of privacy.</div><div><br></div><b=
lockquote class=3D"gmail_quote" style=3D"margin:0px 0px 0px 0.8ex;border-le=
ft-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;pad=
ding-left:1ex">
In section &quot;2.6. Validating Pinned Connections&quot; there is written:=
<br>=C2=A0=C2=A0 When a UA connects to a Pinned Host, if the TLS connection=
 has<br>=C2=A0=C2=A0 errors, the UA MUST terminate the connection without a=
llowing the<br>=C2=A0=C2=A0 user to proceed anyway.=C2=A0 (This behavior is=
 the same as that required<br>
=C2=A0=C2=A0 by [RFC6797].)<br>I think that &quot;(This behavior is the sam=
e as that required by [RFC6797].)&quot; is misleading, because RFC6797 stat=
es that its section 12 (which contains &quot;12.1. No User Recourse&quot;) =
is non-normative.<br>
<a href=3D"http://tools.ietf.org/html/rfc6797#section-12" target=3D"_blank"=
>http://tools.ietf.org/html/rfc6797#section-12</a></blockquote><div><br></d=
iv>Indeed, this is an oversight, and one that&#39;s arguably in conceptual =
conflict with the paragraph that follows, which describes Pin Validation as=
 a SHOULD.</div>
<div style=3D"font-family:arial,sans-serif;font-size:13px"><br></div><div s=
tyle=3D"font-family:arial,sans-serif;font-size:13px">That is, one can imagi=
ne that a TLS connection that is being actively MITM&#39;d by a locally-ins=
talled trust anchor MAY induce other TLS errors. As the UA will not be perf=
orming pin validation, it&#39;s not clear that the UA should also be inheri=
ting the requirement for non-procession.</div>
<div style=3D"font-family:arial,sans-serif;font-size:13px"><br></div><div s=
tyle=3D"font-family:arial,sans-serif;font-size:13px">That is, HSTS DOES hav=
e a normative requirement on termination (see=C2=A0<a href=3D"http://tools.=
ietf.org/html/rfc6797#section-8.4">http://tools.ietf.org/html/rfc6797#secti=
on-8.4</a> ), which HPKP should also have, but whether or not a user can pr=
oceed is non-normative and up to implementations (with a general recommenda=
tion that the user should not be permitted to proceed)</div>
</div>

--20cf307c9f10fa3fde05016e0712--


From nobody Mon Aug 25 01:44:18 2014
Return-Path: <ynir.ietf@gmail.com>
X-Original-To: websec@ietfa.amsl.com
Delivered-To: websec@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 911641A86F0; Mon, 25 Aug 2014 01:44:17 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level: 
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id qm2ryj7WwuZe; Mon, 25 Aug 2014 01:44:15 -0700 (PDT)
Received: from mail-wi0-x232.google.com (mail-wi0-x232.google.com [IPv6:2a00:1450:400c:c05::232]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 17B491A702D; Mon, 25 Aug 2014 01:44:14 -0700 (PDT)
Received: by mail-wi0-f178.google.com with SMTP id hi2so2169639wib.5 for <multiple recipients>; Mon, 25 Aug 2014 01:44:13 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113;  h=content-type:mime-version:subject:from:in-reply-to:date:cc :message-id:references:to; bh=IgBEI6JXMMQJ9ap41ilJRIoCtQPRlpPq1rP2HLIQpLg=; b=mwU0msVattpnBdLxqYo8w5d/hh6fmLJjftTKzUOlbPY5+xRwXLAasShLokpx6rT1ui bTUcpA8A28Hu4GSIVvV2uUSgp0aa/TJVPU0KR9Lz2t2N45rcy3K0PgdSVxflj7UFYSMn X9Sj4GMMbLV5CjO2vB4sNpdyJ7tlRGPBBKTcbEwlZs5O0Yj2G0iNFXkorINzhyKhE0pq 44ZRWzxljHBKIkIvmQzyNN+ZroZCpgk/3JACl/A0hWRbMwNu5CJhafF8HKvp5/O8UXYa Mi0c+syFAnRPQr4b6anuLqC+e30MZNALfKyf4m5gA/yxZVTBSfaX4gDUA7wFEXgRqRAL sNVA==
X-Received: by 10.194.186.178 with SMTP id fl18mr21358390wjc.8.1408956253754;  Mon, 25 Aug 2014 01:44:13 -0700 (PDT)
Received: from [172.24.248.61] (dyn32-131.checkpoint.com. [194.29.32.131]) by mx.google.com with ESMTPSA id dc9sm29492794wib.5.2014.08.25.01.44.12 for <multiple recipients> (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Mon, 25 Aug 2014 01:44:13 -0700 (PDT)
Content-Type: multipart/alternative; boundary="Apple-Mail=_6065A492-04F5-4AD2-BDD4-55C454C9FBFF"
Mime-Version: 1.0 (Mac OS X Mail 7.3 \(1878.6\))
From: Yoav Nir <ynir.ietf@gmail.com>
In-Reply-To: <CACvaWvYTuutQGgkcZN3RraY9+UuRJ5WzBveci5oxrg=q96CdCw@mail.gmail.com>
Date: Mon, 25 Aug 2014 11:44:09 +0300
Message-Id: <F61F6156-2B24-4076-95D8-9811CBBDA9CD@gmail.com>
References: <20140807135751.6422.30957.idtracker@ietfa.amsl.com> <CACvaWvYTuutQGgkcZN3RraY9+UuRJ5WzBveci5oxrg=q96CdCw@mail.gmail.com>
To: Ryan Sleevi <sleevi@google.com>
X-Mailer: Apple Mail (2.1878.6)
Archived-At: http://mailarchive.ietf.org/arch/msg/websec/q5_GlzLBxty_oOw4cW33Yhxtkjs
Cc: websec-chairs@tools.ietf.org, "<websec@ietf.org>" <websec@ietf.org>, Ted Lemon <ted.lemon@nominum.com>, draft-ietf-websec-key-pinning@tools.ietf.org, The IESG <iesg@ietf.org>
Subject: Re: [websec] Ted Lemon's Discuss on draft-ietf-websec-key-pinning-19: (with DISCUSS)
X-BeenThere: websec@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/websec>, <mailto:websec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/websec/>
List-Post: <mailto:websec@ietf.org>
List-Help: <mailto:websec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/websec>, <mailto:websec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 25 Aug 2014 08:44:17 -0000

--Apple-Mail=_6065A492-04F5-4AD2-BDD4-55C454C9FBFF
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain;
	charset=windows-1252


On Aug 25, 2014, at 8:52 AM, Ryan Sleevi <sleevi@google.com> wrote:

>=20
>=20
>=20
> On Thu, Aug 7, 2014 at 6:57 AM, Ted Lemon <ted.lemon@nominum.com> =
wrote:
> Ted Lemon has entered the following ballot position for
> draft-ietf-websec-key-pinning-19: Discuss
>=20
> When responding, please keep the subject line intact and reply to all
> email addresses included in the To and CC lines. (Feel free to cut =
this
> introductory paragraph, however.)
>=20
>=20
> Please refer to =
http://www.ietf.org/iesg/statement/discuss-criteria.html
> for more information about IESG DISCUSS and COMMENT positions.
>=20
>=20
> The document, along with other ballot positions, can be found here:
> http://datatracker.ietf.org/doc/draft-ietf-websec-key-pinning/
>=20
>=20
>=20
> ----------------------------------------------------------------------
> DISCUSS:
> ----------------------------------------------------------------------
>=20
> This mechanism relies on there being no MiTM attack from a compromised
> signing key either prior to a legitimate pinning, or in a situation =
where
> the host being "protected" doesn't actually do pinning.   I think this
> should be mentioned in the security considerations section.   I raise
> this to the level of DISCUSS because I think this actually creates a =
new
> attack surface for government censorship: you MiTM the host you're
> attacking, pin it to a cert signed using a compromised CA, and then =
that
> UA can't communicate with the host again for the duration of the pin.
>=20
> The scenario would be that the government has a transparent web cache =
in
> the path between the host and the UA, and the web cache pins false =
cert
> for hosts that are being censored.   Now even if the user sets up a
> tunnel to bypass the transparent cache, they can't access the censored
> site, so they conclude that the site is down and abandon the tunnel.   =
I
> could easily see this being used in a scenario like the recent DNS
> censorship in Turkey.
>=20
> Setting a lower maximum pin age mitigates the damage of such attacks =
if
> the user keeps the tunnel up for the duration of the pin, but I don't
> think it's realistic to assume that they will.   I think that the only
> way to mitigate this attack is to have a mechanism whereby conflicting
> DANE TLSA information overrides the pin.   This would allow a site =
being
> attacked in this way to securely inform the UA that the pin was =
invalid.
>  The government could of course prevent DNSSEC validation, but the UA
> could take this as another signal to drop the pin: if the zone where =
the
> TLSA record should be fails to validate (as opposed to isn't signed,
> which wouldn't signify anything), the pin is likely a censorship =
attempt.
>=20
>=20
>=20
> Happy to note "Hostile Pins" as an attack scenario, as it's one we've =
discussed at length, however, I find the scenario a bit convoluted, and =
worse, the proposed solution (DNSSEC) being worse than the problem that =
it's solving.

+1 but for a slightly different reason.

If you have a functioning DNSSEC, you don=92t need HPKP. Just use DANE.=20=


HPKP is the TOFU stop-gap measure for an Internet that does not have =
DNSSEC everywhere.

Yoav


--Apple-Mail=_6065A492-04F5-4AD2-BDD4-55C454C9FBFF
Content-Transfer-Encoding: quoted-printable
Content-Type: text/html;
	charset=windows-1252

<html><head><meta http-equiv=3D"Content-Type" content=3D"text/html =
charset=3Dwindows-1252"></head><body style=3D"word-wrap: break-word; =
-webkit-nbsp-mode: space; -webkit-line-break: =
after-white-space;"><br><div><div>On Aug 25, 2014, at 8:52 AM, Ryan =
Sleevi &lt;<a href=3D"mailto:sleevi@google.com">sleevi@google.com</a>&gt; =
wrote:</div><br class=3D"Apple-interchange-newline"><blockquote =
type=3D"cite"><div dir=3D"ltr"><br><div class=3D"gmail_extra"><br><br><div=
 class=3D"gmail_quote">On Thu, Aug 7, 2014 at 6:57 AM, Ted Lemon <span =
dir=3D"ltr">&lt;<a href=3D"mailto:ted.lemon@nominum.com" =
target=3D"_blank">ted.lemon@nominum.com</a>&gt;</span> wrote:<br>
<blockquote class=3D"gmail_quote" style=3D"margin:0px 0px 0px =
0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left=
-style:solid;padding-left:1ex">Ted Lemon has entered the following =
ballot position for<br>

draft-ietf-websec-key-pinning-19: Discuss<br>
<br>
When responding, please keep the subject line intact and reply to =
all<br>
email addresses included in the To and CC lines. (Feel free to cut =
this<br>
introductory paragraph, however.)<br>
<br>
<br>
Please refer to <a =
href=3D"http://www.ietf.org/iesg/statement/discuss-criteria.html" =
target=3D"_blank">http://www.ietf.org/iesg/statement/discuss-criteria.html=
</a><br>
for more information about IESG DISCUSS and COMMENT positions.<br>
<br>
<br>
The document, along with other ballot positions, can be found here:<br>
<a href=3D"http://datatracker.ietf.org/doc/draft-ietf-websec-key-pinning/"=
 =
target=3D"_blank">http://datatracker.ietf.org/doc/draft-ietf-websec-key-pi=
nning/</a><br>
<br>
<br>
<br>
=
----------------------------------------------------------------------<br>=

DISCUSS:<br>
=
----------------------------------------------------------------------<br>=

<br>
This mechanism relies on there being no MiTM attack from a =
compromised<br>
signing key either prior to a legitimate pinning, or in a situation =
where<br>
the host being "protected" doesn't actually do pinning.&nbsp; &nbsp;I =
think this<br>
should be mentioned in the security considerations section.&nbsp; =
&nbsp;I raise<br>
this to the level of DISCUSS because I think this actually creates a =
new<br>
attack surface for government censorship: you MiTM the host you're<br>
attacking, pin it to a cert signed using a compromised CA, and then =
that<br>
UA can't communicate with the host again for the duration of the =
pin.<br>
<br>
The scenario would be that the government has a transparent web cache =
in<br>
the path between the host and the UA, and the web cache pins false =
cert<br>
for hosts that are being censored.&nbsp; &nbsp;Now even if the user sets =
up a<br>
tunnel to bypass the transparent cache, they can't access the =
censored<br>
site, so they conclude that the site is down and abandon the =
tunnel.&nbsp; &nbsp;I<br>
could easily see this being used in a scenario like the recent DNS<br>
censorship in Turkey.<br>
<br>
Setting a lower maximum pin age mitigates the damage of such attacks =
if<br>
the user keeps the tunnel up for the duration of the pin, but I =
don't<br>
think it's realistic to assume that they will.&nbsp; &nbsp;I think that =
the only<br>
way to mitigate this attack is to have a mechanism whereby =
conflicting<br>
DANE TLSA information overrides the pin.&nbsp; &nbsp;This would allow a =
site being<br>
attacked in this way to securely inform the UA that the pin was =
invalid.<br>
&nbsp;The government could of course prevent DNSSEC validation, but the =
UA<br>
could take this as another signal to drop the pin: if the zone where =
the<br>
TLSA record should be fails to validate (as opposed to isn't signed,<br>
which wouldn't signify anything), the pin is likely a censorship =
attempt.<br><br></blockquote><div><br></div><div><br></div><div>Happy to =
note "Hostile Pins" as an attack scenario, as it's one we've discussed =
at length, however, I find the scenario a bit convoluted, and worse, the =
proposed solution (DNSSEC) being worse than the problem that it's =
solving.<br></div></div></div></div></blockquote><div><br></div></div><div=
>+1 but for a slightly different reason.</div><div><br></div><div>If you =
have a functioning DNSSEC, you don=92t need HPKP. Just use =
DANE.&nbsp;</div><div><br></div><div>HPKP is the TOFU stop-gap measure =
for an Internet that does not have DNSSEC =
everywhere.</div><div><br></div><div>Yoav</div><div><br></div></body></htm=
l>=

--Apple-Mail=_6065A492-04F5-4AD2-BDD4-55C454C9FBFF--


From nobody Mon Aug 25 01:52:33 2014
Return-Path: <ynir.ietf@gmail.com>
X-Original-To: websec@ietfa.amsl.com
Delivered-To: websec@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E52A21A702C for <websec@ietfa.amsl.com>; Mon, 25 Aug 2014 01:52:31 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level: 
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 4b13fs2tbWAy for <websec@ietfa.amsl.com>; Mon, 25 Aug 2014 01:52:30 -0700 (PDT)
Received: from mail-wg0-x229.google.com (mail-wg0-x229.google.com [IPv6:2a00:1450:400c:c00::229]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D75121A86F4 for <websec@ietf.org>; Mon, 25 Aug 2014 01:52:29 -0700 (PDT)
Received: by mail-wg0-f41.google.com with SMTP id z12so12685877wgg.0 for <websec@ietf.org>; Mon, 25 Aug 2014 01:52:28 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113;  h=content-type:mime-version:subject:from:in-reply-to:date:cc :message-id:references:to; bh=5M+C/OkssjqKg6gu/Yl6amLbJ9Drwy8XLRu7FOgopVc=; b=uPOC3oxl1H4L+NbVAlnMF1GZng5pRTi/eG7af111O4Ip20Ox55kB737md6dXLB0Gco 8qWAcZoli+C5qgRSjC3VT/T2fJknDxqVWej8eQc+5LC1WGEprZ/sWN/EoTpv9JmbLHIQ EMcS2zvAMiIRyqkroisL3PCCqK0Fe5VUdzFTOXRpjB18VXPqS3ZTNyG7RwILIWWo6N6O r6ML4yx6cP9/SSsq08G3Z1mHEuTWp+7/pn/61W8Z+FmOifoVKeQ35snsOMP+Au+6XEni J9UtP4pV2LEEcUgNu71UyMbXgFf80jQfgDffGl4w4wnbW+A67r0212MlYV+uU/0L7qU0 F3ww==
X-Received: by 10.180.99.4 with SMTP id em4mr14001059wib.8.1408956748564; Mon, 25 Aug 2014 01:52:28 -0700 (PDT)
Received: from [172.24.248.61] (dyn32-131.checkpoint.com. [194.29.32.131]) by mx.google.com with ESMTPSA id ck5sm68484170wjb.24.2014.08.25.01.52.27 for <multiple recipients> (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Mon, 25 Aug 2014 01:52:28 -0700 (PDT)
Content-Type: multipart/alternative; boundary="Apple-Mail=_968DAD25-200F-43D1-93C2-6BE97616E43A"
Mime-Version: 1.0 (Mac OS X Mail 7.3 \(1878.6\))
From: Yoav Nir <ynir.ietf@gmail.com>
In-Reply-To: <CACvaWvawc2YTi0RxEr7POdx2r8WQgwBG5b4h-N8Xd6pcd9EMdA@mail.gmail.com>
Date: Mon, 25 Aug 2014 11:52:24 +0300
Message-Id: <E3421423-FA5A-42E2-BCB2-714FCD1D3573@gmail.com>
References: <CACvaWvawc2YTi0RxEr7POdx2r8WQgwBG5b4h-N8Xd6pcd9EMdA@mail.gmail.com>
To: Ryan Sleevi <sleevi@google.com>
X-Mailer: Apple Mail (2.1878.6)
Archived-At: http://mailarchive.ietf.org/arch/msg/websec/FPuQVhN4ji26dQfINbu4W0fRCQo
Cc: "<websec@ietf.org>" <websec@ietf.org>
Subject: Re: [websec] User interactivity requirements
X-BeenThere: websec@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/websec>, <mailto:websec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/websec/>
List-Post: <mailto:websec@ietf.org>
List-Help: <mailto:websec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/websec>, <mailto:websec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 25 Aug 2014 08:52:32 -0000

--Apple-Mail=_968DAD25-200F-43D1-93C2-6BE97616E43A
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain;
	charset=windows-1252


On Aug 25, 2014, at 9:09 AM, Ryan Sleevi <sleevi@google.com> wrote:

> =46rom someone who sent directly to the editors, and thus I've omitted =
their address/name on the assumption of privacy.
>=20
> In section "2.6. Validating Pinned Connections" there is written:
>    When a UA connects to a Pinned Host, if the TLS connection has
>    errors, the UA MUST terminate the connection without allowing the
>    user to proceed anyway.  (This behavior is the same as that =
required
>    by [RFC6797].)
> I think that "(This behavior is the same as that required by =
[RFC6797].)" is misleading, because RFC6797 states that its section 12 =
(which contains "12.1. No User Recourse") is non-normative.
> http://tools.ietf.org/html/rfc6797#section-12
>=20
> Indeed, this is an oversight, and one that's arguably in conceptual =
conflict with the paragraph that follows, which describes Pin Validation =
as a SHOULD.
>=20
> That is, one can imagine that a TLS connection that is being actively =
MITM'd by a locally-installed trust anchor MAY induce other TLS errors. =
As the UA will not be performing pin validation, it's not clear that the =
UA should also be inheriting the requirement for non-procession.
>=20
> That is, HSTS DOES have a normative requirement on termination (see =
http://tools.ietf.org/html/rfc6797#section-8.4 ), which HPKP should also =
have, but whether or not a user can proceed is non-normative and up to =
implementations (with a general recommendation that the user should not =
be permitted to proceed)

I don=92t think they=92re quite the same.=20

HSTS does have to be enforced everywhere, because even if there=92s a =
MitM with a locally-trusted anchor, it is going to give the client TLS, =
and not just any TLS, but TLS with a certificate that chains to a =
trusted anchor, which is all that HSTS requires.

HPKP requires the connection to have a specific public key. A MitM =
cannot use that public key. So if these are both enforced, a MitM =
connection will be OK for HSTS, but fail for HPKP.

So an implementation has no reason to have a =93no HSTS enforced" mode, =
but it may have a reason to have a =93no HPKP enforced=94 mode.  As long =
as you=92re enforcing HPKP, it=92s fine to require no user recourse. If =
you=92re not enforcing HPKP, then of course you=92re not going to =
terminate the connections.

I agree that there is a difference, that HSTS calls non-recourse =
non-normative, while we are making it a MUST requirement. I think that =
is fine, so in my opinion, we can either remove the parenthetical remark =
or just leave it as it is.

Yoav



--Apple-Mail=_968DAD25-200F-43D1-93C2-6BE97616E43A
Content-Transfer-Encoding: quoted-printable
Content-Type: text/html;
	charset=windows-1252

<html><head><meta http-equiv=3D"Content-Type" content=3D"text/html =
charset=3Dwindows-1252"></head><body style=3D"word-wrap: break-word; =
-webkit-nbsp-mode: space; -webkit-line-break: =
after-white-space;"><br><div><div>On Aug 25, 2014, at 9:09 AM, Ryan =
Sleevi &lt;<a href=3D"mailto:sleevi@google.com">sleevi@google.com</a>&gt; =
wrote:</div><br class=3D"Apple-interchange-newline"><blockquote =
type=3D"cite"><div dir=3D"ltr"><div =
style=3D"font-family:arial,sans-serif;font-size:13px"><div>=46rom =
someone who sent directly to the editors, and thus I've omitted their =
address/name on the assumption of =
privacy.</div><div><br></div><blockquote class=3D"gmail_quote" =
style=3D"margin:0px 0px 0px =
0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left=
-style:solid;padding-left:1ex">
In section "2.6. Validating Pinned Connections" there is =
written:<br>&nbsp;&nbsp; When a UA connects to a Pinned Host, if the TLS =
connection has<br>&nbsp;&nbsp; errors, the UA MUST terminate the =
connection without allowing the<br>&nbsp;&nbsp; user to proceed =
anyway.&nbsp; (This behavior is the same as that required<br>
&nbsp;&nbsp; by [RFC6797].)<br>I think that "(This behavior is the same =
as that required by [RFC6797].)" is misleading, because RFC6797 states =
that its section 12 (which contains "12.1. No User Recourse") is =
non-normative.<br>
<a href=3D"http://tools.ietf.org/html/rfc6797#section-12" =
target=3D"_blank">http://tools.ietf.org/html/rfc6797#section-12</a></block=
quote><div><br></div>Indeed, this is an oversight, and one that's =
arguably in conceptual conflict with the paragraph that follows, which =
describes Pin Validation as a SHOULD.</div>
<div style=3D"font-family:arial,sans-serif;font-size:13px"><br></div><div =
style=3D"font-family:arial,sans-serif;font-size:13px">That is, one can =
imagine that a TLS connection that is being actively MITM'd by a =
locally-installed trust anchor MAY induce other TLS errors. As the UA =
will not be performing pin validation, it's not clear that the UA should =
also be inheriting the requirement for non-procession.</div>
<div style=3D"font-family:arial,sans-serif;font-size:13px"><br></div><div =
style=3D"font-family:arial,sans-serif;font-size:13px">That is, HSTS DOES =
have a normative requirement on termination (see&nbsp;<a =
href=3D"http://tools.ietf.org/html/rfc6797#section-8.4">http://tools.ietf.=
org/html/rfc6797#section-8.4</a> ), which HPKP should also have, but =
whether or not a user can proceed is non-normative and up to =
implementations (with a general recommendation that the user should not =
be permitted to proceed)</div>
</div></blockquote><br></div><div>I don=92t think they=92re quite the =
same.&nbsp;</div><div><br></div><div>HSTS does have to be enforced =
everywhere, because even if there=92s a MitM with a locally-trusted =
anchor, it is going to give the client TLS, and not just any TLS, but =
TLS with a certificate that chains to a trusted anchor, which is all =
that HSTS requires.</div><div><br></div><div>HPKP requires the =
connection to have a specific public key. A MitM cannot use that public =
key. So if these are both enforced, a MitM connection will be OK for =
HSTS, but fail for HPKP.</div><div><br></div><div>So an implementation =
has no reason to have a =93no HSTS enforced" mode, but it may have a =
reason to have a =93no HPKP enforced=94 mode. &nbsp;As long as you=92re =
enforcing HPKP, it=92s fine to require no user recourse. If you=92re not =
enforcing HPKP, then of course you=92re not going to terminate the =
connections.</div><div><br></div><div>I agree that there is a =
difference, that HSTS calls non-recourse non-normative, while we are =
making it a MUST requirement. I think that is fine, so in my opinion, we =
can either remove the parenthetical remark or just leave it as it =
is.</div><div><br></div><div>Yoav</div><div><br></div><br></body></html>=

--Apple-Mail=_968DAD25-200F-43D1-93C2-6BE97616E43A--


From nobody Mon Aug 25 02:18:50 2014
Return-Path: <sleevi@google.com>
X-Original-To: websec@ietfa.amsl.com
Delivered-To: websec@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2BBCF1A89E8 for <websec@ietfa.amsl.com>; Mon, 25 Aug 2014 02:00:32 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.046
X-Spam-Level: 
X-Spam-Status: No, score=-2.046 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, RP_MATCHES_RCVD=-0.668, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id eJjF9iHCAqVt for <websec@ietfa.amsl.com>; Mon, 25 Aug 2014 02:00:29 -0700 (PDT)
Received: from mail-vc0-x22b.google.com (mail-vc0-x22b.google.com [IPv6:2607:f8b0:400c:c03::22b]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id EED581A8A14 for <websec@ietf.org>; Mon, 25 Aug 2014 02:00:28 -0700 (PDT)
Received: by mail-vc0-f171.google.com with SMTP id hq11so14954107vcb.30 for <websec@ietf.org>; Mon, 25 Aug 2014 02:00:28 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=B91M7WZzrDPSmpJsHl2wE2+t3qxJvTAxUfmXDFmr9og=; b=i6yACZk4HrekXODiqqmFiGQxT9bIfYI5OaDfIZttPPSw6OmtYoSKEduF5deEwyDDom lAdBLAWq2OkpQ7spPQdgghffTZK8iniXpUJP9tULlYO/qlmNNjH384gzUGigmAtM9sU5 dXSlC1/RKchIxZVCd1734bsQRUOMH+DIlLlPqzrl0/dV1qVk+dk5k8McF/rfGCWuYBD0 A0pJn3QvQ7TxjHWoz1aKktVlP4Gs4ZSVpdVdaF1MnfDL84A1nsu1ctdearJKpLcQIumD J6jxTD9JFpCkqTMiSaBNHbWamvk+0O+sWtklNTORTQADEJmud04e11wPC0n66dypN69Y wNZg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:date :message-id:subject:from:to:cc:content-type; bh=B91M7WZzrDPSmpJsHl2wE2+t3qxJvTAxUfmXDFmr9og=; b=XePQyiUlg1WQJA0A+JLLI8/3Dq+6R5KiQaFqq5oElF+ZC/u+qOEXtvt4nKUWsk+x9o GlHM3algiI/JvQzdzlBsioi58a1FZ8oGywUZcOgJ5dBpKt/1uhXIsKoP3SoVjPoRjpiO Btwmcq0cEw2isAqZZrBmSmZdOStr0g5h17vIV5TiTdfduHR05xb7xid+DiR5QO/WqP4a N2ynqHpw9s4HNQrwi3quFnnad3bkTemTIPx2NYYNo3xWRcTZgjtpox1gqJjg1GvqkxhT I66xMsmY3HyNvsVWCL3a2gQfOxTL3Mhr7yXgX21r/ghW2NlRqkKYGnP8+hpDtQZ4LNLi TXug==
X-Gm-Message-State: ALoCoQlaaPz+GZWV3QBKLUc3rBzODzq4z+nrfYGDkv+rYsWtiL/f6CYuza0Hv+BoVh9/lpt265fP
MIME-Version: 1.0
X-Received: by 10.220.30.8 with SMTP id s8mr4452112vcc.58.1408957227934; Mon, 25 Aug 2014 02:00:27 -0700 (PDT)
Received: by 10.52.119.178 with HTTP; Mon, 25 Aug 2014 02:00:27 -0700 (PDT)
Received: by 10.52.119.178 with HTTP; Mon, 25 Aug 2014 02:00:27 -0700 (PDT)
In-Reply-To: <E3421423-FA5A-42E2-BCB2-714FCD1D3573@gmail.com>
References: <CACvaWvawc2YTi0RxEr7POdx2r8WQgwBG5b4h-N8Xd6pcd9EMdA@mail.gmail.com> <E3421423-FA5A-42E2-BCB2-714FCD1D3573@gmail.com>
Date: Mon, 25 Aug 2014 02:00:27 -0700
Message-ID: <CACvaWvZDQzcSWWjC8VhCMFWvrDhEXDo2b4q4CXOiwg4Bww3=Ew@mail.gmail.com>
From: Ryan Sleevi <sleevi@google.com>
To: Yoav Nir <ynir.ietf@gmail.com>
Content-Type: multipart/alternative; boundary=001a11c2d0561343860501706b31
Archived-At: http://mailarchive.ietf.org/arch/msg/websec/NDfNyiIG0HDiItPtWVlfmcZxtBo
X-Mailman-Approved-At: Mon, 25 Aug 2014 02:18:47 -0700
Cc: "<websec@ietf.org>" <websec@ietf.org>
Subject: Re: [websec] User interactivity requirements
X-BeenThere: websec@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/websec>, <mailto:websec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/websec/>
List-Post: <mailto:websec@ietf.org>
List-Help: <mailto:websec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/websec>, <mailto:websec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 25 Aug 2014 09:00:32 -0000

--001a11c2d0561343860501706b31
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: quoted-printable

On Aug 25, 2014 1:52 AM, "Yoav Nir" <ynir.ietf@gmail.com> wrote:
>
>
> On Aug 25, 2014, at 9:09 AM, Ryan Sleevi <sleevi@google.com> wrote:
>
>> From someone who sent directly to the editors, and thus I've omitted
their address/name on the assumption of privacy.
>>
>>> In section "2.6. Validating Pinned Connections" there is written:
>>>    When a UA connects to a Pinned Host, if the TLS connection has
>>>    errors, the UA MUST terminate the connection without allowing the
>>>    user to proceed anyway.  (This behavior is the same as that required
>>>    by [RFC6797].)
>>> I think that "(This behavior is the same as that required by
[RFC6797].)" is misleading, because RFC6797 states that its section 12
(which contains "12.1. No User Recourse") is non-normative.
>>> http://tools.ietf.org/html/rfc6797#section-12
>>
>>
>> Indeed, this is an oversight, and one that's arguably in conceptual
conflict with the paragraph that follows, which describes Pin Validation as
a SHOULD.
>>
>> That is, one can imagine that a TLS connection that is being actively
MITM'd by a locally-installed trust anchor MAY induce other TLS errors. As
the UA will not be performing pin validation, it's not clear that the UA
should also be inheriting the requirement for non-procession.
>>
>> That is, HSTS DOES have a normative requirement on termination (see
http://tools.ietf.org/html/rfc6797#section-8.4 ), which HPKP should also
have, but whether or not a user can proceed is non-normative and up to
implementations (with a general recommendation that the user should not be
permitted to proceed)
>
>
> I don=E2=80=99t think they=E2=80=99re quite the same.
>
> HSTS does have to be enforced everywhere, because even if there=E2=80=99s=
 a MitM
with a locally-trusted anchor, it is going to give the client TLS, and not
just any TLS, but TLS with a certificate that chains to a trusted anchor,
which is all that HSTS requires.
>
> HPKP requires the connection to have a specific public key. A MitM cannot
use that public key. So if these are both enforced, a MitM connection will
be OK for HSTS, but fail for HPKP.
>
> So an implementation has no reason to have a =E2=80=9Cno HSTS enforced" m=
ode, but
it may have a reason to have a =E2=80=9Cno HPKP enforced=E2=80=9D mode.  As=
 long as you=E2=80=99re
enforcing HPKP, it=E2=80=99s fine to require no user recourse. If you=E2=80=
=99re not
enforcing HPKP, then of course you=E2=80=99re not going to terminate the
connections.
>
> I agree that there is a difference, that HSTS calls non-recourse
non-normative, while we are making it a MUST requirement. I think that is
fine, so in my opinion, we can either remove the parenthetical remark or
just leave it as it is.
>
> Yoav
>
>

Yoav,

UAs today already have "no HSTS enforced" modes. While generally (and
intentionally) not documented, they do exist.

The nature of what is a TLS error here is a broad category, and may include
elements that are policy specific. Most importantly, however, I think it
does not make any sense that if you're talking to a known pinned host, but
for policy reasons disable enforcement of HPKP, that it would suggest a
normative MUST fail. That doesn't seem to jive with the language
recognizing policy exceptions exist.

--001a11c2d0561343860501706b31
Content-Type: text/html; charset=UTF-8
Content-Transfer-Encoding: quoted-printable

<p dir=3D"ltr"><br>
On Aug 25, 2014 1:52 AM, &quot;Yoav Nir&quot; &lt;<a href=3D"mailto:ynir.ie=
tf@gmail.com">ynir.ietf@gmail.com</a>&gt; wrote:<br>
&gt;<br>
&gt;<br>
&gt; On Aug 25, 2014, at 9:09 AM, Ryan Sleevi &lt;<a href=3D"mailto:sleevi@=
google.com">sleevi@google.com</a>&gt; wrote:<br>
&gt;<br>
&gt;&gt; From someone who sent directly to the editors, and thus I&#39;ve o=
mitted their address/name on the assumption of privacy.<br>
&gt;&gt;<br>
&gt;&gt;&gt; In section &quot;2.6. Validating Pinned Connections&quot; ther=
e is written:<br>
&gt;&gt;&gt; =C2=A0=C2=A0 When a UA connects to a Pinned Host, if the TLS c=
onnection has<br>
&gt;&gt;&gt; =C2=A0=C2=A0 errors, the UA MUST terminate the connection with=
out allowing the<br>
&gt;&gt;&gt; =C2=A0=C2=A0 user to proceed anyway.=C2=A0 (This behavior is t=
he same as that required<br>
&gt;&gt;&gt; =C2=A0=C2=A0 by [RFC6797].)<br>
&gt;&gt;&gt; I think that &quot;(This behavior is the same as that required=
 by [RFC6797].)&quot; is misleading, because RFC6797 states that its sectio=
n 12 (which contains &quot;12.1. No User Recourse&quot;) is non-normative.<=
br>

&gt;&gt;&gt; <a href=3D"http://tools.ietf.org/html/rfc6797#section-12">http=
://tools.ietf.org/html/rfc6797#section-12</a><br>
&gt;&gt;<br>
&gt;&gt;<br>
&gt;&gt; Indeed, this is an oversight, and one that&#39;s arguably in conce=
ptual conflict with the paragraph that follows, which describes Pin Validat=
ion as a SHOULD.<br>
&gt;&gt;<br>
&gt;&gt; That is, one can imagine that a TLS connection that is being activ=
ely MITM&#39;d by a locally-installed trust anchor MAY induce other TLS err=
ors. As the UA will not be performing pin validation, it&#39;s not clear th=
at the UA should also be inheriting the requirement for non-procession.<br>

&gt;&gt;<br>
&gt;&gt; That is, HSTS DOES have a normative requirement on termination (se=
e=C2=A0<a href=3D"http://tools.ietf.org/html/rfc6797#section-8.4">http://to=
ols.ietf.org/html/rfc6797#section-8.4</a> ), which HPKP should also have, b=
ut whether or not a user can proceed is non-normative and up to implementat=
ions (with a general recommendation that the user should not be permitted t=
o proceed)<br>

&gt;<br>
&gt;<br>
&gt; I don=E2=80=99t think they=E2=80=99re quite the same.=C2=A0<br>
&gt;<br>
&gt; HSTS does have to be enforced everywhere, because even if there=E2=80=
=99s a MitM with a locally-trusted anchor, it is going to give the client T=
LS, and not just any TLS, but TLS with a certificate that chains to a trust=
ed anchor, which is all that HSTS requires.<br>

&gt;<br>
&gt; HPKP requires the connection to have a specific public key. A MitM can=
not use that public key. So if these are both enforced, a MitM connection w=
ill be OK for HSTS, but fail for HPKP.<br>
&gt;<br>
&gt; So an implementation has no reason to have a =E2=80=9Cno HSTS enforced=
&quot; mode, but it may have a reason to have a =E2=80=9Cno HPKP enforced=
=E2=80=9D mode. =C2=A0As long as you=E2=80=99re enforcing HPKP, it=E2=80=99=
s fine to require no user recourse. If you=E2=80=99re not enforcing HPKP, t=
hen of course you=E2=80=99re not going to terminate the connections.<br>

&gt;<br>
&gt; I agree that there is a difference, that HSTS calls non-recourse non-n=
ormative, while we are making it a MUST requirement. I think that is fine, =
so in my opinion, we can either remove the parenthetical remark or just lea=
ve it as it is.<br>

&gt;<br>
&gt; Yoav<br>
&gt;<br>
&gt;</p>
<p dir=3D"ltr">Yoav,</p>
<p dir=3D"ltr">UAs today already have &quot;no HSTS enforced&quot; modes. W=
hile generally (and intentionally) not documented, they do exist.</p>
<p dir=3D"ltr">The nature of what is a TLS error here is a broad category, =
and may include elements that are policy specific. Most importantly, howeve=
r, I think it does not make any sense that if you&#39;re talking to a known=
 pinned host, but for policy reasons disable enforcement of HPKP, that it w=
ould suggest a normative MUST fail. That doesn&#39;t seem to jive with the =
language recognizing policy exceptions exist.</p>


--001a11c2d0561343860501706b31--


From nobody Mon Aug 25 03:07:28 2014
Return-Path: <stephen.farrell@cs.tcd.ie>
X-Original-To: websec@ietfa.amsl.com
Delivered-To: websec@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 706241A8BBE; Mon, 25 Aug 2014 03:07:03 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.568
X-Spam-Level: 
X-Spam-Status: No, score=-2.568 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RP_MATCHES_RCVD=-0.668] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 6bV7MN6YbDwV; Mon, 25 Aug 2014 03:06:47 -0700 (PDT)
Received: from mercury.scss.tcd.ie (mercury.scss.tcd.ie [134.226.56.6]) by ietfa.amsl.com (Postfix) with ESMTP id 347211A8BC1; Mon, 25 Aug 2014 03:06:47 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by mercury.scss.tcd.ie (Postfix) with ESMTP id 82E43BE0A; Mon, 25 Aug 2014 11:06:45 +0100 (IST)
X-Virus-Scanned: Debian amavisd-new at scss.tcd.ie
Received: from mercury.scss.tcd.ie ([127.0.0.1]) by localhost (mercury.scss.tcd.ie [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 9u3Cy_AqxGmE; Mon, 25 Aug 2014 11:06:42 +0100 (IST)
Received: from [10.87.48.6] (unknown [86.46.18.19]) by mercury.scss.tcd.ie (Postfix) with ESMTPSA id 81C5DBDD8; Mon, 25 Aug 2014 11:06:42 +0100 (IST)
Message-ID: <53FB0AB1.1090109@cs.tcd.ie>
Date: Mon, 25 Aug 2014 11:06:41 +0100
From: Stephen Farrell <stephen.farrell@cs.tcd.ie>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Thunderbird/31.0
MIME-Version: 1.0
To: Ryan Sleevi <sleevi@google.com>
References: <20140807110710.18212.14741.idtracker@ietfa.amsl.com> <CACvaWvZooQ2r6hzBAWy-MHvrc62dMaH8kakEvEEFEG-Eg3fZMw@mail.gmail.com>
In-Reply-To: <CACvaWvZooQ2r6hzBAWy-MHvrc62dMaH8kakEvEEFEG-Eg3fZMw@mail.gmail.com>
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 7bit
Archived-At: http://mailarchive.ietf.org/arch/msg/websec/neuc3CWqme-93b0KiWljFjOm2yk
Cc: draft-ietf-websec-key-pinning@tools.ietf.org, "<websec@ietf.org>" <websec@ietf.org>, The IESG <iesg@ietf.org>, websec-chairs@tools.ietf.org
Subject: Re: [websec] Stephen Farrell's Discuss on draft-ietf-websec-key-pinning-19: (with DISCUSS and COMMENT)
X-BeenThere: websec@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/websec>, <mailto:websec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/websec/>
List-Post: <mailto:websec@ietf.org>
List-Help: <mailto:websec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/websec>, <mailto:websec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 25 Aug 2014 10:07:03 -0000

Hi Ryan,

Thanks for the thorough response. A few bis'n'pieces below but
I'll clear once you've posted the update, so no need to keep on
chatting if you prefer that. (I'm happy to keep chatting too of
course.)

On 25/08/14 06:51, Ryan Sleevi wrote:
> On Thu, Aug 7, 2014 at 4:07 AM, Stephen Farrell <stephen.farrell@cs.tcd.ie>
> wrote:
> 
>> Stephen Farrell has entered the following ballot position for
>> draft-ietf-websec-key-pinning-19: Discuss
>>
>> When responding, please keep the subject line intact and reply to all
>> email addresses included in the To and CC lines. (Feel free to cut this
>> introductory paragraph, however.)
>>
>>
>> Please refer to http://www.ietf.org/iesg/statement/discuss-criteria.html
>> for more information about IESG DISCUSS and COMMENT positions.
>>
>>
>> The document, along with other ballot positions, can be found here:
>> http://datatracker.ietf.org/doc/draft-ietf-websec-key-pinning/
>>
>>
>>
>> ----------------------------------------------------------------------
>> DISCUSS:
>> ----------------------------------------------------------------------
>>
>>
>>
>> Good doc. Two things I'd like to check before moving to a yes
>> ballot:
>>
>> (1) 2.1 - Can a simple-directive start with "pin-"?  Seems like
>> yes it can, but then the ABNF is ambiguous about the RHS of the
>> "=" I think, is that right? Its no big deal since valid values
>> will parse anyway, so only an issue if you ever care about
>> simple-directive vs. pin-directive. Ah - does the last para of
>> 2.1 mean that this distinction is needed really?
>>
> 
>>From the ABNF, yes, it does many any simple-directive can start with "pin-".
> 
> I suspect the solution is to remove pin-directive entirely from the ABNF,
> as it's not necessary, and purely specify in terms of directives. The
> concept of a "pin-directive" can be explained via prose, which would be
> consistent to how HTTPbis restructured most of the header processing.
> 

Grand. That'll fix it.

> 
>>
>> (2) 2.1.3 says that "If the scheme in the report-uri is one
>> that uses TLS (e.g.  HTTPS), UAs MUST perform Pinning
>> Validation when the host in the report-uri is a Known Pinned
>> Host;" That's generally ok, however, I think it may break for
>> alt-svc, where TLS is used but https is not, or if TCPINC
>> decided on a TLS based solution then some coder might get it
>> wrong. I think a simple re-statement in terms of http vs. https
>> URIs should fix this. I realise that neither alt-svc nor TCPINC
>> existed when this work started, but since they now do it'd pay
>> to think about them and I don't recall seeing that on the
>> websec list (apologies if I'm wrong there).  The IFF in 2.5
>> also seems related.  2.2 has same issues about alt-svc and
>> TCPINC. I do see that you only say "e.g. TLS" here but
>> wonder nonetheless, e.g. would 2.2.1 cover an alt-svc case
>> or not?
>>
> 
> The suggested solution - being explicit that it applies to HTTPS - equally
> suffers from the risk of error being seen for alt-svc, in that it fails to
> account for schemes such as wss://, for which pinning also should apply.

Fair enough.

> 
> I realize this is probably something you may not agree with, but I think
> the language choice here - that of "secure transport" - is already
> sufficient to exclude such proposals as alt-svc, which only provide
> encryption. That is, both in practice and intent, alt-svc is not considered
> to be a "secure transport" (which is as much evident by the lack of secure
> cookies)
> 
> For example, with respect to 2.5, the second bullet point describes the
> connection as "authenticated", which alt-svc is not.

You're right that I do think some more clarity would be good. Isn't
the fact that we both think coders are likely to make mistakes here
a good indicator of that?

I'd suggest adding something like:

   Note that only server-authenticated TLS or mutually-authenticated
   TLS are considered "secure transports" for the purposes of this
   specification. In particular, any form of unauthenticated TLS such
   as use of *ANON* ciphersuites or opportunistic security for HTTP
   URIs (as in [1]) do not count as "secure transports".

   [1] https://tools.ietf.org/html/draft-ietf-httpbis-http2-encryption

I'm sure that's probably broken and needs fixing but some explicit
text would be good. (Nonetheless, since we've discussed it, I will
move to a Yes even if you don't add stuff for this.)

> 
> 
>>
>>
>> ----------------------------------------------------------------------
>> COMMENT:
>> ----------------------------------------------------------------------
>>
>>
>>
>> abstract and elswhere: SubjectPublicKeyInfo doesn't usually
>> have spaces between the terms. No big deal. After the abstract
>> would a ref to 5280 be right for SPKI as well?
>>
> 
> Sure.
> 
> 
>>
>> general: I think emphasising the backup pin requirement in the
>> intro would be good. It's a little hidden now and would be a
>> surprise to some I bet.
>>
>> 2.1 - pin-directive has the literal "pin-" but later you say
>> (in bullet #3) that directive names are case insensitive.  Does
>> that apply to "pin-" as well or not?
>>
> 
> It should. The above proposed removal of the ABNF for pin-directive should
> remedy this.
> 
> 
>>
>> 2.1 - has some typos: reistry and hahs
>>
>> 2.1 - "Known Pinned Host" would be a fine term to define in a
>> section 1.1 that was renamed via s/Requirements
>> Language/Terminology/
>>
>> 2.1.1 - max-age is really defined against the time of reception
>> and not (in principle) from when its emitted?  I know that
>> makes no difference now, but with a sufficient latency (e.g.
>> Earth->Mars, min 4 mins, max 20 mins, and yes my DTN heritage
>> is showing:-) it could, just about. I think to be pedantically
>> correct, max-age ought be defined versus the time of emission
>> and not receipt.
>>
> 
> I don't see how this reasonably can be accomplished, short of requiring
> that the Date header ( http://tools.ietf.org/html/rfc7231#section-7.1.1.2 )
> be present, which does not seem desirable.

No, I don't think such a change would be needed. You only need
to re-define max-age as an offset from the time of reception.
For the current web that's close enough to the time of emission
that all's well. It'd only make a difference for a DTN-like web.
But, that last of course means that almost nobody cares, so I'll
stop now:-)

Cheers,
S.


> 
> 
>>
>> 2.1.2 - uses the term "Pinned Host" which is not the same as
>> the previously used "Known Pinned Host" - is the distinction
>> meant to be significant or is that a typo?
>>
> 
> Typo, although the difference is significant enough to provide
> clarification, in as much as it applies to PKP-RO (which doesn't note the
> pins, as discussed elsewhere)
> 
> 
>>
>> 2.1.3/section 4 - shouldn't the potential DoS issues be
>> discussed for cases where report-uri != same-origin? E.g.  if
>> busy-site.example.net (is hacked and) sets report-uri to
>> victim.example.com (maybe with some HTML/JS that generates
>> loads of queries to the victimj) that'd be like getting /.'d I
>> think that's maybe worth noting in the security considerations
>> or in 2.1.3 where you (quite properly) say to rate-limit
>> reporting. If you'd rather not say why though, that's ok too.
>>
>>
> Sure.
> 


From nobody Mon Aug 25 04:39:37 2014
Return-Path: <Ted.Lemon@nominum.com>
X-Original-To: websec@ietfa.amsl.com
Delivered-To: websec@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 25A5E1A9041; Mon, 25 Aug 2014 04:39:36 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.568
X-Spam-Level: 
X-Spam-Status: No, score=-2.568 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RP_MATCHES_RCVD=-0.668] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id K7BtofCKuskC; Mon, 25 Aug 2014 04:39:34 -0700 (PDT)
Received: from shell-too.nominum.com (shell-too.nominum.com [64.89.228.229]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id CFDDF1A9040; Mon, 25 Aug 2014 04:39:34 -0700 (PDT)
Received: from archivist.nominum.com (archivist.nominum.com [64.89.228.108]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client CN "*.nominum.com", Issuer "Go Daddy Secure Certificate Authority - G2" (verified OK)) by shell-too.nominum.com (Postfix) with ESMTP id AF1371B8467; Mon, 25 Aug 2014 04:39:34 -0700 (PDT)
Received: from webmail.nominum.com (cas-02.win.nominum.com [64.89.228.132]) (using TLSv1 with cipher RC4-SHA (128/128 bits)) (Client CN "mail.nominum.com", Issuer "Go Daddy Secure Certification Authority" (verified OK)) by archivist.nominum.com (Postfix) with ESMTP id 731A953E070; Mon, 25 Aug 2014 04:39:34 -0700 (PDT)
Received: from [10.0.10.40] (71.233.43.215) by CAS-02.WIN.NOMINUM.COM (192.168.1.101) with Microsoft SMTP Server (TLS) id 14.3.195.1; Mon, 25 Aug 2014 04:39:34 -0700
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0 (Mac OS X Mail 7.3 \(1878.6\))
From: Ted Lemon <Ted.Lemon@nominum.com>
In-Reply-To: <CACvaWvYTuutQGgkcZN3RraY9+UuRJ5WzBveci5oxrg=q96CdCw@mail.gmail.com>
Date: Mon, 25 Aug 2014 07:39:18 -0400
Content-Transfer-Encoding: quoted-printable
Message-ID: <3B6D8F39-468E-45ED-B9AD-9FCE8F2FC55A@nominum.com>
References: <20140807135751.6422.30957.idtracker@ietfa.amsl.com> <CACvaWvYTuutQGgkcZN3RraY9+UuRJ5WzBveci5oxrg=q96CdCw@mail.gmail.com>
To: Ryan Sleevi <sleevi@google.com>
X-Mailer: Apple Mail (2.1878.6)
X-Originating-IP: [71.233.43.215]
Archived-At: http://mailarchive.ietf.org/arch/msg/websec/s5T66LldjBQYbjF0f-s7X96uc4A
Cc: draft-ietf-websec-key-pinning@tools.ietf.org, "<websec@ietf.org>" <websec@ietf.org>, The IESG <iesg@ietf.org>, websec-chairs@tools.ietf.org
Subject: Re: [websec] Ted Lemon's Discuss on draft-ietf-websec-key-pinning-19: (with DISCUSS)
X-BeenThere: websec@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/websec>, <mailto:websec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/websec/>
List-Post: <mailto:websec@ietf.org>
List-Help: <mailto:websec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/websec>, <mailto:websec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 25 Aug 2014 11:39:36 -0000

On Aug 25, 2014, at 1:52 AM, Ryan Sleevi <sleevi@google.com> wrote:
> The hostile attacker (the government) blocks DNSSEC, which now the UA =
takes as a signal to drop the pin. In doing so, they now connect to the =
BAD site with the BAD certificates, and note HOSTILE pins.

If I'd suggested that this be how DNSSEC is used, that would definitely =
be a problem.   What I actually suggested though was that DNSSEC be =
checked to see if a conflicting key can be securely shown to exist.

> Or consider the operational risks of DNSSEC, which lacks formalized =
key strengths or management lifecycles, and which, as evidence =
repeatedly shows for DNS, can be transferred through court order. In =
this case, if a DNSSEC TLSA record overrides the pinning, the site is =
again at the mercy of a single point of failure. Thus we'd need DNSSEC =
pinning and DNSSEC transparency.

Which we already have, in the form of trust anchors and validation =
chains.   Your court order attack works just as well for pinning as it =
does for DNSSEC, so I don't see how this is relevant.

> I don't mean for this to get into a larger debate about DNSSEC, merely =
provide context for why it's not discussed as a mitigation in =
considering hostile pins. I think I can fairly certainly say such a =
mitigation wouldn't get implemented.=20

That may be true.   The point of suggesting DNSSEC as a mitigation =
strategy is that if we start to see hostile key pinning (nice term, =
BTW), is not that it would necessarily get implemented today, but that =
once hostile key pinning becomes a common attack, which I expect will =
happen shortly after key pinning becomes widely deployed in its =
vulnerable state, there will be a stronger motivation to implement some =
kind of strategy for detecting it.

It may be that DNSSEC isn't the right strategy, but not having any =
strategy at all seems like a bad idea.   Richard suggested offline that =
certificate transparency might work; my concern with that is that =
there's no way that I know of (not an expert, so maybe I just don't =
know) to detect that you are being prevented from doing certificate =
transparency, and not just unable to reach a server that does =
transparency.   If in fact hostile key pinning can be mitigated using =
certificate transparency, that would also address my discuss.

Richard also suggested tunneling DANE validation chains over HTTP to =
address the problem, which sounded to me like another good strategy that =
gets around the DNSSEC functionality problem, although it does not get =
around the DNSSEC deployment problem: sites that care to prevent hostile =
pinning would still have to deploy DNSSEC to prevent it.

It may also be that the right thing to do is just discuss the problem in =
the security considerations section and punt on solving it until later.  =
 I can't really force you to address the problem now with a DISCUSS, nor =
would I want to.  The point of the DISCUSS is to talk about it and =
figure out what, if anything can be done.  It may be that there is =
nothing practical that can be done.   It may also be that there is =
something practical that can be done, but it should be done in a =
follow-on document.   Either answer is fine with me if it's true, but =
the case needs to be made.


From nobody Mon Aug 25 06:59:40 2014
Return-Path: <sleevi@google.com>
X-Original-To: websec@ietfa.amsl.com
Delivered-To: websec@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9B1F71A9062 for <websec@ietfa.amsl.com>; Mon, 25 Aug 2014 05:26:47 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.046
X-Spam-Level: 
X-Spam-Status: No, score=-2.046 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, RP_MATCHES_RCVD=-0.668, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id WdoqiNhCjAmr for <websec@ietfa.amsl.com>; Mon, 25 Aug 2014 05:26:45 -0700 (PDT)
Received: from mail-vc0-x230.google.com (mail-vc0-x230.google.com [IPv6:2607:f8b0:400c:c03::230]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6B00E1A9061 for <websec@ietf.org>; Mon, 25 Aug 2014 05:26:45 -0700 (PDT)
Received: by mail-vc0-f176.google.com with SMTP id id10so14748424vcb.7 for <websec@ietf.org>; Mon, 25 Aug 2014 05:26:44 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=W1TJ62PuFqR4CaCGsVtxOsEHVc+pYt+Kd1+sLACWbtE=; b=JXkhfFyyU4vqayBoQ8xHEOpJJIJ5i7AQGOt42DFskj+zbITnM4qkbNdZ8u1Nb1JAAl 9hmmPcZOCrbyoTRsazqtAVJ71Mf87VH3VYlFZDjpq31C+jTmejKte3jFnW+LcppEvAtW ciyfvOt9i+PjIZdTZQfsbB0JlOr4A0tp9CASoNQhIQA9xfPqxQAKpeX2XHS4XBfjerBp j2DQRcoZ1MmVvZRDFchvEikXpX+6DN0m8GbmW5eflBrv7KjEkR9ABZgCUkpZJw3JwMol r5wIxgW7DY6QpzAS17Bbi0VA3+4WS7e4hzmGn/LmoctMJTfGExD+EQuMlvTpuoretMW8 M6Yg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:date :message-id:subject:from:to:cc:content-type; bh=W1TJ62PuFqR4CaCGsVtxOsEHVc+pYt+Kd1+sLACWbtE=; b=NshbfiXBT8tkHWQeBSq0cxeXc1kBaX8+5WwzzxV4Ypj6sbehds9wXbvTlp/nM0ChCb SsixjrI57QmxxxPmoHrVQHegZ4XAukXF1HVSPc3J9Zj43d1awQCPX6oHByyBYfzmdKxs lE8/hz4WP/VPr+YCPL63r6nju1f2CVF444JJsPP3774UDbrbc55klQ4tNF4BqgDJodjv b6w3AJel3gI5InXiBezV2ATnthWF+SC9UHwZKcxHLS1BPPWt39F2PhAxfDNtcmcbVoE6 nbOLnhcmDhscGk4WF6WZQWpvtHlx/8bBRqXM24l55P/K0Gbh3br6RS3j/uo/G3uMRE+A PueQ==
X-Gm-Message-State: ALoCoQnCL+5D7OjoZEtka0tttr/t7Ix4i6zuL2Y04ULZW/Cy/V2y2vsVShmWGlQe0cbA4uDs6H3b
MIME-Version: 1.0
X-Received: by 10.52.179.161 with SMTP id dh1mr1003061vdc.78.1408969604392; Mon, 25 Aug 2014 05:26:44 -0700 (PDT)
Received: by 10.52.119.178 with HTTP; Mon, 25 Aug 2014 05:26:44 -0700 (PDT)
Received: by 10.52.119.178 with HTTP; Mon, 25 Aug 2014 05:26:44 -0700 (PDT)
In-Reply-To: <3B6D8F39-468E-45ED-B9AD-9FCE8F2FC55A@nominum.com>
References: <20140807135751.6422.30957.idtracker@ietfa.amsl.com> <CACvaWvYTuutQGgkcZN3RraY9+UuRJ5WzBveci5oxrg=q96CdCw@mail.gmail.com> <3B6D8F39-468E-45ED-B9AD-9FCE8F2FC55A@nominum.com>
Date: Mon, 25 Aug 2014 05:26:44 -0700
Message-ID: <CACvaWvap1G-Lz=JQc76PnwomSzRufuZyWR1savaCO5+69MAsbA@mail.gmail.com>
From: Ryan Sleevi <sleevi@google.com>
To: Ted Lemon <Ted.Lemon@nominum.com>
Content-Type: multipart/alternative; boundary=bcaec51a8e56c50aa40501734c52
Archived-At: http://mailarchive.ietf.org/arch/msg/websec/0ByztmIAWNxi6QBEBiCCArfiCG4
X-Mailman-Approved-At: Mon, 25 Aug 2014 06:59:36 -0700
Cc: draft-ietf-websec-key-pinning@tools.ietf.org, "<websec@ietf.org>" <websec@ietf.org>, websec-chairs@tools.ietf.org, The IESG <iesg@ietf.org>
Subject: Re: [websec] Ted Lemon's Discuss on draft-ietf-websec-key-pinning-19: (with DISCUSS)
X-BeenThere: websec@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/websec>, <mailto:websec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/websec/>
List-Post: <mailto:websec@ietf.org>
List-Help: <mailto:websec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/websec>, <mailto:websec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 25 Aug 2014 12:26:47 -0000

--bcaec51a8e56c50aa40501734c52
Content-Type: text/plain; charset=UTF-8

On Aug 25, 2014 4:39 AM, "Ted Lemon" <Ted.Lemon@nominum.com> wrote:
>
> On Aug 25, 2014, at 1:52 AM, Ryan Sleevi <sleevi@google.com> wrote:
> > The hostile attacker (the government) blocks DNSSEC, which now the UA
takes as a signal to drop the pin. In doing so, they now connect to the BAD
site with the BAD certificates, and note HOSTILE pins.
>
> If I'd suggested that this be how DNSSEC is used, that would definitely
be a problem.   What I actually suggested though was that DNSSEC be checked
to see if a conflicting key can be securely shown to exist.

You had originally stated:

The government could of course prevent DNSSEC validation, but the UA
could take this as another signal to drop the pin: if the zone where the
TLSA record should be fails to validate (as opposed to isn't signed,
which wouldn't signify anything), the pin is likely a censorship attempt.

In either case - blocking DNSSEC or mangling - if there is a way for the
attacker to EVER drop a pin, we can presume they will take it and exploit
it.

That's why I think the mitigations here are flawed, especially when they
rest on another network level signal. Dropping a pin - except for max-age -
is tantamount to a downgrade attack. We have seen enough of these in
elements like TLS version negotiation or in revocation checking, and
certainly with DNSSEC deployment, to know that downgrades are bad and
network signals are, at best, unreliable.

>
> > Or consider the operational risks of DNSSEC, which lacks formalized key
strengths or management lifecycles, and which, as evidence repeatedly shows
for DNS, can be transferred through court order. In this case, if a DNSSEC
TLSA record overrides the pinning, the site is again at the mercy of a
single point of failure. Thus we'd need DNSSEC pinning and DNSSEC
transparency.
>
> Which we already have, in the form of trust anchors and validation
chains.   Your court order attack works just as well for pinning as it does
for DNSSEC, so I don't see how this is relevant.

My point was that we have significant mitigations - in operational
requirements (quarterly audits), in business requirements (CA/Browser
Forum), and in technical mitigations (CT) - in place to deal with the court
order, such that there has never been any documentary evidence of one,
whereas such orders are weekly for DNS.

In this model, where again, a downgrade is a full compromise of the system,
I would rather prefer the devil I know with the mitigations I control than
that which I do not.

>
> > I don't mean for this to get into a larger debate about DNSSEC, merely
provide context for why it's not discussed as a mitigation in considering
hostile pins. I think I can fairly certainly say such a mitigation wouldn't
get implemented.
>
> That may be true.   The point of suggesting DNSSEC as a mitigation
strategy is that if we start to see hostile key pinning (nice term, BTW),
is not that it would necessarily get implemented today, but that once
hostile key pinning becomes a common attack, which I expect will happen
shortly after key pinning becomes widely deployed in its vulnerable state,
there will be a stronger motivation to implement some kind of strategy for
detecting it.
>

Can you describe why you believe it likely? Key pinning has been
implemented for some time in UAs, and we have yet to see any evidence of
this.

Its important to remember that hostile key pinning is solely a DOS vector,
AND it requires the attacker hold a valid cert that meets the UAs policy
requirements. Pinning exists as a means to reduce that risk further, and
works because the assumption is that the likelihood of such an event is
small that a TOFU solution can mitigate it to begin with.

> It may be that DNSSEC isn't the right strategy, but not having any
strategy at all seems like a bad idea.   Richard suggested offline that
certificate transparency might work; my concern with that is that there's
no way that I know of (not an expert, so maybe I just don't know) to detect
that you are being prevented from doing certificate transparency, and not
just unable to reach a server that does transparency.

I suspect you may misunderstand how CT works, but there is no extra "reach
a server doing CT" phase. To talk to the target is to talk to the server
doing CT.

> If in fact hostile key pinning can be mitigated using certificate
transparency, that would also address my discuss.
>
> Richard also suggested tunneling DANE validation chains over HTTP to
address the problem, which sounded to me like another good strategy that
gets around the DNSSEC functionality problem, although it does not get
around the DNSSEC deployment problem: sites that care to prevent hostile
pinning would still have to deploy DNSSEC to prevent it.
>
> It may also be that the right thing to do is just discuss the problem in
the security considerations section and punt on solving it until later.   I
can't really force you to address the problem now with a DISCUSS, nor would
I want to.  The point of the DISCUSS is to talk about it and figure out
what, if anything can be done.  It may be that there is nothing practical
that can be done.   It may also be that there is something practical that
can be done, but it should be done in a follow-on document.   Either answer
is fine with me if it's true, but the case needs to be made.
>

Sure, so it sounds like merely a description of hostile key pinning is
sufficient.

--bcaec51a8e56c50aa40501734c52
Content-Type: text/html; charset=UTF-8
Content-Transfer-Encoding: quoted-printable

<p dir=3D"ltr"><br>
On Aug 25, 2014 4:39 AM, &quot;Ted Lemon&quot; &lt;<a href=3D"mailto:Ted.Le=
mon@nominum.com">Ted.Lemon@nominum.com</a>&gt; wrote:<br>
&gt;<br>
&gt; On Aug 25, 2014, at 1:52 AM, Ryan Sleevi &lt;<a href=3D"mailto:sleevi@=
google.com">sleevi@google.com</a>&gt; wrote:<br>
&gt; &gt; The hostile attacker (the government) blocks DNSSEC, which now th=
e UA takes as a signal to drop the pin. In doing so, they now connect to th=
e BAD site with the BAD certificates, and note HOSTILE pins.<br>
&gt;<br>
&gt; If I&#39;d suggested that this be how DNSSEC is used, that would defin=
itely be a problem.=C2=A0 =C2=A0What I actually suggested though was that D=
NSSEC be checked to see if a conflicting key can be securely shown to exist=
.</p>

<p dir=3D"ltr">You had originally stated:</p>
<p dir=3D"ltr">The government could of course prevent DNSSEC validation, bu=
t the UA<br>
could take this as another signal to drop the pin: if the zone where the<br=
>
TLSA record should be fails to validate (as opposed to isn&#39;t signed,<br=
>
which wouldn&#39;t signify anything), the pin is likely a censorship attemp=
t.<br></p>
<p dir=3D"ltr">In either case - blocking DNSSEC or mangling - if there is a=
 way for the attacker to EVER drop a pin, we can presume they will take it =
and exploit it.</p>
<p dir=3D"ltr">That&#39;s why I think the mitigations here are flawed, espe=
cially when they rest on another network level signal. Dropping a pin - exc=
ept for max-age - is tantamount to a downgrade attack. We have seen enough =
of these in elements like TLS version negotiation or in revocation checking=
, and certainly with DNSSEC deployment, to know that downgrades are bad and=
 network signals are, at best, unreliable.<br>
</p>
<p dir=3D"ltr">&gt;<br>
&gt; &gt; Or consider the operational risks of DNSSEC, which lacks formaliz=
ed key strengths or management lifecycles, and which, as evidence repeatedl=
y shows for DNS, can be transferred through court order. In this case, if a=
 DNSSEC TLSA record overrides the pinning, the site is again at the mercy o=
f a single point of failure. Thus we&#39;d need DNSSEC pinning and DNSSEC t=
ransparency.<br>

&gt;<br>
&gt; Which we already have, in the form of trust anchors and validation cha=
ins.=C2=A0 =C2=A0Your court order attack works just as well for pinning as =
it does for DNSSEC, so I don&#39;t see how this is relevant.</p>
<p dir=3D"ltr">My point was that we have significant mitigations - in opera=
tional requirements (quarterly audits), in business requirements (CA/Browse=
r Forum), and in technical mitigations (CT) - in place to deal with the cou=
rt order, such that there has never been any documentary evidence of one, w=
hereas such orders are weekly for DNS.</p>

<p dir=3D"ltr">In this model, where again, a downgrade is a full compromise=
 of the system, I would rather prefer the devil I know with the mitigations=
 I control than that which I do not.</p>
<p dir=3D"ltr">&gt;<br>
&gt; &gt; I don&#39;t mean for this to get into a larger debate about DNSSE=
C, merely provide context for why it&#39;s not discussed as a mitigation in=
 considering hostile pins. I think I can fairly certainly say such a mitiga=
tion wouldn&#39;t get implemented.<br>

&gt;<br>
&gt; That may be true.=C2=A0 =C2=A0The point of suggesting DNSSEC as a miti=
gation strategy is that if we start to see hostile key pinning (nice term, =
BTW), is not that it would necessarily get implemented today, but that once=
 hostile key pinning becomes a common attack, which I expect will happen sh=
ortly after key pinning becomes widely deployed in its vulnerable state, th=
ere will be a stronger motivation to implement some kind of strategy for de=
tecting it.<br>

&gt;</p>
<p dir=3D"ltr">Can you describe why you believe it likely? Key pinning has =
been implemented for some time in UAs, and we have yet to see any evidence =
of this.</p>
<p dir=3D"ltr">Its important to remember that hostile key pinning is solely=
 a DOS vector, AND it requires the attacker hold a valid cert that meets th=
e UAs policy requirements. Pinning exists as a means to reduce that risk fu=
rther, and works because the assumption is that the likelihood of such an e=
vent is small that a TOFU solution can mitigate it to begin with.<br>
</p>
<p dir=3D"ltr">&gt; It may be that DNSSEC isn&#39;t the right strategy, but=
 not having any strategy at all seems like a bad idea.=C2=A0 =C2=A0Richard =
suggested offline that certificate transparency might work; my concern with=
 that is that there&#39;s no way that I know of (not an expert, so maybe I =
just don&#39;t know) to detect that you are being prevented from doing cert=
ificate transparency, and not just unable to reach a server that does trans=
parency.=C2=A0 </p>

<p dir=3D"ltr">I suspect you may misunderstand how CT works, but there is n=
o extra &quot;reach a server doing CT&quot; phase. To talk to the target is=
 to talk to the server doing CT.</p>
<p dir=3D"ltr">&gt;=C2=A0If in fact hostile key pinning can be mitigated us=
ing certificate transparency, that would also address my discuss.<br>
&gt;<br>
&gt; Richard also suggested tunneling DANE validation chains over HTTP to a=
ddress the problem, which sounded to me like another good strategy that get=
s around the DNSSEC functionality problem, although it does not get around =
the DNSSEC deployment problem: sites that care to prevent hostile pinning w=
ould still have to deploy DNSSEC to prevent it.<br>

&gt;<br>
&gt; It may also be that the right thing to do is just discuss the problem =
in the security considerations section and punt on solving it until later.=
=C2=A0 =C2=A0I can&#39;t really force you to address the problem now with a=
 DISCUSS, nor would I want to.=C2=A0 The point of the DISCUSS is to talk ab=
out it and figure out what, if anything can be done.=C2=A0 It may be that t=
here is nothing practical that can be done.=C2=A0 =C2=A0It may also be that=
 there is something practical that can be done, but it should be done in a =
follow-on document.=C2=A0 =C2=A0Either answer is fine with me if it&#39;s t=
rue, but the case needs to be made.<br>

&gt;</p>
<p dir=3D"ltr">Sure, so it sounds like merely a description of hostile key =
pinning is sufficient.</p>

--bcaec51a8e56c50aa40501734c52--


From nobody Mon Aug 25 09:51:57 2014
Return-Path: <kathleen.moriarty.ietf@gmail.com>
X-Original-To: websec@ietfa.amsl.com
Delivered-To: websec@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 105771A90B6; Mon, 25 Aug 2014 08:18:57 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level: 
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id MA5MXWx0yWCQ; Mon, 25 Aug 2014 08:18:52 -0700 (PDT)
Received: from mail-la0-x231.google.com (mail-la0-x231.google.com [IPv6:2a00:1450:4010:c03::231]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1071E1A89A9; Mon, 25 Aug 2014 08:18:01 -0700 (PDT)
Received: by mail-la0-f49.google.com with SMTP id hz20so12892819lab.8 for <multiple recipients>; Mon, 25 Aug 2014 08:18:00 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113;  h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=pg7EReP0v1JNwBiseZG/jpAlVpZIDu0EXM9TTu60Jwc=; b=tiOMEknnKNUsobob3H2VtqnXpKrNHRFixaf3nztfTitrbXVo6E0dnQ/hxE//kvRHni QhZzHQS159InfZWj5/+5nnebfWNwfpGK5VmIfLcCj5+EV1JMMh1iv1vyNmfp9aPWqp5A 5ljAEZ1ULT5QD1wv+WzbqSb3a5WPy6M5ZVGTbnk+0oTlcxjqoh2gn53Or9evPEbOxKQL 7ByN91gYoHeuFZo5Vskb4ds/oBqK0s24bUkUEobQseK9txki7E0Xap3Z+L4uZYodY0cA DnUV0Bqp3unVpLBRH2wZMBxcthL9RotBMRyd0dOUifz/nTRvozcxl5XONLoFDhZ8jfo6 1c/w==
MIME-Version: 1.0
X-Received: by 10.112.138.102 with SMTP id qp6mr20718884lbb.60.1408979880204;  Mon, 25 Aug 2014 08:18:00 -0700 (PDT)
Received: by 10.112.64.170 with HTTP; Mon, 25 Aug 2014 08:18:00 -0700 (PDT)
In-Reply-To: <CACvaWvYfEtHCHc8xFWg=W5AUzqNEAZjHzXn5YX8Sdzyumf-7ug@mail.gmail.com>
References: <20140807031550.1175.40039.idtracker@ietfa.amsl.com> <CACvaWvYfEtHCHc8xFWg=W5AUzqNEAZjHzXn5YX8Sdzyumf-7ug@mail.gmail.com>
Date: Mon, 25 Aug 2014 11:18:00 -0400
Message-ID: <CAHbuEH7jZg5oOR5UH7AKX6M78hKzA0gXEYmwagctgoyOYwKoaQ@mail.gmail.com>
From: Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com>
To: Ryan Sleevi <sleevi@google.com>
Content-Type: multipart/alternative; boundary=089e01183292415eed050175b16f
Archived-At: http://mailarchive.ietf.org/arch/msg/websec/nLKaBIKze-fk9Bl8ugEYHdpmukc
X-Mailman-Approved-At: Mon, 25 Aug 2014 09:51:50 -0700
Cc: draft-ietf-websec-key-pinning@tools.ietf.org, "<websec@ietf.org>" <websec@ietf.org>, The IESG <iesg@ietf.org>, websec-chairs@tools.ietf.org
Subject: Re: [websec] Kathleen Moriarty's Discuss on draft-ietf-websec-key-pinning-19: (with DISCUSS and COMMENT)
X-BeenThere: websec@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/websec>, <mailto:websec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/websec/>
List-Post: <mailto:websec@ietf.org>
List-Help: <mailto:websec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/websec>, <mailto:websec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 25 Aug 2014 15:18:57 -0000

--089e01183292415eed050175b16f
Content-Type: text/plain; charset=UTF-8

Helo Ryan,

Thank you for your response.  Please keep in mind that in most cases, I am
trying to help you clear up the language and ensure that the security and
privacy concerns are clearly understood in the draft to readers that might
include security professionals, CSIRT teams, security administration staff,
and others.  I do think the draft is good and would like to help progress
it, but do think some language fixes would be beneficial.

I read the draft again and will try to clarify the points below providing
suggested language where possible.


On Mon, Aug 25, 2014 at 1:44 AM, Ryan Sleevi <sleevi@google.com> wrote:

>
>
>
> On Wed, Aug 6, 2014 at 8:15 PM, Kathleen Moriarty <
> Kathleen.Moriarty.ietf@gmail.com> wrote:
>
>> Kathleen Moriarty has entered the following ballot position for
>> draft-ietf-websec-key-pinning-19: Discuss
>>
>> When responding, please keep the subject line intact and reply to all
>> email addresses included in the To and CC lines. (Feel free to cut this
>> introductory paragraph, however.)
>>
>>
>> Please refer to http://www.ietf.org/iesg/statement/discuss-criteria.html
>> for more information about IESG DISCUSS and COMMENT positions.
>>
>>
>> The document, along with other ballot positions, can be found here:
>> http://datatracker.ietf.org/doc/draft-ietf-websec-key-pinning/
>>
>>
>>
>> ----------------------------------------------------------------------
>> DISCUSS:
>> ----------------------------------------------------------------------
>>
>> Overall the draft is very good, thank you for writing it.  I just wanted
>> to discuss some of the security/privacy considerations and see if we
>> could improve the language and make sure the set of concerns are clear.
>>
>> The privacy consideration section reads more like possible attack
>> scenarios that would fit into the security considerations.  What privacy
>> related concerns result from these attacks?  Having that spelled out to
>> differentiate the risks as privacy only would be helpful (if appropriate)
>> or moving this into the security consideration section *IF* it is more
>> generically applicable.  If I am missing something and this is only
>> privacy related, it would be good to understand that in this discussion.
>>  Adding some text on how these attacks could be used to expose privacy
>> related information would be helpful too.
>>
>
> The first paragraph spells out precisely why this is listed as a privacy
> consideration:
>
>    Hosts can use HSTS or HPKP as a "super-cookie", by setting distinct
>    policies for a number of subdomains.  For example, assume example.com
>    wishes to track distinct UAs without explicitly setting a cookie, or
>    if a previously-set cookie is deleted from the UA's cookie store.
>
> Neither of these attacks undermine the protections afforded by HPKP.
> Indeed, they exist precisely BECAUSE of HPKP offering a new means of web
> storage. Essentially, all storage mechanisms introduced when dealing with
> sites - whether it be cookies, new APIs like IndexedDB, exposure of
> persistent storage such as cryptographic keys, or, as in both HSTS and
> HPKP, remembering data about a previously visited site - represent new and
> potential ways to uniquely identify a user, which the two examples spell
> out.
>
>
>>
>> For the first example, it seems it is the possibility that a report goes
>> outside out the intended scope is the concern.  The mitigation seems to
>> be provided in the last sentence of #4, but couldn't this be other
>> information leakage and not just privacy?  Let me know if I am missing
>> something that explains why this is privacy specific.
>>
>
> I'm not sure how that was reached, as the description of the risk was
> explicitly enumerated
>
>    and the ability to pin arbitrary identifiers to distinguish UAs.
>
> This is also reiterated in the #2 and #3.
>
> The same applies to the second example, which hopefully the above
> explanation is sufficient to demonstrate how the spec already highlights,
> in several means, how this is a privacy issue (distinguishing the user
> independent of cookies, aka a "super-cookie")
>

In reading the draft again, the language issue for me was with the usage of
"report" in the text.  After looking at this draft again, it seems the only
report type discussed is a "pin validation failure report", in reading up
on other uses of report-uri (W3C) it seems to be tied to a header, in this
case PKP-RO response header.  The term report is pretty generic on it's own
and this is where my confusion came in, since that wasn't explicitly stated
(these are tied together and it's the only report discussed).  When you get
to the privacy section, it just lists the term report on it's own and not
as a specific report.  There is no mention of the report type in that
section, and yes, I probably should have realized that it was tied to the
response header.  I do see that is the only report discussed in the draft,
but was not well-versed in this area, so it wasn't clear to me on first
read.  That may be fine for most readers, but it wouldn't hurt to state the
use of the term 'report' in this draft is specific to "pin validation
failure report" in section 2.1.3 or to mention the report type again in the
privacy section.  My discuss comments above were all related to the generic
term "report".  I'll let it go if you feel strongly that this is not
necessary since I was able to figure it out on a second read.

>
>
>>
>> In #3 of the second example, the last sentence includes the following
>> clause:
>>           and giving some UAs no
>>           Valid Pinning Header for other subdomains (causing subsequent
>>           requests for m.fingerprint.example.com to succeed).
>>
>> Does this mean that these subdomains are succeeding when they should
>> fail?  It might just be me, but that is not clear in the text (or if they
>> are supposed to succeed).  It sounds like they are not supposed to
>> succeed and this is the security issue.  How is this privacy specific?
>> Again, this may just be me, but an explanation would be helpful.
>
>
> Do the above references to the existing portions of the spec make this
> clearer?
>

In this case, I'd like to see clearer language that describes the issue and
includes why it is an issue.  I am okay on the privacy specific questions
as that was because of the generic use of the term "report" and I was able
to figure out that was the cause of my concerns from my first read of the
draft. Bullet #3 is a run-on sentence and both fixing that and including
implications would go a long way.  Here is the current bullet:

      3.  example.com can distinguish 2^N UAs by serving Valid Pinning
          Headers from an arbitrary number N distinct subdomains, giving
          some UAs Valid Pinning Headers for some, but not all
          subdomains (causing subsequent requests for
          n.fingerprint.example.com to fail), and giving some UAs no
          Valid Pinning Header for other subdomains (causing subsequent
          requests for m.fingerprint.example.com to succeed).


Here is a suggestion, please teak the language if I didn't get this quite right:


      3.  example.com can distinguish 2^N UAs by serving Valid Pinning
          Headers from an arbitrary number N distinct subdomains.

          Assume in this example, Valid Pinning headers are assigned

          for subdomains n.fingerprint.example.com and the includeSubDomain

          directive was intended to cover all subdomains

          m.fingerprint.example.com. Where Valid Pinning Headers were

          assigned, some were given to UAs but not for all subdomains causing

                    subsequent requests for n.fingerprint.example.com
to fail.  Valid Pinning Header are

                    not given to some UAs for other subdomains,
causing subsequent

          requests for m.fingerprint.example.com to succeed.


> As noted above, the attack is about identifying and tracking users through
> means other than cookies. Such attacks are also known as "super-cookies",
> which is the term explicitly used in the introduction of these attacks.
>
> As noted, the attacker is the site serving the headers itself, which is
> why it's a privacy issue.
>
Thanks.

>
>
>>
>> In the last sentence of the privacy considerations section, what is meant
>> by the description "forensic attacker"?  I find this term confusing.  Was
>> this intended to mean that techniques used in forensic analysis could be
>> used by an attacker to discern information that could be of interest?  If
>> that's the case, I think it would be clearer to the reader if that were
>> stated instead.
>>
>
> This was in response to Alissa Cooper's YES vote, in which a threat model
> of an attacker with physical access to the machine attempts to recover
> state of the user's browsing history, which the UA had otherwise cleared.
>

Sure, I have no problem with the point, but would like to see the commonly
used terms for this attack type to avoid confusion for the reader.  The
term "forensic attacker" isn't one used in the incident response space, so
if you could replace that term with what I think is the intended meaning,
"forensic analysis techniques could be used by an attacker to discern this
information that could be of interest (or useful)", would help.  We don't
usually cover attack types that require full exploit of the system or
physical access, so if this got dropped, that would be fine too.  The use
of such tools isn't limited to physical access, but also is possible once
the host is compromised and such tools can be installed and used by an
attacker (much higher likelihood than a physical access attack).  The
current text does not make a distinction and that is good, I don't think
you should be getting too deep here anyway.

Propose change from:

   A forensic attacker might
   find this information useful, even if the user has cleared other
   parts of the UA's state.


To:

     Forensic analysis techniques could be used by an attacker to
discern this information and

     may find it useful, even if the user has cleared other
   parts of the UA's state.



> Per Eric Lawrence's feedback, this third section will be reworked into
> it's own privacy consideration bullet, and hopefully you'll find the
> clarification suitable.
>
>
Thanks for you work on this section.

>
>>
>> ----------------------------------------------------------------------
>> COMMENT:
>> ----------------------------------------------------------------------
>>
>> I agree with Richard's comment that the document is well written and an
>> important document, thank you for writing it.  The style changed a little
>> toward the end and I had some trouble with long sentences in the security
>> & privacy considerations sections.  This should be easy enough to fix and
>> may be done with the RFC editor anyway.
>>
>> To Richard's point on operational concerns versus security concerns, are
>> there explicit security attacks that could occur with the max-age
>> variations described?
>>
>> In 4.2, I can't see this being more than an operational concern since it
>> fails when overlapping pin sets are not used.  Are we missing a gap that
>> leads to a security concern?
>>
>
> I suppose it depends on your threat model and how you view domain
> authority.
>
> In the example given, subdomain.example.com is bypassing the pins set for
> example.com+includeSubDomains, depending on timing. That is, if
> example.com is visited first, then subdomain.example.com MUST be
> equal-to-or-a-subset-of the pins for example.com, by virtue of the known
> pinned host evaluation.
>
> Thus if example.com wishes to administer pins for their domain (and all
> subdomains), it's necessary for them to prevent subdomains from setting the
> header.
>
> Now, you can see this as an operational concern if you view the
> example.com and subdomain.example.com as the same administrative entity,
> but that's sometimes not the case (e.g. shared hosting sites like Amazon
> AWS, GitHub's pages, or Google AppEngine)
>

Thanks for the explanation, it would be helpful to have something along
those lines in the draft This is a non-blocking comment, so ignore if you
so choose, but here is a suggestion to clarify this as a security concern
(in addition to an operational one).  Perhaps if you explicitly stated that
a denial of service could result from this configuration issue, that would
help.  Also stating the concern is heightened in a service provider
environment or one where a single domain is used across administratively
distinct applications, recommending that the includeSubDomain directive
should not be used in such circumstances to avoid this issue.

>
>
>
>>
>> 4.3 makes sense to me as a security concern that drives operational
>> practices.
>>
>>
>>
> Thanks!


-- 

Best regards,
Kathleen

--089e01183292415eed050175b16f
Content-Type: text/html; charset=UTF-8
Content-Transfer-Encoding: quoted-printable

<div dir=3D"ltr">Helo Ryan,<div><br></div><div>Thank you for your response.=
 =C2=A0Please keep in mind that in most cases, I am trying to help you clea=
r up the language and ensure that the security and privacy concerns are cle=
arly understood in the draft to readers that might include security profess=
ionals, CSIRT teams, security administration staff, and others. =C2=A0I do =
think the draft is good and would like to help progress it, but do think so=
me language fixes would be beneficial.=C2=A0</div>
<div><br></div><div>I read the draft again and will try to clarify the poin=
ts below providing suggested language where possible.</div><div class=3D"gm=
ail_extra"><br><br><div class=3D"gmail_quote">On Mon, Aug 25, 2014 at 1:44 =
AM, Ryan Sleevi <span dir=3D"ltr">&lt;<a href=3D"mailto:sleevi@google.com" =
target=3D"_blank">sleevi@google.com</a>&gt;</span> wrote:<br>
<blockquote class=3D"gmail_quote" style=3D"margin:0px 0px 0px 0.8ex;border-=
left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;p=
adding-left:1ex"><div dir=3D"ltr"><br><div class=3D"gmail_extra"><br><br><d=
iv class=3D"gmail_quote">
<div><div class=3D"h5">On Wed, Aug 6, 2014 at 8:15 PM, Kathleen Moriarty <s=
pan dir=3D"ltr">&lt;<a href=3D"mailto:Kathleen.Moriarty.ietf@gmail.com" tar=
get=3D"_blank">Kathleen.Moriarty.ietf@gmail.com</a>&gt;</span> wrote:<br>
<blockquote class=3D"gmail_quote" style=3D"margin:0px 0px 0px 0.8ex;border-=
left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;p=
adding-left:1ex">Kathleen Moriarty has entered the following ballot positio=
n for<br>


draft-ietf-websec-key-pinning-19: Discuss<br>
<br>
When responding, please keep the subject line intact and reply to all<br>
email addresses included in the To and CC lines. (Feel free to cut this<br>
introductory paragraph, however.)<br>
<br>
<br>
Please refer to <a href=3D"http://www.ietf.org/iesg/statement/discuss-crite=
ria.html" target=3D"_blank">http://www.ietf.org/iesg/statement/discuss-crit=
eria.html</a><br>
for more information about IESG DISCUSS and COMMENT positions.<br>
<br>
<br>
The document, along with other ballot positions, can be found here:<br>
<a href=3D"http://datatracker.ietf.org/doc/draft-ietf-websec-key-pinning/" =
target=3D"_blank">http://datatracker.ietf.org/doc/draft-ietf-websec-key-pin=
ning/</a><br>
<br>
<br>
<br>
----------------------------------------------------------------------<br>
DISCUSS:<br>
----------------------------------------------------------------------<br>
<br>
Overall the draft is very good, thank you for writing it.=C2=A0 I just want=
ed<br>
to discuss some of the security/privacy considerations and see if we<br>
could improve the language and make sure the set of concerns are clear.<br>
<br>
The privacy consideration section reads more like possible attack<br>
scenarios that would fit into the security considerations.=C2=A0 What priva=
cy<br>
related concerns result from these attacks?=C2=A0 Having that spelled out t=
o<br>
differentiate the risks as privacy only would be helpful (if appropriate)<b=
r>
or moving this into the security consideration section *IF* it is more<br>
generically applicable.=C2=A0 If I am missing something and this is only<br=
>
privacy related, it would be good to understand that in this discussion.<br=
>
=C2=A0Adding some text on how these attacks could be used to expose privacy=
<br>
related information would be helpful too.<br></blockquote><div><br></div></=
div></div><div><div><span style=3D"font-family:arial,sans-serif;font-size:1=
3px">The first paragraph spells out precisely why this is listed as a priva=
cy consideration:</span></div>

<div><span style=3D"color:rgb(0,0,0);font-size:1em"><br></span></div><span =
style=3D"font-size:1em;color:rgb(0,0,0)"></span><font face=3D"courier new, =
monospace">=C2=A0 =C2=A0Hosts can use HSTS or HPKP as a &quot;super-cookie&=
quot;, by setting distinct<br>

=C2=A0 =C2=A0policies for a number of subdomains. =C2=A0For example, assume=
 <a href=3D"http://example.com" target=3D"_blank">example.com</a><br>=C2=A0=
 =C2=A0wishes to track distinct UAs without explicitly setting a cookie, or=
<br>=C2=A0 =C2=A0if a previously-set cookie is deleted from the UA&#39;s co=
okie store.</font><div>

<font face=3D"courier new, monospace"><br></font></div><div><font face=3D"a=
rial, helvetica, sans-serif">Neither of these attacks undermine the protect=
ions afforded by HPKP. Indeed, they exist precisely BECAUSE of HPKP offerin=
g a new means of web storage. Essentially, all storage mechanisms introduce=
d when dealing with sites - whether it be cookies, new APIs like IndexedDB,=
 exposure of persistent storage such as cryptographic keys, or, as in both =
HSTS and HPKP, remembering data about a previously visited site - represent=
 new and potential ways to uniquely identify a user, which the two examples=
 spell out.</font></div>

</div><div class=3D""><div>=C2=A0</div><blockquote class=3D"gmail_quote" st=
yle=3D"margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb=
(204,204,204);border-left-style:solid;padding-left:1ex">
<br>
For the first example, it seems it is the possibility that a report goes<br=
>
outside out the intended scope is the concern.=C2=A0 The mitigation seems t=
o<br>
be provided in the last sentence of #4, but couldn&#39;t this be other<br>
information leakage and not just privacy?=C2=A0 Let me know if I am missing=
<br>
something that explains why this is privacy specific.<br></blockquote><div>=
<br></div></div><div><div>I&#39;m not sure how that was reached, as the des=
cription of the risk was explicitly enumerated</div><div><br></div><span st=
yle=3D"font-family:&#39;courier new&#39;,monospace">=C2=A0 =C2=A0</span><fo=
nt face=3D"courier new, monospace">and the ability to pin arbitrary identif=
iers to distinguish UAs.</font><div>

<font face=3D"courier new, monospace"><br></font></div><div>This is also re=
iterated in the #2 and #3.</div><div><br></div><div>The same applies to the=
 second example, which hopefully the above explanation is sufficient to dem=
onstrate how the spec already highlights, in several means, how this is a p=
rivacy issue (distinguishing the user independent of cookies, aka a &quot;s=
uper-cookie&quot;)</div>
</div></div></div></div></blockquote><div><br></div><div>In reading the dra=
ft again, the language issue for me was with the usage of &quot;report&quot=
; in the text. =C2=A0After looking at this draft again, it seems the only r=
eport type discussed is a &quot;pin validation failure report&quot;, in rea=
ding up on other uses of report-uri (W3C) it seems to be tied to a header, =
in this case PKP-RO response header. =C2=A0The term report is pretty generi=
c on it&#39;s own and this is where my confusion came in, since that wasn&#=
39;t explicitly stated (these are tied together and it&#39;s the only repor=
t discussed). =C2=A0When you get to the privacy section, it just lists the =
term report on it&#39;s own and not as a specific report. =C2=A0There is no=
 mention of the report type in that section, and yes, I probably should hav=
e realized that it was tied to the response header. =C2=A0I do see that is =
the only report discussed in the draft, but was not well-versed in this are=
a, so it wasn&#39;t clear to me on first read. =C2=A0That may be fine for m=
ost readers, but it wouldn&#39;t hurt to state the use of the term &#39;rep=
ort&#39; in this draft is specific to &quot;pin validation failure report&q=
uot; in section 2.1.3 or to mention the report type again in the privacy se=
ction. =C2=A0My discuss comments above were all related to the generic term=
 &quot;report&quot;. =C2=A0I&#39;ll let it go if you feel strongly that thi=
s is not necessary since I was able to figure it out on a second read.=C2=
=A0</div>
<blockquote class=3D"gmail_quote" style=3D"margin:0px 0px 0px 0.8ex;border-=
left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;p=
adding-left:1ex"><div dir=3D"ltr"><div class=3D"gmail_extra"><div class=3D"=
gmail_quote">
<div>
</div><div class=3D""><div>=C2=A0</div><blockquote class=3D"gmail_quote" st=
yle=3D"margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb=
(204,204,204);border-left-style:solid;padding-left:1ex">
<br>
In #3 of the second example, the last sentence includes the following<br>
clause:<br>
=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 and giving some UAs no<br>
=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 Valid Pinning Header for other subdomain=
s (causing subsequent<br>
=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 requests for <a href=3D"http://m.fingerp=
rint.example.com" target=3D"_blank">m.fingerprint.example.com</a> to succee=
d).<br>
<br>
Does this mean that these subdomains are succeeding when they should<br>
fail?=C2=A0 It might just be me, but that is not clear in the text (or if t=
hey<br>
are supposed to succeed).=C2=A0 It sounds like they are not supposed to<br>
succeed and this is the security issue.=C2=A0 How is this privacy specific?=
<br>
Again, this may just be me, but an explanation would be helpful.=C2=A0</blo=
ckquote><div><br></div></div><div>Do the above references to the existing p=
ortions of the spec make this clearer?</div></div></div></div></blockquote>
<div>=C2=A0</div><div>In this case, I&#39;d like to see clearer language th=
at describes the issue and includes why it is an issue. =C2=A0I am okay on =
the privacy specific questions as that was because of the generic use of th=
e term &quot;report&quot; and I was able to figure out that was the cause o=
f my concerns from my first read of the draft. Bullet #3 is a run-on senten=
ce and both fixing that and including implications would go a long way. =C2=
=A0Here is the current bullet:</div>
<div><br></div><div><pre style=3D"line-height:1.2em;margin-top:0px;margin-b=
ottom:0px;color:rgb(0,0,0);font-size:12.727272033691406px">      3.  <a hre=
f=3D"http://example.com">example.com</a> can distinguish 2^N UAs by serving=
 Valid Pinning
          Headers from an arbitrary number N distinct subdomains, giving
          some UAs Valid Pinning Headers for some, but not all
          subdomains (causing subsequent requests for
          <a href=3D"http://n.fingerprint.example.com">n.fingerprint.exampl=
e.com</a> to fail), and giving some UAs no
          Valid Pinning Header for other subdomains (causing subsequent
          requests for <a href=3D"http://m.fingerprint.example.com">m.finge=
rprint.example.com</a> to succeed).</pre><pre style=3D"line-height:1.2em;ma=
rgin-top:0px;margin-bottom:0px;color:rgb(0,0,0);font-size:12.72727203369140=
6px">
<br></pre><pre style=3D"line-height:1.2em;margin-top:0px;margin-bottom:0px;=
color:rgb(0,0,0);font-size:12.727272033691406px">Here is a suggestion, plea=
se teak the language if I didn&#39;t get this quite right:</pre><pre style=
=3D"line-height:1.2em;margin-top:0px;margin-bottom:0px;color:rgb(0,0,0);fon=
t-size:12.727272033691406px">
<br></pre><pre style=3D"line-height:1.2em;margin-top:0px;margin-bottom:0px;=
color:rgb(0,0,0);font-size:12.727272033691406px"><pre style=3D"line-height:=
1.2em;margin-top:0px;margin-bottom:0px;font-size:12.727272033691406px">    =
  3.  <a href=3D"http://example.com">example.com</a> can distinguish 2^N UA=
s by serving Valid Pinning
          Headers from an arbitrary number N distinct subdomains.</pre><pre=
 style=3D"line-height:1.2em;margin-top:0px;margin-bottom:0px;font-size:12.7=
27272033691406px">          Assume in this example, Valid Pinning headers a=
re assigned</pre>
<pre style=3D"line-height:1.2em;margin-top:0px;margin-bottom:0px;font-size:=
12.727272033691406px">          for subdomains <a href=3D"http://n.fingerpr=
int.example.com">n.fingerprint.example.com</a> and the includeSubDomain</pr=
e>
<pre style=3D"line-height:1.2em;margin-top:0px;margin-bottom:0px;font-size:=
12.727272033691406px">          directive was intended to cover all subdoma=
ins</pre><pre style=3D"line-height:1.2em;margin-top:0px;margin-bottom:0px;f=
ont-size:12.727272033691406px">
          <a href=3D"http://m.fingerprint.example.com">m.fingerprint.exampl=
e.com</a>. Where Valid Pinning Headers were</pre><pre style=3D"line-height:=
1.2em;margin-top:0px;margin-bottom:0px;font-size:12.727272033691406px">    =
      assigned, some were given to UAs but<span style=3D"font-size:12.72727=
2033691406px;line-height:1.2em;font-family:arial"> not for all subdomains <=
/span><span style=3D"font-size:12.727272033691406px;line-height:1.2em;font-=
family:arial">causing</span></pre>
<pre style=3D"line-height:1.2em;margin-top:0px;margin-bottom:0px;font-size:=
12.727272033691406px"><span style=3D"font-size:12.727272033691406px;line-he=
ight:1.2em;font-family:arial">                    subsequent requests for <=
/span><span style=3D"font-size:12.727272033691406px;line-height:1.2em;font-=
family:arial"><a href=3D"http://n.fingerprint.example.com">n.fingerprint.ex=
ample.com</a> to fail. </span><span style=3D"font-size:12.727272033691406px=
;line-height:1.2em;font-family:arial"> Valid Pinning Header are</span></pre=
>
<pre style=3D"line-height:1.2em;margin-top:0px;margin-bottom:0px;font-size:=
12.727272033691406px"><span style=3D"font-size:12.727272033691406px;line-he=
ight:1.2em;font-family:arial">                    not given to some UAs for=
 other subdomains, causing subsequent</span></pre>
<pre style=3D"line-height:1.2em;margin-top:0px;margin-bottom:0px;font-size:=
12.727272033691406px">          requests for <a href=3D"http://m.fingerprin=
t.example.com">m.fingerprint.example.com</a> to succeed.</pre></pre></div><=
blockquote class=3D"gmail_quote" style=3D"margin:0px 0px 0px 0.8ex;border-l=
eft-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;pa=
dding-left:1ex">
<div dir=3D"ltr"><div class=3D"gmail_extra"><div class=3D"gmail_quote"><div=
><br></div><div>As noted above, the attack is about identifying and trackin=
g users through means other than cookies. Such attacks are also known as &q=
uot;super-cookies&quot;, which is the term explicitly used in the introduct=
ion of these attacks.</div>

<div><br></div><div>As noted, the attacker is the site serving the headers =
itself, which is why it&#39;s a privacy issue.</div></div></div></div></blo=
ckquote><div>Thanks.=C2=A0</div><blockquote class=3D"gmail_quote" style=3D"=
margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,20=
4,204);border-left-style:solid;padding-left:1ex">
<div dir=3D"ltr"><div class=3D"gmail_extra"><div class=3D"gmail_quote"><div=
 class=3D""><div>=C2=A0</div><blockquote class=3D"gmail_quote" style=3D"mar=
gin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,2=
04);border-left-style:solid;padding-left:1ex">


<br>
In the last sentence of the privacy considerations section, what is meant<b=
r>
by the description &quot;forensic attacker&quot;?=C2=A0 I find this term co=
nfusing.=C2=A0 Was<br>
this intended to mean that techniques used in forensic analysis could be<br=
>
used by an attacker to discern information that could be of interest?=C2=A0=
 If<br>
that&#39;s the case, I think it would be clearer to the reader if that were=
<br>
stated instead.<br></blockquote><div><br></div></div><div>This was in respo=
nse to Alissa Cooper&#39;s YES vote, in which a threat model of an attacker=
 with physical access to the machine attempts to recover state of the user&=
#39;s browsing history, which the UA had otherwise cleared.</div>
</div></div></div></blockquote><div><br></div><div>Sure, I have no problem =
with the point, but would like to see the commonly used terms for this atta=
ck type to avoid confusion for the reader. =C2=A0The term &quot;forensic at=
tacker&quot; isn&#39;t one used in the incident response space, so if you c=
ould replace that term with what I think is the intended meaning, &quot;for=
ensic analysis techniques could be used by an attacker to discern this info=
rmation that could be of interest (or useful)&quot;, would help. =C2=A0We d=
on&#39;t usually cover attack types that require full exploit of the system=
 or physical access, so if this got dropped, that would be fine too. =C2=A0=
The use of such tools isn&#39;t limited to physical access, but also is pos=
sible once the host is compromised and such tools can be installed and used=
 by an attacker (much higher likelihood than a physical access attack). =C2=
=A0The current text does not make a distinction and that is good, I don&#39=
;t think you should be getting too deep here anyway.</div>
<div><br></div><div>Propose change from:</div><div><pre style=3D"line-heigh=
t:1.2em;margin-top:0px;margin-bottom:0px;color:rgb(0,0,0);font-size:12.7272=
72033691406px">   A forensic attacker might
   find this information useful, even if the user has cleared other
   parts of the UA&#39;s state.</pre><pre style=3D"line-height:1.2em;margin=
-top:0px;margin-bottom:0px;color:rgb(0,0,0);font-size:12.727272033691406px"=
><br></pre><pre style=3D"line-height:1.2em;margin-top:0px;margin-bottom:0px=
;color:rgb(0,0,0);font-size:12.727272033691406px">
To:</pre><pre style=3D"line-height:1.2em;margin-top:0px;margin-bottom:0px;c=
olor:rgb(0,0,0);font-size:12.727272033691406px"><pre style=3D"line-height:1=
.2em;margin-top:0px;margin-bottom:0px;font-size:12.727272033691406px"><span=
 style=3D"color:rgb(34,34,34);font-family:arial;font-size:small;line-height=
:normal;white-space:normal">=C2=A0 =C2=A0 =C2=A0Forensic analysis technique=
s could be used by an attacker to discern this information and</span></pre>
<pre style=3D"line-height:1.2em;margin-top:0px;margin-bottom:0px;font-size:=
12.727272033691406px"><span style=3D"color:rgb(34,34,34);font-family:arial;=
font-size:small;line-height:normal;white-space:normal">=C2=A0 =C2=A0 =C2=A0=
may find it useful</span>, even if the user has cleared other
   parts of the UA&#39;s state.</pre><pre style=3D"line-height:1.2em;margin=
-top:0px;margin-bottom:0px;font-size:12.727272033691406px"><br></pre></pre>=
</div><blockquote class=3D"gmail_quote" style=3D"margin:0px 0px 0px 0.8ex;b=
order-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:s=
olid;padding-left:1ex">
<div dir=3D"ltr"><div class=3D"gmail_extra"><div class=3D"gmail_quote">
<div><br></div><div>Per Eric Lawrence&#39;s feedback, this third section wi=
ll be reworked into it&#39;s own privacy consideration bullet, and hopefull=
y you&#39;ll find the clarification suitable.</div><div class=3D""><div>
=C2=A0</div></div></div></div></div></blockquote><div>Thanks for you work o=
n this section.=C2=A0</div><blockquote class=3D"gmail_quote" style=3D"margi=
n:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204=
);border-left-style:solid;padding-left:1ex">
<div dir=3D"ltr"><div class=3D"gmail_extra"><div class=3D"gmail_quote"><div=
 class=3D""><blockquote class=3D"gmail_quote" style=3D"margin:0px 0px 0px 0=
.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-s=
tyle:solid;padding-left:1ex">


<br>
<br>
----------------------------------------------------------------------<br>
COMMENT:<br>
----------------------------------------------------------------------<br>
<br>
I agree with Richard&#39;s comment that the document is well written and an=
<br>
important document, thank you for writing it.=C2=A0 The style changed a lit=
tle<br>
toward the end and I had some trouble with long sentences in the security<b=
r>
&amp; privacy considerations sections.=C2=A0 This should be easy enough to =
fix and<br>
may be done with the RFC editor anyway.<br>
<br>
To Richard&#39;s point on operational concerns versus security concerns, ar=
e<br>
there explicit security attacks that could occur with the max-age<br>
variations described?<br>
<br>
In 4.2, I can&#39;t see this being more than an operational concern since i=
t<br>
fails when overlapping pin sets are not used.=C2=A0 Are we missing a gap th=
at<br>
leads to a security concern?<br></blockquote><div><br></div></div><div><div=
><div>I suppose it depends on your threat model and how you view domain aut=
hority.</div><div><br></div><div>In the example given, <a href=3D"http://su=
bdomain.example.com" target=3D"_blank">subdomain.example.com</a> is bypassi=
ng the pins set for <a href=3D"http://example.com" target=3D"_blank">exampl=
e.com</a>+includeSubDomains, depending on timing. That is, if <a href=3D"ht=
tp://example.com" target=3D"_blank">example.com</a> is visited first, then =
<a href=3D"http://subdomain.example.com" target=3D"_blank">subdomain.exampl=
e.com</a> MUST be equal-to-or-a-subset-of the pins for <a href=3D"http://ex=
ample.com" target=3D"_blank">example.com</a>, by virtue of the known pinned=
 host evaluation.</div>

<div><br></div><div>Thus if <a href=3D"http://example.com" target=3D"_blank=
">example.com</a> wishes to administer pins for their domain (and all subdo=
mains), it&#39;s necessary for them to prevent subdomains from setting the =
header.</div>
<div>
<br></div><div>Now, you can see this as an operational concern if you view =
the <a href=3D"http://example.com" target=3D"_blank">example.com</a> and <a=
 href=3D"http://subdomain.example.com" target=3D"_blank">subdomain.example.=
com</a> as the same administrative entity, but that&#39;s sometimes not the=
 case (e.g. shared hosting sites like Amazon AWS, GitHub&#39;s pages, or Go=
ogle AppEngine)</div>
</div></div></div></div></div></blockquote><div><br></div><div>Thanks for t=
he explanation, it would be helpful to have something along those lines in =
the draft This is a non-blocking comment, so ignore if you so choose, but h=
ere is a suggestion to clarify this as a security concern (in addition to a=
n operational one). =C2=A0Perhaps if you explicitly stated that a denial of=
 service could result from this configuration issue, that would help. =C2=
=A0Also stating the concern is heightened in a service provider environment=
 or one where a single domain is used across administratively distinct appl=
ications, recommending that the includeSubDomain directive should not be us=
ed in such circumstances to avoid this issue.</div>
<blockquote class=3D"gmail_quote" style=3D"margin:0px 0px 0px 0.8ex;border-=
left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;p=
adding-left:1ex"><div dir=3D"ltr"><div class=3D"gmail_extra"><div class=3D"=
gmail_quote">
<div><div>
</div></div><div class=3D""><div><br></div><div>=C2=A0</div><blockquote cla=
ss=3D"gmail_quote" style=3D"margin:0px 0px 0px 0.8ex;border-left-width:1px;=
border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex=
">
<br>
4.3 makes sense to me as a security concern that drives operational<br>
practices.<br>
<br>
<br>
</blockquote></div></div><br></div></div>
</blockquote></div>Thanks!<br><br clear=3D"all"><div><br></div>-- <br><div =
dir=3D"ltr"><br><div>Best regards,</div><div>Kathleen</div></div>
</div></div>

--089e01183292415eed050175b16f--


From ericlaw1979@hotmail.com  Mon Aug 25 11:07:40 2014
Return-Path: <ericlaw1979@hotmail.com>
X-Original-To: websec@ietfa.amsl.com
Delivered-To: websec@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 08BC51A01D5 for <websec@ietfa.amsl.com>; Mon, 25 Aug 2014 11:07:40 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 1.364
X-Spam-Level: *
X-Spam-Status: No, score=1.364 tagged_above=-999 required=5 tests=[BAYES_50=0.8, FREEMAIL_ENVFROM_END_DIGIT=0.25, FREEMAIL_FROM=0.001, HTML_FONT_FACE_BAD=0.981, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RP_MATCHES_RCVD=-0.668, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id E0YbgOam0XiF for <websec@ietfa.amsl.com>; Mon, 25 Aug 2014 11:07:37 -0700 (PDT)
Received: from BAY004-OMC1S1.hotmail.com (bay004-omc1s1.hotmail.com [65.54.190.12]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A0D791A00DC for <websec@ietf.org>; Mon, 25 Aug 2014 11:07:37 -0700 (PDT)
Received: from BAY169-DS45 ([65.54.190.60]) by BAY004-OMC1S1.hotmail.com over TLS secured channel with Microsoft SMTPSVC(7.5.7601.22712);  Mon, 25 Aug 2014 11:07:37 -0700
X-TMN: [ShSZKK4Qdaw7yHimgdhk23oT6xwF664o]
X-Originating-Email: [ericlaw1979@hotmail.com]
Message-ID: <BAY169-DS45F1C5036AB09CA44D0BC7AEDF0@phx.gbl>
From: "Eric Lawrence" <ericlaw1979@hotmail.com>
To: "Ryan Sleevi" <sleevi@google.com>
References: <BAY169-DS62B5941BF0A9024964BB0AEEE0@phx.gbl> <CACvaWvYHAmpX0f9_m-sckhWz9tcyWA-sxVR4vP-A5UcAQmnYXA@mail.gmail.com>
In-Reply-To: <CACvaWvYHAmpX0f9_m-sckhWz9tcyWA-sxVR4vP-A5UcAQmnYXA@mail.gmail.com>
Date: Mon, 25 Aug 2014 13:07:36 -0500
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="----=_NextPart_000_000D_01CFC065.8A6C0A80"
X-Priority: 3
X-MSMail-Priority: Normal
Importance: Normal
X-Mailer: Microsoft Windows Live Mail 16.4.3528.331
X-MimeOLE: Produced By Microsoft MimeOLE V16.4.3528.331
X-OriginalArrivalTime: 25 Aug 2014 18:07:37.0319 (UTC) FILETIME=[73D46770:01CFC08F]
Archived-At: http://mailarchive.ietf.org/arch/msg/websec/qvnqLlxNo_KSTjtFbiRMvO1vNWM
X-Mailman-Approved-At: Mon, 25 Aug 2014 11:35:51 -0700
Cc: draft-ietf-websec-key-pinning@tools.ietf.org, websec@ietf.org
Subject: Re: [websec] draft-ietf-websec-key-pinning
X-BeenThere: websec@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/websec>, <mailto:websec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/websec/>
List-Post: <mailto:websec@ietf.org>
List-Help: <mailto:websec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/websec>, <mailto:websec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 25 Aug 2014 18:25:17 -0000

This is a multi-part message in MIME format.

------=_NextPart_000_000D_01CFC065.8A6C0A80
Content-Type: text/plain;
	charset="utf-8"
Content-Transfer-Encoding: quoted-printable

Thanks, Ryan! A few remarks inline...
> No, PKP-RO is not meant to be cached. In this respect, it behaves =
similar to Content-Security-Policy's reporting mechanism.
Ah, interesting. I=E2=80=99m curious why not? Is there no use-case for =
allowing =E2=80=9Creport-only=E2=80=9D pins to be persisted?
If PKP-RO is not meant to persist, then I=E2=80=99d suggest that this =
sentence should be significantly altered: =E2=80=9CIf a host sets the =
PKP-RO header, the UA SHOULD note the Pins and directives given in the =
PKP-RO header as specified by the max-age directive.=E2=80=9D The pins =
aren=E2=80=99t being =E2=80=9Cnoted=E2=80=9D (recorded) anywhere, and =
=E2=80=9Cspecified by the max-age directive=E2=80=9D has no meaning.
Furthermore, saying that =E2=80=9Cmax-age is OPTIONAL within a =
"Public-Key-Pins- Report-Only" header field.=E2=80=9D  implies to me =
that the intent is that supplying a max-age would have some function.
     If the PKP response header field does not meet all three of these
     criteria, the UA MUST NOT note the host as a Pinned Host.=20
  -
  If the failing criteria was "cert chain didn't contain at least one of =
the SPKI signatures", should this trigger a report to the report URI to =
aid developers and/or enable some amount of protection for sloppy =
attacks (or captive/corporate MITM interception, etc) against 1st-time =
visitors?

> Doesn't =
http://tools.ietf.org/html/draft-ietf-websec-key-pinning-20#section-2.1.3=
 already accomplish this?

Perhaps?  To me, the =E2=80=9CUA MUST NOT note the host as a Pinned =
Host=E2=80=9D suggests that the pin is deemed entirely invalid and no =
further processing is warranted. That assumption is based on the text =
that follows:

=E2=80=9Cthe UA MUST NOT note the host as a Pinned Host. A PKP response =
header field that meets all these critera is known as a Valid Pinning =
Header.=E2=80=9D

It seems odd to take action based on anything that is not a =
=E2=80=9CValid Pinning Header.=E2=80=9D

Perhaps one of my confusions around the prose is the use of the term =
=E2=80=9Cnote=E2=80=9D as a verb. =E2=80=9CNote=E2=80=9D could mean =
=E2=80=9Cpreserve a rule for the future=E2=80=9D or it could mean =
=E2=80=9Capply the rule for now and into the future.=E2=80=9D

Incidentally, typo: =
=E2=80=9Ccritera=E2=80=9D->=E2=80=9Dcriteria=E2=80=9D in section 2.5.

  "If the connection has no errors, then the UA will determine whether
     to apply a new, additional correctness check: Pin Validation"
  -
  Should this wait until the TLS validation has fully completed, or =
should it happen before the client potentially responds to a =
clientCertificateRequest from the server?
> Both are currently allowed.

Interesting. It seems worthwhile to at least note that there=E2=80=99s a =
benefit of performing the check before the TLS handshake responds to a =
clientCertificateRequest message.

>>As far as I understand things, there can be multiple valid chains to =
multiple roots. Should the validation procedure be required to check =
each possible candidate chain?
>So the answer is "No, it should be required"

Based on context, I /think/ this was a typo, missing the word =
=E2=80=9Cnot=E2=80=9D?=20

  4.4.  Interactions With Cookie Scoping
  This section suffers from the same incompleteness that Section 14 of =
the HSTS spec suffers: Because a rule specified on a subdomain =
(effective-third-level-domain) does not apply to the =
effective-second-level-domain, if a user visits the 3rd-level domain =
first or exclusively, a MITM attacker can perform a cookie-injection by =
generating a phony insecure request to the effective-second-level-domain =
and returning a Set-Cookie header in his poisoned response.

> I'm not sure I understand your remark with respect to =
"incompleteness". This is more of an operational guidance for server =
operators, correct?

Section 4.4 describes how PKP interacts with =E2=80=9CCookie =
Scoping=E2=80=9D but it only describes interaction with SUBDOMAINS of =
the target host, omitting entirely mention of the scoping of cookies to =
the target host=E2=80=99s PARENT. It=E2=80=99s unclear why the spec =
should mention one but not the other.

> It prevents the collusion, so that seems to effectively mitigate that =
particular attack, does it not?

As far as I can tell, yes, this approach prevents collusion, but only by =
completely disabling the reportURI feature. There are two possible =
scenarios:

  Case 1: ReportURI is cross-origin to target. Outcome: UA blocks for =
privacy reasons.
  Case 2: ReportURI is same-origin to target. Outcome: UA blocks reports =
to the ReportURI because the ReportURI refers to a host with a failing =
PKP rule.

Have I overlooked something?


thx,
Eric
------=_NextPart_000_000D_01CFC065.8A6C0A80
Content-Type: text/html;
	charset="utf-8"
Content-Transfer-Encoding: quoted-printable

<HTML><HEAD></HEAD>
<BODY dir=3Dltr>
<DIV dir=3Dltr>
<DIV style=3D"FONT-SIZE: 12pt; FONT-FAMILY: 'Calibri'; COLOR: #000000">
<DIV>
<DIV=20
style=3D'FONT-SIZE: small; TEXT-DECORATION: none; FONT-FAMILY: =
"Calibri"; FONT-WEIGHT: normal; COLOR: #000000; FONT-STYLE: normal; =
DISPLAY: inline'>Thanks,=20
Ryan! A few remarks inline...</DIV></DIV>
<DIV>
<DIV=20
style=3D'FONT-SIZE: small; TEXT-DECORATION: none; FONT-FAMILY: =
"Calibri"; FONT-WEIGHT: normal; COLOR: #000000; FONT-STYLE: normal; =
DISPLAY: inline'>&nbsp;</DIV></DIV>
<DIV>
<DIV=20
style=3D'FONT-SIZE: small; TEXT-DECORATION: none; FONT-FAMILY: =
"Calibri"; FONT-WEIGHT: normal; COLOR: #000000; FONT-STYLE: normal; =
DISPLAY: inline'>&gt;=20
No, PKP-RO is not meant to be cached. In this respect, it behaves =
similar to=20
Content-Security-Policy's reporting mechanism.</DIV></DIV>
<DIV>
<DIV=20
style=3D'FONT-SIZE: small; TEXT-DECORATION: none; FONT-FAMILY: =
"Calibri"; FONT-WEIGHT: normal; COLOR: #000000; FONT-STYLE: normal; =
DISPLAY: inline'>&nbsp;</DIV></DIV>
<DIV>
<DIV=20
style=3D'FONT-SIZE: small; TEXT-DECORATION: none; FONT-FAMILY: =
"Calibri"; FONT-WEIGHT: normal; COLOR: #000000; FONT-STYLE: normal; =
DISPLAY: inline'>Ah,=20
interesting. I=E2=80=99m curious why not? Is there no use-case for =
allowing=20
=E2=80=9Creport-only=E2=80=9D pins to be persisted?</DIV></DIV>
<DIV>
<DIV=20
style=3D'FONT-SIZE: small; TEXT-DECORATION: none; FONT-FAMILY: =
"Calibri"; FONT-WEIGHT: normal; COLOR: #000000; FONT-STYLE: normal; =
DISPLAY: inline'>&nbsp;</DIV></DIV>
<DIV>
<DIV=20
style=3D'FONT-SIZE: small; TEXT-DECORATION: none; FONT-FAMILY: =
"Calibri"; FONT-WEIGHT: normal; COLOR: #000000; FONT-STYLE: normal; =
DISPLAY: inline'>If=20
PKP-RO is not meant to persist, then I=E2=80=99d suggest that this =
sentence should be=20
significantly altered: </DIV>
<DIV=20
style=3D'FONT-SIZE: small; TEXT-DECORATION: none; FONT-FAMILY: =
"Calibri"; FONT-WEIGHT: normal; COLOR: #000000; FONT-STYLE: normal; =
DISPLAY: inline'>=E2=80=9C</DIV>
<DIV=20
style=3D'FONT-SIZE: small; TEXT-DECORATION: none; FONT-FAMILY: =
"Calibri"; FONT-WEIGHT: normal; COLOR: #000000; FONT-STYLE: normal; =
DISPLAY: inline'><FONT=20
face=3D""><FONT style=3D"FONT-SIZE: 9.8pt">If a host sets the PKP-RO =
header, the UA=20
SHOULD note the Pins and directives given in the PKP-RO header as =
specified by=20
the max-age directive.</FONT></FONT></DIV>
<DIV=20
style=3D'FONT-SIZE: small; TEXT-DECORATION: none; FONT-FAMILY: =
"Calibri"; FONT-WEIGHT: normal; COLOR: #000000; FONT-STYLE: normal; =
DISPLAY: inline'>=E2=80=9D=20
The pins aren=E2=80=99t being =E2=80=9Cnoted=E2=80=9D (recorded) =
anywhere, and =E2=80=9Cspecified by the max-age=20
directive=E2=80=9D has no meaning.</DIV></DIV>
<DIV>
<DIV=20
style=3D'FONT-SIZE: small; TEXT-DECORATION: none; FONT-FAMILY: =
"Calibri"; FONT-WEIGHT: normal; COLOR: #000000; FONT-STYLE: normal; =
DISPLAY: inline'>&nbsp;</DIV></DIV>
<DIV>
<DIV=20
style=3D'FONT-SIZE: small; TEXT-DECORATION: none; FONT-FAMILY: =
"Calibri"; FONT-WEIGHT: normal; COLOR: #000000; FONT-STYLE: normal; =
DISPLAY: inline'>Furthermore,=20
saying that =E2=80=9Cmax-age <FONT face=3D""><FONT style=3D"FONT-SIZE: =
9.8pt">is OPTIONAL=20
within a "Public-Key-Pins- Report-Only" header field.=E2=80=9D<FONT =
size=3D3>&nbsp;=20
</FONT></FONT></FONT></DIV>
<DIV=20
style=3D'FONT-SIZE: small; TEXT-DECORATION: none; FONT-FAMILY: =
"Calibri"; FONT-WEIGHT: normal; COLOR: #000000; FONT-STYLE: normal; =
DISPLAY: inline'>implies=20
to me that the intent is that supplying a max-age would have some=20
function.</DIV></DIV>
<DIV>
<DIV=20
style=3D'FONT-SIZE: small; TEXT-DECORATION: none; FONT-FAMILY: =
"Calibri"; FONT-WEIGHT: normal; COLOR: #000000; FONT-STYLE: normal; =
DISPLAY: inline'></DIV>
<DIV dir=3Dltr>
<DIV class=3Dgmail_extra>
<DIV class=3Dgmail_quote>
<BLOCKQUOTE class=3Dgmail_quote=20
style=3D"PADDING-LEFT: 1ex; MARGIN: 0px 0px 0px 0.8ex; BORDER-LEFT: =
rgb(204,204,204) 1px solid">
  <DIV dir=3Dltr>
  <DIV dir=3Dltr>
  <DIV style=3D"FONT-SIZE: 12pt; FONT-FAMILY: calibri; COLOR: =
rgb(0,0,0)">
  <DIV>&nbsp;&nbsp; If the PKP response header field does not meet all =
three of=20
  these</DIV>
  <DIV>&nbsp;&nbsp; criteria, the UA MUST NOT note the host as a Pinned =
Host.=20
  </DIV>
  <DIV>-</DIV>
  <DIV>If the failing criteria was "cert chain didn't contain at least =
one of=20
  the SPKI signatures", should this trigger a report to the report URI =
to aid=20
  developers and/or enable some amount of protection for sloppy attacks =
(or=20
  captive/corporate MITM interception, etc) against 1st-time=20
  visitors?</DIV></DIV></DIV></DIV></BLOCKQUOTE>
<DIV>&nbsp;</DIV>
<DIV>&gt; Doesn't <A=20
href=3D"http://tools.ietf.org/html/draft-ietf-websec-key-pinning-20#secti=
on-2.1.3">http://tools.ietf.org/html/draft-ietf-websec-key-pinning-20#sec=
tion-2.1.3</A>=20
already accomplish this?</DIV>
<DIV>&nbsp;</DIV>
<DIV>Perhaps?&nbsp; To me, the =E2=80=9CUA MUST NOT note the host as a =
Pinned Host=E2=80=9D=20
suggests that the pin is deemed entirely invalid and no further =
processing is=20
warranted. That assumption is based on the text that follows:</DIV>
<DIV>&nbsp;</DIV>
<DIV><FONT face=3D""><FONT style=3D"FONT-SIZE: 9.8pt">=E2=80=9Cthe UA =
MUST NOT note the host=20
as a Pinned Host. A PKP response header field that meets all these =
critera is=20
known as a Valid Pinning Header.=E2=80=9D</FONT></FONT></DIV>
<DIV>&nbsp;</DIV>
<DIV>It seems odd to take action based on anything that is not a =
=E2=80=9CValid Pinning=20
Header.=E2=80=9D</DIV>
<DIV>&nbsp;</DIV>
<DIV>Perhaps one of my confusions around the prose is the use of the =
term =E2=80=9Cnote=E2=80=9D=20
as a verb. =E2=80=9CNote=E2=80=9D could mean =E2=80=9Cpreserve a rule =
for the future=E2=80=9D or it could mean=20
=E2=80=9Capply the rule for now and into the future.=E2=80=9D</DIV>
<DIV>&nbsp;</DIV>
<DIV>Incidentally, typo: =
=E2=80=9Ccritera=E2=80=9D-&gt;=E2=80=9Dcriteria=E2=80=9D in section =
2.5.</DIV>
<DIV>&nbsp;</DIV>
<BLOCKQUOTE class=3Dgmail_quote=20
style=3D"PADDING-LEFT: 1ex; MARGIN: 0px 0px 0px 0.8ex; BORDER-LEFT: =
rgb(204,204,204) 1px solid">
  <DIV dir=3Dltr>
  <DIV dir=3Dltr>
  <DIV style=3D"FONT-SIZE: 12pt; FONT-FAMILY: calibri; COLOR: =
rgb(0,0,0)">
  <DIV>"If the connection has no errors, then the UA will determine=20
whether</DIV>
  <DIV>&nbsp;&nbsp; to apply a new, additional correctness check: Pin=20
  Validation"</DIV>
  <DIV>-</DIV>
  <DIV>Should this wait until the TLS validation has fully completed, or =
should=20
  it happen before the client potentially responds to a =
clientCertificateRequest=20
  from the server?</DIV></DIV></DIV></DIV></BLOCKQUOTE>
<DIV>&gt; Both are currently allowed.</DIV>
<DIV>&nbsp;</DIV>
<DIV>Interesting. It seems worthwhile to at least note that =
there=E2=80=99s a benefit of=20
performing the check before the TLS handshake responds to a=20
clientCertificateRequest message.</DIV>
<DIV>&nbsp;</DIV>
<DIV>&gt;&gt;As far as I understand things, there can be multiple valid =
chains=20
to multiple roots. Should the validation procedure be required to check =
each=20
possible candidate chain?</DIV>
<DIV>&gt;So the answer is "No, it should be required"</DIV>
<DIV>&nbsp;</DIV>
<DIV>Based on context, I /think/ this was a typo, missing the word =
=E2=80=9Cnot=E2=80=9D? </DIV>
<DIV>&nbsp;</DIV>
<BLOCKQUOTE class=3Dgmail_quote=20
style=3D"PADDING-LEFT: 1ex; MARGIN: 0px 0px 0px 0.8ex; BORDER-LEFT: =
rgb(204,204,204) 1px solid">
  <DIV dir=3Dltr>
  <DIV dir=3Dltr>4.4.&nbsp; Interactions With Cookie=20
Scoping</DIV></DIV></BLOCKQUOTE>
<BLOCKQUOTE class=3Dgmail_quote=20
style=3D"PADDING-LEFT: 1ex; MARGIN: 0px 0px 0px 0.8ex; BORDER-LEFT: =
rgb(204,204,204) 1px solid">
  <DIV dir=3Dltr>
  <DIV dir=3Dltr>
  <DIV style=3D"FONT-SIZE: 12pt; FONT-FAMILY: calibri; COLOR: =
rgb(0,0,0)">
  <DIV>This section suffers from the same incompleteness that Section 14 =
of the=20
  HSTS spec suffers: Because a rule specified on a subdomain=20
  (effective-third-level-domain) does not apply to the=20
  effective-second-level-domain, if a user visits the 3rd-level domain =
first or=20
  exclusively, a MITM attacker can perform a cookie-injection by =
generating a=20
  phony insecure request to the effective-second-level-domain and =
returning a=20
  Set-Cookie header in his poisoned =
response.</DIV></DIV></DIV></DIV></BLOCKQUOTE>
<DIV>&nbsp;</DIV>
<DIV>&gt; I'm not sure I understand your remark with respect to=20
"incompleteness". This is more of an operational guidance for server =
operators,=20
correct?</DIV>
<DIV>&nbsp;</DIV>
<DIV>Section 4.4 describes how PKP interacts with =E2=80=9CCookie =
Scoping=E2=80=9D but it only=20
describes interaction with SUBDOMAINS of the target host, omitting =
entirely=20
mention of the scoping of cookies to the target host=E2=80=99s PARENT. =
It=E2=80=99s unclear why=20
the spec should mention one but not the other.</DIV>
<DIV>&nbsp;</DIV>
<DIV>&gt; It prevents the collusion, so that seems to effectively =
mitigate that=20
particular attack, does it not?</DIV>
<DIV>&nbsp;</DIV>
<DIV>As far as I can tell, yes, this approach prevents collusion, but =
only by=20
completely disabling the reportURI feature. There are two possible=20
scenarios:</DIV>
<DIV>&nbsp;</DIV>
<DIV>&nbsp; Case 1: ReportURI is cross-origin to target. Outcome: UA =
blocks for=20
privacy reasons.</DIV>
<DIV>&nbsp; Case 2: ReportURI is same-origin to target. Outcome: UA =
blocks=20
reports to the ReportURI because the ReportURI refers to a host with a =
failing=20
PKP rule.</DIV>
<DIV>&nbsp;</DIV>
<DIV><SPAN>Have I overlooked something?</SPAN></DIV>
<DIV><SPAN></SPAN>&nbsp;</DIV>
<DIV><SPAN></SPAN>&nbsp;</DIV>
<DIV><SPAN>thx,</SPAN></DIV>
<DIV><SPAN>Eric</SPAN></DIV></DIV></DIV></DIV></DIV></DIV></DIV></BODY></=
HTML>

------=_NextPart_000_000D_01CFC065.8A6C0A80--


From nobody Mon Aug 25 13:24:02 2014
Return-Path: <palmer@google.com>
X-Original-To: websec@ietfa.amsl.com
Delivered-To: websec@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0656B1A0320 for <websec@ietfa.amsl.com>; Mon, 25 Aug 2014 13:24:00 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.653
X-Spam-Level: 
X-Spam-Status: No, score=0.653 tagged_above=-999 required=5 tests=[BAYES_50=0.8, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FM_FORGED_GMAIL=0.622, RP_MATCHES_RCVD=-0.668, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 2aEP_oP22fqF for <websec@ietfa.amsl.com>; Mon, 25 Aug 2014 13:23:58 -0700 (PDT)
Received: from mail-qg0-x231.google.com (mail-qg0-x231.google.com [IPv6:2607:f8b0:400d:c04::231]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 302011A0314 for <websec@ietf.org>; Mon, 25 Aug 2014 13:23:58 -0700 (PDT)
Received: by mail-qg0-f49.google.com with SMTP id j107so13602338qga.36 for <websec@ietf.org>; Mon, 25 Aug 2014 13:23:57 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=4/X6JcmsEBPyvyxqNLvDa/CTH+GWid5Ewri12S6YRIc=; b=H6D67x+VS9bjq2FWC0xVQaobavdH669AD6XVswiDceIJrK3/OwS/1+79va4bsaHiHu JBz913WZ5JP1fpmLs03eMzwrj5pz703l7FaC6cCG+q0M99f99vPIhqquMPf+Hn8hJ0JV 9BHKT3BpLhT5A4kXkiWI8HrhqRTUAqYnMjk5WSOvn0VRK7DjBeKdHNiVz9maJ5Ervvsj OfDcUbgVrOQXr8w9sZlJ98d0WYUxSRwXEiObByWjZIXG6lxSs94QGVMMQCq3motVHXxX 0pziYknZPxpLb3T1ViRRPlw4VSyzperO46izMVPdUCdNY4QppOIJihZo4hFyou5lh40O beKQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:date :message-id:subject:from:to:cc:content-type; bh=4/X6JcmsEBPyvyxqNLvDa/CTH+GWid5Ewri12S6YRIc=; b=jpu5J3gtIWjTnw27mRo956gRvSKSKCfnDb2UvGtKQroLsmHV8pQgu4ZAaRQMknVanH hcI36wqKpdlaznCdYloPAm6tP6F2iQXfN/uMMQ3LauXLSJtQ47UCaJG+/5Gwi4WeUUiO gzGi/yNAhrreliV6FThGMgMOVBihnkqLokAoRk84vectWoVUPitSsXDcGAklhw2u1Lpw UdWgdO8B8Lhl34AFmzupc016O3tlLM97XdOwzWrj54M0Q7Vk9SDr8Rik/rVPoHieLNt9 qw8wq2UaB9z58k8kcPROU5vPSFXYObvEtkTZIPqF4auyadpaCnVJzw593TFfzJ2KoFeU M9JA==
X-Gm-Message-State: ALoCoQkvHqIzwMxl3vPCFakT1+MvNWv/YaTvyBKw04C1gKm7T73G+coFqW7I0nBWka9dcDciir7I
MIME-Version: 1.0
X-Received: by 10.140.97.117 with SMTP id l108mr36202786qge.29.1408998237177;  Mon, 25 Aug 2014 13:23:57 -0700 (PDT)
Received: by 10.229.165.2 with HTTP; Mon, 25 Aug 2014 13:23:57 -0700 (PDT)
In-Reply-To: <53E8DC68.5010803@dial.pipex.com>
References: <53DA3F13.10007@dial.pipex.com> <A46FD7B1-0ECB-4AB9-990E-E09D4956591B@gmail.com> <549E489B-181F-48FA-867E-BA7C7FB3E32D@gmail.com> <53E8DC68.5010803@dial.pipex.com>
Date: Mon, 25 Aug 2014 13:23:57 -0700
Message-ID: <CAOuvq23AF3NFGg2HRhWgcg70GaZmQ=ArL-NfUCepN0QGuGEqDQ@mail.gmail.com>
From: Chris Palmer <palmer@google.com>
To: Elwyn Davies <elwynd@dial.pipex.com>
Content-Type: text/plain; charset=UTF-8
Archived-At: http://mailarchive.ietf.org/arch/msg/websec/tZQIDF-QK2_x60BPz5jJWleWlus
Cc: draft-ietf-websec-key-pinning.all@tools.ietf.org, General area reviewing team <gen-art@ietf.org>, IETF WebSec WG <websec@ietf.org>
Subject: Re: [websec] Gen-art LC review of draft-ietf-websec-key-pinning-19
X-BeenThere: websec@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/websec>, <mailto:websec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/websec/>
List-Post: <mailto:websec@ietf.org>
List-Help: <mailto:websec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/websec>, <mailto:websec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 25 Aug 2014 20:24:00 -0000

On Mon, Aug 11, 2014 at 8:08 AM, Elwyn Davies <elwynd@dial.pipex.com> wrote:

>>>> s2.1.1: I'm not sure if this could be an issue.. should a maximum
>>>> possible value for max_age
>>>> be specified to avoid UA's being cluttered up with old Pins - this might
>>>> possible be a DoS
>>>> attack vehicle but I am not sure (yet) if it could be. OK.. so s2.3.3
>>>> talks about limits.
>>>> A pointer to this discussion would be useful here
>
> A pointer to the discussion in s2.3.3 would still help.

Added.

> Ok.  Accepting that the host is expected normally to send the headers on all
> responses, when SHOULD it not send the headers? (from the previous comments
> a server that knows it is not multiplexed might be a candidate - or if it
> knows it has already responded on this connection?)

I think it's easiest and simplest for servers to simply always send the headers.

>>>> s2.3.1/s2.4: S2.4 states that hash algorithms might be deprecated in
>>>> future.  Presumably a
>>>> deprecated algorithm should be treated as an unrecognized directive or
>>>> some such to avoid
>>>> downgrade attacks.  Probably worth being explicit about this.  Also this
>>>> is potentially
>>>> incompatible with the statement that 'UAs MUST recognize "sha256"' (Para
>>>> 3 of s2.4).
>>>> This results in a potential downgrade attack when and if SHA256 is
>>>> deemed to be no longer
>>>> cryptographically effective. I think this statement can be removed as
>>>> presently a UA
>>>> has no other option if it is to implement the specification.
>
> Not addressed as yet.  At least the statement in s2.4 needs to be removed.

Removed.

>>>> Also there may be some of the questions in s8.3.1 of RFC 7231 that need
>>>> specific answers.
>
> There are still some of the questions that ought to be explicitly answered.

To me, the only questions that might not have obvious answers are:

   o  Whether the header field is useful or allowable in trailers (see
      Section 4.1 of [RFC7230]).

Surely not? For the same reason we don't want it in meta http-equiv.

   o  Whether the header field ought to be preserved across redirects.

Surely not?

Any others?

> One extra nit:
> s2, para after bullets: s/reistry/registry/

Fixed.

Changes visible at
https://code.google.com/p/key-pinning-draft/source/list. I won't push
a version 21 until I've gone through the rest of the incoming email.

Thank you!


From nobody Mon Aug 25 19:06:18 2014
Return-Path: <tom@ritter.vg>
X-Original-To: websec@ietfa.amsl.com
Delivered-To: websec@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E52BD1A067A for <websec@ietfa.amsl.com>; Mon, 25 Aug 2014 19:06:15 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.379
X-Spam-Level: 
X-Spam-Status: No, score=-1.379 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FM_FORGED_GMAIL=0.622, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 9gRt-mqOhfeK for <websec@ietfa.amsl.com>; Mon, 25 Aug 2014 19:06:15 -0700 (PDT)
Received: from mail-ig0-x229.google.com (mail-ig0-x229.google.com [IPv6:2607:f8b0:4001:c05::229]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0D2051A0678 for <websec@ietf.org>; Mon, 25 Aug 2014 19:06:14 -0700 (PDT)
Received: by mail-ig0-f169.google.com with SMTP id r2so5059304igi.2 for <websec@ietf.org>; Mon, 25 Aug 2014 19:06:14 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ritter.vg; s=vg; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc:content-type; bh=+K1ZLDEno7SbCMJXTFZQkGqYk9ffnhjp45QsexEwZhQ=; b=ODPmAC5uO+xhKp41qGi3sQSQWXudwDXxYwlty2El4Y3yd0JYRWoh7F9MWyaQXXq0jq PsnNk8nPNjY6oz5XdsLWFG4IZa50qJnu4ajYfKuJCAqTSdCpplZUxZ2EX25fh3eKd2A2 +Hb3CvUagh0jK87YSe8FnNyx1A9R6b2AD42T4=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc:content-type; bh=+K1ZLDEno7SbCMJXTFZQkGqYk9ffnhjp45QsexEwZhQ=; b=c7Q3xYZyFxQv85w2wsJfY0CsgbDQvpSgwxRmeuWJd1We2z6SVay3CrKCdWoTjLqzth /sKuP6TqH5CmqJFFC9wB87KymokBEJDDQQNHrCi2X/FAtalGKGdVtxwzQCkUKqm48zm+ 2PyKwD3E0ta5fMq3zGLlxwc6xxLxjcR+Ly7vKdKhrbCL6IOENkmAs5biQ9fDAdekdus9 SYaGwDEuBwQiKlMYjb/W1a72oJB7tDhzS/gb4O8U86mAdWDQ8OmgSu70WgmEBXjXb/wS xQh7r/7uuVkGcuzZEHblogRwss1TCdfcirbQ26mqHUAxC9i38uHAodydzzXzzUTK7Lbn eoBg==
X-Gm-Message-State: ALoCoQl6ERQiocIcZgHzz85C6UlTQV4kHStodrdHOoznsSlaIYFNB/p+7Qx8S1scD7eyodc9U2LF
X-Received: by 10.50.111.80 with SMTP id ig16mr19287148igb.43.1409018774006; Mon, 25 Aug 2014 19:06:14 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.107.10.104 with HTTP; Mon, 25 Aug 2014 19:05:53 -0700 (PDT)
In-Reply-To: <BAY169-DS45F1C5036AB09CA44D0BC7AEDF0@phx.gbl>
References: <BAY169-DS62B5941BF0A9024964BB0AEEE0@phx.gbl> <CACvaWvYHAmpX0f9_m-sckhWz9tcyWA-sxVR4vP-A5UcAQmnYXA@mail.gmail.com> <BAY169-DS45F1C5036AB09CA44D0BC7AEDF0@phx.gbl>
From: Tom Ritter <tom@ritter.vg>
Date: Mon, 25 Aug 2014 21:05:53 -0500
Message-ID: <CA+cU71k-pLD315dzfd_c74QM51c7V2VQkZ26PiXUTqntmESD=A@mail.gmail.com>
To: Eric Lawrence <ericlaw1979@hotmail.com>
Content-Type: text/plain; charset=ISO-8859-1
Archived-At: http://mailarchive.ietf.org/arch/msg/websec/x6gUthkBd-hfOJ8l9QHiM5XAu84
Cc: draft-ietf-websec-key-pinning@tools.ietf.org, IETF WebSec WG <websec@ietf.org>, Ryan Sleevi <sleevi@google.com>
Subject: Re: [websec] draft-ietf-websec-key-pinning
X-BeenThere: websec@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/websec>, <mailto:websec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/websec/>
List-Post: <mailto:websec@ietf.org>
List-Help: <mailto:websec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/websec>, <mailto:websec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 26 Aug 2014 02:06:16 -0000

On 25 August 2014 13:07, Eric Lawrence <ericlaw1979@hotmail.com> wrote:
>> No, PKP-RO is not meant to be cached. In this respect, it behaves similar
>> to Content-Security-Policy's reporting mechanism.
>
> Ah, interesting. I'm curious why not? Is there no use-case for allowing
> "report-only" pins to be persisted?

I think there definitely are, and I and most organizations I advise
would like that option.

-tom


From nobody Tue Aug 26 01:30:51 2014
Return-Path: <jreschke@adobe.com>
X-Original-To: websec@ietfa.amsl.com
Delivered-To: websec@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 794BC1A0B0A for <websec@ietfa.amsl.com>; Tue, 26 Aug 2014 01:20:33 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.602
X-Spam-Level: 
X-Spam-Status: No, score=-2.602 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id IaG_IiRN2jc9 for <websec@ietfa.amsl.com>; Tue, 26 Aug 2014 01:20:31 -0700 (PDT)
Received: from na01-bl2-obe.outbound.protection.outlook.com (mail-bl2lp0207.outbound.protection.outlook.com [207.46.163.207]) (using TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5AD8E1A0B08 for <websec@ietf.org>; Tue, 26 Aug 2014 01:20:31 -0700 (PDT)
Received: from [192.168.2.160] (93.217.108.242) by BL2PR02MB483.namprd02.prod.outlook.com (10.141.95.149) with Microsoft SMTP Server (TLS) id 15.0.1015.19; Tue, 26 Aug 2014 08:20:22 +0000
Message-ID: <53FC4335.2000808@adobe.com>
Date: Tue, 26 Aug 2014 10:20:05 +0200
From: Julian Reschke <jreschke@adobe.com>
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:31.0) Gecko/20100101 Thunderbird/31.0
MIME-Version: 1.0
To: websec <websec@ietf.org>
Content-Type: text/plain; charset="utf-8"; format=flowed
Content-Transfer-Encoding: 7bit
X-Originating-IP: [93.217.108.242]
X-ClientProxiedBy: AM2PR06CA002.eurprd06.prod.outlook.com (10.255.61.19) To BL2PR02MB483.namprd02.prod.outlook.com (10.141.95.149)
X-Microsoft-Antispam: BCL:0;PCL:0;RULEID:;UriScan:;
X-Forefront-PRVS: 03152A99FF
X-Forefront-Antispam-Report: SFV:NSPM; SFS:(6049001)(6009001)(199003)(189002)(110136001)(64706001)(50466002)(4396001)(107886001)(83322001)(65816999)(31966008)(80316001)(74662001)(74502001)(19580395003)(99396002)(107046002)(59896002)(66066001)(229853001)(90102001)(230783001)(47776003)(20776003)(65806001)(54356999)(80022001)(42186005)(23676002)(85306004)(86362001)(46102001)(65956001)(15202345003)(106356001)(92726001)(92566001)(105586002)(101416001)(87976001)(117156001)(33656002)(102836001)(36756003)(76482001)(81542001)(15975445006)(83506001)(87266999)(64126003)(95666004)(21056001)(81342001)(77982001)(83072002)(50986999)(79102001)(77096002)(85852003); DIR:OUT; SFP:; SCL:1; SRVR:BL2PR02MB483; H:[192.168.2.160]; FPR:; MLV:nov; PTR:InfoNoRecords; A:1; MX:1; LANG:en; 
X-OriginatorOrg: adobe.com
Archived-At: http://mailarchive.ietf.org/arch/msg/websec/h6C10vhQS5_UXGwAJIhdB-J5uRU
X-Mailman-Approved-At: Tue, 26 Aug 2014 01:30:49 -0700
Subject: [websec] draft-ietf-websec-key-pinning-20 references
X-BeenThere: websec@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/websec>, <mailto:websec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/websec/>
List-Post: <mailto:websec@ietf.org>
List-Help: <mailto:websec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/websec>, <mailto:websec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 26 Aug 2014 08:20:33 -0000

Hi there.

Below some nits wrt references....

>    [RFC4627]  Crockford, D., "The application/json Media Type for
>               JavaScript Object Notation (JSON)", RFC 4627, July 2006.

Obsoleted by <http://tools.ietf.org/html/rfc7159>.

>    [RFC4634]  Eastlake, D. and T. Hansen, "US Secure Hash Algorithms
>               (SHA and HMAC-SHA)", RFC 4634, July 2006.

Obsoleted by <http://tools.ietf.org/html/rfc6234>.

>    [RFC3546]  Blake-Wilson, S., Nystrom, M., Hopwood, D., Mikkelsen, J.,
>               and T. Wright, "Transport Layer Security (TLS)
>               Extensions", RFC 3546, June 2003.

...also obsoleted, in this case apparently by a set of specs.

Best regards, Julian


From nobody Tue Aug 26 01:56:01 2014
Return-Path: <julian.reschke@gmx.de>
X-Original-To: websec@ietfa.amsl.com
Delivered-To: websec@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A85141A6ED9 for <websec@ietfa.amsl.com>; Tue, 26 Aug 2014 01:56:00 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level: 
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id dBZNNiQvPrLm for <websec@ietfa.amsl.com>; Tue, 26 Aug 2014 01:55:59 -0700 (PDT)
Received: from mout.gmx.net (mout.gmx.net [212.227.15.18]) (using TLSv1.2 with cipher DHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0B64C1A212D for <websec@ietf.org>; Tue, 26 Aug 2014 01:55:58 -0700 (PDT)
Received: from [192.168.2.160] ([93.217.95.201]) by mail.gmx.com (mrgmx002) with ESMTPSA (Nemesis) id 0LiTJE-1Wjpuy1vqO-00cjyz for <websec@ietf.org>; Tue, 26 Aug 2014 10:55:56 +0200
Message-ID: <53FC4B98.5020304@gmx.de>
Date: Tue, 26 Aug 2014 10:55:52 +0200
From: Julian Reschke <julian.reschke@gmx.de>
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:31.0) Gecko/20100101 Thunderbird/31.0
MIME-Version: 1.0
To: websec <websec@ietf.org>
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Transfer-Encoding: 7bit
X-Provags-ID: V03:K0:ze1KIg9aiZILkDumQ1sqGzmQzrcksMK9qBnVe/yHY4Jsv5S+KYW Tnpdf27a3bhgNc+kt6BOQfZG9YstCnanjgmNKmUoCHZnNRmN+R8SkWI/pmd+inLWaxs83Aq LMy2uUdjvXcUK/zz9PvAIxf67/Eb3qUymx6mhkqh5a02n1gb7r1BEHNwGrFnKzGyR6QECFF isDzSLdwpv9gxqlOsehTA==
X-UI-Out-Filterresults: notjunk:1;
Archived-At: http://mailarchive.ietf.org/arch/msg/websec/g17AT4qPn1iziS5lgZwCylaeJ2o
Subject: [websec] draft-ietf-websec-key-pinning-20 references
X-BeenThere: websec@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/websec>, <mailto:websec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/websec/>
List-Post: <mailto:websec@ietf.org>
List-Help: <mailto:websec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/websec>, <mailto:websec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 26 Aug 2014 08:56:00 -0000

Hi there.

Below some nits wrt references....

 >    [RFC4627]  Crockford, D., "The application/json Media Type for
 >               JavaScript Object Notation (JSON)", RFC 4627, July 2006.

Obsoleted by <http://tools.ietf.org/html/rfc7159>.

 >    [RFC4634]  Eastlake, D. and T. Hansen, "US Secure Hash Algorithms
 >               (SHA and HMAC-SHA)", RFC 4634, July 2006.

Obsoleted by <http://tools.ietf.org/html/rfc6234>.

 >    [RFC3546]  Blake-Wilson, S., Nystrom, M., Hopwood, D., Mikkelsen, J.,
 >               and T. Wright, "Transport Layer Security (TLS)
 >               Extensions", RFC 3546, June 2003.

...also obsoleted, in this case apparently by a set of specs.

Best regards, Julian


From nobody Tue Aug 26 01:56:37 2014
Return-Path: <julian.reschke@gmx.de>
X-Original-To: websec@ietfa.amsl.com
Delivered-To: websec@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C65B01A6EE7 for <websec@ietfa.amsl.com>; Tue, 26 Aug 2014 01:56:35 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level: 
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ZkoXVjmytCtb for <websec@ietfa.amsl.com>; Tue, 26 Aug 2014 01:56:34 -0700 (PDT)
Received: from mout.gmx.net (mout.gmx.net [212.227.15.15]) (using TLSv1.2 with cipher DHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 625CA1A6EE1 for <websec@ietf.org>; Tue, 26 Aug 2014 01:56:32 -0700 (PDT)
Received: from [192.168.2.160] ([93.217.95.201]) by mail.gmx.com (mrgmx001) with ESMTPSA (Nemesis) id 0Mb8MV-1X39CH1mhf-00KhEj for <websec@ietf.org>; Tue, 26 Aug 2014 10:56:30 +0200
Message-ID: <53FC4BBA.3080400@gmx.de>
Date: Tue, 26 Aug 2014 10:56:26 +0200
From: Julian Reschke <julian.reschke@gmx.de>
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:31.0) Gecko/20100101 Thunderbird/31.0
MIME-Version: 1.0
To: websec <websec@ietf.org>
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Transfer-Encoding: 7bit
X-Provags-ID: V03:K0:bta43kbP/4oXedHCiTE+d1fjaw7/+apz1ggh+qNG4TFIY2DPsBE 3FAbIW/wRRNY2ExlqTfgVzkoIBoeOiXXe3ZgtZ9yX23wldrtsuMMLlRj2/MJAKZKJPZ6jfm 6zsUvuACAnqfD/Px3ZVtsB1YuQqiu30kTWzBmLyQ6nvBb2DGaq5DSwljI6VnaZGHSEYYKt0 ofTqpKG6hELIeQH6eCLKQ==
X-UI-Out-Filterresults: notjunk:1;
Archived-At: http://mailarchive.ietf.org/arch/msg/websec/O3rRqPE1AqaXCQlDL9muGARNUHg
Subject: [websec] draft-ietf-websec-key-pinning-20 feedback
X-BeenThere: websec@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/websec>, <mailto:websec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/websec/>
List-Post: <mailto:websec@ietf.org>
List-Help: <mailto:websec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/websec>, <mailto:websec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 26 Aug 2014 08:56:35 -0000

Hi there.


Some more quick feedback, somewhat unstructured...

Throughout: please say "header field" rather than "header".

 >    The "Public-Key-Pins" and "Public-Key-Pins-Report-Only" header
 >    fields, also referred to within this specification as the PKP and
 >    PKP-RO header fields, respectively, are new response headers defined
 >    in this specification.  They are used by a server to indicate that a

s/server/origin server/ maybe?

 >    Figure 1 describes the syntax (Augmented Backus-Naur Form) of the
 >    header fields, using the grammar defined in [RFC5234] and the rules
 >    defined in Section 3.2 of [RFC7230].  The field values of both header
 >    fields conform to the same rules.
 >
 >    Public-Key-Directives = [ directive ] *( OWS ";" OWS [ directive ] )
 >
 >    directive             = simple-directive
 >                          / pin-directive
 >
 >    simple-directive      = directive-name [ "=" directive-value ]
 >    directive-name        = token
 >    directive-value       = token
 >                          / quoted-string
 >
 >    pin-directive         = "pin-" token "=" quoted-string

1) I would recommend not to special-case pin-directive here, as it makes 
the ABNF ambiguous. Just put the additional requirements into prose.

2) The value of pin-directive ought to allow token syntax as well. 
(Otherwise a conforming parser will need to special-case their parsing 
which doesn't make any sense at all).

 >        given header field.  Directives are either optional or required,
 >        as stipulated in their definitions.

"OPTIONAL or REQUIRED", I assume?

 >    Additional directives extending the semantic functionality of the
 >    header fields can be defined in other specifications.  The first such
 >    specification will need to define a reistry for such directives.

registry.

 >    According to rule 5, above, the UA MUST ignore pin-directives with

Repeats a requirement. Maybe do not use MUST here; instead say "will".

 >    tokens naming hash algorithms it does not recognize.  If the set of
 >    remaining effective pin-directives is empty, and if the host is a
 >    Known Pinned Host, the UA MUST cease to consider the host as a Known
 >    Pinned Host (the UA should fail open).  The UA should indicate to

SHOULD?

 >    UAs SHOULD make their best effort to report Pin Validation failures
 >    to the report-uri, but may fail to report in exceptional conditions.

MAY? (in general: try to avoid lowercase RFC2119 terms)


Best regards, Julian


From nobody Tue Aug 26 01:58:00 2014
Return-Path: <jreschke@adobe.com>
X-Original-To: websec@ietfa.amsl.com
Delivered-To: websec@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A22FC1A070B for <websec@ietfa.amsl.com>; Tue, 26 Aug 2014 01:54:34 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.703
X-Spam-Level: 
X-Spam-Status: No, score=-0.703 tagged_above=-999 required=5 tests=[BAYES_20=-0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id fVrLBJ3aSOyC for <websec@ietfa.amsl.com>; Tue, 26 Aug 2014 01:54:31 -0700 (PDT)
Received: from na01-bl2-obe.outbound.protection.outlook.com (mail-bl2lp0203.outbound.protection.outlook.com [207.46.163.203]) (using TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C400B1A0BEA for <websec@ietf.org>; Tue, 26 Aug 2014 01:54:30 -0700 (PDT)
Received: from [192.168.2.160] (93.217.95.201) by BL2PR02MB482.namprd02.prod.outlook.com (10.141.95.144) with Microsoft SMTP Server (TLS) id 15.0.1015.19; Tue, 26 Aug 2014 08:54:28 +0000
Message-ID: <53FC4B34.8050604@adobe.com>
Date: Tue, 26 Aug 2014 10:54:12 +0200
From: Julian Reschke <jreschke@adobe.com>
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:31.0) Gecko/20100101 Thunderbird/31.0
MIME-Version: 1.0
To: websec <websec@ietf.org>
Content-Type: text/plain; charset="utf-8"; format=flowed
Content-Transfer-Encoding: 7bit
X-Originating-IP: [93.217.95.201]
X-ClientProxiedBy: AMSPR01CA008.eurprd01.prod.exchangelabs.com (10.255.167.153) To BL2PR02MB482.namprd02.prod.outlook.com (10.141.95.144)
X-Microsoft-Antispam: BCL:0;PCL:0;RULEID:;UriScan:;
X-Forefront-PRVS: 03152A99FF
X-Forefront-Antispam-Report: SFV:NSPM; SFS:(6049001)(6009001)(51704005)(189002)(199003)(64706001)(102836001)(76482001)(87976001)(230783001)(92566001)(4396001)(92726001)(85306004)(101416001)(47776003)(77982001)(81342001)(46102001)(33656002)(21056001)(90102001)(117156001)(83072002)(85852003)(66066001)(79102001)(65956001)(80022001)(20776003)(86362001)(95666004)(99396002)(107886001)(107046002)(105586002)(36756003)(50466002)(23676002)(83322001)(80316001)(77096002)(106356001)(65806001)(74662001)(64126003)(65816999)(81542001)(42186005)(229853001)(83506001)(87266999)(74502001)(54356999)(50986999)(110136001)(31966008); DIR:OUT; SFP:; SCL:1; SRVR:BL2PR02MB482; H:[192.168.2.160]; FPR:; MLV:sfv; PTR:InfoNoRecords; MX:1; A:1; LANG:en; 
X-OriginatorOrg: adobe.com
Archived-At: http://mailarchive.ietf.org/arch/msg/websec/JHcDd4mSDVORKne5StsxQAYQJvA
X-Mailman-Approved-At: Tue, 26 Aug 2014 01:57:59 -0700
Subject: [websec] draft-ietf-websec-key-pinning-20 feedback
X-BeenThere: websec@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/websec>, <mailto:websec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/websec/>
List-Post: <mailto:websec@ietf.org>
List-Help: <mailto:websec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/websec>, <mailto:websec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 26 Aug 2014 08:54:34 -0000

Hi there.


Some more quick feedback, somewhat unstructured...

Throughout: please say "header field" rather than "header".

>    The "Public-Key-Pins" and "Public-Key-Pins-Report-Only" header
>    fields, also referred to within this specification as the PKP and
>    PKP-RO header fields, respectively, are new response headers defined
>    in this specification.  They are used by a server to indicate that a

s/server/origin server/ maybe?

>    Figure 1 describes the syntax (Augmented Backus-Naur Form) of the
>    header fields, using the grammar defined in [RFC5234] and the rules
>    defined in Section 3.2 of [RFC7230].  The field values of both header
>    fields conform to the same rules.
>
>    Public-Key-Directives = [ directive ] *( OWS ";" OWS [ directive ] )
>
>    directive             = simple-directive
>                          / pin-directive
>
>    simple-directive      = directive-name [ "=" directive-value ]
>    directive-name        = token
>    directive-value       = token
>                          / quoted-string
>
>    pin-directive         = "pin-" token "=" quoted-string

1) I would recommend not to special-case pin-directive here, as it makes 
the ABNF ambiguous. Just put the additional requirements into prose.

2) The value of pin-directive ought to allow token syntax as well. 
(Otherwise a conforming parser will need to special-case their parsing 
which doesn't make any sense at all).

>        given header field.  Directives are either optional or required,
>        as stipulated in their definitions.

"OPTIONAL or REQUIRED", I assume?

>    Additional directives extending the semantic functionality of the
>    header fields can be defined in other specifications.  The first such
>    specification will need to define a reistry for such directives.

registry.

>    According to rule 5, above, the UA MUST ignore pin-directives with

Repeats a requirement. Maybe do not use MUST here; instead say "will".

>    tokens naming hash algorithms it does not recognize.  If the set of
>    remaining effective pin-directives is empty, and if the host is a
>    Known Pinned Host, the UA MUST cease to consider the host as a Known
>    Pinned Host (the UA should fail open).  The UA should indicate to

SHOULD?

>    UAs SHOULD make their best effort to report Pin Validation failures
>    to the report-uri, but may fail to report in exceptional conditions.

MAY? (in general: try to avoid lowercase RFC2119 terms)



From nobody Tue Aug 26 03:19:50 2014
Return-Path: <julian.reschke@gmx.de>
X-Original-To: websec@ietfa.amsl.com
Delivered-To: websec@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1B3E41A6F4A for <websec@ietfa.amsl.com>; Tue, 26 Aug 2014 03:19:44 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level: 
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id AMGV5ne93quZ for <websec@ietfa.amsl.com>; Tue, 26 Aug 2014 03:19:42 -0700 (PDT)
Received: from mout.gmx.net (mout.gmx.net [212.227.17.20]) (using TLSv1.2 with cipher DHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id F249C1A6F1D for <websec@ietf.org>; Tue, 26 Aug 2014 03:18:54 -0700 (PDT)
Received: from [192.168.1.26] ([217.91.35.233]) by mail.gmx.com (mrgmx103) with ESMTPSA (Nemesis) id 0MKHik-1XLfL8440M-001giK for <websec@ietf.org>; Tue, 26 Aug 2014 12:18:53 +0200
Message-ID: <53FC5F09.7080201@gmx.de>
Date: Tue, 26 Aug 2014 12:18:49 +0200
From: Julian Reschke <julian.reschke@gmx.de>
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:31.0) Gecko/20100101 Thunderbird/31.0
MIME-Version: 1.0
To: websec <websec@ietf.org>
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Transfer-Encoding: 7bit
X-Provags-ID: V03:K0:2injkcckaike3UoiWayAXQEFagZH3KC3ebOAiCzFiRhk2D5MG/g UxvnJsRQdC2DnHoKUFWskoYA4NCHITqWK6Ib7xV60bM3Nuxh0IHQZJYJr7KhlMjJNMlFReE rn2ozjz465rekXaGRZlbq3W60ZXOekZkmu/wOc0J9qHjxFeZubgxD0rmwe2jRuE5gycobrz rskE+4pFFJ5voaPvfWP4g==
X-UI-Out-Filterresults: notjunk:1;
Archived-At: http://mailarchive.ietf.org/arch/msg/websec/QwsxOHWGMts0qCTI0rIv2EKHS74
Subject: [websec] draft-ietf-websec-key-pinning-20 POST report format
X-BeenThere: websec@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/websec>, <mailto:websec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/websec/>
List-Post: <mailto:websec@ietf.org>
List-Help: <mailto:websec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/websec>, <mailto:websec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 26 Aug 2014 10:19:44 -0000

Hi there,

this is about 
<http://tools.ietf.org/html/draft-ietf-websec-key-pinning-20#section-3>.

1) I believe it would be good if the example actually showed the full 
POST request so that it contains the media type.

2) Speaking of which: I assume the media type is supposed to be 
application/json?

Also, this essentially introduces a mechanism by which the UA will 
automatically send an unsafe HTTP request (POST) to a server which might 
have a different origin than the server triggering this. Are we sure 
that this doesn't introduce a new exploit? Maybe it would be better to 
at least use a non-generic media type instead?

Best regards, Julian


From nobody Tue Aug 26 12:36:11 2014
Return-Path: <palmer@google.com>
X-Original-To: websec@ietfa.amsl.com
Delivered-To: websec@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A7D581A029C for <websec@ietfa.amsl.com>; Tue, 26 Aug 2014 12:36:08 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.047
X-Spam-Level: 
X-Spam-Status: No, score=-2.047 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FM_FORGED_GMAIL=0.622, RP_MATCHES_RCVD=-0.668, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id jKyBgm9wB26A for <websec@ietfa.amsl.com>; Tue, 26 Aug 2014 12:36:07 -0700 (PDT)
Received: from mail-qa0-x232.google.com (mail-qa0-x232.google.com [IPv6:2607:f8b0:400d:c00::232]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id EC59B1A0290 for <websec@ietf.org>; Tue, 26 Aug 2014 12:36:06 -0700 (PDT)
Received: by mail-qa0-f50.google.com with SMTP id s7so13984800qap.23 for <websec@ietf.org>; Tue, 26 Aug 2014 12:36:06 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=REdnzFdlFYJBSfIhcQMHVasBLAdHI2gbiC1r4vvoy3Y=; b=JSCTpTQgCuYuEwk7dOE/bQPlgZueGnUrMjWwKa/gY0gTSWK51pjXHFLdLrwHaTJlk9 1Rebc6T46oY3IBzz99KLlh1ccvKmojwX55EZIRLSj4tlR32TAcXf3CIuIuF4RUc6PUrA 7acpCM6q4rtnteKi1HFANEFJ1QKw+jzmOdf2HatsuGojB+5mTZYGy8zD9kgggo+aH89o STsQRUn2plzBsvKPU6c6JMxK46Zn50kLdu5j8viM7JPd4mSB4mkoSi89D72xeBhEazjn S3pTjbm/2Tb49h99j8wVn2TSE46YTo9KxmpzwnYubMv0fpRwhpGAjOPZu/W6QP/CdJb7 o/nA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:date :message-id:subject:from:to:cc:content-type; bh=REdnzFdlFYJBSfIhcQMHVasBLAdHI2gbiC1r4vvoy3Y=; b=GPVy1gTY/LrWp/WQjx70PgBLPtcbNbMRU02RnBOePnJ04ws2xC1QDV8HjmQkgb2Zpm v31WW1GRDK6YC3EoqJ2k3NzJq1hhY3GSMkQQzMZ+gJEfEuDD1kvwxVbJALPfasReIpSZ DXxeNwKCVl4wKsBzTkEdI1BmBJTIFDaMmvB71Jf/wStG3MuKNIx/rxX6QW9PQ8zLkKlA o53RvlRQQ104c71Rs8/c3sFEbNTG00G9oqqp72HoTCZ9gP991MIYs96aPHml4l7Xn8eO wvwhVG5C9aTq0jGOSWgNeorYcutEFuFxuVcqB472qTCjLCO0VxySHzlIdQIDFYIOrlq/ Tpzg==
X-Gm-Message-State: ALoCoQl0kC4TVb9W3PQmRloxbLTW17cdztXoCnQY3c4Kh9P29zAVuW9P46DcqwrSSuWceP0kSKGI
MIME-Version: 1.0
X-Received: by 10.224.137.65 with SMTP id v1mr49257166qat.53.1409081766114; Tue, 26 Aug 2014 12:36:06 -0700 (PDT)
Received: by 10.229.165.2 with HTTP; Tue, 26 Aug 2014 12:36:06 -0700 (PDT)
In-Reply-To: <CA+cU71k-pLD315dzfd_c74QM51c7V2VQkZ26PiXUTqntmESD=A@mail.gmail.com>
References: <BAY169-DS62B5941BF0A9024964BB0AEEE0@phx.gbl> <CACvaWvYHAmpX0f9_m-sckhWz9tcyWA-sxVR4vP-A5UcAQmnYXA@mail.gmail.com> <BAY169-DS45F1C5036AB09CA44D0BC7AEDF0@phx.gbl> <CA+cU71k-pLD315dzfd_c74QM51c7V2VQkZ26PiXUTqntmESD=A@mail.gmail.com>
Date: Tue, 26 Aug 2014 12:36:06 -0700
Message-ID: <CAOuvq20mZkScvPDKjsa1eZ6rdoHxf_+oF=gpaOcvkOTaYhyj6Q@mail.gmail.com>
From: Chris Palmer <palmer@google.com>
To: Tom Ritter <tom@ritter.vg>
Content-Type: text/plain; charset=UTF-8
Archived-At: http://mailarchive.ietf.org/arch/msg/websec/tyT6V9KZsst_nAOnQgaN6QNormw
Cc: "draft-ietf-websec-key-pinning@tools.ietf.org" <draft-ietf-websec-key-pinning@tools.ietf.org>, Eric Lawrence <ericlaw1979@hotmail.com>, IETF WebSec WG <websec@ietf.org>, Ryan Sleevi <sleevi@google.com>
Subject: Re: [websec] draft-ietf-websec-key-pinning
X-BeenThere: websec@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/websec>, <mailto:websec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/websec/>
List-Post: <mailto:websec@ietf.org>
List-Help: <mailto:websec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/websec>, <mailto:websec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 26 Aug 2014 19:36:08 -0000

On Mon, Aug 25, 2014 at 7:05 PM, Tom Ritter <tom@ritter.vg> wrote:

>>> No, PKP-RO is not meant to be cached. In this respect, it behaves similar
>>> to Content-Security-Policy's reporting mechanism.
>>
>> Ah, interesting. I'm curious why not? Is there no use-case for allowing
>> "report-only" pins to be persisted?
>
> I think there definitely are, and I and most organizations I advise
> would like that option.

What would they get from it that they would not get from just
consistently serving the PKP-RO header?


From nobody Tue Aug 26 13:34:12 2014
Return-Path: <tom@ritter.vg>
X-Original-To: websec@ietfa.amsl.com
Delivered-To: websec@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id F10971A8844 for <websec@ietfa.amsl.com>; Tue, 26 Aug 2014 13:34:11 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.379
X-Spam-Level: 
X-Spam-Status: No, score=-1.379 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FM_FORGED_GMAIL=0.622, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Az3ewrUWVQkV for <websec@ietfa.amsl.com>; Tue, 26 Aug 2014 13:34:11 -0700 (PDT)
Received: from mail-ig0-x233.google.com (mail-ig0-x233.google.com [IPv6:2607:f8b0:4001:c05::233]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 319F61A02F9 for <websec@ietf.org>; Tue, 26 Aug 2014 13:34:11 -0700 (PDT)
Received: by mail-ig0-f179.google.com with SMTP id h18so5126181igc.12 for <websec@ietf.org>; Tue, 26 Aug 2014 13:34:10 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ritter.vg; s=vg; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc:content-type; bh=n6x6otjO8bLoGindwyptSGsKL1iROZtmz0rr+KUL7+U=; b=zjNCgSdyGgrOi72WtROaU0I/auSYkv/kBRBLpZ9QFgHs4jG/av2OVT9uS7VKFqzk9v bdgdxrhqtkuckHlcRA+gtQTJ9re/7frhue/WXcwsBKQjKznDc4/uABNxoDniGCbEU24u Jhna7wm9tMEjrBjsOotWk9qOXUSm4jJDmAHUE=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc:content-type; bh=n6x6otjO8bLoGindwyptSGsKL1iROZtmz0rr+KUL7+U=; b=DU2HmtiBtW/2QwZvs+Fry+4lt7TPa6Ue1aJTCNj0EIfiCMCxlAzmIzUYPu4vh9/QxO 5yiWCN+j5xe7Z+CjDhowWIYskbyRZOUJ9SZvibDLDBc6erDdiXMkSQ8dMgRf36OOGd3l PhA8AoDsVB2BvJWvzFOwThF/vciT5ftJet3hDIWPnnGWM9TSMoMZVJdIc5/37wJS5m2u Es1aQ7//JEhUVoIaCBbYv9rMgEk8EIL/le9xtu2bWZEm3JLiiNn5AiQ5ns4ct0+HSt31 Yx2gxIW7MRXF30s2pvxdON1/rV2X0uNIiUNdROCj1yh6QBcryxiNY687U96rCSIxBqde g1JA==
X-Gm-Message-State: ALoCoQmEJfXKlK21IGEUynTlkLOYp8JgONd0XDLZ0E9CavwYschXloxiQ+NX31wCKOYaMpM3q9vJ
X-Received: by 10.50.117.106 with SMTP id kd10mr24841946igb.5.1409085250649; Tue, 26 Aug 2014 13:34:10 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.107.10.104 with HTTP; Tue, 26 Aug 2014 13:33:50 -0700 (PDT)
In-Reply-To: <CAOuvq20mZkScvPDKjsa1eZ6rdoHxf_+oF=gpaOcvkOTaYhyj6Q@mail.gmail.com>
References: <BAY169-DS62B5941BF0A9024964BB0AEEE0@phx.gbl> <CACvaWvYHAmpX0f9_m-sckhWz9tcyWA-sxVR4vP-A5UcAQmnYXA@mail.gmail.com> <BAY169-DS45F1C5036AB09CA44D0BC7AEDF0@phx.gbl> <CA+cU71k-pLD315dzfd_c74QM51c7V2VQkZ26PiXUTqntmESD=A@mail.gmail.com> <CAOuvq20mZkScvPDKjsa1eZ6rdoHxf_+oF=gpaOcvkOTaYhyj6Q@mail.gmail.com>
From: Tom Ritter <tom@ritter.vg>
Date: Tue, 26 Aug 2014 15:33:50 -0500
Message-ID: <CA+cU71mW47OvqRNTbw-H7u-F_k6hMv4xr0XcMYAS_V6eE8brwA@mail.gmail.com>
To: Chris Palmer <palmer@google.com>
Content-Type: text/plain; charset=ISO-8859-1
Archived-At: http://mailarchive.ietf.org/arch/msg/websec/VEm5ZzS0AZu-cGi7K5FFfXImy7A
Cc: "draft-ietf-websec-key-pinning@tools.ietf.org" <draft-ietf-websec-key-pinning@tools.ietf.org>, Eric Lawrence <ericlaw1979@hotmail.com>, IETF WebSec WG <websec@ietf.org>, Ryan Sleevi <sleevi@google.com>
Subject: Re: [websec] draft-ietf-websec-key-pinning
X-BeenThere: websec@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/websec>, <mailto:websec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/websec/>
List-Post: <mailto:websec@ietf.org>
List-Help: <mailto:websec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/websec>, <mailto:websec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 26 Aug 2014 20:34:12 -0000

On 26 August 2014 14:36, Chris Palmer <palmer@google.com> wrote:
> On Mon, Aug 25, 2014 at 7:05 PM, Tom Ritter <tom@ritter.vg> wrote:
>
>>>> No, PKP-RO is not meant to be cached. In this respect, it behaves similar
>>>> to Content-Security-Policy's reporting mechanism.
>>>
>>> Ah, interesting. I'm curious why not? Is there no use-case for allowing
>>> "report-only" pins to be persisted?
>>
>> I think there definitely are, and I and most organizations I advise
>> would like that option.
>
> What would they get from it that they would not get from just
> consistently serving the PKP-RO header?

Well the whole threat model of HPKP (without preloading) is an
attacker that can MITM some TLS connections, but not all of them,
right?  Requiring PKP-RO to be on every load would allow an attacker
to strip the header on the connections they MITM. Letting it be cached
allows an organization to put a max-age of 45 days on it, without the
risk of bricking their site if they aren't administratively competent.

Obviously an attacker can also block the reports from being sent, but
I'm hoping that the clause "In any case of report failure, the UA MAY
attempt to re-send the report later" will be considered in this case,
and that UAs will make an attempt at getting potentially blocked
reports out at a later date.

-tom


From nobody Tue Aug 26 13:51:29 2014
Return-Path: <palmer@google.com>
X-Original-To: websec@ietfa.amsl.com
Delivered-To: websec@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E7B201A887A for <websec@ietfa.amsl.com>; Tue, 26 Aug 2014 13:51:25 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.047
X-Spam-Level: 
X-Spam-Status: No, score=-2.047 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FM_FORGED_GMAIL=0.622, RP_MATCHES_RCVD=-0.668, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id SYWeysIZRgoU for <websec@ietfa.amsl.com>; Tue, 26 Aug 2014 13:51:24 -0700 (PDT)
Received: from mail-qg0-x22f.google.com (mail-qg0-x22f.google.com [IPv6:2607:f8b0:400d:c04::22f]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4E3511A883E for <websec@ietf.org>; Tue, 26 Aug 2014 13:51:24 -0700 (PDT)
Received: by mail-qg0-f47.google.com with SMTP id i50so15205325qgf.6 for <websec@ietf.org>; Tue, 26 Aug 2014 13:51:23 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=tQFde+fabl+F4ki6PdcGWWgQdht0SRn/SrJewJnmjC8=; b=XHFvdjKAF1eHPLJrbmTCofNOcWHTFGO1RCAXnigm5dvzIVZ07CnwZap3EXz39Y5QEU 3ciq0pB3blhQ1PUgdnnTriE+UhYBLbsI+Yub7DxRaa4QbZipyAiXqB8scDMas/zVEUaP DVQWcLbTFIdkWOUdaWaPAUATjr/kBOpgEt3uXUnhJH0n33+jpYNzqxs8Zl4quP9ndecF g/6QilLxje86tkVbewMBXfsxOgQnZWpVZaQi6o7M3RMK5gk5Bg1x1EnzweW+7bEKr4c0 STYiOed3JlGTN765CDeGOLUVNylXn22AkkGcIFXCr9mx2k6CEPgY6bsgKp2ie1TQVEbH JZ9A==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:date :message-id:subject:from:to:cc:content-type; bh=tQFde+fabl+F4ki6PdcGWWgQdht0SRn/SrJewJnmjC8=; b=HIUKZGp7Kr4iK3bJ7GyqtTxOxOTqy1m7MwKA5jYd2uyau9zAbWdMz+CmDdn5eZCo6q a082MtpEsnd6scjGucNTlkwcNK9U8LhaCn60sH035vwcLdZdYAmBxvuo0278ne7d4+2S 6f9cjRzqWPOWVmBseExdThv25LOrFJkOQxG4Su90B6qNMhzmICyTVNjudZ9HfcxBsQv0 sTnh3K0U8WZck9bc4VtugoGbqXXT10raC7pJhevRbf/4EDHjQaxpVYJACt0/npVXAsM8 ZEwetQZ8aRLxgmyHBxkSX5SRerVniDjE+spgrJEWICLLFS5en+HLsDtyl90TUcu/WvVT oXcw==
X-Gm-Message-State: ALoCoQlceoff9+Q1sc8kQAeqiefY9bjx69ICY17xeFs0SEFm6qoYPzZl3lA1yfycnHj/SkF426va
MIME-Version: 1.0
X-Received: by 10.140.47.80 with SMTP id l74mr47448469qga.24.1409086283387; Tue, 26 Aug 2014 13:51:23 -0700 (PDT)
Received: by 10.229.165.2 with HTTP; Tue, 26 Aug 2014 13:51:23 -0700 (PDT)
In-Reply-To: <CA+cU71mW47OvqRNTbw-H7u-F_k6hMv4xr0XcMYAS_V6eE8brwA@mail.gmail.com>
References: <BAY169-DS62B5941BF0A9024964BB0AEEE0@phx.gbl> <CACvaWvYHAmpX0f9_m-sckhWz9tcyWA-sxVR4vP-A5UcAQmnYXA@mail.gmail.com> <BAY169-DS45F1C5036AB09CA44D0BC7AEDF0@phx.gbl> <CA+cU71k-pLD315dzfd_c74QM51c7V2VQkZ26PiXUTqntmESD=A@mail.gmail.com> <CAOuvq20mZkScvPDKjsa1eZ6rdoHxf_+oF=gpaOcvkOTaYhyj6Q@mail.gmail.com> <CA+cU71mW47OvqRNTbw-H7u-F_k6hMv4xr0XcMYAS_V6eE8brwA@mail.gmail.com>
Date: Tue, 26 Aug 2014 13:51:23 -0700
Message-ID: <CAOuvq20C+T9Ejf_KUsfPRtUWL7ggCF0UWJZkGr5xGBEkERXeRQ@mail.gmail.com>
From: Chris Palmer <palmer@google.com>
To: Tom Ritter <tom@ritter.vg>
Content-Type: text/plain; charset=UTF-8
Archived-At: http://mailarchive.ietf.org/arch/msg/websec/3tDgkBaQpTKNalgiwonwpI3kMGQ
Cc: "draft-ietf-websec-key-pinning@tools.ietf.org" <draft-ietf-websec-key-pinning@tools.ietf.org>, Eric Lawrence <ericlaw1979@hotmail.com>, IETF WebSec WG <websec@ietf.org>, Ryan Sleevi <sleevi@google.com>
Subject: Re: [websec] draft-ietf-websec-key-pinning
X-BeenThere: websec@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/websec>, <mailto:websec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/websec/>
List-Post: <mailto:websec@ietf.org>
List-Help: <mailto:websec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/websec>, <mailto:websec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 26 Aug 2014 20:51:26 -0000

On Tue, Aug 26, 2014 at 1:33 PM, Tom Ritter <tom@ritter.vg> wrote:

> Well the whole threat model of HPKP (without preloading) is an
> attacker that can MITM some TLS connections, but not all of them,
> right?

"""By effectively reducing the number of authorities who can
authenticate the domain during the lifetime of the pin, pinning may
reduce the incidence of man-in-the-middle attacks due to compromised
Certification Authorities."""

The threat model is that The Alice Foundation wants to trust only
Trents 1, 4, and 9, and no other Trents, to vouch for her identity.
That way, if Trent 6 mis-issues for The Alice Foundation, Mallory
cannot make use of the mis-issued certificate in an attack.

But, yes, Mallory can still attack CarolCorp, if CarolCorp does not
use pinning or pins to Trent 6.

> Requiring PKP-RO to be on every load would allow an attacker
> to strip the header on the connections they MITM.

Only if The Alice Foundation did not also use a regular PKP header.

> Letting it be cached
> allows an organization to put a max-age of 45 days on it, without the
> risk of bricking their site if they aren't administratively competent.
>
> Obviously an attacker can also block the reports from being sent, but
> I'm hoping that the clause "In any case of report failure, the UA MAY
> attempt to re-send the report later" will be considered in this case,
> and that UAs will make an attempt at getting potentially blocked
> reports out at a later date.

Yeah, sort of. But don't think of PKP-RO as a defense against attacks,
even if it might sometimes have that secondary benefit. It is
primarily a debugging aid for The Alice Foundation and BobCorp to get
PKP working. ("What all Trents do we need to trust, anyway?")


From nobody Tue Aug 26 14:04:35 2014
Return-Path: <palmer@google.com>
X-Original-To: websec@ietfa.amsl.com
Delivered-To: websec@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 26BD11A87A3 for <websec@ietfa.amsl.com>; Tue, 26 Aug 2014 14:04:34 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.047
X-Spam-Level: 
X-Spam-Status: No, score=-2.047 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FM_FORGED_GMAIL=0.622, RP_MATCHES_RCVD=-0.668, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id mCrBgvfkbbH9 for <websec@ietfa.amsl.com>; Tue, 26 Aug 2014 14:04:33 -0700 (PDT)
Received: from mail-qg0-x230.google.com (mail-qg0-x230.google.com [IPv6:2607:f8b0:400d:c04::230]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 10DA61A032F for <websec@ietf.org>; Tue, 26 Aug 2014 14:04:32 -0700 (PDT)
Received: by mail-qg0-f48.google.com with SMTP id i50so15358622qgf.21 for <websec@ietf.org>; Tue, 26 Aug 2014 14:04:32 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=48siO3FRubaR2RvqOXX7XIIXLK1EBSusmkh9DAbmRLk=; b=Dn07bM6hM4gRMUbnZ82huIzq7av4mP5AM8sCDQqpo4anX2z4BshdL3EOFUEiPYzUhr eJiCJ3zDu3rtrm+dn9BtzNP56ZLMpVvhwx7OWB3W4cr9698HpmUmSTzUcZ//X8EpYTYY kRWPicB/WyyicSfjhlq1vrqmJIfPo3eHLlokY15KOGJwaz3GZJxSC2x8e7K4SLRq+WlI sZ99Lo90woBeTljQi0kBSDEVW+Cts2EKsy9PbokYNxD8FAt3gtYltP4b1mlbo2C3A5BP LcGZYBW6CabP1DkPFuCdvkGwKn7joqcbLXYSgRqge5ycM4FTixO/8LB3WImmPYRswfpi roTQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:date :message-id:subject:from:to:cc:content-type; bh=48siO3FRubaR2RvqOXX7XIIXLK1EBSusmkh9DAbmRLk=; b=NgNkGKOJRWQfhqW+AVfhVYbZ8lNdt6Ki0iu6gvi1VVeys3Ag6qv4U2+fc4xhlVhtDE 3GQZTKbjMfk2MKjnlyo4KPYib6HlyHtvxsKs4GMpAyLQGiYajPBHWLjmD/aBt/KqCq1H n+cJCZHWCwE+QAuDAzlzUKUsujk5AjbEUZSIu+xQHzzubyQ8jKFvlzHm/0LWSR6DtN0F dnlqwmM8p9383xsqnSo3FkirhDvg3p37fhI2hAK9Q7Mtm3NFShtnXSl7y9cM//p0U7HU 5osiqFSCb7w2YJCyAgbRBGwUgxYpEl7rDg704pqs1GVfQbrNvkHSlq9SuNZW2EdvdGDq FBQQ==
X-Gm-Message-State: ALoCoQmBQ5Aycf20zdkPuNvl2cZuX/6dJw8m7Y7LM1IARsQNbuleNgY4k1Qb1zPCea4o9qT6BkIH
MIME-Version: 1.0
X-Received: by 10.224.114.136 with SMTP id e8mr36016689qaq.67.1409087072180; Tue, 26 Aug 2014 14:04:32 -0700 (PDT)
Received: by 10.229.165.2 with HTTP; Tue, 26 Aug 2014 14:04:32 -0700 (PDT)
In-Reply-To: <BAY169-DS45D73636AA204DEEABC876AEDC0@phx.gbl>
References: <BAY169-DS62B5941BF0A9024964BB0AEEE0@phx.gbl> <CACvaWvYHAmpX0f9_m-sckhWz9tcyWA-sxVR4vP-A5UcAQmnYXA@mail.gmail.com> <BAY169-DS45F1C5036AB09CA44D0BC7AEDF0@phx.gbl> <CA+cU71k-pLD315dzfd_c74QM51c7V2VQkZ26PiXUTqntmESD=A@mail.gmail.com> <CAOuvq20mZkScvPDKjsa1eZ6rdoHxf_+oF=gpaOcvkOTaYhyj6Q@mail.gmail.com> <CA+cU71mW47OvqRNTbw-H7u-F_k6hMv4xr0XcMYAS_V6eE8brwA@mail.gmail.com> <CAOuvq20C+T9Ejf_KUsfPRtUWL7ggCF0UWJZkGr5xGBEkERXeRQ@mail.gmail.com> <BAY169-DS45D73636AA204DEEABC876AEDC0@phx.gbl>
Date: Tue, 26 Aug 2014 14:04:32 -0700
Message-ID: <CAOuvq20kCKk=jcXsy_d8C-4Fn-f0zshP6YUPn5N8hsKt7KO7dw@mail.gmail.com>
From: Chris Palmer <palmer@google.com>
To: Eric Lawrence <ericlaw1979@hotmail.com>
Content-Type: text/plain; charset=UTF-8
Archived-At: http://mailarchive.ietf.org/arch/msg/websec/YjGftaAT97VBUFWDMDGjwL6HRFM
Cc: "draft-ietf-websec-key-pinning@tools.ietf.org" <draft-ietf-websec-key-pinning@tools.ietf.org>, IETF WebSec WG <websec@ietf.org>, Ryan Sleevi <sleevi@google.com>
Subject: Re: [websec] draft-ietf-websec-key-pinning
X-BeenThere: websec@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/websec>, <mailto:websec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/websec/>
List-Post: <mailto:websec@ietf.org>
List-Help: <mailto:websec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/websec>, <mailto:websec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 26 Aug 2014 21:04:34 -0000

On Tue, Aug 26, 2014 at 1:58 PM, Eric Lawrence <ericlaw1979@hotmail.com> wrote:

> As a site operator, I'd think of PKP-RO as a debugging aid more along the
> lines of: "If I turn this thing on, will anything break for anyone?"
>
> If PKP-RO doesn't have the same semantics as PKP, its utility for answering
> that question declines.

PKP-RO has the same semantics as PKP, at the time of Pin Validation,
which is what matters.


From nobody Tue Aug 26 14:07:23 2014
Return-Path: <tom@ritter.vg>
X-Original-To: websec@ietfa.amsl.com
Delivered-To: websec@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6FB901A8876 for <websec@ietfa.amsl.com>; Tue, 26 Aug 2014 14:07:16 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.021
X-Spam-Level: 
X-Spam-Status: No, score=0.021 tagged_above=-999 required=5 tests=[BAYES_05=-0.5, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FM_FORGED_GMAIL=0.622, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 1-L-Ch_8iyhU for <websec@ietfa.amsl.com>; Tue, 26 Aug 2014 14:07:15 -0700 (PDT)
Received: from mail-ig0-x22f.google.com (mail-ig0-x22f.google.com [IPv6:2607:f8b0:4001:c05::22f]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1DD391A8866 for <websec@ietf.org>; Tue, 26 Aug 2014 14:07:15 -0700 (PDT)
Received: by mail-ig0-f175.google.com with SMTP id uq10so5208599igb.14 for <websec@ietf.org>; Tue, 26 Aug 2014 14:07:14 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ritter.vg; s=vg; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc:content-type; bh=Tzq3stZtDNyPpkGtFcbv/09RL7K1RxzIdplqdnmt3lk=; b=5LxnOlBJ4Q+SLqXRzX7gBpN+vdRJJL9bsmqtSw9fO1FGZkLyO1mC+APbSu5I7m+jxr QJIs8HN64SPeGy7wvQARvIdNnC1Kkv9VZFI3pbftLiKFeKcsYTu1G/8R79mVpZGI66uo fn6wZLBiSEJzMCyzew6PkoUnlxBrikcm3CLjM=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc:content-type; bh=Tzq3stZtDNyPpkGtFcbv/09RL7K1RxzIdplqdnmt3lk=; b=NEmO2W5WCVSw17YyeAj1T9u+MBV4n0GpWyBmdyhzWAkvewqYpeN3O/MyklujLVCY4U Ss4dhu4qPWP5/xXtnA6xIpNX71B5D+iHOZwDrHerhiNp2okkguhJTxOik6waWyvPrC4y f/1VYvn6+KvrnTVq9eVjhE+Una3/RL3JzeUkayMpO10oD4QFYxMow/0o8jeXzZxqAnpP FGf7DYplO7ULYLQzPu4QRuUdF2/ErrOdS2r2myRJtipJeqm/Jb1b5+V51DO01gcGPcA8 sTkjsdjzLMrTs6voxNnNn8+GxIS0NlEt1Am/AiMJIzNauzExQK1oF9YQ02T0Apg6k0Dn nz1w==
X-Gm-Message-State: ALoCoQmMYLOoZaNTLIl0kET6S2s70DhaegZe8f1nstDvM4qOJcwhn99WnDrk0SJ8HC66sNjMKrEZ
X-Received: by 10.42.212.146 with SMTP id gs18mr2821475icb.96.1409087234524; Tue, 26 Aug 2014 14:07:14 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.107.10.104 with HTTP; Tue, 26 Aug 2014 14:06:54 -0700 (PDT)
In-Reply-To: <CAOuvq20C+T9Ejf_KUsfPRtUWL7ggCF0UWJZkGr5xGBEkERXeRQ@mail.gmail.com>
References: <BAY169-DS62B5941BF0A9024964BB0AEEE0@phx.gbl> <CACvaWvYHAmpX0f9_m-sckhWz9tcyWA-sxVR4vP-A5UcAQmnYXA@mail.gmail.com> <BAY169-DS45F1C5036AB09CA44D0BC7AEDF0@phx.gbl> <CA+cU71k-pLD315dzfd_c74QM51c7V2VQkZ26PiXUTqntmESD=A@mail.gmail.com> <CAOuvq20mZkScvPDKjsa1eZ6rdoHxf_+oF=gpaOcvkOTaYhyj6Q@mail.gmail.com> <CA+cU71mW47OvqRNTbw-H7u-F_k6hMv4xr0XcMYAS_V6eE8brwA@mail.gmail.com> <CAOuvq20C+T9Ejf_KUsfPRtUWL7ggCF0UWJZkGr5xGBEkERXeRQ@mail.gmail.com>
From: Tom Ritter <tom@ritter.vg>
Date: Tue, 26 Aug 2014 16:06:54 -0500
Message-ID: <CA+cU71kitObiZM2Lpc1c8f7waY5u2c5YW787w4xqpJNpbc3ENg@mail.gmail.com>
To: Chris Palmer <palmer@google.com>
Content-Type: text/plain; charset=ISO-8859-1
Archived-At: http://mailarchive.ietf.org/arch/msg/websec/XdTQc8HirPUgGA2FEm6aCjgVAuk
Cc: "draft-ietf-websec-key-pinning@tools.ietf.org" <draft-ietf-websec-key-pinning@tools.ietf.org>, Eric Lawrence <ericlaw1979@hotmail.com>, IETF WebSec WG <websec@ietf.org>, Ryan Sleevi <sleevi@google.com>
Subject: Re: [websec] draft-ietf-websec-key-pinning
X-BeenThere: websec@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/websec>, <mailto:websec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/websec/>
List-Post: <mailto:websec@ietf.org>
List-Help: <mailto:websec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/websec>, <mailto:websec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 26 Aug 2014 21:07:17 -0000

On 26 August 2014 15:51, Chris Palmer <palmer@google.com> wrote:
>> Requiring PKP-RO to be on every load would allow an attacker
>> to strip the header on the connections they MITM.
>
> Only if The Alice Foundation did not also use a regular PKP header.

Correct.

>> Letting it be cached
>> allows an organization to put a max-age of 45 days on it, without the
>> risk of bricking their site if they aren't administratively competent.
>>
>> Obviously an attacker can also block the reports from being sent, but
>> I'm hoping that the clause "In any case of report failure, the UA MAY
>> attempt to re-send the report later" will be considered in this case,
>> and that UAs will make an attempt at getting potentially blocked
>> reports out at a later date.
>
> Yeah, sort of. But don't think of PKP-RO as a defense against attacks,
> even if it might sometimes have that secondary benefit. It is
> primarily a debugging aid for The Alice Foundation and BobCorp to get
> PKP working. ("What all Trents do we need to trust, anyway?")

I'm not going to put words in your mouth, because different authors
have different opinions about things, but I will quote from another:

> Ryan Sleevi wrote (http://lists.w3.org/Archives/Public/public-webcrypto-comments/2013Feb/0001.html)
>> I wrote:
>> 1. A large site that is commonly proxies by corporate and malicious
>> actors wishes to monitor how common this is done.  They place
>> javascript bindings in their code to view the user's certificate and
>> report the observed value.
>> Note this use case has already been performed by Facebook, who had to
>> resort to Flash to do so, because javascript did not provide the
>> functionality.
>
>Use report-uri with HPKP, in report-only mode

I don't consider PKP-RO as a defense, but as an attempt at detection
of attacks, with no risk of breaking your site.  It is extraordinarily
useful to be notified of attacks against your users, even if they are
not prevented. They help you understand where you should invest time
and money.

The foot-gun potential is very high with HPKP, we all know that.  It's
high enough to the point that many organizations, who have someone
maintaining a website part time (or outsource it) may forgoe PKP
entirely because it makes them nervous - but they would be happy to
deploy a no-risk PKP-RO.  But the benefit of doing so if it is not
being cached is extraordinarily low, to the point it's probably not
worth doing.

-tom


From nobody Tue Aug 26 14:07:43 2014
Return-Path: <ericlaw1979@hotmail.com>
X-Original-To: websec@ietfa.amsl.com
Delivered-To: websec@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B8A5B1A87DF for <websec@ietfa.amsl.com>; Tue, 26 Aug 2014 13:58:59 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.821
X-Spam-Level: 
X-Spam-Status: No, score=0.821 tagged_above=-999 required=5 tests=[BAYES_50=0.8, FREEMAIL_ENVFROM_END_DIGIT=0.25, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RP_MATCHES_RCVD=-0.668, SPF_PASS=-0.001, STOX_REPLY_TYPE=0.439] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id RqNRCHuhOaNm for <websec@ietfa.amsl.com>; Tue, 26 Aug 2014 13:58:55 -0700 (PDT)
Received: from BAY004-OMC1S18.hotmail.com (bay004-omc1s18.hotmail.com [65.54.190.29]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 32FEE1A87E9 for <websec@ietf.org>; Tue, 26 Aug 2014 13:58:55 -0700 (PDT)
Received: from BAY169-DS45 ([65.54.190.60]) by BAY004-OMC1S18.hotmail.com over TLS secured channel with Microsoft SMTPSVC(7.5.7601.22712);  Tue, 26 Aug 2014 13:58:54 -0700
X-TMN: [ZnhUthzGYad+LSjMgB96LkXH0ryqQmlC]
X-Originating-Email: [ericlaw1979@hotmail.com]
Message-ID: <BAY169-DS45D73636AA204DEEABC876AEDC0@phx.gbl>
From: "Eric Lawrence" <ericlaw1979@hotmail.com>
To: "Chris Palmer" <palmer@google.com>, "Tom Ritter" <tom@ritter.vg>
References: <BAY169-DS62B5941BF0A9024964BB0AEEE0@phx.gbl><CACvaWvYHAmpX0f9_m-sckhWz9tcyWA-sxVR4vP-A5UcAQmnYXA@mail.gmail.com><BAY169-DS45F1C5036AB09CA44D0BC7AEDF0@phx.gbl><CA+cU71k-pLD315dzfd_c74QM51c7V2VQkZ26PiXUTqntmESD=A@mail.gmail.com><CAOuvq20mZkScvPDKjsa1eZ6rdoHxf_+oF=gpaOcvkOTaYhyj6Q@mail.gmail.com><CA+cU71mW47OvqRNTbw-H7u-F_k6hMv4xr0XcMYAS_V6eE8brwA@mail.gmail.com> <CAOuvq20C+T9Ejf_KUsfPRtUWL7ggCF0UWJZkGr5xGBEkERXeRQ@mail.gmail.com>
In-Reply-To: <CAOuvq20C+T9Ejf_KUsfPRtUWL7ggCF0UWJZkGr5xGBEkERXeRQ@mail.gmail.com>
Date: Tue, 26 Aug 2014 15:58:54 -0500
MIME-Version: 1.0
Content-Type: text/plain; format=flowed; charset="UTF-8"; reply-type=original
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
Importance: Normal
X-Mailer: Microsoft Windows Live Mail 16.4.3528.331
X-MimeOLE: Produced By Microsoft MimeOLE V16.4.3528.331
X-OriginalArrivalTime: 26 Aug 2014 20:58:54.0921 (UTC) FILETIME=[8C2BC390:01CFC170]
Archived-At: http://mailarchive.ietf.org/arch/msg/websec/kIyAtYpIh3Ngdi8Fe_F6iZPMvDg
X-Mailman-Approved-At: Tue, 26 Aug 2014 14:07:37 -0700
Cc: draft-ietf-websec-key-pinning@tools.ietf.org, IETF WebSec WG <websec@ietf.org>, Ryan Sleevi <sleevi@google.com>
Subject: Re: [websec] draft-ietf-websec-key-pinning
X-BeenThere: websec@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/websec>, <mailto:websec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/websec/>
List-Post: <mailto:websec@ietf.org>
List-Help: <mailto:websec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/websec>, <mailto:websec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 26 Aug 2014 20:59:00 -0000

> primarily a debugging aid for The Alice Foundation and BobCorp to get
> PKP working. ("What all Trents do we need to trust, anyway?")

As a site operator, I'd think of PKP-RO as a debugging aid more along the 
lines of: "If I turn this thing on, will anything break for anyone?"

If PKP-RO doesn't have the same semantics as PKP, its utility for answering 
that question declines.

-Eric

-----Original Message----- 
From: Chris Palmer
Sent: Tuesday, August 26, 2014 3:51 PM
To: Tom Ritter
Cc: Eric Lawrence ; draft-ietf-websec-key-pinning@tools.ietf.org ; IETF 
WebSec WG ; Ryan Sleevi
Subject: Re: [websec] draft-ietf-websec-key-pinning

On Tue, Aug 26, 2014 at 1:33 PM, Tom Ritter <tom@ritter.vg> wrote:

> Well the whole threat model of HPKP (without preloading) is an
> attacker that can MITM some TLS connections, but not all of them,
> right?

"""By effectively reducing the number of authorities who can
authenticate the domain during the lifetime of the pin, pinning may
reduce the incidence of man-in-the-middle attacks due to compromised
Certification Authorities."""

The threat model is that The Alice Foundation wants to trust only
Trents 1, 4, and 9, and no other Trents, to vouch for her identity.
That way, if Trent 6 mis-issues for The Alice Foundation, Mallory
cannot make use of the mis-issued certificate in an attack.

But, yes, Mallory can still attack CarolCorp, if CarolCorp does not
use pinning or pins to Trent 6.

> Requiring PKP-RO to be on every load would allow an attacker
> to strip the header on the connections they MITM.

Only if The Alice Foundation did not also use a regular PKP header.

> Letting it be cached
> allows an organization to put a max-age of 45 days on it, without the
> risk of bricking their site if they aren't administratively competent.
>
> Obviously an attacker can also block the reports from being sent, but
> I'm hoping that the clause "In any case of report failure, the UA MAY
> attempt to re-send the report later" will be considered in this case,
> and that UAs will make an attempt at getting potentially blocked
> reports out at a later date.

Yeah, sort of. But don't think of PKP-RO as a defense against attacks,
even if it might sometimes have that secondary benefit. It is
primarily a debugging aid for The Alice Foundation and BobCorp to get
PKP working. ("What all Trents do we need to trust, anyway?") 


From nobody Tue Aug 26 14:19:03 2014
Return-Path: <sleevi@google.com>
X-Original-To: websec@ietfa.amsl.com
Delivered-To: websec@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 680171A033C for <websec@ietfa.amsl.com>; Tue, 26 Aug 2014 14:12:40 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.046
X-Spam-Level: 
X-Spam-Status: No, score=-2.046 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, RP_MATCHES_RCVD=-0.668, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id VB294hJtpc_V for <websec@ietfa.amsl.com>; Tue, 26 Aug 2014 14:12:37 -0700 (PDT)
Received: from mail-yh0-x231.google.com (mail-yh0-x231.google.com [IPv6:2607:f8b0:4002:c01::231]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id F3FC11A87C8 for <websec@ietf.org>; Tue, 26 Aug 2014 14:12:36 -0700 (PDT)
Received: by mail-yh0-f49.google.com with SMTP id b6so12456144yha.8 for <websec@ietf.org>; Tue, 26 Aug 2014 14:12:36 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=wwPlsrNdPOA/R60kvrbG9iyAJHRCW+ZHaAg3TSFP9yo=; b=c0i557z1jMWCQoGAEQ3THCMV37DZPgwgVyXt6ic6rLF+0YSACkcMQwYArZs7deekPd Agy0V0q6zPUV9jp7uDH7c40oliN9JUGvilWeKyu7eh/zZNNz4UL7oUmfcJH5BKDpLVhp 1fJPx8D5VpLlqQGlfgVde3tNbjzKcnWQKK1ZN4WLo2VrMn2nps6CsrF/dp3N+vBdgiIH yWZ21HomIe34xoW+MgiMVBIZrT4Gp8i8Q/Vp1vTj/d2ZKqEJZ+01ajv336PZ7S+D+D1a JaNxRGLnSP+FR3hyvU3dAjDPAO6MstA3hlF6dxOR8e6pek0O4itk5ugGBMIHqM9XSRZm AKFw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:date :message-id:subject:from:to:cc:content-type; bh=wwPlsrNdPOA/R60kvrbG9iyAJHRCW+ZHaAg3TSFP9yo=; b=hW3v65JJN08+M8DJfoMSmeIPinsiJ0JeAV1jIPcFBZPYJTPs6Jz28Q1JkmELYEj0mP Vgs3zVYAM7cWwDMYpEFHMmboMmpdwfFFH5rrDBj8m2GuVGt8hrqZIgci2ZqV44Y7o8iO X99T3g/s3/YxJLGnop+FWCAOYelFxVjhLfjkfYR9hZXXLUVm5EavMMEa+bepXWtoK+JM Wv/fJRtPAg3ELqVOXU0r7w/iOEx9X4hr4/JI6EOKm4C4mLFd9Ab1LGgyZHa8SgPgl0CP pw1CSL7iu12H37nBwh086UKXZCWisbpZ+tFnTGUrCxfSHCr2y9i7uZk8WkLyXIYoDgOt Ab4A==
X-Gm-Message-State: ALoCoQnvE/oby+MuxGJupMf/naptIbkdawBiGzU/Po5JNPcQpCFFJoQP+wcq6313XFfWAKkkBvLo
MIME-Version: 1.0
X-Received: by 10.220.250.142 with SMTP id mo14mr13906408vcb.26.1409087556187;  Tue, 26 Aug 2014 14:12:36 -0700 (PDT)
Received: by 10.52.119.178 with HTTP; Tue, 26 Aug 2014 14:12:36 -0700 (PDT)
In-Reply-To: <CA+cU71kitObiZM2Lpc1c8f7waY5u2c5YW787w4xqpJNpbc3ENg@mail.gmail.com>
References: <BAY169-DS62B5941BF0A9024964BB0AEEE0@phx.gbl> <CACvaWvYHAmpX0f9_m-sckhWz9tcyWA-sxVR4vP-A5UcAQmnYXA@mail.gmail.com> <BAY169-DS45F1C5036AB09CA44D0BC7AEDF0@phx.gbl> <CA+cU71k-pLD315dzfd_c74QM51c7V2VQkZ26PiXUTqntmESD=A@mail.gmail.com> <CAOuvq20mZkScvPDKjsa1eZ6rdoHxf_+oF=gpaOcvkOTaYhyj6Q@mail.gmail.com> <CA+cU71mW47OvqRNTbw-H7u-F_k6hMv4xr0XcMYAS_V6eE8brwA@mail.gmail.com> <CAOuvq20C+T9Ejf_KUsfPRtUWL7ggCF0UWJZkGr5xGBEkERXeRQ@mail.gmail.com> <CA+cU71kitObiZM2Lpc1c8f7waY5u2c5YW787w4xqpJNpbc3ENg@mail.gmail.com>
Date: Tue, 26 Aug 2014 14:12:36 -0700
Message-ID: <CACvaWvYdxoLNx9_+fAETUF-VMqN-paz1JBDzym7P9Kwzkcff7w@mail.gmail.com>
From: Ryan Sleevi <sleevi@google.com>
To: Tom Ritter <tom@ritter.vg>
Content-Type: multipart/alternative; boundary=089e013cba223e9eae05018ec3d5
Archived-At: http://mailarchive.ietf.org/arch/msg/websec/YN9_HZKqdNpcSza2_cAY2sgRASo
X-Mailman-Approved-At: Tue, 26 Aug 2014 14:18:31 -0700
Cc: "draft-ietf-websec-key-pinning@tools.ietf.org" <draft-ietf-websec-key-pinning@tools.ietf.org>, Eric Lawrence <ericlaw1979@hotmail.com>, IETF WebSec WG <websec@ietf.org>
Subject: Re: [websec] draft-ietf-websec-key-pinning
X-BeenThere: websec@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/websec>, <mailto:websec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/websec/>
List-Post: <mailto:websec@ietf.org>
List-Help: <mailto:websec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/websec>, <mailto:websec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 26 Aug 2014 21:12:40 -0000

--089e013cba223e9eae05018ec3d5
Content-Type: text/plain; charset=UTF-8

On Tue, Aug 26, 2014 at 2:06 PM, Tom Ritter <tom@ritter.vg> wrote:

> On 26 August 2014 15:51, Chris Palmer <palmer@google.com> wrote:
> >> Requiring PKP-RO to be on every load would allow an attacker
> >> to strip the header on the connections they MITM.
> >
> > Only if The Alice Foundation did not also use a regular PKP header.
>
> Correct.
>
> >> Letting it be cached
> >> allows an organization to put a max-age of 45 days on it, without the
> >> risk of bricking their site if they aren't administratively competent.
> >>
> >> Obviously an attacker can also block the reports from being sent, but
> >> I'm hoping that the clause "In any case of report failure, the UA MAY
> >> attempt to re-send the report later" will be considered in this case,
> >> and that UAs will make an attempt at getting potentially blocked
> >> reports out at a later date.
> >
> > Yeah, sort of. But don't think of PKP-RO as a defense against attacks,
> > even if it might sometimes have that secondary benefit. It is
> > primarily a debugging aid for The Alice Foundation and BobCorp to get
> > PKP working. ("What all Trents do we need to trust, anyway?")
>
> I'm not going to put words in your mouth, because different authors
> have different opinions about things, but I will quote from another:
>
> > Ryan Sleevi wrote (
> http://lists.w3.org/Archives/Public/public-webcrypto-comments/2013Feb/0001.html
> )
> >> I wrote:
> >> 1. A large site that is commonly proxies by corporate and malicious
> >> actors wishes to monitor how common this is done.  They place
> >> javascript bindings in their code to view the user's certificate and
> >> report the observed value.
> >> Note this use case has already been performed by Facebook, who had to
> >> resort to Flash to do so, because javascript did not provide the
> >> functionality.
> >
> >Use report-uri with HPKP, in report-only mode
>
> I don't consider PKP-RO as a defense, but as an attempt at detection
> of attacks, with no risk of breaking your site.  It is extraordinarily
> useful to be notified of attacks against your users, even if they are
> not prevented. They help you understand where you should invest time
> and money.
>

To be clear, I absolutely agree with Chris. You cannot and should not be
seeing PKP-RO as a security mechanism.

Contextually, this also lacks the significant discussion of enterprise
policy and the like. As noted in the spec, UAs MAY disable Pin Validation
according to policy - such as locally trusted authorities, such as
corporate proxies or malicious actors.


>
> The foot-gun potential is very high with HPKP, we all know that.  It's
> high enough to the point that many organizations, who have someone
> maintaining a website part time (or outsource it) may forgoe PKP
> entirely because it makes them nervous - but they would be happy to
> deploy a no-risk PKP-RO.  But the benefit of doing so if it is not
> being cached is extraordinarily low, to the point it's probably not
> worth doing.
>
> -tom
>

--089e013cba223e9eae05018ec3d5
Content-Type: text/html; charset=UTF-8
Content-Transfer-Encoding: quoted-printable

<div dir=3D"ltr"><br><div class=3D"gmail_extra"><br><br><div class=3D"gmail=
_quote">On Tue, Aug 26, 2014 at 2:06 PM, Tom Ritter <span dir=3D"ltr">&lt;<=
a href=3D"mailto:tom@ritter.vg" target=3D"_blank">tom@ritter.vg</a>&gt;</sp=
an> wrote:<br>
<blockquote class=3D"gmail_quote" style=3D"margin:0 0 0 .8ex;border-left:1p=
x #ccc solid;padding-left:1ex"><div class=3D"">On 26 August 2014 15:51, Chr=
is Palmer &lt;<a href=3D"mailto:palmer@google.com">palmer@google.com</a>&gt=
; wrote:<br>

&gt;&gt; Requiring PKP-RO to be on every load would allow an attacker<br>
&gt;&gt; to strip the header on the connections they MITM.<br>
&gt;<br>
&gt; Only if The Alice Foundation did not also use a regular PKP header.<br=
>
<br>
</div>Correct.<br>
<div class=3D""><br>
&gt;&gt; Letting it be cached<br>
&gt;&gt; allows an organization to put a max-age of 45 days on it, without =
the<br>
&gt;&gt; risk of bricking their site if they aren&#39;t administratively co=
mpetent.<br>
&gt;&gt;<br>
&gt;&gt; Obviously an attacker can also block the reports from being sent, =
but<br>
&gt;&gt; I&#39;m hoping that the clause &quot;In any case of report failure=
, the UA MAY<br>
&gt;&gt; attempt to re-send the report later&quot; will be considered in th=
is case,<br>
&gt;&gt; and that UAs will make an attempt at getting potentially blocked<b=
r>
&gt;&gt; reports out at a later date.<br>
&gt;<br>
&gt; Yeah, sort of. But don&#39;t think of PKP-RO as a defense against atta=
cks,<br>
&gt; even if it might sometimes have that secondary benefit. It is<br>
&gt; primarily a debugging aid for The Alice Foundation and BobCorp to get<=
br>
&gt; PKP working. (&quot;What all Trents do we need to trust, anyway?&quot;=
)<br>
<br>
</div>I&#39;m not going to put words in your mouth, because different autho=
rs<br>
have different opinions about things, but I will quote from another:<br>
<br>
&gt; Ryan Sleevi wrote (<a href=3D"http://lists.w3.org/Archives/Public/publ=
ic-webcrypto-comments/2013Feb/0001.html" target=3D"_blank">http://lists.w3.=
org/Archives/Public/public-webcrypto-comments/2013Feb/0001.html</a>)<br>
&gt;&gt; I wrote:<br>
&gt;&gt; 1. A large site that is commonly proxies by corporate and maliciou=
s<br>
&gt;&gt; actors wishes to monitor how common this is done.=C2=A0 They place=
<br>
&gt;&gt; javascript bindings in their code to view the user&#39;s certifica=
te and<br>
&gt;&gt; report the observed value.<br>
&gt;&gt; Note this use case has already been performed by Facebook, who had=
 to<br>
&gt;&gt; resort to Flash to do so, because javascript did not provide the<b=
r>
&gt;&gt; functionality.<br>
&gt;<br>
&gt;Use report-uri with HPKP, in report-only mode<br>
<br>
I don&#39;t consider PKP-RO as a defense, but as an attempt at detection<br=
>
of attacks, with no risk of breaking your site.=C2=A0 It is extraordinarily=
<br>
useful to be notified of attacks against your users, even if they are<br>
not prevented. They help you understand where you should invest time<br>
and money.<br></blockquote><div><br></div><div>To be clear, I absolutely ag=
ree with Chris. You cannot and should not be seeing PKP-RO as a security me=
chanism.</div><div><br></div><div>Contextually, this also lacks the signifi=
cant discussion of enterprise policy and the like. As noted in the spec, UA=
s MAY disable Pin Validation according to policy - such as locally trusted =
authorities, such as corporate proxies or malicious actors.</div>
<div>=C2=A0</div><blockquote class=3D"gmail_quote" style=3D"margin:0 0 0 .8=
ex;border-left:1px #ccc solid;padding-left:1ex">
<br>
The foot-gun potential is very high with HPKP, we all know that.=C2=A0 It&#=
39;s<br>
high enough to the point that many organizations, who have someone<br>
maintaining a website part time (or outsource it) may forgoe PKP<br>
entirely because it makes them nervous - but they would be happy to<br>
deploy a no-risk PKP-RO.=C2=A0 But the benefit of doing so if it is not<br>
being cached is extraordinarily low, to the point it&#39;s probably not<br>
worth doing.<br>
<span class=3D"HOEnZb"><font color=3D"#888888"><br>
-tom<br>
</font></span></blockquote></div><br></div></div>

--089e013cba223e9eae05018ec3d5--


From nobody Tue Aug 26 14:20:43 2014
Return-Path: <palmer@google.com>
X-Original-To: websec@ietfa.amsl.com
Delivered-To: websec@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DDA7A1A887C for <websec@ietfa.amsl.com>; Tue, 26 Aug 2014 14:20:41 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.047
X-Spam-Level: 
X-Spam-Status: No, score=-2.047 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FM_FORGED_GMAIL=0.622, RP_MATCHES_RCVD=-0.668, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 1WI7fLgAudgu for <websec@ietfa.amsl.com>; Tue, 26 Aug 2014 14:20:39 -0700 (PDT)
Received: from mail-qg0-x236.google.com (mail-qg0-x236.google.com [IPv6:2607:f8b0:400d:c04::236]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 47AC61A88CD for <websec@ietf.org>; Tue, 26 Aug 2014 14:20:39 -0700 (PDT)
Received: by mail-qg0-f54.google.com with SMTP id j5so12687783qga.27 for <websec@ietf.org>; Tue, 26 Aug 2014 14:20:38 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type:content-transfer-encoding; bh=scdgMkDB7V6OJXym2nq8uVZQBQuP/jIC+5FfT9wICYM=; b=a3OH59rpslBcFGZK3Faf8DAPnbG6MHURc3jKD1SeU4meLYpNbsv10Fk6WbE+dLyEAb Gpyr/ZS9EdaJSlM7AsBUoPIAo5YikXMba77nlWYCTVHWJdUlS9Ex3MoO1Ow5isiALVB6 v5IkXe4poFkJ/OEZsag3r6/RGWTbCtrtLeto7ie7w7q7bzOBCiiytOUeSCqbfUAy6JIr ofQy5+2ELEFjJKFukvX/58zSqeHxiC08pSud7YFL7AJ/d+j9GAuATjUkA2y2eU9ryNY6 J0CQdz6oWKS++FRbPmkZfI1SckXtSce439IEav3gV7RTlR8OJLLiQpVc6FXPUlJrCtiB LBjA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:date :message-id:subject:from:to:cc:content-type :content-transfer-encoding; bh=scdgMkDB7V6OJXym2nq8uVZQBQuP/jIC+5FfT9wICYM=; b=ByY8TRWyPH6R6pEW4/dLuUzVDtuNKekU4RgqOKW3eV7egwsSJoowFjABK9pDjoMHPR tXs/1Uqjn4Vp7zdpeMZ//vLRNmZsyJY7zEJKCOzA/YzT9XkzSrlNzK59rNAQP2NM6Ibd jQFt28l5agWaQ3nCuryfuj5D0uBzoKa1NZRyJSpB5wTdNKat8uB+M+4NseKt/aCGvnKo bxMfnLOwaMpA1wVM7ftuX5Cp7agrpZvDddfzAtn7nUvkq/zkQOrUeUZJm+dOgt6l9vdS rhcByVO9Tmd5I3d29P2BqUGb+dJEp3LdARXiWlndDygJhddSOnMpBrAdAneTNZ8YnKs1 zfig==
X-Gm-Message-State: ALoCoQmUPQv1uTFRoxhaBBMCePpqTp/brn7znEM3IQ7PTGQd1V3MgWmi8kDTsHvAIpMut+GBty85
MIME-Version: 1.0
X-Received: by 10.224.79.13 with SMTP id n13mr51132743qak.79.1409088038411; Tue, 26 Aug 2014 14:20:38 -0700 (PDT)
Received: by 10.229.165.2 with HTTP; Tue, 26 Aug 2014 14:20:38 -0700 (PDT)
In-Reply-To: <CA+cU71kitObiZM2Lpc1c8f7waY5u2c5YW787w4xqpJNpbc3ENg@mail.gmail.com>
References: <BAY169-DS62B5941BF0A9024964BB0AEEE0@phx.gbl> <CACvaWvYHAmpX0f9_m-sckhWz9tcyWA-sxVR4vP-A5UcAQmnYXA@mail.gmail.com> <BAY169-DS45F1C5036AB09CA44D0BC7AEDF0@phx.gbl> <CA+cU71k-pLD315dzfd_c74QM51c7V2VQkZ26PiXUTqntmESD=A@mail.gmail.com> <CAOuvq20mZkScvPDKjsa1eZ6rdoHxf_+oF=gpaOcvkOTaYhyj6Q@mail.gmail.com> <CA+cU71mW47OvqRNTbw-H7u-F_k6hMv4xr0XcMYAS_V6eE8brwA@mail.gmail.com> <CAOuvq20C+T9Ejf_KUsfPRtUWL7ggCF0UWJZkGr5xGBEkERXeRQ@mail.gmail.com> <CA+cU71kitObiZM2Lpc1c8f7waY5u2c5YW787w4xqpJNpbc3ENg@mail.gmail.com>
Date: Tue, 26 Aug 2014 14:20:38 -0700
Message-ID: <CAOuvq21pYzK3cik7k3BXMoC08aTJKk4Y4RO2cn9XY_8CEYm=tQ@mail.gmail.com>
From: Chris Palmer <palmer@google.com>
To: Tom Ritter <tom@ritter.vg>
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: quoted-printable
Archived-At: http://mailarchive.ietf.org/arch/msg/websec/DDY3ltfyz_5hUZaJiVN03IMIek0
Cc: "draft-ietf-websec-key-pinning@tools.ietf.org" <draft-ietf-websec-key-pinning@tools.ietf.org>, Eric Lawrence <ericlaw1979@hotmail.com>, IETF WebSec WG <websec@ietf.org>, Ryan Sleevi <sleevi@google.com>
Subject: Re: [websec] draft-ietf-websec-key-pinning
X-BeenThere: websec@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/websec>, <mailto:websec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/websec/>
List-Post: <mailto:websec@ietf.org>
List-Help: <mailto:websec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/websec>, <mailto:websec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 26 Aug 2014 21:20:42 -0000

On Tue, Aug 26, 2014 at 2:06 PM, Tom Ritter <tom@ritter.vg> wrote:

> The foot-gun potential is very high with HPKP, we all know that.  It's
> high enough to the point that many organizations, who have someone
> maintaining a website part time (or outsource it) may forgoe PKP
> entirely because it makes them nervous - but they would be happy to
> deploy a no-risk PKP-RO.  But the benefit of doing so if it is not
> being cached is extraordinarily low, to the point it's probably not
> worth doing.

3 full years ago, HPKP was conceived as a single new directive to
piggyback on HSTS. Now it's a design-by-committee extravaganza with
knobs and bells and whistles all over the place. It also has a jaunty
cap. The cap is not a protective helmet, but hey =E2=80=94 it *is* jaunty a=
s
all get-out. :)

I just want to get something published, even if it's imperfect, so we
can move on. This process is taking my time away from other important
tasks, and I can't let that happen much longer.


From nobody Tue Aug 26 14:38:13 2014
Return-Path: <trevp@trevp.net>
X-Original-To: websec@ietfa.amsl.com
Delivered-To: websec@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id ACB4F1A0049 for <websec@ietfa.amsl.com>; Tue, 26 Aug 2014 14:38:11 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.978
X-Spam-Level: 
X-Spam-Status: No, score=-1.978 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FM_FORGED_GMAIL=0.622, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id GcGEZ_5N83JA for <websec@ietfa.amsl.com>; Tue, 26 Aug 2014 14:38:10 -0700 (PDT)
Received: from mail-ig0-f171.google.com (mail-ig0-f171.google.com [209.85.213.171]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 74D671A0048 for <websec@ietf.org>; Tue, 26 Aug 2014 14:38:10 -0700 (PDT)
Received: by mail-ig0-f171.google.com with SMTP id l13so5249544iga.4 for <websec@ietf.org>; Tue, 26 Aug 2014 14:38:09 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:date :message-id:subject:from:to:cc:content-type; bh=ILgQyNrGBx6I+XtHhN4gKvOxrkHsCAoaioPrqM4bXok=; b=RrOVOAtfbFurtLj+9eP1DNHnffO1Ix2NGkVzmIwaE+LcrIikirrU3OHgBn9Fc+y+vu cZmXGzMZnLglGIKAGVl0brfyZwzf0ueR9tG73DSStNkGtjp3NBpSzzqpO2Pe5llIatZ3 Nt6MhTWKHRbubl9ZWf/tQrQr1cVv8gFesIYQf9HnzjwagC4oqbe9VWyvZA3CxRjfkkHf CdcPG9pb8jNyfdpeXdmqrVI7jWvl6zq5d3xudOInlUu4VrzaaBS2AwVidcUKw9eAku6e KxUoLsUOH9ze81dES/ntUzNWDvHTRxvVKnS8c8Kj8mxUo079HLYi/pXpwg6rdbG9GToZ TkSQ==
X-Gm-Message-State: ALoCoQkGAEzQAc1DrTcrm8YvXyCJ7tvrpglpJJJJUxB9eTdF4jyDPMCBFiAGaRD4/7CsG+695TVt
MIME-Version: 1.0
X-Received: by 10.51.17.2 with SMTP id ga2mr25664526igd.2.1409089089793; Tue, 26 Aug 2014 14:38:09 -0700 (PDT)
Received: by 10.107.133.154 with HTTP; Tue, 26 Aug 2014 14:38:09 -0700 (PDT)
X-Originating-IP: [50.1.57.236]
In-Reply-To: <CAOuvq20kCKk=jcXsy_d8C-4Fn-f0zshP6YUPn5N8hsKt7KO7dw@mail.gmail.com>
References: <BAY169-DS62B5941BF0A9024964BB0AEEE0@phx.gbl> <CACvaWvYHAmpX0f9_m-sckhWz9tcyWA-sxVR4vP-A5UcAQmnYXA@mail.gmail.com> <BAY169-DS45F1C5036AB09CA44D0BC7AEDF0@phx.gbl> <CA+cU71k-pLD315dzfd_c74QM51c7V2VQkZ26PiXUTqntmESD=A@mail.gmail.com> <CAOuvq20mZkScvPDKjsa1eZ6rdoHxf_+oF=gpaOcvkOTaYhyj6Q@mail.gmail.com> <CA+cU71mW47OvqRNTbw-H7u-F_k6hMv4xr0XcMYAS_V6eE8brwA@mail.gmail.com> <CAOuvq20C+T9Ejf_KUsfPRtUWL7ggCF0UWJZkGr5xGBEkERXeRQ@mail.gmail.com> <BAY169-DS45D73636AA204DEEABC876AEDC0@phx.gbl> <CAOuvq20kCKk=jcXsy_d8C-4Fn-f0zshP6YUPn5N8hsKt7KO7dw@mail.gmail.com>
Date: Tue, 26 Aug 2014 14:38:09 -0700
Message-ID: <CAGZ8ZG3KUPAbePp-_GCztj4RSLd8MuNo1iDz=ua+BEjQVzJc7Q@mail.gmail.com>
From: Trevor Perrin <trevp@trevp.net>
To: Chris Palmer <palmer@google.com>
Content-Type: text/plain; charset=UTF-8
Archived-At: http://mailarchive.ietf.org/arch/msg/websec/wcHhaiZjlm-_Xjj9y5AJFmC7-KM
Cc: "draft-ietf-websec-key-pinning@tools.ietf.org" <draft-ietf-websec-key-pinning@tools.ietf.org>, Eric Lawrence <ericlaw1979@hotmail.com>, IETF WebSec WG <websec@ietf.org>, Ryan Sleevi <sleevi@google.com>
Subject: Re: [websec] draft-ietf-websec-key-pinning
X-BeenThere: websec@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/websec>, <mailto:websec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/websec/>
List-Post: <mailto:websec@ietf.org>
List-Help: <mailto:websec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/websec>, <mailto:websec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 26 Aug 2014 21:38:11 -0000

On Tue, Aug 26, 2014 at 2:04 PM, Chris Palmer <palmer@google.com> wrote:
> On Tue, Aug 26, 2014 at 1:58 PM, Eric Lawrence <ericlaw1979@hotmail.com> wrote:
>
>> As a site operator, I'd think of PKP-RO as a debugging aid more along the
>> lines of: "If I turn this thing on, will anything break for anyone?"
>>
>> If PKP-RO doesn't have the same semantics as PKP, its utility for answering
>> that question declines.
>
> PKP-RO has the same semantics as PKP, at the time of Pin Validation,
> which is what matters.

That's not completely true, because PKP affects Pin Validation of
other connections, and PKP-RO doesn't.

So turning on PKP-RO tests "do browsers construct the certificate path
I expect".  It doesn't test "does my site return the correct
certificate for all connections".

So Eric's point is valid: PKP-RO doesn't provide an administrator much
confidence that their site is ready for PKP, and might even mislead
them.


Trevor


From nobody Tue Aug 26 14:42:52 2014
Return-Path: <tom@ritter.vg>
X-Original-To: websec@ietfa.amsl.com
Delivered-To: websec@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A03571A0118 for <websec@ietfa.amsl.com>; Tue, 26 Aug 2014 14:42:50 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.379
X-Spam-Level: 
X-Spam-Status: No, score=-1.379 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FM_FORGED_GMAIL=0.622, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id n0L-56KJUQ7O for <websec@ietfa.amsl.com>; Tue, 26 Aug 2014 14:42:49 -0700 (PDT)
Received: from mail-ie0-x231.google.com (mail-ie0-x231.google.com [IPv6:2607:f8b0:4001:c03::231]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A09471A0113 for <websec@ietf.org>; Tue, 26 Aug 2014 14:42:49 -0700 (PDT)
Received: by mail-ie0-f177.google.com with SMTP id at20so11766517iec.8 for <websec@ietf.org>; Tue, 26 Aug 2014 14:42:49 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ritter.vg; s=vg; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc:content-type; bh=pWTkMhFcqVum94s1+DRXW7pjvI/8xp4PQaMBjciByhc=; b=OvdFLzS+qR4HVYxTWZXWlxk6vZfgvgqtxHJ5F0GhyFSxbWFblyFtnyzP9s42b57mvp vlmxIKmG+ag30mEey2QbvUGVLLKd4RYjbKojc2jIscQoZJ3nHS+zYi53sRhHV96B5HR+ mguAmvkSpU91i9ezYQQ+j/f5Jkxfp5X7GhzNA=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc:content-type; bh=pWTkMhFcqVum94s1+DRXW7pjvI/8xp4PQaMBjciByhc=; b=MRzP92oWx/xP9LquWAnjgFDssVbQMnxvw6Aun4016wGI3CbGpY9fyK1YsDQN16kGBM i9ziZxSYZ+bQmxWUM9AOA4Gc+zuwlxzY2xUQ7GFp0VMOQ6k3r4KxEZfsX9QSQqaSjo1e +QS3v7NtfS8ceKquYboN8ZaIuwjBfQV2u9IyADHRW+Gv0PlKPH2clvUgtP8+is6DC5zS tfFrO0foeXcLxrXCLk+43883st0/yGvY1mteT3ilafOK6t5J+dtnNSqfflk2P+Vk1Fch 1l8596YSYZQDDxVEQ2XIX1vQUh2gGkZoKUX6Q5HW+4HtSGoKFAPW+G1vnCUG4TXae7OH uDaw==
X-Gm-Message-State: ALoCoQkKWm10u5MzPYPoI/nGI06KifEIA+xXkcQBVrYhXJOD5uEBecGfhjsEkKy/4ASxXtxt7yDd
X-Received: by 10.42.216.198 with SMTP id hj6mr10155164icb.65.1409089369100; Tue, 26 Aug 2014 14:42:49 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.107.10.104 with HTTP; Tue, 26 Aug 2014 14:42:29 -0700 (PDT)
In-Reply-To: <CAGZ8ZG3KUPAbePp-_GCztj4RSLd8MuNo1iDz=ua+BEjQVzJc7Q@mail.gmail.com>
References: <BAY169-DS62B5941BF0A9024964BB0AEEE0@phx.gbl> <CACvaWvYHAmpX0f9_m-sckhWz9tcyWA-sxVR4vP-A5UcAQmnYXA@mail.gmail.com> <BAY169-DS45F1C5036AB09CA44D0BC7AEDF0@phx.gbl> <CA+cU71k-pLD315dzfd_c74QM51c7V2VQkZ26PiXUTqntmESD=A@mail.gmail.com> <CAOuvq20mZkScvPDKjsa1eZ6rdoHxf_+oF=gpaOcvkOTaYhyj6Q@mail.gmail.com> <CA+cU71mW47OvqRNTbw-H7u-F_k6hMv4xr0XcMYAS_V6eE8brwA@mail.gmail.com> <CAOuvq20C+T9Ejf_KUsfPRtUWL7ggCF0UWJZkGr5xGBEkERXeRQ@mail.gmail.com> <BAY169-DS45D73636AA204DEEABC876AEDC0@phx.gbl> <CAOuvq20kCKk=jcXsy_d8C-4Fn-f0zshP6YUPn5N8hsKt7KO7dw@mail.gmail.com> <CAGZ8ZG3KUPAbePp-_GCztj4RSLd8MuNo1iDz=ua+BEjQVzJc7Q@mail.gmail.com>
From: Tom Ritter <tom@ritter.vg>
Date: Tue, 26 Aug 2014 16:42:29 -0500
Message-ID: <CA+cU71=A6vFXZrG8mcqj4uC-z2VdJfFOutqcq9MPTYs+uhpa9Q@mail.gmail.com>
To: Trevor Perrin <trevp@trevp.net>
Content-Type: text/plain; charset=ISO-8859-1
Archived-At: http://mailarchive.ietf.org/arch/msg/websec/kITkWQxCVXGuew384hLAPBRG89I
Cc: "draft-ietf-websec-key-pinning@tools.ietf.org" <draft-ietf-websec-key-pinning@tools.ietf.org>, Eric Lawrence <ericlaw1979@hotmail.com>, IETF WebSec WG <websec@ietf.org>, Ryan Sleevi <sleevi@google.com>
Subject: Re: [websec] draft-ietf-websec-key-pinning
X-BeenThere: websec@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/websec>, <mailto:websec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/websec/>
List-Post: <mailto:websec@ietf.org>
List-Help: <mailto:websec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/websec>, <mailto:websec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 26 Aug 2014 21:42:50 -0000

On 26 August 2014 16:38, Trevor Perrin <trevp@trevp.net> wrote:
> That's not completely true, because PKP affects Pin Validation of
> other connections, and PKP-RO doesn't.
>
> ...
>
> So Eric's point is valid: PKP-RO doesn't provide an administrator much
> confidence that their site is ready for PKP, and might even mislead
> them.

This is especially true if includeSubdomains is enabled. It'd be
common for that directive to apply to hosts that the -RO header would
not be included on. In PKP-RO, it would not be applied to them; in PKP
it would.

-tom


From nobody Tue Aug 26 15:10:30 2014
Return-Path: <palmer@google.com>
X-Original-To: websec@ietfa.amsl.com
Delivered-To: websec@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 55D101A00F8 for <websec@ietfa.amsl.com>; Tue, 26 Aug 2014 15:10:27 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.047
X-Spam-Level: 
X-Spam-Status: No, score=-2.047 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FM_FORGED_GMAIL=0.622, RP_MATCHES_RCVD=-0.668, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Ev_sK86iVylh for <websec@ietfa.amsl.com>; Tue, 26 Aug 2014 15:10:26 -0700 (PDT)
Received: from mail-qa0-x22e.google.com (mail-qa0-x22e.google.com [IPv6:2607:f8b0:400d:c00::22e]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3D9181A01A9 for <websec@ietf.org>; Tue, 26 Aug 2014 15:10:26 -0700 (PDT)
Received: by mail-qa0-f46.google.com with SMTP id v10so14342402qac.19 for <websec@ietf.org>; Tue, 26 Aug 2014 15:10:25 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=ZlsDXKm2Jrn4B8JNmBX/ELa+r6cxMf9Fcl1QpSpM7no=; b=WBnoZxDOepnsc0GfFLufy7lY9HRCsbbFAW7Az24OqLW18+ppHrZp/rvqNK7ZUo7ytr zvzmfXdQ6LO5v/f0NZygg2CHoOjMQW+4AC4bLK2k8IsD5HFsrVOQJxYSQ94KU+Kwolk/ dOlRHjYZeVUiktoSCqqQW0Kfu1eaqtWce3i11ZlfJxJJKrWqhGO05QdD0uhFYAUVfckO LxBaInihwZJUr8McYCut/NqhyC6opvkL5Y7r+lmj/569hn4UG2nA3TNn0NOSncX8WHXO w414dWr/J+rUC2vVa46nGsMhWZ3aDgtufjM/OVTfbTVxcPJVsbDKAR1O69uwC1X4VGN6 Ja9g==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:date :message-id:subject:from:to:cc:content-type; bh=ZlsDXKm2Jrn4B8JNmBX/ELa+r6cxMf9Fcl1QpSpM7no=; b=lzy03x83yxwsiiAhUa8Sdmne+l6DCueeqm0tN1tzNXU7GYa9gBYO3OROmCIR+B5ZqS xejFiYRKvcBj6ZhFXwme/RSdpvW/nsbSWd/tUbwRI218LmU/iYvAZucg42SVfVQflycJ 20suDrkW+VB/CIjDfs9QV6SjmvzGhbdtzfMh325MRlzw+TPawapVyxAE+Zyu6hb7B8CL V/i7AEPvwI3LTyQ3RLV9fm449dA2HNlDO1upwd5ZkHx+YhKBXcx12xuhcP3gAYyJec+D dxKbbOg/b6Qt4IE4VlFx61z6ib66hkmEhSzfk5nY5zooYmzeGcuwft5qE8vlgDzkGpJC ZTww==
X-Gm-Message-State: ALoCoQl0CVkE3PNjp8R2wy6SXN/w59WS4d0yuaz0rgIQsfE7NMKJ4ZgGuXltHyF9s+AVmc30vssU
MIME-Version: 1.0
X-Received: by 10.224.79.13 with SMTP id n13mr51539714qak.79.1409091025367; Tue, 26 Aug 2014 15:10:25 -0700 (PDT)
Received: by 10.229.165.2 with HTTP; Tue, 26 Aug 2014 15:10:25 -0700 (PDT)
In-Reply-To: <CA+cU71=A6vFXZrG8mcqj4uC-z2VdJfFOutqcq9MPTYs+uhpa9Q@mail.gmail.com>
References: <BAY169-DS62B5941BF0A9024964BB0AEEE0@phx.gbl> <CACvaWvYHAmpX0f9_m-sckhWz9tcyWA-sxVR4vP-A5UcAQmnYXA@mail.gmail.com> <BAY169-DS45F1C5036AB09CA44D0BC7AEDF0@phx.gbl> <CA+cU71k-pLD315dzfd_c74QM51c7V2VQkZ26PiXUTqntmESD=A@mail.gmail.com> <CAOuvq20mZkScvPDKjsa1eZ6rdoHxf_+oF=gpaOcvkOTaYhyj6Q@mail.gmail.com> <CA+cU71mW47OvqRNTbw-H7u-F_k6hMv4xr0XcMYAS_V6eE8brwA@mail.gmail.com> <CAOuvq20C+T9Ejf_KUsfPRtUWL7ggCF0UWJZkGr5xGBEkERXeRQ@mail.gmail.com> <BAY169-DS45D73636AA204DEEABC876AEDC0@phx.gbl> <CAOuvq20kCKk=jcXsy_d8C-4Fn-f0zshP6YUPn5N8hsKt7KO7dw@mail.gmail.com> <CAGZ8ZG3KUPAbePp-_GCztj4RSLd8MuNo1iDz=ua+BEjQVzJc7Q@mail.gmail.com> <CA+cU71=A6vFXZrG8mcqj4uC-z2VdJfFOutqcq9MPTYs+uhpa9Q@mail.gmail.com>
Date: Tue, 26 Aug 2014 15:10:25 -0700
Message-ID: <CAOuvq22QgGVpsxrsZswqspiP-rgNE6B3vp_6bYDTE5-MrLZdVg@mail.gmail.com>
From: Chris Palmer <palmer@google.com>
To: Tom Ritter <tom@ritter.vg>
Content-Type: text/plain; charset=UTF-8
Archived-At: http://mailarchive.ietf.org/arch/msg/websec/WDT0Cea6plWla_KgEhQ9O74sbXE
Cc: "draft-ietf-websec-key-pinning@tools.ietf.org" <draft-ietf-websec-key-pinning@tools.ietf.org>, Eric Lawrence <ericlaw1979@hotmail.com>, IETF WebSec WG <websec@ietf.org>, Ryan Sleevi <sleevi@google.com>
Subject: Re: [websec] draft-ietf-websec-key-pinning
X-BeenThere: websec@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/websec>, <mailto:websec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/websec/>
List-Post: <mailto:websec@ietf.org>
List-Help: <mailto:websec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/websec>, <mailto:websec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 26 Aug 2014 22:10:27 -0000

On Tue, Aug 26, 2014 at 2:42 PM, Tom Ritter <tom@ritter.vg> wrote:

>> That's not completely true, because PKP affects Pin Validation of
>> other connections, and PKP-RO doesn't.
>>
>> ...
>>
>> So Eric's point is valid: PKP-RO doesn't provide an administrator much
>> confidence that their site is ready for PKP, and might even mislead
>> them.
>
> This is especially true if includeSubdomains is enabled. It'd be
> common for that directive to apply to hosts that the -RO header would
> not be included on. In PKP-RO, it would not be applied to them; in PKP
> it would.

OK, so, what do you want?

Is it even possible for me to write text you would accept?


From nobody Tue Aug 26 15:45:10 2014
Return-Path: <jbonneau@gmail.com>
X-Original-To: websec@ietfa.amsl.com
Delivered-To: websec@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C580E1A0041 for <websec@ietfa.amsl.com>; Tue, 26 Aug 2014 15:45:09 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level: 
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Sz6csXodFwQn for <websec@ietfa.amsl.com>; Tue, 26 Aug 2014 15:45:08 -0700 (PDT)
Received: from mail-yk0-x235.google.com (mail-yk0-x235.google.com [IPv6:2607:f8b0:4002:c07::235]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E91F11A0030 for <websec@ietf.org>; Tue, 26 Aug 2014 15:45:07 -0700 (PDT)
Received: by mail-yk0-f181.google.com with SMTP id q200so12004154ykb.40 for <websec@ietf.org>; Tue, 26 Aug 2014 15:45:07 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113;  h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc:content-type; bh=hDhl1rL/Xx4a10eC3mTglxxODxp6F9iWh9jZDRTjjSY=; b=lYQX83rkbTIKbn4IZF70uVuUuvi+z9Pz4pdWSExMxBTLAXHnqwSXpLim0ZPuqtW+ms UL9YukTBSlwMN1xE8E1RcBLeS+oChFVMa0QUujO+RV4AWPIDKG95QN88MJNPU8yZYv7W ojkMM0Dz6fZhnZQulQh4nCvu08vo7PUiSfryd7lCSn1TryCkz9GifG3VoOKsOZZnsS2F 9fCaIqPvOOMsM52R0/2ZO3/N2w95tBokR49fKXjrHtg/+AXO9i90K3vjyoyZORnYJvUw 1pu72w2hdNmllXRWBAlbfXVtsAb58FdxhN/BDy2kObHqEoWaKjMvgYrGdCmttumPpfF4 ZgMg==
X-Received: by 10.52.119.229 with SMTP id kx5mr447643vdb.40.1409093107240; Tue, 26 Aug 2014 15:45:07 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.220.219.1 with HTTP; Tue, 26 Aug 2014 15:44:46 -0700 (PDT)
In-Reply-To: <CAOuvq22QgGVpsxrsZswqspiP-rgNE6B3vp_6bYDTE5-MrLZdVg@mail.gmail.com>
References: <BAY169-DS62B5941BF0A9024964BB0AEEE0@phx.gbl> <CACvaWvYHAmpX0f9_m-sckhWz9tcyWA-sxVR4vP-A5UcAQmnYXA@mail.gmail.com> <BAY169-DS45F1C5036AB09CA44D0BC7AEDF0@phx.gbl> <CA+cU71k-pLD315dzfd_c74QM51c7V2VQkZ26PiXUTqntmESD=A@mail.gmail.com> <CAOuvq20mZkScvPDKjsa1eZ6rdoHxf_+oF=gpaOcvkOTaYhyj6Q@mail.gmail.com> <CA+cU71mW47OvqRNTbw-H7u-F_k6hMv4xr0XcMYAS_V6eE8brwA@mail.gmail.com> <CAOuvq20C+T9Ejf_KUsfPRtUWL7ggCF0UWJZkGr5xGBEkERXeRQ@mail.gmail.com> <BAY169-DS45D73636AA204DEEABC876AEDC0@phx.gbl> <CAOuvq20kCKk=jcXsy_d8C-4Fn-f0zshP6YUPn5N8hsKt7KO7dw@mail.gmail.com> <CAGZ8ZG3KUPAbePp-_GCztj4RSLd8MuNo1iDz=ua+BEjQVzJc7Q@mail.gmail.com> <CA+cU71=A6vFXZrG8mcqj4uC-z2VdJfFOutqcq9MPTYs+uhpa9Q@mail.gmail.com> <CAOuvq22QgGVpsxrsZswqspiP-rgNE6B3vp_6bYDTE5-MrLZdVg@mail.gmail.com>
From: Joseph Bonneau <jbonneau@gmail.com>
Date: Tue, 26 Aug 2014 18:44:46 -0400
Message-ID: <CAOe4Ui=dSrE5YeRNC301huYaGivqHUjgQ8XdP5wJUk04Ri2ciQ@mail.gmail.com>
To: Chris Palmer <palmer@google.com>
Content-Type: multipart/alternative; boundary=047d7bdc99aa1cd4ed0501900e0f
Archived-At: http://mailarchive.ietf.org/arch/msg/websec/lpBl5gPR0wrVw4bcecTMrLCOb1U
Cc: "draft-ietf-websec-key-pinning@tools.ietf.org" <draft-ietf-websec-key-pinning@tools.ietf.org>, Eric Lawrence <ericlaw1979@hotmail.com>, Ryan Sleevi <sleevi@google.com>, IETF WebSec WG <websec@ietf.org>
Subject: Re: [websec] draft-ietf-websec-key-pinning
X-BeenThere: websec@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/websec>, <mailto:websec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/websec/>
List-Post: <mailto:websec@ietf.org>
List-Help: <mailto:websec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/websec>, <mailto:websec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 26 Aug 2014 22:45:09 -0000

--047d7bdc99aa1cd4ed0501900e0f
Content-Type: text/plain; charset=UTF-8

On Tue, Aug 26, 2014 at 6:10 PM, Chris Palmer <palmer@google.com> wrote:

> On Tue, Aug 26, 2014 at 2:42 PM, Tom Ritter <tom@ritter.vg> wrote:
> > This is especially true if includeSubdomains is enabled. It'd be
> > common for that directive to apply to hosts that the -RO header would
> > not be included on. In PKP-RO, it would not be applied to them; in PKP
> > it would.
>
> OK, so, what do you want?
>
> Is it even possible for me to write text you would accept?


The answer may be "no" here which would suggest dropping PKP-RO completely
as an alternative way forward. Taking a step back, this thread features two
sides arguing that this feature is (largely) useless for what the other
side wants it for (testing vs. security).

As pointed out, the current version is not nearly sufficient for testing a
site's PKP-readiness due to subdomains and (potentially) load-balancing a
domain onto servers with different keys (some of which may not be in the
pin set and not set PKP-RO and be missed by setting the header on other
servers). Testing with -RO is surely better than no testing at all, but it
seems most domains would need to do more extensive testing manually by
crawling/viewing network traffic/etc. at which point they'd gain the
benefit of -RO testing anyways.

Maybe there is some benefit for quick tests to see what certs UAs are
actually receiving, which it was pointed out Facebook used Flash to achieve
(I know of at least two other academic research efforts that have used the
same approach). But if this is the goal, PKP-RO is pretty limited compared
to adding something to JS or WebCrypto which would just ping back with the
exact cert chain received. This use case seems best addressed elsewhere
rather than bolted onto this spec.

Hence, given the concern that this spec is already bloated, I would
advocate we seriously consider dropping -RO mode completely.

--047d7bdc99aa1cd4ed0501900e0f
Content-Type: text/html; charset=UTF-8
Content-Transfer-Encoding: quoted-printable

<div dir=3D"ltr"><div class=3D"gmail_extra"><div class=3D"gmail_quote">On T=
ue, Aug 26, 2014 at 6:10 PM, Chris Palmer <span dir=3D"ltr">&lt;<a href=3D"=
mailto:palmer@google.com" target=3D"_blank">palmer@google.com</a>&gt;</span=
> wrote:<br>

<blockquote class=3D"gmail_quote" style=3D"margin:0 0 0 .8ex;border-left:1p=
x #ccc solid;padding-left:1ex"><div class=3D"">On Tue, Aug 26, 2014 at 2:42=
 PM, Tom Ritter &lt;<a href=3D"mailto:tom@ritter.vg">tom@ritter.vg</a>&gt; =
wrote:<br>


&gt; This is especially true if includeSubdomains is enabled. It&#39;d be<b=
r>
&gt; common for that directive to apply to hosts that the -RO header would<=
br>
&gt; not be included on. In PKP-RO, it would not be applied to them; in PKP=
<br>
&gt; it would.<br>
<br>
</div>OK, so, what do you want?<br>
<br>
Is it even possible for me to write text you would accept?</blockquote><div=
><br></div><div>The answer may be &quot;no&quot; here which would suggest d=
ropping PKP-RO completely as an alternative way forward. Taking a step back=
, this thread features two sides arguing that this feature is (largely) use=
less for what the other side wants it for (testing vs. security).</div>

<div><br></div><div>As pointed out, the current version is not nearly suffi=
cient for testing a site&#39;s PKP-readiness due to subdomains and (potenti=
ally) load-balancing a domain onto servers with different keys (some of whi=
ch may not be in the pin set and not set PKP-RO and be missed by setting th=
e header on other servers). Testing with -RO is surely better than no testi=
ng at all, but it seems most domains would need to do more extensive testin=
g manually by crawling/viewing network traffic/etc. at which point they&#39=
;d gain the benefit of -RO testing anyways.</div>

<div><br></div><div>Maybe there is some benefit for quick tests to see what=
 certs UAs are actually receiving, which it was pointed out Facebook used F=
lash to achieve (I know of at least two other academic research efforts tha=
t have used the same approach). But if this is the goal, PKP-RO is pretty l=
imited compared to adding something to JS or WebCrypto which would just pin=
g back with the exact cert chain received. This use case seems best address=
ed elsewhere rather than bolted onto this spec.</div>

<div><br></div><div>Hence, given the concern that this spec is already bloa=
ted, I would advocate we seriously consider dropping -RO mode completely.</=
div></div></div></div>

--047d7bdc99aa1cd4ed0501900e0f--


From nobody Tue Aug 26 16:08:32 2014
Return-Path: <tom@ritter.vg>
X-Original-To: websec@ietfa.amsl.com
Delivered-To: websec@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E4C661A00A6 for <websec@ietfa.amsl.com>; Tue, 26 Aug 2014 16:08:18 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.379
X-Spam-Level: 
X-Spam-Status: No, score=-1.379 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FM_FORGED_GMAIL=0.622, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id V2nqYm7w0fxg for <websec@ietfa.amsl.com>; Tue, 26 Aug 2014 16:08:17 -0700 (PDT)
Received: from mail-ie0-x236.google.com (mail-ie0-x236.google.com [IPv6:2607:f8b0:4001:c03::236]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 69B901A008F for <websec@ietf.org>; Tue, 26 Aug 2014 16:08:17 -0700 (PDT)
Received: by mail-ie0-f182.google.com with SMTP id y20so12624079ier.13 for <websec@ietf.org>; Tue, 26 Aug 2014 16:08:16 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ritter.vg; s=vg; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc:content-type; bh=dbDKeBn52D5fCIRGeQgXGR6EOoigkaSFatLig3OSxRU=; b=oZOWG1e0DnBinm1m3pGkoLU29r14qEO9fEVLUJJP0s82i/7takuyPGICYLxDFk5/5Q qagL5Ok7lCaF+m838O9aoIOoSwSZ+Wh5P9PBGq4ZZvle2x4eQBia0shhHKKCI9HfFYIp +8gM3FAhBk8Xla/WxmKKUG9K/fYNcRJGW29/g=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc:content-type; bh=dbDKeBn52D5fCIRGeQgXGR6EOoigkaSFatLig3OSxRU=; b=k75OrtDsO2UD6fvgF+U9T88j3l4O0+ADQHfHpB5rkihFXMrHMCTyRzLiBu1epik/Cj 5VOdEdZWB/U7wJsRqZSvZSr/v9BTdf0Xi0NXLfTZaUJzwdqCiPQ2AAgQtuNJBgYeAF17 q1GN+vYzqGi3RQxKCNGTxB64R2bnZDnHXIzcg8A9cX5XUDzz9o2nqHWbZ1Bbyj+1pPoY gaIe+G7cGt/nZbP4TYNBxVRLHATwiwLrF0sdNvOFuRG11h6JUEQG/hzNlbILA/oHpIYF Wgop1qJyudMz1IdwwlzZsAS+OT8Gx6lQ7nUfJQ3lETKT2zxY+fNWyJakr/bzc7D3Mjbp 9Adw==
X-Gm-Message-State: ALoCoQkNZNZLemDPqhuxeXCwIVsks/SjC60Ae27Q98U4VCDNoQWjME8ZusntCPuK48C/6yMTmsR5
X-Received: by 10.50.111.80 with SMTP id ig16mr25843701igb.43.1409094496735; Tue, 26 Aug 2014 16:08:16 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.107.10.104 with HTTP; Tue, 26 Aug 2014 16:07:56 -0700 (PDT)
In-Reply-To: <CAOuvq22QgGVpsxrsZswqspiP-rgNE6B3vp_6bYDTE5-MrLZdVg@mail.gmail.com>
References: <BAY169-DS62B5941BF0A9024964BB0AEEE0@phx.gbl> <CACvaWvYHAmpX0f9_m-sckhWz9tcyWA-sxVR4vP-A5UcAQmnYXA@mail.gmail.com> <BAY169-DS45F1C5036AB09CA44D0BC7AEDF0@phx.gbl> <CA+cU71k-pLD315dzfd_c74QM51c7V2VQkZ26PiXUTqntmESD=A@mail.gmail.com> <CAOuvq20mZkScvPDKjsa1eZ6rdoHxf_+oF=gpaOcvkOTaYhyj6Q@mail.gmail.com> <CA+cU71mW47OvqRNTbw-H7u-F_k6hMv4xr0XcMYAS_V6eE8brwA@mail.gmail.com> <CAOuvq20C+T9Ejf_KUsfPRtUWL7ggCF0UWJZkGr5xGBEkERXeRQ@mail.gmail.com> <BAY169-DS45D73636AA204DEEABC876AEDC0@phx.gbl> <CAOuvq20kCKk=jcXsy_d8C-4Fn-f0zshP6YUPn5N8hsKt7KO7dw@mail.gmail.com> <CAGZ8ZG3KUPAbePp-_GCztj4RSLd8MuNo1iDz=ua+BEjQVzJc7Q@mail.gmail.com> <CA+cU71=A6vFXZrG8mcqj4uC-z2VdJfFOutqcq9MPTYs+uhpa9Q@mail.gmail.com> <CAOuvq22QgGVpsxrsZswqspiP-rgNE6B3vp_6bYDTE5-MrLZdVg@mail.gmail.com>
From: Tom Ritter <tom@ritter.vg>
Date: Tue, 26 Aug 2014 18:07:56 -0500
Message-ID: <CA+cU71nN-=TjWZZovMUcTrXMF1gBcYFppnfnsaP7hKw+6AUCLQ@mail.gmail.com>
To: Chris Palmer <palmer@google.com>
Content-Type: text/plain; charset=ISO-8859-1
Archived-At: http://mailarchive.ietf.org/arch/msg/websec/p1XQlSH1IFXtcAGYAcHZhKTJKbE
Cc: "draft-ietf-websec-key-pinning@tools.ietf.org" <draft-ietf-websec-key-pinning@tools.ietf.org>, Eric Lawrence <ericlaw1979@hotmail.com>, IETF WebSec WG <websec@ietf.org>, Ryan Sleevi <sleevi@google.com>
Subject: Re: [websec] draft-ietf-websec-key-pinning
X-BeenThere: websec@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/websec>, <mailto:websec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/websec/>
List-Post: <mailto:websec@ietf.org>
List-Help: <mailto:websec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/websec>, <mailto:websec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 26 Aug 2014 23:08:19 -0000

On 26 August 2014 17:10, Chris Palmer <palmer@google.com> wrote:
> OK, so, what do you want?
>
> Is it even possible for me to write text you would accept?

Just because I have a concern or preference doesn't mean I don't
really appreciate the work you've done. I do.

I'd like PKP-RO to be cached like PKP and applied the same way, absent
the connection termination (preference). After I realized the
includeSubdomains issue (concern), I want it even more for testing a
deployment than I want it for my prior attack detection arguments
(preference).

I've tried to find all the references someone (e.g. a reviewer) might
want changed to do this.  My suggestions:

----------

The "max-age" directive is REQUIRED to be present within a "Public-
   Key-Pins" header field, and is OPTIONAL within a "Public-Key-Pins-
   Report-Only" header field.

Become

The "max-age" directive is REQUIRED to be present within the "Public-
   Key-Pins" and "Public-Key-Pins-Report-Only" header fields.

----------

Note: There is no purpose to using the PKP-RO header without the
   report-uri directive.  User Agents MAY discard such headers without
   interpreting them further.

Become

Note: The only purpose to using the PKP-RO header without the
   report-uri directive is to include a max-age=0 to clear any previously
   saved PKP-RO directives.  After doing so, User Agents MAY discard
   such headers without interpreting them further.

----------

If a host sets both the PKP header and the PKP-RO header, the UA MUST
   note and enforce Pin Validation as specified by the PKP header, and
   SHOULD process the Pins and directives given in the PKP-RO header.
   If the UA does process the Pins and directives in the PKP-RO header
   it SHOULD evaluate the specified policy and SHOULD report any would-
   be Pin Validation failures that would occur if the report-only policy
   were enforced.

Become

If a host sets both the PKP header and the PKP-RO header, the UA MUST
   note and enforce Pin Validation as specified by the PKP header, and
   SHOULD note and process the Pins and directives given in the PKP-RO header.
   If the UA does process the Pins and directives in the PKP-RO header
   it SHOULD evaluate the specified policy and SHOULD report any would-
   be Pin Validation failures that would occur if the report-only policy
   were enforced.

----------

Upon receipt of the PKP response header field, the UA notes the host
   as a Known Pinned Host, storing the Pins and their associated
   directives in non-volatile storage (for example, along with the HSTS
   metadata).  The Pins and their associated directives are collectively
   known as Pinning Metadata.

Become

Upon receipt of a PKP or PKP-RO response header field, the UA notes the host
   as a Known Pinned Host, storing the Pins and their associated
   directives in non-volatile storage (for example, along with the HSTS
   metadata).  The Pins and their associated directives are collectively
   known as Pinning Metadata.

----------

It received the PKP response header field over an error-free TLS
      connection.

Become

It received the PKP or PKP-RO response header field over an error-free TLS
      connection.

----------

If the PKP response header field does not meet all three of these
   criteria, the UA MUST NOT note the host as a Pinned Host.  A PKP
   response header field that meets all these critera is known as a
   Valid Pinning Header.

Become

If the PKP or PKP-RO response header field does not meet all three of these
   criteria, the UA MUST NOT note the host as a Pinned Host.  A response
   header field that meets all these critera is known as a Valid Pinning Header.

----------

The UA need not note any Pins or other policy expressed in the PKP-RO
   response header field, except for the purpose of determining that it
   has already sent a report for a given policy.  UAs SHOULD make a best
   effort not to inundate report-uris with redundant reports.

be removed entirely. The final sentence is included previously as a
SHOULD at the end of 2.1.3

----------
In Section 2.6:

Otherwise, the UA MUST
   treat this Pin Validation Failure as a non-recoverable error.

Become

Otherwise, if the Pinning Metadata indicates the policy was not set by
   the PKP-RO header, the UA MUST treat this Pin Validation Failure
   as a non-recoverable error.

----------


I believe that Section 2.3.2, paragraph "If a host sets the PKP-RO
header..." is clear enough as is.

-tom


From nobody Tue Aug 26 17:16:19 2014
Return-Path: <jbonneau@gmail.com>
X-Original-To: websec@ietfa.amsl.com
Delivered-To: websec@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 340D41A0277 for <websec@ietfa.amsl.com>; Tue, 26 Aug 2014 17:16:17 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level: 
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id mfGCWsn0MqDm for <websec@ietfa.amsl.com>; Tue, 26 Aug 2014 17:16:15 -0700 (PDT)
Received: from mail-yh0-x229.google.com (mail-yh0-x229.google.com [IPv6:2607:f8b0:4002:c01::229]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id AFF891A0263 for <websec@ietf.org>; Tue, 26 Aug 2014 17:16:15 -0700 (PDT)
Received: by mail-yh0-f41.google.com with SMTP id b6so12798973yha.0 for <websec@ietf.org>; Tue, 26 Aug 2014 17:16:15 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113;  h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc:content-type; bh=YPxAlCZJnayJXUcnV05CoiZnkml9d8bXNxrlJUBUpL0=; b=EhRzVpmFn97hPuekeI1WbHo4zZGgvwdwG7UX37uVZhDydySw1/6f2aOs50uNL1qMGf 3aG361NEaZksAGguCQTBYx21IoZ0J5CVWaQBWcZOCKh0kAXZm4ov4NeIN1qxEqun+5Zc REPTFM+aGkkIxq0iZG2Sd8Uvt2jdE7hNqqWtQR3rTh3GdzvFpoYCqWkh4UnsqhxKPIJU b/0tghSNhs/cZ9l5pCxR0CeoHFEzHvWyLmy9YCrj0sTValKEBiuJBLlW8bZkj6l4gFfp 2E4spTSq6P7BOj9DM8bwKvJp9qca3pI9Mzxe1+s7rsbTD8I2UMlY4TxFGZ/932eYPPqx TkzQ==
X-Received: by 10.52.137.2 with SMTP id qe2mr19768768vdb.11.1409098575019; Tue, 26 Aug 2014 17:16:15 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.220.219.1 with HTTP; Tue, 26 Aug 2014 17:15:53 -0700 (PDT)
In-Reply-To: <CA+cU71nN-=TjWZZovMUcTrXMF1gBcYFppnfnsaP7hKw+6AUCLQ@mail.gmail.com>
References: <BAY169-DS62B5941BF0A9024964BB0AEEE0@phx.gbl> <CACvaWvYHAmpX0f9_m-sckhWz9tcyWA-sxVR4vP-A5UcAQmnYXA@mail.gmail.com> <BAY169-DS45F1C5036AB09CA44D0BC7AEDF0@phx.gbl> <CA+cU71k-pLD315dzfd_c74QM51c7V2VQkZ26PiXUTqntmESD=A@mail.gmail.com> <CAOuvq20mZkScvPDKjsa1eZ6rdoHxf_+oF=gpaOcvkOTaYhyj6Q@mail.gmail.com> <CA+cU71mW47OvqRNTbw-H7u-F_k6hMv4xr0XcMYAS_V6eE8brwA@mail.gmail.com> <CAOuvq20C+T9Ejf_KUsfPRtUWL7ggCF0UWJZkGr5xGBEkERXeRQ@mail.gmail.com> <BAY169-DS45D73636AA204DEEABC876AEDC0@phx.gbl> <CAOuvq20kCKk=jcXsy_d8C-4Fn-f0zshP6YUPn5N8hsKt7KO7dw@mail.gmail.com> <CAGZ8ZG3KUPAbePp-_GCztj4RSLd8MuNo1iDz=ua+BEjQVzJc7Q@mail.gmail.com> <CA+cU71=A6vFXZrG8mcqj4uC-z2VdJfFOutqcq9MPTYs+uhpa9Q@mail.gmail.com> <CAOuvq22QgGVpsxrsZswqspiP-rgNE6B3vp_6bYDTE5-MrLZdVg@mail.gmail.com> <CA+cU71nN-=TjWZZovMUcTrXMF1gBcYFppnfnsaP7hKw+6AUCLQ@mail.gmail.com>
From: Joseph Bonneau <jbonneau@gmail.com>
Date: Tue, 26 Aug 2014 20:15:53 -0400
Message-ID: <CAOe4Uim9ZC7MdY1tXhLWFwNxzxorh00bJ3PBsco_H-KxpYh-Dg@mail.gmail.com>
To: Tom Ritter <tom@ritter.vg>
Content-Type: multipart/alternative; boundary=bcaec51b161b0484700501915411
Archived-At: http://mailarchive.ietf.org/arch/msg/websec/seoD--rXn-kKvoQr5nbfGcWU0wo
Cc: "draft-ietf-websec-key-pinning@tools.ietf.org" <draft-ietf-websec-key-pinning@tools.ietf.org>, Eric Lawrence <ericlaw1979@hotmail.com>, IETF WebSec WG <websec@ietf.org>, Ryan Sleevi <sleevi@google.com>
Subject: Re: [websec] draft-ietf-websec-key-pinning
X-BeenThere: websec@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/websec>, <mailto:websec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/websec/>
List-Post: <mailto:websec@ietf.org>
List-Help: <mailto:websec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/websec>, <mailto:websec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 27 Aug 2014 00:16:17 -0000

--bcaec51b161b0484700501915411
Content-Type: text/plain; charset=UTF-8

On Tue, Aug 26, 2014 at 7:07 PM, Tom Ritter <tom@ritter.vg> wrote:
>
> Just because I have a concern or preference doesn't mean I don't
> really appreciate the work you've done. I do.
>

Well said.


> I'd like PKP-RO to be cached like PKP and applied the same way, absent
> the connection termination (preference). After I realized the
> includeSubdomains issue (concern), I want it even more for testing a
> deployment than I want it for my prior attack detection arguments
> (preference).
>

My email wasn't very clear but I would also prefer this policy; I was
simply trying to say that if this isn't possible or acceptable dropping it
completely might be preferable to the current version.

--bcaec51b161b0484700501915411
Content-Type: text/html; charset=UTF-8
Content-Transfer-Encoding: quoted-printable

<div dir=3D"ltr"><div class=3D"gmail_extra"><br><div class=3D"gmail_quote">=
On Tue, Aug 26, 2014 at 7:07 PM, Tom Ritter <span dir=3D"ltr">&lt;<a href=
=3D"mailto:tom@ritter.vg" target=3D"_blank">tom@ritter.vg</a>&gt;</span> wr=
ote:<blockquote class=3D"gmail_quote" style=3D"margin:0 0 0 .8ex;border-lef=
t:1px #ccc solid;padding-left:1ex">

Just because I have a concern or preference doesn&#39;t mean I don&#39;t<br=
>
really appreciate the work you&#39;ve done. I do.<br></blockquote><div>=C2=
=A0</div><div>Well said.</div><div>=C2=A0<br></div><blockquote class=3D"gma=
il_quote" style=3D"margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-lef=
t:1ex">
I&#39;d like PKP-RO to be cached like PKP and applied the same way, absent<=
br>
the connection termination (preference). After I realized the<br>
includeSubdomains issue (concern), I want it even more for testing a<br>
deployment than I want it for my prior attack detection arguments<br>
(preference).<br></blockquote><div><br></div><div>My email wasn&#39;t very =
clear but I would also prefer this policy; I was simply trying to say that =
if this isn&#39;t possible or acceptable dropping it completely might be pr=
eferable to the current version.</div>

</div></div></div>

--bcaec51b161b0484700501915411--


From nobody Tue Aug 26 17:46:35 2014
Return-Path: <trevp@trevp.net>
X-Original-To: websec@ietfa.amsl.com
Delivered-To: websec@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7B0DD1A02CB for <websec@ietfa.amsl.com>; Tue, 26 Aug 2014 17:46:33 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.978
X-Spam-Level: 
X-Spam-Status: No, score=-1.978 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FM_FORGED_GMAIL=0.622, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 48_3k9Bm6khL for <websec@ietfa.amsl.com>; Tue, 26 Aug 2014 17:46:31 -0700 (PDT)
Received: from mail-ie0-f173.google.com (mail-ie0-f173.google.com [209.85.223.173]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 89BFA1A02A2 for <websec@ietf.org>; Tue, 26 Aug 2014 17:46:31 -0700 (PDT)
Received: by mail-ie0-f173.google.com with SMTP id tr6so12471361ieb.4 for <websec@ietf.org>; Tue, 26 Aug 2014 17:46:31 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:date :message-id:subject:from:to:cc:content-type; bh=bOx1AdD5+WvhQ+rOiU5xePMAGJZLOSjJ5oFCHEU29AE=; b=VJJbrZeZjjXUf37AkI21kqQDv+VzZCkJIRFUtV+2oE8xvVrpS2R1/5BWg+mWvJgjNN ldL+7lVNyCwmDb09Pk5/U6epasoRPANhu7hbbcUH4VbKGGm/tXwo4LYZna/sxzXBkqkr szCphD4lOvcaPFJClpnqUSouycX9tRYrhvJX1WBPgkgGHODnso02CPPEkncGerZw1oJZ GdFGxogrOzDYn51ATA7BSxrAeX//ZV16EIt4XvxJe3v+0MPmLRjCydpgMmg0Yd879pkN 0az9e8qEuqQQ3iXL8eiWyL7XKq4NS+BYFVPm/55C5xw1O+XH/MPn5EpwsZLklAuE+XUz mahA==
X-Gm-Message-State: ALoCoQnqLiCInhMsg86BqdSm0UWEdQWHAeD6dR0arhMnkUPfJQZavbDVO3xizVjMQMynmmEiojom
MIME-Version: 1.0
X-Received: by 10.43.127.9 with SMTP id gy9mr4902565icc.71.1409100390871; Tue, 26 Aug 2014 17:46:30 -0700 (PDT)
Received: by 10.107.133.154 with HTTP; Tue, 26 Aug 2014 17:46:30 -0700 (PDT)
X-Originating-IP: [50.1.57.236]
In-Reply-To: <CAOe4Uim9ZC7MdY1tXhLWFwNxzxorh00bJ3PBsco_H-KxpYh-Dg@mail.gmail.com>
References: <BAY169-DS62B5941BF0A9024964BB0AEEE0@phx.gbl> <CACvaWvYHAmpX0f9_m-sckhWz9tcyWA-sxVR4vP-A5UcAQmnYXA@mail.gmail.com> <BAY169-DS45F1C5036AB09CA44D0BC7AEDF0@phx.gbl> <CA+cU71k-pLD315dzfd_c74QM51c7V2VQkZ26PiXUTqntmESD=A@mail.gmail.com> <CAOuvq20mZkScvPDKjsa1eZ6rdoHxf_+oF=gpaOcvkOTaYhyj6Q@mail.gmail.com> <CA+cU71mW47OvqRNTbw-H7u-F_k6hMv4xr0XcMYAS_V6eE8brwA@mail.gmail.com> <CAOuvq20C+T9Ejf_KUsfPRtUWL7ggCF0UWJZkGr5xGBEkERXeRQ@mail.gmail.com> <BAY169-DS45D73636AA204DEEABC876AEDC0@phx.gbl> <CAOuvq20kCKk=jcXsy_d8C-4Fn-f0zshP6YUPn5N8hsKt7KO7dw@mail.gmail.com> <CAGZ8ZG3KUPAbePp-_GCztj4RSLd8MuNo1iDz=ua+BEjQVzJc7Q@mail.gmail.com> <CA+cU71=A6vFXZrG8mcqj4uC-z2VdJfFOutqcq9MPTYs+uhpa9Q@mail.gmail.com> <CAOuvq22QgGVpsxrsZswqspiP-rgNE6B3vp_6bYDTE5-MrLZdVg@mail.gmail.com> <CA+cU71nN-=TjWZZovMUcTrXMF1gBcYFppnfnsaP7hKw+6AUCLQ@mail.gmail.com> <CAOe4Uim9ZC7MdY1tXhLWFwNxzxorh00bJ3PBsco_H-KxpYh-Dg@mail.gmail.com>
Date: Tue, 26 Aug 2014 17:46:30 -0700
Message-ID: <CAGZ8ZG3xoA1w1oEx9F8MuH1PARe5ALU9A1CEXqDXM-JSh_niGg@mail.gmail.com>
From: Trevor Perrin <trevp@trevp.net>
To: Joseph Bonneau <jbonneau@gmail.com>
Content-Type: text/plain; charset=UTF-8
Archived-At: http://mailarchive.ietf.org/arch/msg/websec/astwKciiwalRtSPMRxL6yn_SdXo
Cc: "draft-ietf-websec-key-pinning@tools.ietf.org" <draft-ietf-websec-key-pinning@tools.ietf.org>, Eric Lawrence <ericlaw1979@hotmail.com>, Ryan Sleevi <sleevi@google.com>, IETF WebSec WG <websec@ietf.org>
Subject: Re: [websec] draft-ietf-websec-key-pinning
X-BeenThere: websec@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/websec>, <mailto:websec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/websec/>
List-Post: <mailto:websec@ietf.org>
List-Help: <mailto:websec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/websec>, <mailto:websec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 27 Aug 2014 00:46:33 -0000

On Tue, Aug 26, 2014 at 5:15 PM, Joseph Bonneau <jbonneau@gmail.com> wrote:
>>
>> I'd like PKP-RO to be cached like PKP and applied the same way, absent
>> the connection termination (preference). After I realized the
>> includeSubdomains issue (concern), I want it even more for testing a
>> deployment than I want it for my prior attack detection arguments
>> (preference).
>
>
> My email wasn't very clear but I would also prefer this policy

I'd prefer this as well.  To be even clearer, I think the browser
should treat PKP and PKP-RO headers independently.  I.e., the browser
should maintain separate stores for PKP and PKP-RO data.  PKP headers
only affect the PKP store, and PKP-RO headers only affect the PKP-RO
store.

(For example, PKP max-age=0 doesn't clear PKP-RO, and vice versa).

A browser implementing this probably already has separate stores for
HSTS and HPKP, so this is just adding a third for HPKP-RO, which seems
reasonable to implement.

Trevor


From nobody Tue Aug 26 22:45:07 2014
Return-Path: <ynir.ietf@gmail.com>
X-Original-To: websec@ietfa.amsl.com
Delivered-To: websec@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 18E471A03FA for <websec@ietfa.amsl.com>; Tue, 26 Aug 2014 22:45:05 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level: 
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9,  DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id U1l4KsdE2tzz for <websec@ietfa.amsl.com>; Tue, 26 Aug 2014 22:45:03 -0700 (PDT)
Received: from mail-we0-x234.google.com (mail-we0-x234.google.com [IPv6:2a00:1450:400c:c03::234]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 881811A03F9 for <websec@ietf.org>; Tue, 26 Aug 2014 22:45:03 -0700 (PDT)
Received: by mail-we0-f180.google.com with SMTP id w61so15591862wes.11 for <websec@ietf.org>; Tue, 26 Aug 2014 22:45:02 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113;  h=from:content-type:content-transfer-encoding:subject:date:message-id :cc:to:mime-version; bh=SeO3c8B47IxhdrY7UQtIZUGb5XZLu8apxtH4K/1HEIA=; b=qxY4lTqCLTzHaYB8LbV25xBbYfA1kTxmHHk7uhbC3ddgEsczymOYucC71airWc/K7N FWSNcgyITGUTDR1ITDn+i1Eocj3naHiZ5Sju4NbSsFW73SZq5kNXWlC61dO84HupkoB9 Duc+wuI2xUyAIOVdl78H1lzZT5yVdYUQbIYmsVykgXDPg8T5YrDMYjeKH8FcqvyjkpaY DOJ7Xo+LwoAEJpTDHq9gQIBTcU8SF67sGBRhnwN0hxURklQzdKlZCyTb01gSkodP1D2N jZ/HcXbTNhVSX9cH5bf7nPmNnuzvA9uYVZOkvu6uRY8zG567usYvNTjfc77KuG+xTkfy FuaA==
X-Received: by 10.194.77.243 with SMTP id v19mr20841085wjw.18.1409118301955; Tue, 26 Aug 2014 22:45:01 -0700 (PDT)
Received: from [10.4.32.194] ([80.179.9.115]) by mx.google.com with ESMTPSA id y5sm14036339wje.32.2014.08.26.22.44.54 for <multiple recipients> (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Tue, 26 Aug 2014 22:45:01 -0700 (PDT)
From: Yoav Nir <ynir.ietf@gmail.com>
Content-Type: text/plain; charset=windows-1252
Content-Transfer-Encoding: quoted-printable
Date: Wed, 27 Aug 2014 08:44:43 +0300
Message-Id: <6CAA88AE-1A98-4FF1-B994-A43A0AD3930D@gmail.com>
To: "<websec@ietf.org>" <websec@ietf.org>
Mime-Version: 1.0 (Mac OS X Mail 7.3 \(1878.6\))
X-Mailer: Apple Mail (2.1878.6)
Archived-At: http://mailarchive.ietf.org/arch/msg/websec/3Fd2EzYTBAUQvoD8pZzJ4cIW0Vk
Cc: Barry Leiba <barryleiba@computer.org>
Subject: [websec] Re-litigating Key-Pinning
X-BeenThere: websec@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/websec>, <mailto:websec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/websec/>
List-Post: <mailto:websec@ietf.org>
List-Help: <mailto:websec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/websec>, <mailto:websec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 27 Aug 2014 05:45:05 -0000

Hi folks

In the last few days, we=92ve had a bunch of threads re-opening issues =
with key-pinning, mostly around the PKP-RO.

This document has gone through years of discussion on the mailing list, =
a WGLC and an IETF LC.=20

The document is now under review by the IESG. We (the working group) and =
the authors need to address comments and discuss ballots by members of =
the IESG. This is an inappropriate time to raise new substantive issues =
about the document.=20

Fixing editorial issues like Julians=92 comments about references is =
fine, and could even be done *after* IESG review. However, making =
substantive changes like removing PKP-RO or changing the requirements =
for processing it cannot be done at this stage. Deciding to do this =
requires withdrawing the publication request and sending it back to the =
working group.  I do not think this is advisable.

The IETF occasionally publishes documents that are imperfect. Such =
imperfections can be fixed later via errata or -bis documents. For now, =
I think we should publish the document as it is with the changes agreed =
upon in discussions with ADs.

Thanks

Yoav
[with chair hat firmly on]=


From nobody Wed Aug 27 00:36:43 2014
Return-Path: <trevp@trevp.net>
X-Original-To: websec@ietfa.amsl.com
Delivered-To: websec@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7F1CF1A0452 for <websec@ietfa.amsl.com>; Wed, 27 Aug 2014 00:36:41 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.978
X-Spam-Level: 
X-Spam-Status: No, score=-1.978 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FM_FORGED_GMAIL=0.622, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id sfOMOyYyoafi for <websec@ietfa.amsl.com>; Wed, 27 Aug 2014 00:36:39 -0700 (PDT)
Received: from mail-ig0-f170.google.com (mail-ig0-f170.google.com [209.85.213.170]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6BC061A0459 for <websec@ietf.org>; Wed, 27 Aug 2014 00:36:39 -0700 (PDT)
Received: by mail-ig0-f170.google.com with SMTP id h3so6920511igd.3 for <websec@ietf.org>; Wed, 27 Aug 2014 00:36:38 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:date :message-id:subject:from:to:cc:content-type :content-transfer-encoding; bh=KxVt4A71WnfhoWeZ4PIEwd58RyG1QcZRbZtKwDMWIfg=; b=EpC324ADuzFEaKNmfHVQT9RZqa7mUcKiz4VKL/nBdoyks7zViMmqfOt0FtfnKyCxtO JouGRvDwj8v3k7BtoTo3crEYf8eqSR+A5xVm04tg3v+3SwC7X705PCh7WLXl9JqG7MG/ 6GKrLvNy2NckjvvYc2AQJMhdDlm46Rc5UyqDKXWvICamtIArtQo1KK2iM7mKRMXhxet1 njt9L35CGK/RzCrTxWGp8ACfxxi5xsbDKGxrgD6PRSOhDDwdKje2azq5wQG9WJrjxhlA b9YJY/V+daeDVDbH6d5Ml75DnsXF4nCGcf07UtTa5nAgqCYmxRKNpY/XJFNYgp2hkeTQ Odqw==
X-Gm-Message-State: ALoCoQlvu5iq4Ygmk7Zr5wL76paYf70kUrsJzRY+rXnsBB4wrzmL0d2xCBGnuVtpDAHKgaeJoGEp
MIME-Version: 1.0
X-Received: by 10.50.122.99 with SMTP id lr3mr27615969igb.10.1409124998828; Wed, 27 Aug 2014 00:36:38 -0700 (PDT)
Received: by 10.107.133.154 with HTTP; Wed, 27 Aug 2014 00:36:38 -0700 (PDT)
X-Originating-IP: [50.1.57.236]
In-Reply-To: <6CAA88AE-1A98-4FF1-B994-A43A0AD3930D@gmail.com>
References: <6CAA88AE-1A98-4FF1-B994-A43A0AD3930D@gmail.com>
Date: Wed, 27 Aug 2014 00:36:38 -0700
Message-ID: <CAGZ8ZG03Uy5OdEaEPoX+zvAWQ9cvDYBeufW4CZvLtHN2SFDB8g@mail.gmail.com>
From: Trevor Perrin <trevp@trevp.net>
To: Yoav Nir <ynir.ietf@gmail.com>
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: quoted-printable
Archived-At: http://mailarchive.ietf.org/arch/msg/websec/K5lvSJYitispsjfP-LdM3CNssNg
Cc: Barry Leiba <barryleiba@computer.org>, "<websec@ietf.org>" <websec@ietf.org>
Subject: Re: [websec] Re-litigating Key-Pinning
X-BeenThere: websec@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/websec>, <mailto:websec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/websec/>
List-Post: <mailto:websec@ietf.org>
List-Help: <mailto:websec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/websec>, <mailto:websec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 27 Aug 2014 07:36:41 -0000

On Tue, Aug 26, 2014 at 10:44 PM, Yoav Nir <ynir.ietf@gmail.com> wrote:
> Hi folks
>
> In the last few days, we=E2=80=99ve had a bunch of threads re-opening iss=
ues with key-pinning, mostly around the PKP-RO.
>
> This document has gone through years of discussion on the mailing list, a=
 WGLC and an IETF LC.
>
> The document is now under review by the IESG. We (the working group) and =
the authors need to address comments and discuss ballots by members of the =
IESG. This is an inappropriate time to raise new substantive issues about t=
he document.


PKP-RO isn't a new issue.

The initial draft of PKP-RO was claimed to "follow the same syntax and
semantics of the Public-Key-Pins header" [1].

But the text was unclear.  When we discussed this in February Ryan
proposed to not store PKP-RO pins [2,3].  Myself, Daniel Kahn-Gillmor,
and Tom Ritter proposed to store them [4,5,6], and Chris added text
for this [7,8,9,10].

I later discussed other cleanup of the PKP-RO text [11].  As part of
that Chris changed some of the wording to *not* store PKP-RO pins
[12].  I pointed out the discrepancy and that "I thought we decided
the opposite" a couple times [13,14], but there was a misunderstanding
and he changed things more towards *not* storing PKP-RO [15].  A
couple days after you declared "this working group has done as much as
we can", and further discussion would be "counter-productive" [16].

But I still think storing PKP-RO would be better, and seemed to be the
group's preference.


Trevor


[1] http://www.ietf.org/mail-archive/web/websec/current/msg01539.html
[2] http://www.ietf.org/mail-archive/web/websec/current/msg02030.html
[3] http://www.ietf.org/mail-archive/web/websec/current/msg02037.html
[4] http://www.ietf.org/mail-archive/web/websec/current/msg02042.html
[5] http://www.ietf.org/mail-archive/web/websec/current/msg02043.html
[6] http://www.ietf.org/mail-archive/web/websec/current/msg02044.html
[7] http://www.ietf.org/mail-archive/web/websec/current/msg02051.html
[8] http://www.ietf.org/mail-archive/web/websec/current/msg02054.html
[9] http://www.ietf.org/mail-archive/web/websec/current/msg02055.html
[10] http://www.ietf.org/mail-archive/web/websec/current/msg02069.html
[11] http://www.ietf.org/mail-archive/web/websec/current/msg02075.html
[12] http://www.ietf.org/mail-archive/web/websec/current/msg02081.html
[13] http://www.ietf.org/mail-archive/web/websec/current/msg02084.html
[14] http://www.ietf.org/mail-archive/web/websec/current/msg02094.html
[15] http://www.ietf.org/mail-archive/web/websec/current/msg02097.html
[16] http://www.ietf.org/mail-archive/web/websec/current/msg02100.html


From nobody Wed Aug 27 03:29:55 2014
Return-Path: <tobias.gondrom@gondrom.org>
X-Original-To: websec@ietfa.amsl.com
Delivered-To: websec@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B143C1A056D for <websec@ietfa.amsl.com>; Wed, 27 Aug 2014 03:29:53 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -97.323
X-Spam-Level: 
X-Spam-Status: No, score=-97.323 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FH_HELO_EQ_D_D_D_D=1.597, HELO_DYNAMIC_IPADDR=1.951, HELO_EQ_DE=0.35, HELO_MISMATCH_DE=1.448, RP_MATCHES_RCVD=-0.668, SPF_PASS=-0.001, USER_IN_WHITELIST=-100] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id sSATQ5EaUPXk for <websec@ietfa.amsl.com>; Wed, 27 Aug 2014 03:29:52 -0700 (PDT)
Received: from lvps5-35-241-16.dedicated.hosteurope.de (www.gondrom.org [5.35.241.16]) (using TLSv1.1 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1B04F1A0552 for <websec@ietf.org>; Wed, 27 Aug 2014 03:29:52 -0700 (PDT)
Received: from [192.168.2.107] (p57A3067C.dip0.t-ipconnect.de [87.163.6.124]) by lvps5-35-241-16.dedicated.hosteurope.de (Postfix) with ESMTPSA id 0720A62D9D; Wed, 27 Aug 2014 12:29:50 +0200 (CEST)
DomainKey-Signature: a=rsa-sha1;  q=dns; c=nofws; s=default; d=gondrom.org; b=DsWT/OF9h3YEd0ECiwzbqN9eZGBe/BvXP1LRJTtafEzX1FtIlkIsproYIODvGvGGdUVrIRieijX3pfAcB+4JHBQ1MyM/AqvgAZjqFBb7ywvklA26W2MkE+6Svwg8u0aOMQRtsxslFjWTmlGVBRgj28k6YqL1HcUiZMW5LYI+KZA=; h=Message-ID:Date:From:User-Agent:MIME-Version:To:CC:Subject:References:In-Reply-To:Content-Type:Content-Transfer-Encoding;
Message-ID: <53FDB31D.50600@gondrom.org>
Date: Wed, 27 Aug 2014 11:29:49 +0100
From: Tobias Gondrom <tobias.gondrom@gondrom.org>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Thunderbird/31.0
MIME-Version: 1.0
To: ynir.ietf@gmail.com, websec@ietf.org
References: <6CAA88AE-1A98-4FF1-B994-A43A0AD3930D@gmail.com>
In-Reply-To: <6CAA88AE-1A98-4FF1-B994-A43A0AD3930D@gmail.com>
Content-Type: text/plain; charset=windows-1252; format=flowed
Content-Transfer-Encoding: 8bit
Archived-At: http://mailarchive.ietf.org/arch/msg/websec/4ZYyHuU232tflqkDXw-nnuVcGfE
Cc: barryleiba@computer.org
Subject: Re: [websec] Re-litigating Key-Pinning
X-BeenThere: websec@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/websec>, <mailto:websec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/websec/>
List-Post: <mailto:websec@ietf.org>
List-Help: <mailto:websec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/websec>, <mailto:websec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 27 Aug 2014 10:29:53 -0000

I agree.
Tobias

<with WG chair hat on>


On 27/08/14 06:44, Yoav Nir wrote:
> Hi folks
>
> In the last few days, we’ve had a bunch of threads re-opening issues with key-pinning, mostly around the PKP-RO.
>
> This document has gone through years of discussion on the mailing list, a WGLC and an IETF LC.
>
> The document is now under review by the IESG. We (the working group) and the authors need to address comments and discuss ballots by members of the IESG. This is an inappropriate time to raise new substantive issues about the document.
>
> Fixing editorial issues like Julians’ comments about references is fine, and could even be done *after* IESG review. However, making substantive changes like removing PKP-RO or changing the requirements for processing it cannot be done at this stage. Deciding to do this requires withdrawing the publication request and sending it back to the working group.  I do not think this is advisable.
>
> The IETF occasionally publishes documents that are imperfect. Such imperfections can be fixed later via errata or -bis documents. For now, I think we should publish the document as it is with the changes agreed upon in discussions with ADs.
>
> Thanks
>
> Yoav
> [with chair hat firmly on]
> _______________________________________________
> websec mailing list
> websec@ietf.org
> https://www.ietf.org/mailman/listinfo/websec


From nobody Wed Aug 27 03:31:49 2014
Return-Path: <sleevi@google.com>
X-Original-To: websec@ietfa.amsl.com
Delivered-To: websec@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 214821A02DA for <websec@ietfa.amsl.com>; Tue, 26 Aug 2014 17:53:30 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.046
X-Spam-Level: 
X-Spam-Status: No, score=-2.046 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, RP_MATCHES_RCVD=-0.668, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id UyX9oSZH6Nhj for <websec@ietfa.amsl.com>; Tue, 26 Aug 2014 17:53:28 -0700 (PDT)
Received: from mail-yk0-x22a.google.com (mail-yk0-x22a.google.com [IPv6:2607:f8b0:4002:c07::22a]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8C05D1A02CF for <websec@ietf.org>; Tue, 26 Aug 2014 17:53:28 -0700 (PDT)
Received: by mail-yk0-f170.google.com with SMTP id 9so12302467ykp.29 for <websec@ietf.org>; Tue, 26 Aug 2014 17:53:27 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=MKVrjk6lGXs0srtGoQe9rBY0XjmNhABmSyBbK0yqWGk=; b=mZXsWJEKe0P9IVKv2rj9ie+Lb5K3xlVd0jvzfRgI9Hbp64oaH7UD4n65CngALaikgL 6TVS1Q6DMzG9z0fNe6E/f6hxuBuE9qYTRKcIdVAk4pEL5yHLHLw4m5jyKuZdCa1/Wumy UVV+yUJDKQmGrpj5wXEa1zPOY+5Bd9rMwUIZtG9ls2YxQBkgUuAAngyV9jnJ2FgKweE5 OSXyT3o4j0ji7f+ZjN1NvFaC7fE4yX0sIp/RcvlCNdtZ6/JQVgZPYpg2HY01x2kdnn3v voLcp2/2qp7cWIesFBuCA0dULoTL/pOMqI+W7SqdBXRlkJhv6h+Uz722x7iH8WUxB7v+ ZuLQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:date :message-id:subject:from:to:cc:content-type; bh=MKVrjk6lGXs0srtGoQe9rBY0XjmNhABmSyBbK0yqWGk=; b=TeC8Ujr51ZzvFh1tpg3yXUFm34xcAepLCz7dcZIpgm2ikbHKzzqWNDKqB2DJ1XVHWk lqIywHE4WE/D3m/LG7YZ1veSlQ8ybfCWRCchY1Bjisy/dfZyau6q/7T+Yg3KvzD53lL9 mEJHulp9ahDIw/ZC9D/omO42IwzoeEswc2stdbJezf+ZwCvwzmCMK8aVfgnR5r48g7rn VZMkXEwiVadAaUZLmj2K7nxAqRsvjyxRPr5zvIldmoRfEp7fcAmil6ZrpcLDfpkCo5Fk aUFAiQ5Twh90t7nr25GvTf+RjGw4r7FeCYC0xO7mlBG3nFz9jwF5PI1Ijcd5Y9HTLJ/9 Emmg==
X-Gm-Message-State: ALoCoQleuqfGd0piYk9fJUHPN6NkEIieGI8K9v+dk+0SVI2/SS/MxV+l4LXSjmRe6wwXviUDalFE
MIME-Version: 1.0
X-Received: by 10.220.168.210 with SMTP id v18mr26315953vcy.3.1409100807697; Tue, 26 Aug 2014 17:53:27 -0700 (PDT)
Received: by 10.52.119.178 with HTTP; Tue, 26 Aug 2014 17:53:27 -0700 (PDT)
Received: by 10.52.119.178 with HTTP; Tue, 26 Aug 2014 17:53:27 -0700 (PDT)
In-Reply-To: <CAGZ8ZG3xoA1w1oEx9F8MuH1PARe5ALU9A1CEXqDXM-JSh_niGg@mail.gmail.com>
References: <BAY169-DS62B5941BF0A9024964BB0AEEE0@phx.gbl> <CACvaWvYHAmpX0f9_m-sckhWz9tcyWA-sxVR4vP-A5UcAQmnYXA@mail.gmail.com> <BAY169-DS45F1C5036AB09CA44D0BC7AEDF0@phx.gbl> <CA+cU71k-pLD315dzfd_c74QM51c7V2VQkZ26PiXUTqntmESD=A@mail.gmail.com> <CAOuvq20mZkScvPDKjsa1eZ6rdoHxf_+oF=gpaOcvkOTaYhyj6Q@mail.gmail.com> <CA+cU71mW47OvqRNTbw-H7u-F_k6hMv4xr0XcMYAS_V6eE8brwA@mail.gmail.com> <CAOuvq20C+T9Ejf_KUsfPRtUWL7ggCF0UWJZkGr5xGBEkERXeRQ@mail.gmail.com> <BAY169-DS45D73636AA204DEEABC876AEDC0@phx.gbl> <CAOuvq20kCKk=jcXsy_d8C-4Fn-f0zshP6YUPn5N8hsKt7KO7dw@mail.gmail.com> <CAGZ8ZG3KUPAbePp-_GCztj4RSLd8MuNo1iDz=ua+BEjQVzJc7Q@mail.gmail.com> <CA+cU71=A6vFXZrG8mcqj4uC-z2VdJfFOutqcq9MPTYs+uhpa9Q@mail.gmail.com> <CAOuvq22QgGVpsxrsZswqspiP-rgNE6B3vp_6bYDTE5-MrLZdVg@mail.gmail.com> <CA+cU71nN-=TjWZZovMUcTrXMF1gBcYFppnfnsaP7hKw+6AUCLQ@mail.gmail.com> <CAOe4Uim9ZC7MdY1tXhLWFwNxzxorh00bJ3PBsco_H-KxpYh-Dg@mail.gmail.com> <CAGZ8ZG3xoA1w1oEx9F8MuH1PARe5ALU9A1CEXqDXM-JSh_niGg@mail.gmail.com>
Date: Tue, 26 Aug 2014 17:53:27 -0700
Message-ID: <CACvaWvYjVXMsgCzL=mM+F8eS0hcjTqEaR7xYzti4LD4rdpbD1g@mail.gmail.com>
From: Ryan Sleevi <sleevi@google.com>
To: Trevor Perrin <trevp@trevp.net>
Content-Type: multipart/alternative; boundary=001a11c247e4189044050191d979
Archived-At: http://mailarchive.ietf.org/arch/msg/websec/BenW7Whw2vEB2bpuML7jmTKljhM
X-Mailman-Approved-At: Wed, 27 Aug 2014 03:31:47 -0700
Cc: "<websec@ietf.org>" <websec@ietf.org>, Eric Lawrence <ericlaw1979@hotmail.com>, draft-ietf-websec-key-pinning@tools.ietf.org
Subject: Re: [websec] draft-ietf-websec-key-pinning
X-BeenThere: websec@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/websec>, <mailto:websec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/websec/>
List-Post: <mailto:websec@ietf.org>
List-Help: <mailto:websec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/websec>, <mailto:websec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 27 Aug 2014 00:53:30 -0000

--001a11c247e4189044050191d979
Content-Type: text/plain; charset=UTF-8

This seems like it would meaningfully necessitate changes to the security
and privacy considerations. In these cases, in specs and in code, my
feeling is that less is more desirable, and I agree with Joe's remarks
about whether or not PKP-RO meets the goals.

Chairs, can you provide feedback on how to progress  with such significant
changes based on post-WGLC feedback: either the removal of or the changing
definition of PKP-RO.
On Aug 26, 2014 5:46 PM, "Trevor Perrin" <trevp@trevp.net> wrote:

> On Tue, Aug 26, 2014 at 5:15 PM, Joseph Bonneau <jbonneau@gmail.com>
> wrote:
> >>
> >> I'd like PKP-RO to be cached like PKP and applied the same way, absent
> >> the connection termination (preference). After I realized the
> >> includeSubdomains issue (concern), I want it even more for testing a
> >> deployment than I want it for my prior attack detection arguments
> >> (preference).
> >
> >
> > My email wasn't very clear but I would also prefer this policy
>
> I'd prefer this as well.  To be even clearer, I think the browser
> should treat PKP and PKP-RO headers independently.  I.e., the browser
> should maintain separate stores for PKP and PKP-RO data.  PKP headers
> only affect the PKP store, and PKP-RO headers only affect the PKP-RO
> store.
>
> (For example, PKP max-age=0 doesn't clear PKP-RO, and vice versa).
>
> A browser implementing this probably already has separate stores for
> HSTS and HPKP, so this is just adding a third for HPKP-RO, which seems
> reasonable to implement.
>
> Trevor
>

--001a11c247e4189044050191d979
Content-Type: text/html; charset=UTF-8
Content-Transfer-Encoding: quoted-printable

<p dir=3D"ltr">This seems like it would meaningfully necessitate changes to=
 the security and privacy considerations. In these cases, in specs and in c=
ode, my feeling is that less is more desirable, and I agree with Joe&#39;s =
remarks about whether or not PKP-RO meets the goals.</p>

<p dir=3D"ltr">Chairs, can you provide feedback on how to progress=C2=A0 wi=
th such significant changes based on post-WGLC feedback: either the removal=
 of or the changing definition of PKP-RO.</p>
<div class=3D"gmail_quote">On Aug 26, 2014 5:46 PM, &quot;Trevor Perrin&quo=
t; &lt;<a href=3D"mailto:trevp@trevp.net">trevp@trevp.net</a>&gt; wrote:<br=
 type=3D"attribution"><blockquote class=3D"gmail_quote" style=3D"margin:0 0=
 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
On Tue, Aug 26, 2014 at 5:15 PM, Joseph Bonneau &lt;<a href=3D"mailto:jbonn=
eau@gmail.com">jbonneau@gmail.com</a>&gt; wrote:<br>
&gt;&gt;<br>
&gt;&gt; I&#39;d like PKP-RO to be cached like PKP and applied the same way=
, absent<br>
&gt;&gt; the connection termination (preference). After I realized the<br>
&gt;&gt; includeSubdomains issue (concern), I want it even more for testing=
 a<br>
&gt;&gt; deployment than I want it for my prior attack detection arguments<=
br>
&gt;&gt; (preference).<br>
&gt;<br>
&gt;<br>
&gt; My email wasn&#39;t very clear but I would also prefer this policy<br>
<br>
I&#39;d prefer this as well.=C2=A0 To be even clearer, I think the browser<=
br>
should treat PKP and PKP-RO headers independently.=C2=A0 I.e., the browser<=
br>
should maintain separate stores for PKP and PKP-RO data.=C2=A0 PKP headers<=
br>
only affect the PKP store, and PKP-RO headers only affect the PKP-RO<br>
store.<br>
<br>
(For example, PKP max-age=3D0 doesn&#39;t clear PKP-RO, and vice versa).<br=
>
<br>
A browser implementing this probably already has separate stores for<br>
HSTS and HPKP, so this is just adding a third for HPKP-RO, which seems<br>
reasonable to implement.<br>
<br>
Trevor<br>
</blockquote></div>

--001a11c247e4189044050191d979--


From nobody Wed Aug 27 03:47:06 2014
Return-Path: <ynir.ietf@gmail.com>
X-Original-To: websec@ietfa.amsl.com
Delivered-To: websec@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id ABC821A05D3 for <websec@ietfa.amsl.com>; Wed, 27 Aug 2014 03:47:04 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level: 
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 7evzb5-hbr_U for <websec@ietfa.amsl.com>; Wed, 27 Aug 2014 03:47:03 -0700 (PDT)
Received: from mail-la0-x232.google.com (mail-la0-x232.google.com [IPv6:2a00:1450:4010:c03::232]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4BBEF1A05D1 for <websec@ietf.org>; Wed, 27 Aug 2014 03:47:03 -0700 (PDT)
Received: by mail-la0-f50.google.com with SMTP id pi18so23812lab.23 for <websec@ietf.org>; Wed, 27 Aug 2014 03:47:01 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113;  h=content-type:mime-version:subject:from:in-reply-to:date:cc :message-id:references:to; bh=PrA8OfJwtDgggwSsbpqAoRlhKS6uTd8ZrnC0YWHTwR4=; b=LXll2ODjp1aNGTZdDFORgmV48E2Yb8pwRTKblB7kEgzGUnGpKdQG2M/L7dhnyMDPLy Zv1in/jXhr2vqGm3lxZGYLr2yGA1R2yrIaxurt3vJloslCjU+gNe4QL0AE/VFg3IZAPD S9ccyGxlqvgRJuIvMx2j03W1paTzmBJLum/XINBjlJA7j3Q8jtJCNS21TLqpRONXHJcG dMPmEZM3fIosoO35uKvOcoP3LX9IPX8tJtoToOrh0RpwNgvvCIsigzqzXIhJYZL38aMN ncHwsR/zdOKFR569aFzV/LZvJ3W4mk3F/rGqNZWOtQXLN7bnsZ60jcWPRdIc8i2kGuuK K2GA==
X-Received: by 10.112.221.37 with SMTP id qb5mr31299232lbc.69.1409136421636; Wed, 27 Aug 2014 03:47:01 -0700 (PDT)
Received: from [172.24.249.230] (dyn32-131.checkpoint.com. [194.29.32.131]) by mx.google.com with ESMTPSA id bi5sm25819lbb.18.2014.08.27.03.47.00 for <multiple recipients> (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Wed, 27 Aug 2014 03:47:00 -0700 (PDT)
Content-Type: multipart/alternative; boundary="Apple-Mail=_DB84553F-CCBF-42F9-8BA8-C80C217D10E4"
Mime-Version: 1.0 (Mac OS X Mail 7.3 \(1878.6\))
From: Yoav Nir <ynir.ietf@gmail.com>
In-Reply-To: <CACvaWvYjVXMsgCzL=mM+F8eS0hcjTqEaR7xYzti4LD4rdpbD1g@mail.gmail.com>
Date: Wed, 27 Aug 2014 13:46:56 +0300
Message-Id: <0EBE1766-612D-442E-B2B1-149D368144D4@gmail.com>
References: <BAY169-DS62B5941BF0A9024964BB0AEEE0@phx.gbl> <CACvaWvYHAmpX0f9_m-sckhWz9tcyWA-sxVR4vP-A5UcAQmnYXA@mail.gmail.com> <BAY169-DS45F1C5036AB09CA44D0BC7AEDF0@phx.gbl> <CA+cU71k-pLD315dzfd_c74QM51c7V2VQkZ26PiXUTqntmESD=A@mail.gmail.com> <CAOuvq20mZkScvPDKjsa1eZ6rdoHxf_+oF=gpaOcvkOTaYhyj6Q@mail.gmail.com> <CA+cU71mW47OvqRNTbw-H7u-F_k6hMv4xr0XcMYAS_V6eE8brwA@mail.gmail.com> <CAOuvq20C+T9Ejf_KUsfPRtUWL7ggCF0UWJZkGr5xGBEkERXeRQ@mail.gmail.com> <BAY169-DS45D73636AA204DEEABC876AEDC0@phx.gbl> <CAOuvq20kCKk=jcXsy_d8C-4Fn-f0zshP6YUPn5N8hsKt7KO7dw@mail.gmail.com> <CAGZ8ZG3KUPAbePp-_GCztj4RSLd8MuNo1iDz=ua+BEjQVzJc7Q@mail.gmail.com> <CA+cU71=A6vFXZrG8mcqj4uC-z2VdJfFOutqcq9MPTYs+uhpa9Q@mail.gmail.com> <CAOuvq22QgGVpsxrsZswqspiP-rgNE6B3vp_6bYDTE5-MrLZdVg@mail.gmail.com> <CA+cU71nN-=TjWZZovMUcTrXMF1gBcYFppnfnsaP7hKw+6AUCLQ@mail.gmail.com> <CAOe4Uim9ZC7MdY1tXhLWFwNxzxorh00bJ3PBsco_H-KxpYh-Dg@mail.gmail.com> <CAGZ8ZG3xoA1w1oEx9F8MuH1PARe5ALU9A1CEXqDXM-JSh_niGg@mail.gmail.com> <CACvaWvYjVXMsgCzL=mM+F8eS0hcjTqEaR7xYzti4LD4rdpbD1g@mail.gmail.com>
To: Ryan Sleevi <sleevi@google.com>
X-Mailer: Apple Mail (2.1878.6)
Archived-At: http://mailarchive.ietf.org/arch/msg/websec/zYrsOtRncN_pxSPcx9WKX6DuOHM
Cc: draft-ietf-websec-key-pinning@tools.ietf.org, Eric Lawrence <ericlaw1979@hotmail.com>, "<websec@ietf.org>" <websec@ietf.org>
Subject: Re: [websec] draft-ietf-websec-key-pinning
X-BeenThere: websec@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/websec>, <mailto:websec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/websec/>
List-Post: <mailto:websec@ietf.org>
List-Help: <mailto:websec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/websec>, <mailto:websec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 27 Aug 2014 10:47:04 -0000

--Apple-Mail=_DB84553F-CCBF-42F9-8BA8-C80C217D10E4
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain;
	charset=us-ascii


On Aug 27, 2014, at 3:53 AM, Ryan Sleevi <sleevi@google.com> wrote:

> This seems like it would meaningfully necessitate changes to the =
security and privacy considerations. In these cases, in specs and in =
code, my feeling is that less is more desirable, and I agree with Joe's =
remarks about whether or not PKP-RO meets the goals.
>=20
> Chairs, can you provide feedback on how to progress  with such =
significant changes based on post-WGLC feedback: either the removal of =
or the changing definition of PKP-RO.
>=20
I thought I did, but to re-iterate: We are past WGLC. More importantly, =
we are past IETF LC, and in the middle of IESG evaluation.

At this stage, we can make editorial changes, but we cannot make =
significant changes on our own. We can withdraw the request to publish, =
and take it back to the working group, but I think that would be =
inadvisable.

I think we should proceed, making only editorial changes, and changes =
resulting from discussion with IESG members.

Yoav
(with chair hat on)





--Apple-Mail=_DB84553F-CCBF-42F9-8BA8-C80C217D10E4
Content-Transfer-Encoding: 7bit
Content-Type: text/html;
	charset=us-ascii

<html><head><meta http-equiv="Content-Type" content="text/html charset=us-ascii"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;"><br><div><div>On Aug 27, 2014, at 3:53 AM, Ryan Sleevi &lt;<a href="mailto:sleevi@google.com">sleevi@google.com</a>&gt; wrote:</div><br class="Apple-interchange-newline"><blockquote type="cite"><p dir="ltr">This seems like it would meaningfully necessitate changes to the security and privacy considerations. In these cases, in specs and in code, my feeling is that less is more desirable, and I agree with Joe's remarks about whether or not PKP-RO meets the goals.</p><p dir="ltr">Chairs, can you provide feedback on how to progress&nbsp; with such significant changes based on post-WGLC feedback: either the removal of or the changing definition of PKP-RO.</p>
</blockquote>I thought I did, but to re-iterate: We are past WGLC. More importantly, we are past IETF LC, and in the middle of IESG evaluation.</div><div><br></div><div>At this stage, we can make editorial changes, but we cannot make significant changes on our own. We can withdraw the request to publish, and take it back to the working group, but I think that would be inadvisable.</div><div><br></div><div>I think we should proceed, making only editorial changes, and changes resulting from discussion with IESG members.</div><div><br></div><div>Yoav</div><div>(with chair hat on)</div><div><br></div><div><br></div><div><br></div><br></body></html>
--Apple-Mail=_DB84553F-CCBF-42F9-8BA8-C80C217D10E4--


From nobody Wed Aug 27 05:26:41 2014
Return-Path: <tom@ritter.vg>
X-Original-To: websec@ietfa.amsl.com
Delivered-To: websec@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 96E1D1A0679 for <websec@ietfa.amsl.com>; Wed, 27 Aug 2014 05:26:37 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.379
X-Spam-Level: 
X-Spam-Status: No, score=-1.379 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FM_FORGED_GMAIL=0.622, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id EEGRAvohi59F for <websec@ietfa.amsl.com>; Wed, 27 Aug 2014 05:26:36 -0700 (PDT)
Received: from mail-ie0-x231.google.com (mail-ie0-x231.google.com [IPv6:2607:f8b0:4001:c03::231]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5B8FE1A0678 for <websec@ietf.org>; Wed, 27 Aug 2014 05:26:36 -0700 (PDT)
Received: by mail-ie0-f177.google.com with SMTP id at20so142288iec.36 for <websec@ietf.org>; Wed, 27 Aug 2014 05:26:35 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ritter.vg; s=vg; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc:content-type; bh=bIbdE6MUm19PjdvxJQhsMSYSEQD2QgNIFsPs9mdAShc=; b=xfoEBravh1HelQItUJxIbpgYinGo1qSQHKvAgH5bt1ldWLLcrTjGOw8XxmrnYBoZEQ j2Aj7X+8/H1b0OEdQqUv+RdDr7eXZaVdns7gmdLO57uGpvrQealiMGGbvhiht95K3MmR QXFzJzqBw11/rCGF4XxQ2tGSh+FuLsIDbXtCM=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc:content-type; bh=bIbdE6MUm19PjdvxJQhsMSYSEQD2QgNIFsPs9mdAShc=; b=cCbGuGqOo/75dVr7BQRWUEM3NJ27AuR/q1dNZ+MmxnAFFZadJ3a+72tKPhjdJdwEID TcICddJtjEuFGvFQSprpj3tfjG514MtbQQFLj20+BvzGbD2SdYI9Oo0h9RGVA1m/yIkA 6YTPhSrfF2oExmcaKzq5cQumpK/qsHm1ZZXegVCrF6H5uZ5Apy6NbPcrP3x6x5g+OB84 2vpVoPbrCQLbggyAKUH4Dv9Gs0WlHkYdPusGn262sKPZBTK/10u6xtHDvKdn78dfvJDN 4ofow+gBqvhoslxILZZeeWuS61Kr3wIxjstoeRQUdN5qv70VtUadVNSrNdLg3HgNqAVV JBqA==
X-Gm-Message-State: ALoCoQntGQHS3KSromyIt25wsbKKhLtBOzgSuzq/khzYoikf/OH0C1VK7KdMYHdaag24g9TyFvCW
X-Received: by 10.42.247.137 with SMTP id mc9mr35266084icb.13.1409142395752; Wed, 27 Aug 2014 05:26:35 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.107.10.104 with HTTP; Wed, 27 Aug 2014 05:26:15 -0700 (PDT)
In-Reply-To: <0EBE1766-612D-442E-B2B1-149D368144D4@gmail.com>
References: <BAY169-DS62B5941BF0A9024964BB0AEEE0@phx.gbl> <CACvaWvYHAmpX0f9_m-sckhWz9tcyWA-sxVR4vP-A5UcAQmnYXA@mail.gmail.com> <BAY169-DS45F1C5036AB09CA44D0BC7AEDF0@phx.gbl> <CA+cU71k-pLD315dzfd_c74QM51c7V2VQkZ26PiXUTqntmESD=A@mail.gmail.com> <CAOuvq20mZkScvPDKjsa1eZ6rdoHxf_+oF=gpaOcvkOTaYhyj6Q@mail.gmail.com> <CA+cU71mW47OvqRNTbw-H7u-F_k6hMv4xr0XcMYAS_V6eE8brwA@mail.gmail.com> <CAOuvq20C+T9Ejf_KUsfPRtUWL7ggCF0UWJZkGr5xGBEkERXeRQ@mail.gmail.com> <BAY169-DS45D73636AA204DEEABC876AEDC0@phx.gbl> <CAOuvq20kCKk=jcXsy_d8C-4Fn-f0zshP6YUPn5N8hsKt7KO7dw@mail.gmail.com> <CAGZ8ZG3KUPAbePp-_GCztj4RSLd8MuNo1iDz=ua+BEjQVzJc7Q@mail.gmail.com> <CA+cU71=A6vFXZrG8mcqj4uC-z2VdJfFOutqcq9MPTYs+uhpa9Q@mail.gmail.com> <CAOuvq22QgGVpsxrsZswqspiP-rgNE6B3vp_6bYDTE5-MrLZdVg@mail.gmail.com> <CA+cU71nN-=TjWZZovMUcTrXMF1gBcYFppnfnsaP7hKw+6AUCLQ@mail.gmail.com> <CAOe4Uim9ZC7MdY1tXhLWFwNxzxorh00bJ3PBsco_H-KxpYh-Dg@mail.gmail.com> <CAGZ8ZG3xoA1w1oEx9F8MuH1PARe5ALU9A1CEXqDXM-JSh_niGg@mail.gmail.com> <CACvaWvYjVXMsgCzL=mM+F8eS0hcjTqEaR7xYzti4LD4rdpbD1g@mail.gmail.com> <0EBE1766-612D-442E-B2B1-149D368144D4@gmail.com>
From: Tom Ritter <tom@ritter.vg>
Date: Wed, 27 Aug 2014 07:26:15 -0500
Message-ID: <CA+cU71=gTW1ePN9HX4urTDktF-RohgrmYP_jRgKVStQ4F7QP6w@mail.gmail.com>
To: Yoav Nir <ynir.ietf@gmail.com>
Content-Type: text/plain; charset=ISO-8859-1
Archived-At: http://mailarchive.ietf.org/arch/msg/websec/uO0MPPOFiEyPXMFYsBqFaQnz6lg
Cc: draft-ietf-websec-key-pinning <draft-ietf-websec-key-pinning@tools.ietf.org>, Eric Lawrence <ericlaw1979@hotmail.com>, "<websec@ietf.org>" <websec@ietf.org>, Ryan Sleevi <sleevi@google.com>
Subject: Re: [websec] draft-ietf-websec-key-pinning
X-BeenThere: websec@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/websec>, <mailto:websec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/websec/>
List-Post: <mailto:websec@ietf.org>
List-Help: <mailto:websec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/websec>, <mailto:websec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 27 Aug 2014 12:26:37 -0000

On 27 August 2014 05:46, Yoav Nir <ynir.ietf@gmail.com> wrote:
> At this stage, we can make editorial changes, but we cannot make significant
> changes on our own. We can withdraw the request to publish, and take it back
> to the working group, but I think that would be inadvisable.
>
> I think we should proceed, making only editorial changes, and changes
> resulting from discussion with IESG members.

If adding a note in 4.2 about includeSubdomains and PKP-RO (for
testing) counts as editorial, I think that is worthwhile.
Otherwise/regardless I also don't want to withdraw.

-tom


From nobody Wed Aug 27 07:55:24 2014
Return-Path: <barryleiba@gmail.com>
X-Original-To: websec@ietfa.amsl.com
Delivered-To: websec@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BCEC31A0792 for <websec@ietfa.amsl.com>; Wed, 27 Aug 2014 07:55:23 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.278
X-Spam-Level: 
X-Spam-Status: No, score=-1.278 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, FM_FORGED_GMAIL=0.622, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id R3yRlj1YkjXE for <websec@ietfa.amsl.com>; Wed, 27 Aug 2014 07:55:22 -0700 (PDT)
Received: from mail-lb0-x229.google.com (mail-lb0-x229.google.com [IPv6:2a00:1450:4010:c04::229]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2F7681A0739 for <websec@ietf.org>; Wed, 27 Aug 2014 07:55:22 -0700 (PDT)
Received: by mail-lb0-f169.google.com with SMTP id n15so620366lbi.14 for <websec@ietf.org>; Wed, 27 Aug 2014 07:55:20 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113;  h=mime-version:sender:in-reply-to:references:date:message-id:subject :from:to:cc:content-type; bh=nwpQsDHGGM/Po+W3DOGYS8gygcv6fIIT7JF4dXzVEEs=; b=Nw/5ntw77s3bwLbUzAeG9hwRWCBN42e0hVgGXg+fgKKNt06rXuj1v2e2f8LlyBfd63 l0fcbtlx+ENOf6PmyJu6aukfXS86p69L6F7AKry/IJwjA/81Ayw/TJ3VBGNgtraaTBnw xt5skfG658QynqfL6bX7EjTmfOhm18md8s2HipLQACHPJpwN49hbwjurmxVY24/awzTP +ZfVU8P7BzqfZVPy7wqnFUxubbB/owoPv8dSv9SiDgYi2Wa4pO4WvlWGyIqloY92QpgU RaWHiWEn0tjjdx6FXX6hXLKtG5zqsGfWT225o8McbMA0AVy4CikSDDJlGMqqBP9qfG4v 7MRA==
MIME-Version: 1.0
X-Received: by 10.112.8.99 with SMTP id q3mr20820174lba.85.1409151320095; Wed, 27 Aug 2014 07:55:20 -0700 (PDT)
Sender: barryleiba@gmail.com
Received: by 10.152.1.106 with HTTP; Wed, 27 Aug 2014 07:55:20 -0700 (PDT)
In-Reply-To: <CAGZ8ZG03Uy5OdEaEPoX+zvAWQ9cvDYBeufW4CZvLtHN2SFDB8g@mail.gmail.com>
References: <6CAA88AE-1A98-4FF1-B994-A43A0AD3930D@gmail.com> <CAGZ8ZG03Uy5OdEaEPoX+zvAWQ9cvDYBeufW4CZvLtHN2SFDB8g@mail.gmail.com>
Date: Wed, 27 Aug 2014 10:55:20 -0400
X-Google-Sender-Auth: Tgh_6Fj2rT_pRRgrA5McaRmg2EI
Message-ID: <CALaySJ+ZpTy+g2zJdq+V7dbK=hpkRGCBvqdODn6OOzxjz+J=dw@mail.gmail.com>
From: Barry Leiba <barryleiba@computer.org>
To: Trevor Perrin <trevp@trevp.net>
Content-Type: text/plain; charset=ISO-8859-1
Archived-At: http://mailarchive.ietf.org/arch/msg/websec/TvW15tLML1Rh_6FKutIDhme_JZw
Cc: "<websec@ietf.org>" <websec@ietf.org>
Subject: Re: [websec] Re-litigating Key-Pinning
X-BeenThere: websec@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/websec>, <mailto:websec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/websec/>
List-Post: <mailto:websec@ietf.org>
List-Help: <mailto:websec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/websec>, <mailto:websec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 27 Aug 2014 14:55:23 -0000

Hi, Trevor, and thanks for the note.  A couple of things, as responsible AD:

1. Yoav says, "This is an inappropriate time to raise new substantive
issues about the document."  I agree with the sense of what Yoav is
saying, but let me clarify what that means.  It is *always* an
appropriate time to raise new, substantive issues if those issues are
addressing a serious problem with the document.  The point is that
this stage is not the appropriate time to bring up "we should have
gone in a different direction" issues, whether those are new or
revisited.  Serious problems: OK.  "I'd have done it differently": no.

2. That said, we do need to be sure that issues of any sort that had
been raised before were addressed properly, and it's always
appropriate to have a look at that.  No one's input to the working
group should be sloughed off without proper consideration.

So, let me be clear about what you (Trevor) are saying in your
message, because I'm not sure.

 - Is it that an error was made in document editing, such that
something that you thought was decided one way made it into the
document in a different, incorrect way?

 - Or is it that you think the issue you brought up was not adequately
considered, and editing of the document went off in the wrong
direction because of that?

 - Or is it that you think the issue you brought up was discussed, the
working group decided otherwise, and the editing went in the direction
of consensus that you disagree with.

 - Or is it something else?

Thanks,
Barry, Applications AD

On Wed, Aug 27, 2014 at 3:36 AM, Trevor Perrin <trevp@trevp.net> wrote:
> On Tue, Aug 26, 2014 at 10:44 PM, Yoav Nir <ynir.ietf@gmail.com> wrote:
>> Hi folks
>>
>> In the last few days, we've had a bunch of threads re-opening issues with key-pinning, mostly around the PKP-RO.
>>
>> This document has gone through years of discussion on the mailing list, a WGLC and an IETF LC.
>>
>> The document is now under review by the IESG. We (the working group) and the authors need to address comments and discuss ballots by members of the IESG. This is an inappropriate time to raise new substantive issues about the document.
>
>
> PKP-RO isn't a new issue.
>
> The initial draft of PKP-RO was claimed to "follow the same syntax and
> semantics of the Public-Key-Pins header" [1].
>
> But the text was unclear.  When we discussed this in February Ryan
> proposed to not store PKP-RO pins [2,3].  Myself, Daniel Kahn-Gillmor,
> and Tom Ritter proposed to store them [4,5,6], and Chris added text
> for this [7,8,9,10].
>
> I later discussed other cleanup of the PKP-RO text [11].  As part of
> that Chris changed some of the wording to *not* store PKP-RO pins
> [12].  I pointed out the discrepancy and that "I thought we decided
> the opposite" a couple times [13,14], but there was a misunderstanding
> and he changed things more towards *not* storing PKP-RO [15].  A
> couple days after you declared "this working group has done as much as
> we can", and further discussion would be "counter-productive" [16].
>
> But I still think storing PKP-RO would be better, and seemed to be the
> group's preference.
>
>
> Trevor
>
>
> [1] http://www.ietf.org/mail-archive/web/websec/current/msg01539.html
> [2] http://www.ietf.org/mail-archive/web/websec/current/msg02030.html
> [3] http://www.ietf.org/mail-archive/web/websec/current/msg02037.html
> [4] http://www.ietf.org/mail-archive/web/websec/current/msg02042.html
> [5] http://www.ietf.org/mail-archive/web/websec/current/msg02043.html
> [6] http://www.ietf.org/mail-archive/web/websec/current/msg02044.html
> [7] http://www.ietf.org/mail-archive/web/websec/current/msg02051.html
> [8] http://www.ietf.org/mail-archive/web/websec/current/msg02054.html
> [9] http://www.ietf.org/mail-archive/web/websec/current/msg02055.html
> [10] http://www.ietf.org/mail-archive/web/websec/current/msg02069.html
> [11] http://www.ietf.org/mail-archive/web/websec/current/msg02075.html
> [12] http://www.ietf.org/mail-archive/web/websec/current/msg02081.html
> [13] http://www.ietf.org/mail-archive/web/websec/current/msg02084.html
> [14] http://www.ietf.org/mail-archive/web/websec/current/msg02094.html
> [15] http://www.ietf.org/mail-archive/web/websec/current/msg02097.html
> [16] http://www.ietf.org/mail-archive/web/websec/current/msg02100.html


From nobody Wed Aug 27 09:53:57 2014
Return-Path: <trevp@trevp.net>
X-Original-To: websec@ietfa.amsl.com
Delivered-To: websec@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 48CDF1A0005 for <websec@ietfa.amsl.com>; Wed, 27 Aug 2014 09:53:56 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.978
X-Spam-Level: 
X-Spam-Status: No, score=-1.978 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FM_FORGED_GMAIL=0.622, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Y7i_TEX503GK for <websec@ietfa.amsl.com>; Wed, 27 Aug 2014 09:53:54 -0700 (PDT)
Received: from mail-ig0-f170.google.com (mail-ig0-f170.google.com [209.85.213.170]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 600501A0AE8 for <websec@ietf.org>; Wed, 27 Aug 2014 09:53:54 -0700 (PDT)
Received: by mail-ig0-f170.google.com with SMTP id h3so7591216igd.3 for <websec@ietf.org>; Wed, 27 Aug 2014 09:53:53 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:date :message-id:subject:from:to:cc:content-type; bh=UOo1VvnK5lU3EzwrqbkR4CtiBr9hYANg2hN5l4TIet0=; b=IGdyfmh+OawM6gTI8uuqVLhlxUIzuYA5qib728Odql5/CWVxwlhXwZuN8ZEtn8c8dt Z2n50OoyD3uv3sE+ANhqB2DHTq2o9k4lEpovjxQlacqgI0dLGNmMo3f1enX7D9afxLxf oZszBEAATt49eFCOUaQFHudhVQpzEA9rrMDAFt5CFNRLs+LfBjepgwfIymiZd4OYER8W soEolkL5V4QbqX0qsEkCPhH8d4AQqZ0Lj82UME1S2Zhon6yKSGnYKOwSt55Wrgouoaym IBmuPlBz2XYZSFger/YCjHPY2IZ/Lue2uIp48fWvIFpdkgTlseGsl40es3k1l0Kkn5KR sizg==
X-Gm-Message-State: ALoCoQlz5Yj2PsvAOP0cWekY8ioDKUWkOcIWpHeDgppEfY2sNS6kU/ZlzOk7H3P7d/QuA6V//Noy
MIME-Version: 1.0
X-Received: by 10.50.57.68 with SMTP id g4mr31676252igq.48.1409158433716; Wed, 27 Aug 2014 09:53:53 -0700 (PDT)
Received: by 10.107.133.154 with HTTP; Wed, 27 Aug 2014 09:53:53 -0700 (PDT)
X-Originating-IP: [50.1.57.236]
In-Reply-To: <CALaySJ+ZpTy+g2zJdq+V7dbK=hpkRGCBvqdODn6OOzxjz+J=dw@mail.gmail.com>
References: <6CAA88AE-1A98-4FF1-B994-A43A0AD3930D@gmail.com> <CAGZ8ZG03Uy5OdEaEPoX+zvAWQ9cvDYBeufW4CZvLtHN2SFDB8g@mail.gmail.com> <CALaySJ+ZpTy+g2zJdq+V7dbK=hpkRGCBvqdODn6OOzxjz+J=dw@mail.gmail.com>
Date: Wed, 27 Aug 2014 09:53:53 -0700
Message-ID: <CAGZ8ZG1-2SrgZXmAQcymWNeWsRvTBSnh1tYuKw2kCgo072GF4Q@mail.gmail.com>
From: Trevor Perrin <trevp@trevp.net>
To: Barry Leiba <barryleiba@computer.org>
Content-Type: text/plain; charset=UTF-8
Archived-At: http://mailarchive.ietf.org/arch/msg/websec/QFbVA00tSObWicZaQ_c2gMxO-q8
Cc: "<websec@ietf.org>" <websec@ietf.org>
Subject: Re: [websec] Re-litigating Key-Pinning
X-BeenThere: websec@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/websec>, <mailto:websec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/websec/>
List-Post: <mailto:websec@ietf.org>
List-Help: <mailto:websec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/websec>, <mailto:websec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 27 Aug 2014 16:53:56 -0000

On Wed, Aug 27, 2014 at 7:55 AM, Barry Leiba <barryleiba@computer.org> wrote:
>
> So, let me be clear about what you (Trevor) are saying in your
> message, because I'm not sure.
>
>  - Is it that an error was made in document editing, such that
> something that you thought was decided one way made it into the
> document in a different, incorrect way?
>
>  - Or is it that you think the issue you brought up was not adequately
> considered, and editing of the document went off in the wrong
> direction because of that?
>
>  - Or is it that you think the issue you brought up was discussed, the
> working group decided otherwise, and the editing went in the direction
> of consensus that you disagree with.


I'd say the first two, not the third.  But it's hard to know what
counts as "decided" or "adequately considered".

The main discussion of this I'm aware of was:

http://www.ietf.org/mail-archive/web/websec/current/msg02034.html

Discussion was light.  One of the editors proposed not storing
PKP-PRO.  I preferred either storing it or not supporting it.  Two
others were in favor of storing it.  The draft was edited seemingly
based on "storing".

I thought the edits were incomplete so pushed for more, but that may
have been misunderstood as it was edited in the other direction,
without the issue being re-discussed.

In any case, I don't think this is "re-litigating" a contentious or
resolved discussion.  It just seems like a lightly-discussed issue
with some communication breakdown between the discussion above and
editing.


Trevor



>
>  - Or is it something else?
>
> Thanks,
> Barry, Applications AD
>
> On Wed, Aug 27, 2014 at 3:36 AM, Trevor Perrin <trevp@trevp.net> wrote:
>> On Tue, Aug 26, 2014 at 10:44 PM, Yoav Nir <ynir.ietf@gmail.com> wrote:
>>> Hi folks
>>>
>>> In the last few days, we've had a bunch of threads re-opening issues with key-pinning, mostly around the PKP-RO.
>>>
>>> This document has gone through years of discussion on the mailing list, a WGLC and an IETF LC.
>>>
>>> The document is now under review by the IESG. We (the working group) and the authors need to address comments and discuss ballots by members of the IESG. This is an inappropriate time to raise new substantive issues about the document.
>>
>>
>> PKP-RO isn't a new issue.
>>
>> The initial draft of PKP-RO was claimed to "follow the same syntax and
>> semantics of the Public-Key-Pins header" [1].
>>
>> But the text was unclear.  When we discussed this in February Ryan
>> proposed to not store PKP-RO pins [2,3].  Myself, Daniel Kahn-Gillmor,
>> and Tom Ritter proposed to store them [4,5,6], and Chris added text
>> for this [7,8,9,10].
>>
>> I later discussed other cleanup of the PKP-RO text [11].  As part of
>> that Chris changed some of the wording to *not* store PKP-RO pins
>> [12].  I pointed out the discrepancy and that "I thought we decided
>> the opposite" a couple times [13,14], but there was a misunderstanding
>> and he changed things more towards *not* storing PKP-RO [15].  A
>> couple days after you declared "this working group has done as much as
>> we can", and further discussion would be "counter-productive" [16].
>>
>> But I still think storing PKP-RO would be better, and seemed to be the
>> group's preference.
>>
>>
>> Trevor
>>
>>
>> [1] http://www.ietf.org/mail-archive/web/websec/current/msg01539.html
>> [2] http://www.ietf.org/mail-archive/web/websec/current/msg02030.html
>> [3] http://www.ietf.org/mail-archive/web/websec/current/msg02037.html
>> [4] http://www.ietf.org/mail-archive/web/websec/current/msg02042.html
>> [5] http://www.ietf.org/mail-archive/web/websec/current/msg02043.html
>> [6] http://www.ietf.org/mail-archive/web/websec/current/msg02044.html
>> [7] http://www.ietf.org/mail-archive/web/websec/current/msg02051.html
>> [8] http://www.ietf.org/mail-archive/web/websec/current/msg02054.html
>> [9] http://www.ietf.org/mail-archive/web/websec/current/msg02055.html
>> [10] http://www.ietf.org/mail-archive/web/websec/current/msg02069.html
>> [11] http://www.ietf.org/mail-archive/web/websec/current/msg02075.html
>> [12] http://www.ietf.org/mail-archive/web/websec/current/msg02081.html
>> [13] http://www.ietf.org/mail-archive/web/websec/current/msg02084.html
>> [14] http://www.ietf.org/mail-archive/web/websec/current/msg02094.html
>> [15] http://www.ietf.org/mail-archive/web/websec/current/msg02097.html
>> [16] http://www.ietf.org/mail-archive/web/websec/current/msg02100.html


From nobody Thu Aug 28 01:01:29 2014
Return-Path: <ynir.ietf@gmail.com>
X-Original-To: websec@ietfa.amsl.com
Delivered-To: websec@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6C88D1A0712 for <websec@ietfa.amsl.com>; Thu, 28 Aug 2014 01:01:26 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level: 
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9,  DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 8jsAz4Z0bdsg for <websec@ietfa.amsl.com>; Thu, 28 Aug 2014 01:01:23 -0700 (PDT)
Received: from mail-lb0-x22e.google.com (mail-lb0-x22e.google.com [IPv6:2a00:1450:4010:c04::22e]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 57A381A0479 for <websec@ietf.org>; Thu, 28 Aug 2014 01:01:23 -0700 (PDT)
Received: by mail-lb0-f174.google.com with SMTP id p9so450368lbv.33 for <websec@ietf.org>; Thu, 28 Aug 2014 01:01:21 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113;  h=content-type:mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=07yDD8sysxKLE8o4iSpZZWaZog2w6yrEpXnPSrGwUn0=; b=hWr4BfhngODSWy8iLskPdEnCSDWxCMvVz8M+y32BmzMre11mOHk4jXt/ECUECMhBMg fkBX2xyltMDczuzZiWt0L/V9Dr6/CbhsCZNPCujmJ0p1YrhcPpYHm0CBC/pjmg7yfFuG zEWq+u4deNmsBwxK22uF8F0ApcqvSwa8ZC/XZ1xezLwIjm4ACwDzYGson/h18Xo0QGe6 LCZy5u0trXua7P9JA61VGc286mF6s+ho72QzaxF3/QqnhWCm3zy9oOF38vnFUHMDMjyk Qcj5PZuaUtG4LjAshLvIjEJBy2wx6ZpujDCgZKb+2KOXOLuP48lO3tLrmp8ZS1QI7SoU SOdA==
X-Received: by 10.153.4.39 with SMTP id cb7mr2337307lad.19.1409212881634; Thu, 28 Aug 2014 01:01:21 -0700 (PDT)
Received: from [172.24.249.230] (dyn32-131.checkpoint.com. [194.29.32.131]) by mx.google.com with ESMTPSA id vl4sm4698310lbb.36.2014.08.28.01.01.20 for <multiple recipients> (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Thu, 28 Aug 2014 01:01:21 -0700 (PDT)
Content-Type: text/plain; charset=windows-1252
Mime-Version: 1.0 (Mac OS X Mail 7.3 \(1878.6\))
From: Yoav Nir <ynir.ietf@gmail.com>
In-Reply-To: <53FEC72A.7010605@greenbytes.de>
Date: Thu, 28 Aug 2014 11:01:18 +0300
Content-Transfer-Encoding: quoted-printable
Message-Id: <6CA0E2AF-C758-4EFF-9506-E2E545FB4EBA@gmail.com>
References: <6CAA88AE-1A98-4FF1-B994-A43A0AD3930D@gmail.com> <53FEC72A.7010605@greenbytes.de>
To: Julian Reschke <julian.reschke@greenbytes.de>
X-Mailer: Apple Mail (2.1878.6)
Archived-At: http://mailarchive.ietf.org/arch/msg/websec/C7U6AVt4zXjb7ny3iA2bJ1le-2Q
Cc: Barry Leiba <barryleiba@computer.org>, "<websec@ietf.org>" <websec@ietf.org>
Subject: Re: [websec] Re-litigating Key-Pinning
X-BeenThere: websec@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/websec>, <mailto:websec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/websec/>
List-Post: <mailto:websec@ietf.org>
List-Help: <mailto:websec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/websec>, <mailto:websec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 28 Aug 2014 08:01:26 -0000

On Aug 28, 2014, at 9:07 AM, Julian Reschke =
<julian.reschke@greenbytes.de> wrote:

> On 2014-08-27 07:44, Yoav Nir wrote:
>> ...
>> Fixing editorial issues like Julians=92 comments about references is =
fine, and could even be done *after* IESG review. ...
>> ...
>=20
> FWIW, I believe the ABNF issues (which are *not* editorial) absolutely =
need to be fixed as well.
>=20

Hi, Julian

I don=92t want to nit-pick the meaning of the word =93editorial=94. But =
anyone who=92s read the draft knows what a PKP header looks like. I =
don=92t think there=92s any controversy about what is and is not a valid =
PKP header. So changing the ABNF to reflect this existing understanding, =
is something that I don=92t think requires polling the group.

Cheers

Yoav


From nobody Thu Aug 28 05:40:33 2014
Return-Path: <julian.reschke@gmx.de>
X-Original-To: websec@ietfa.amsl.com
Delivered-To: websec@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 981FA1A03DF for <websec@ietfa.amsl.com>; Thu, 28 Aug 2014 05:40:30 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level: 
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id TJSlixgCcO8r for <websec@ietfa.amsl.com>; Thu, 28 Aug 2014 05:40:28 -0700 (PDT)
Received: from mout.gmx.net (mout.gmx.net [212.227.15.19]) (using TLSv1.2 with cipher DHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B07E11A03D8 for <websec@ietf.org>; Thu, 28 Aug 2014 05:40:27 -0700 (PDT)
Received: from [192.168.1.26] ([217.91.35.233]) by mail.gmx.com (mrgmx002) with ESMTPSA (Nemesis) id 0MK17F-1XLbxC37vp-001S6X; Thu, 28 Aug 2014 14:40:23 +0200
Message-ID: <53FF2333.9080804@gmx.de>
Date: Thu, 28 Aug 2014 14:40:19 +0200
From: Julian Reschke <julian.reschke@gmx.de>
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:31.0) Gecko/20100101 Thunderbird/31.0
MIME-Version: 1.0
To: Yoav Nir <ynir.ietf@gmail.com>
References: <6CAA88AE-1A98-4FF1-B994-A43A0AD3930D@gmail.com> <53FEC72A.7010605@greenbytes.de> <6CA0E2AF-C758-4EFF-9506-E2E545FB4EBA@gmail.com>
In-Reply-To: <6CA0E2AF-C758-4EFF-9506-E2E545FB4EBA@gmail.com>
Content-Type: text/plain; charset=windows-1252; format=flowed
Content-Transfer-Encoding: 8bit
X-Provags-ID: V03:K0:wN47xn+XPPIYe3KI50fclnUYLOKga/TLr17zKnQs0OiSv1c5tGh uWnX0tRm0dljHxaK+vHhNEvRWuLtXY/xcFzqvAinvIPVy4cCmAh8PjMci91KPNRPxKct+sm Z74oJi52PFxPYvl9v56036JOB26wEfYhjya3oOoD96wl0KSwuZcUEvHI/XjdPMtImm4ySLm ggmdRA3GUzbEhFtXCPW9g==
X-UI-Out-Filterresults: notjunk:1;
Archived-At: http://mailarchive.ietf.org/arch/msg/websec/1p9MD9_RyQFm2Q4pPdafFlXzdik
Cc: Barry Leiba <barryleiba@computer.org>, "<websec@ietf.org>" <websec@ietf.org>
Subject: Re: [websec] Re-litigating Key-Pinning
X-BeenThere: websec@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/websec>, <mailto:websec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/websec/>
List-Post: <mailto:websec@ietf.org>
List-Help: <mailto:websec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/websec>, <mailto:websec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 28 Aug 2014 12:40:30 -0000

On 2014-08-28 10:01, Yoav Nir wrote:
>
> On Aug 28, 2014, at 9:07 AM, Julian Reschke <julian.reschke@greenbytes.de> wrote:
>
>> On 2014-08-27 07:44, Yoav Nir wrote:
>>> ...
>>> Fixing editorial issues like Julians’ comments about references is fine, and could even be done *after* IESG review. ...
>>> ...
>>
>> FWIW, I believe the ABNF issues (which are *not* editorial) absolutely need to be fixed as well.
>>
>
> Hi, Julian
>
> I don’t want to nit-pick the meaning of the word “editorial”. But anyone who’s read the draft knows what a PKP header looks like. I don’t think there’s any controversy about what is and is not a valid PKP header. So changing the ABNF to reflect this existing understanding, is something that I don’t think requires polling the group.
> ...

The issue is that the ABNF is ambiguous about whether

      Public-Key-Pins: max-age=3000;
        pin-xyz=abc;

is syntactically valid or not. I believe it should be, because otherwise 
parsers would need to special-case the "pin-*" parameters when parsing.

Best regards, Julian


From nobody Thu Aug 28 07:32:43 2014
Return-Path: <ynir.ietf@gmail.com>
X-Original-To: websec@ietfa.amsl.com
Delivered-To: websec@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B144C1A6F8F for <websec@ietfa.amsl.com>; Thu, 28 Aug 2014 07:32:34 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level: 
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id hu5i2Vl0Wkp3 for <websec@ietfa.amsl.com>; Thu, 28 Aug 2014 07:32:30 -0700 (PDT)
Received: from mail-la0-x22f.google.com (mail-la0-x22f.google.com [IPv6:2a00:1450:4010:c03::22f]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4888B1A6F8A for <websec@ietf.org>; Thu, 28 Aug 2014 07:32:29 -0700 (PDT)
Received: by mail-la0-f47.google.com with SMTP id s18so1069819lam.34 for <websec@ietf.org>; Thu, 28 Aug 2014 07:32:26 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113;  h=content-type:mime-version:subject:from:in-reply-to:date:cc :message-id:references:to; bh=c+J0MS/dbFODtl/jyi94pz5DVB36waY02SVcf11fkBs=; b=YoMTdlRYyssaFHbOGOzP2w4j6SXZb/jp2+7XT9nhGde28DJbTdcS5zOs7PfFn7XZrN m/SrRhNThKNS16u0DCqmxRs24pAVfq4/erN7vXZ4iXX6f7rEm5l++qdGlmhVDzn0jRPX Wbq77MNViMcF+JHFRv5Ik49SCMjQlOYYUAe9y7KxQcBrtGKjazAjVOjuSEPmFE8nfkTP 5VTM3gncs27Dr/u49JJdbA+G5bhLnzAekZibKsDSu20ULFO5sBCZ7yHCeycY5k/TWMIU QHxxYVZQfApU9L9I/Z2bSrXEbTogI5FZop5NL8Qcrw2dvhYZEyHw65E2h3zgVrBOzmBF UTXg==
X-Received: by 10.152.44.162 with SMTP id f2mr4741798lam.84.1409236346612; Thu, 28 Aug 2014 07:32:26 -0700 (PDT)
Received: from [172.24.249.230] (dyn32-131.checkpoint.com. [194.29.32.131]) by mx.google.com with ESMTPSA id i5sm6222902lbd.27.2014.08.28.07.32.25 for <multiple recipients> (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Thu, 28 Aug 2014 07:32:26 -0700 (PDT)
Content-Type: multipart/alternative; boundary="Apple-Mail=_E1B49EE1-E1DF-4CB2-BD1A-B984832991CA"
Mime-Version: 1.0 (Mac OS X Mail 7.3 \(1878.6\))
From: Yoav Nir <ynir.ietf@gmail.com>
In-Reply-To: <53FF2333.9080804@gmx.de>
Date: Thu, 28 Aug 2014 17:32:23 +0300
Message-Id: <26265CC4-6C48-4518-A177-DD56CC1AC414@gmail.com>
References: <6CAA88AE-1A98-4FF1-B994-A43A0AD3930D@gmail.com> <53FEC72A.7010605@greenbytes.de> <6CA0E2AF-C758-4EFF-9506-E2E545FB4EBA@gmail.com> <53FF2333.9080804@gmx.de>
To: Julian Reschke <julian.reschke@gmx.de>
X-Mailer: Apple Mail (2.1878.6)
Archived-At: http://mailarchive.ietf.org/arch/msg/websec/WzYkvmFvvm24Em99MJO4wJIx3zY
Cc: Barry Leiba <barryleiba@computer.org>, "<websec@ietf.org>" <websec@ietf.org>
Subject: Re: [websec] Re-litigating Key-Pinning
X-BeenThere: websec@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/websec>, <mailto:websec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/websec/>
List-Post: <mailto:websec@ietf.org>
List-Help: <mailto:websec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/websec>, <mailto:websec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 28 Aug 2014 14:32:35 -0000

--Apple-Mail=_E1B49EE1-E1DF-4CB2-BD1A-B984832991CA
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain;
	charset=windows-1252


On Aug 28, 2014, at 3:40 PM, Julian Reschke <julian.reschke@gmx.de> =
wrote:

> On 2014-08-28 10:01, Yoav Nir wrote:
>>=20
>> On Aug 28, 2014, at 9:07 AM, Julian Reschke =
<julian.reschke@greenbytes.de> wrote:
>>=20
>>> On 2014-08-27 07:44, Yoav Nir wrote:
>>>> ...
>>>> Fixing editorial issues like Julians=92 comments about references =
is fine, and could even be done *after* IESG review. ...
>>>> ...
>>>=20
>>> FWIW, I believe the ABNF issues (which are *not* editorial) =
absolutely need to be fixed as well.
>>>=20
>>=20
>> Hi, Julian
>>=20
>> I don=92t want to nit-pick the meaning of the word =93editorial=94. =
But anyone who=92s read the draft knows what a PKP header looks like. I =
don=92t think there=92s any controversy about what is and is not a valid =
PKP header. So changing the ABNF to reflect this existing understanding, =
is something that I don=92t think requires polling the group.
>> ...
>=20
> The issue is that the ABNF is ambiguous about whether
>=20
>     Public-Key-Pins: max-age=3D3000;
>       pin-xyz=3Dabc;
>=20
> is syntactically valid or not. I believe it should be, because =
otherwise parsers would need to special-case the "pin-*" parameters when =
parsing.
>=20
> Best regards, Julian

Well, this might lead to me being proven wrong in my statement that =
everyone agrees what a valid PKP header is, but I also think this should =
be syntactically valid. However, clients that only support *this* =
document (and not =93xyz and its use in key pinning=94) would not pin =
anything based on this header.

Yoav



--Apple-Mail=_E1B49EE1-E1DF-4CB2-BD1A-B984832991CA
Content-Transfer-Encoding: quoted-printable
Content-Type: text/html;
	charset=windows-1252

<html><head><meta http-equiv=3D"Content-Type" content=3D"text/html =
charset=3Dwindows-1252"></head><body style=3D"word-wrap: break-word; =
-webkit-nbsp-mode: space; -webkit-line-break: =
after-white-space;"><br><div><div>On Aug 28, 2014, at 3:40 PM, Julian =
Reschke &lt;<a =
href=3D"mailto:julian.reschke@gmx.de">julian.reschke@gmx.de</a>&gt; =
wrote:</div><br class=3D"Apple-interchange-newline"><blockquote =
type=3D"cite"><div style=3D"font-size: 12px; font-style: normal; =
font-variant: normal; font-weight: normal; letter-spacing: normal; =
line-height: normal; orphans: auto; text-align: start; text-indent: 0px; =
text-transform: none; white-space: normal; widows: auto; word-spacing: =
0px; -webkit-text-stroke-width: 0px;">On 2014-08-28 10:01, Yoav Nir =
wrote:<br><blockquote type=3D"cite"><br>On Aug 28, 2014, at 9:07 AM, =
Julian Reschke &lt;<a =
href=3D"mailto:julian.reschke@greenbytes.de">julian.reschke@greenbytes.de<=
/a>&gt; wrote:<br><br><blockquote type=3D"cite">On 2014-08-27 07:44, =
Yoav Nir wrote:<br><blockquote type=3D"cite">...<br>Fixing editorial =
issues like Julians=92 comments about references is fine, and could even =
be done *after* IESG review. ...<br>...<br></blockquote><br>FWIW, I =
believe the ABNF issues (which are *not* editorial) absolutely need to =
be fixed as well.<br><br></blockquote><br>Hi, Julian<br><br>I don=92t =
want to nit-pick the meaning of the word =93editorial=94. But anyone =
who=92s read the draft knows what a PKP header looks like. I don=92t =
think there=92s any controversy about what is and is not a valid PKP =
header. So changing the ABNF to reflect this existing understanding, is =
something that I don=92t think requires polling the =
group.<br>...<br></blockquote><br>The issue is that the ABNF is =
ambiguous about whether<br><br>&nbsp;&nbsp;&nbsp;&nbsp;Public-Key-Pins: =
max-age=3D3000;<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;pin-xyz=3Dabc;<br><=
br>is syntactically valid or not. I believe it should be, because =
otherwise parsers would need to special-case the "pin-*" parameters when =
parsing.<br><br>Best regards, =
Julian</div></blockquote><br></div><div>Well, this might lead to me =
being proven wrong in my statement that everyone agrees what a valid PKP =
header is, but I also think this should be syntactically valid. However, =
clients that only support *this* document (and not =93xyz and its use in =
key pinning=94) would not pin anything based on this =
header.</div><div><br></div><div>Yoav</div><div><br></div><br></body></htm=
l>=

--Apple-Mail=_E1B49EE1-E1DF-4CB2-BD1A-B984832991CA--


From nobody Thu Aug 28 07:35:44 2014
Return-Path: <ericlaw1979@hotmail.com>
X-Original-To: websec@ietfa.amsl.com
Delivered-To: websec@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1B2821A0475 for <websec@ietfa.amsl.com>; Thu, 28 Aug 2014 07:26:40 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.418
X-Spam-Level: 
X-Spam-Status: No, score=-0.418 tagged_above=-999 required=5 tests=[BAYES_40=-0.001, FREEMAIL_ENVFROM_END_DIGIT=0.25, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RP_MATCHES_RCVD=-0.668, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id qjLXQsTENz33 for <websec@ietfa.amsl.com>; Thu, 28 Aug 2014 07:26:37 -0700 (PDT)
Received: from BAY004-OMC1S8.hotmail.com (bay004-omc1s8.hotmail.com [65.54.190.19]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D1D8E1A6F7A for <websec@ietf.org>; Thu, 28 Aug 2014 07:26:36 -0700 (PDT)
Received: from BAY169-DS31 ([65.54.190.60]) by BAY004-OMC1S8.hotmail.com over TLS secured channel with Microsoft SMTPSVC(7.5.7601.22712);  Thu, 28 Aug 2014 07:26:36 -0700
X-TMN: [yKNAIURI2kui8Avhpw1t7lXwdP2hVGI0]
X-Originating-Email: [ericlaw1979@hotmail.com]
Message-ID: <BAY169-DS311951F23960F4605A0CB0AEDA0@phx.gbl>
From: "Eric Lawrence" <ericlaw1979@hotmail.com>
To: "Ryan Sleevi" <sleevi@google.com>, "Tom Ritter" <tom@ritter.vg>
References: <CACvaWvZNpAepBmWchLMirfPdxu4ed=vH1qwMppAjw1P9S+4quw@mail.gmail.com>
In-Reply-To: <CACvaWvZNpAepBmWchLMirfPdxu4ed=vH1qwMppAjw1P9S+4quw@mail.gmail.com>
Date: Thu, 28 Aug 2014 09:26:35 -0500
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="----=_NextPart_000_002C_01CFC2A2.29DAF660"
X-Priority: 3
X-MSMail-Priority: Normal
Importance: Normal
X-Mailer: Microsoft Windows Live Mail 16.4.3528.331
X-MimeOLE: Produced By Microsoft MimeOLE V16.4.3528.331
X-OriginalArrivalTime: 28 Aug 2014 14:26:36.0747 (UTC) FILETIME=[1326F1B0:01CFC2CC]
Archived-At: http://mailarchive.ietf.org/arch/msg/websec/vy-7GJ27ESDf1NBDzWdTtJvoDuQ
X-Mailman-Approved-At: Thu, 28 Aug 2014 07:35:26 -0700
Cc: draft-ietf-websec-key-pinning <draft-ietf-websec-key-pinning@tools.ietf.org>, websec@ietf.org
Subject: Re: [websec] draft-ietf-websec-key-pinning
X-BeenThere: websec@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/websec>, <mailto:websec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/websec/>
List-Post: <mailto:websec@ietf.org>
List-Help: <mailto:websec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/websec>, <mailto:websec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 28 Aug 2014 14:26:40 -0000

This is a multi-part message in MIME format.

------=_NextPart_000_002C_01CFC2A2.29DAF660
Content-Type: text/plain;
	charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

I=E2=80=99ll take one last tilt at this, because I think this spec is =
quite important and folks aren=E2=80=99t actually very far apart on =
this.=20

To start, I want to reiterate that Draft #20 was the first time I got =
involved in PKP, so my perspective comes from that draft and not any =
other conversations, tribal knowledge, meetings, etc, that others in the =
group may have been a part of.=20

Here=E2=80=99s how I *thought* Draft #20 specified things to work:

  1> PKP and PKP-RO are equivalent in every way except that PKP mismatch =
triggers a Report *and* fails the connection, while PKP-RO mismatch only =
triggers a Report. That=E2=80=99s why PKP-RO is named =E2=80=9CPublic =
Key Pins Report Only=E2=80=9D and not =E2=80=9CSorta Like Public Key =
Pins But Does Not Break Connections And Does Not Persist =
(SLPKPBDNBCADNP)=E2=80=9D

  2> Site administrators should use PKP-RO to prototype a policy to be =
later deployed PKP. They use PKP-RO first to generate confidence that =
they will not be self-inflicting any broad denial-of-service when =
enabling PKP.

  3> When PKP and PKP-RO headers are initially encountered (pins not =
previously stored), a failure to match the specified policy triggers a =
Report. The mismatched policy is NOT stored, which blocks the DOS bomb =
attack Ryan mentions below.

  4> PKP and PKP-RO only exist as different headers because it allows a =
site to have one policy in force and also prototype proposed policy =
changes.

This design made perfect sense to me, and my feedback on the draft was =
primarily intended to clarify the language around this design.

Instead, it appears that PKP-RO works dramatically differently than PKP, =
in ways that I believe are entirely non-obvious to implementers who only =
read the draft. While I believe it would be possible to editorially =
change the language to make PKP-RO=E2=80=99s different behavior, to me, =
that approach only seems to be codifying a more confusing, less useful =
design, and would require more work on the part of the authors.

I don=E2=80=99t believe there are any privacy or security implications =
in allowing PKP-RO to behave like PKP except that it=E2=80=99s =
=E2=80=9CReport Only.=E2=80=9D Any privacy or security implications in =
PKP-RO are shared by PKP.=20

-Eric Lawrence=20

From: Ryan Sleevi=20
Sent: Wednesday, August 27, 2014 8:14 PM
To: Tom Ritter=20
Cc: Yoav Nir ; draft-ietf-websec-key-pinning ; Eric Lawrence ; =
mailto:websec@ietf.org=20
Subject: Re: [websec] draft-ietf-websec-key-pinning

Right, so, I do agree with Joe that I do think we've reached conclusions =
on the suitability for security and the suitability for testing, and I =
do want to see what can be done to editorially resolve this.=20

Without having fully drafted the text, it seems like one possible =
solution is to describe HOW a site operator might use this to test =
deployment of pins, knowing that it may not be a perfect solution for =
all use cases, it would at least help to clarify both the strengths and =
limitations.

The example I'm thinking of is as follows:

-- Begin
Site operator deploys PKP-RO on their domain
- In order for this to be useful, the assumption here (and which I think =
had always been implicit, but it may help to call this out, in several =
places if necessary) is that PKP-RO does not require that the current =
connection MATCH the pins in order to send a report (otherwise, you'd =
never get a negative report, because you'd never evaluate PKP-RO in the =
negative case)
- They gather data from their users, which may include information about =
possible certificate chain paths that they were not aware of (assuming a =
publicly trusted CA with UAs with different trust stores, etc)

After gathering data, they deploy PKP, which makes the RO now a hard =
fail.
They may still use report-uri with their PKP header, along with shorter =
timeframes, to ensure no critical errors were missed

Now it comes time to gather in the sub-domains, the site operator works =
through their (known) subdomains with PKP-RO, doing the same steps as =
they did for the parent domain, setting PKP on these subdomains.

Believing they have gathered all their subdomains into a unified policy, =
they then work to set PKP on the 'main' domain with includeSubDomains + =
reportURI set.
They likely do this in small bursts, temporarily decreasing the max-age =
of the 'main' domain when setting the includeSubDomains (e.g. perhaps 1 =
day or even 4-12h), examining reportURI for failures, and then turning =
on their sans-includeSubDomains policy with the longer max-age

Finally, believing to have gathered sufficient data, they turn on =
includeSubDomains (with report-URI), and have the whole system protected

-- Fin

As Eric noted in HSTS, this may include having the subdomains either set =
their own policies (for redundancy/safety, but at the tradeoff of =
potentially conflicting pin policies, as already noted), or having the =
subdomains source a resource from the parent domain (which causes them =
to fetch/detect the includeSubDomains from the parent domain)


The assumption here, and I realize is perhaps unfair for some use cases, =
is that you know the sub-domains you wish to protect. Hopefully a =
competant domain administrator was responsible and this information can =
be discovered. The short-lived PKP+includeSubDomains+reportUri provides =
an added means of testing, but is admittedly 'more' heavy-handed than =
simply PKP-RO with persistence.

PKP-RO with persistence is, I think, dangerous. In the naieve form, it =
allows a MITM to setup a DOS bomb against a legitimate server, by =
setting a PKP-RO to report errors. Unlike a PKP policy (which is =
detectable by the user, by virtue of fail-closed), whose fail-closed =
nature may indicate to the user that somebody set them up a bomb, a =
PKP-RO is conceptually and practically silent to the user, which may =
cause the user to flood the legitimate server with reports once they're =
away from the MITM. Now, we could tweak how persistence works for that =
case, but I think as we do, we get further and further into a complexity =
that may require significant edits/reviews. We can do that, but I gather =
the spirit, both of the editors and, from the responses, those involved =
in this discussion, that it's not necessarily something felt too =
strongly about.

The question is, does the above scenario sound reasonable enough to =
include, perhaps in an "operational advice" or some form of appendix, =
that provides guidance on how the existing primitives can be used, but =
also highlights the limitations of the current primitives so as not to =
cause confusion?



On Wed, Aug 27, 2014 at 5:26 AM, Tom Ritter <tom@ritter.vg> wrote:

  On 27 August 2014 05:46, Yoav Nir <ynir.ietf@gmail.com> wrote:
  > At this stage, we can make editorial changes, but we cannot make =
significant
  > changes on our own. We can withdraw the request to publish, and take =
it back
  > to the working group, but I think that would be inadvisable.
  >
  > I think we should proceed, making only editorial changes, and =
changes
  > resulting from discussion with IESG members.


  If adding a note in 4.2 about includeSubdomains and PKP-RO (for
  testing) counts as editorial, I think that is worthwhile.
  Otherwise/regardless I also don't want to withdraw.

  -tom


------=_NextPart_000_002C_01CFC2A2.29DAF660
Content-Type: text/html;
	charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

<HTML><HEAD></HEAD>
<BODY dir=3Dltr>
<DIV dir=3Dltr>
<DIV style=3D"FONT-SIZE: 12pt; FONT-FAMILY: 'Calibri'; COLOR: #000000">
<DIV>I=E2=80=99ll take one last tilt at this, because I think this spec =
is quite=20
important and folks aren=E2=80=99t actually very far apart on this. =
</DIV>
<DIV>&nbsp;</DIV>
<DIV>To start, I want to reiterate that Draft #20 was the first time I =
got=20
involved in PKP, so my perspective comes from that draft and not any =
other=20
conversations, tribal knowledge, meetings, etc, that others in the group =
may=20
have been a part of. </DIV>
<DIV>&nbsp;</DIV>
<DIV>Here=E2=80=99s how I *thought* Draft #20 specified things to =
work:</DIV>
<DIV>&nbsp;</DIV>
<DIV>&nbsp; 1&gt; PKP and PKP-RO are equivalent in every way except that =
PKP=20
mismatch triggers a Report *and* fails the connection, while PKP-RO =
mismatch=20
only triggers a Report. That=E2=80=99s why PKP-RO is named =
=E2=80=9CPublic Key Pins Report Only=E2=80=9D=20
and not =E2=80=9CSorta Like Public Key Pins But Does Not Break =
Connections And Does Not=20
Persist (SLPKPBDNBCADNP)=E2=80=9D</DIV>
<DIV>&nbsp;</DIV>
<DIV>&nbsp; 2&gt; Site administrators should use PKP-RO to prototype a =
policy to=20
be later deployed PKP. They use PKP-RO first to generate confidence that =
they=20
will not be self-inflicting any broad denial-of-service when enabling =
PKP.</DIV>
<DIV>&nbsp;</DIV>
<DIV>&nbsp; 3&gt; When PKP and PKP-RO headers are initially encountered =
(pins=20
not previously stored), a failure to match the specified policy triggers =
a=20
Report. The mismatched policy is NOT stored, which blocks the DOS bomb =
attack=20
Ryan mentions below.</DIV>
<DIV>&nbsp;</DIV>
<DIV>&nbsp; 4&gt; PKP and PKP-RO only exist as different headers because =
it=20
allows a site to have one policy in force and also prototype proposed =
policy=20
changes.</DIV>
<DIV>&nbsp;</DIV>
<DIV>This design made perfect sense to me, and my feedback on the draft =
was=20
primarily intended to clarify the language around this design.</DIV>
<DIV>&nbsp;</DIV>
<DIV>Instead, it appears that PKP-RO works dramatically differently than =
PKP, in=20
ways that I believe are entirely non-obvious to implementers who only =
read the=20
draft. While I believe it would be possible to editorially change the =
language=20
to make PKP-RO=E2=80=99s different behavior, to me, that approach only =
seems to be=20
codifying a more confusing, less useful design, and would require more =
work on=20
the part of the authors.</DIV>
<DIV>&nbsp;</DIV>
<DIV>I don=E2=80=99t believe there are any privacy or security =
implications in allowing=20
PKP-RO to behave like PKP except that it=E2=80=99s =E2=80=9CReport =
Only.=E2=80=9D Any privacy or=20
security implications in PKP-RO are shared by PKP. </DIV>
<DIV>&nbsp;</DIV>
<DIV>-Eric Lawrence </DIV>
<DIV=20
style=3D'FONT-SIZE: small; TEXT-DECORATION: none; FONT-FAMILY: =
"Calibri"; FONT-WEIGHT: normal; COLOR: #000000; FONT-STYLE: normal; =
DISPLAY: inline'>
<DIV style=3D"FONT: 10pt tahoma">
<DIV><FONT size=3D3 face=3DCalibri></FONT>&nbsp;</DIV>
<DIV style=3D"BACKGROUND: #f5f5f5">
<DIV style=3D"font-color: black"><B>From:</B> <A =
title=3Dsleevi@google.com=20
href=3D"mailto:sleevi@google.com">Ryan Sleevi</A> </DIV>
<DIV><B>Sent:</B> Wednesday, August 27, 2014 8:14 PM</DIV>
<DIV><B>To:</B> <A title=3Dtom@ritter.vg =
href=3D"mailto:tom@ritter.vg">Tom=20
Ritter</A> </DIV>
<DIV><B>Cc:</B> <A title=3Dynir.ietf@gmail.com=20
href=3D"mailto:ynir.ietf@gmail.com">Yoav Nir</A> ; <A=20
title=3Ddraft-ietf-websec-key-pinning@tools.ietf.org=20
href=3D"mailto:draft-ietf-websec-key-pinning@tools.ietf.org">draft-ietf-w=
ebsec-key-pinning</A>=20
; <A title=3Dericlaw1979@hotmail.com =
href=3D"mailto:ericlaw1979@hotmail.com">Eric=20
Lawrence</A> ; <A title=3Dwebsec@ietf.org=20
href=3D"mailto:websec@ietf.org">mailto:websec@ietf.org</A> </DIV>
<DIV><B>Subject:</B> Re: [websec]=20
draft-ietf-websec-key-pinning</DIV></DIV></DIV>
<DIV>&nbsp;</DIV></DIV>
<DIV=20
style=3D'FONT-SIZE: small; TEXT-DECORATION: none; FONT-FAMILY: =
"Calibri"; FONT-WEIGHT: normal; COLOR: #000000; FONT-STYLE: normal; =
DISPLAY: inline'>
<DIV dir=3Dltr>Right, so, I do agree with Joe that I do think we've =
reached=20
conclusions on the suitability for security and the suitability for =
testing, and=20
I do want to see what can be done to editorially resolve this.=20
<DIV>&nbsp;</DIV>
<DIV>Without having fully drafted the text, it seems like one possible =
solution=20
is to describe HOW a site operator might use this to test deployment of =
pins,=20
knowing that it may not be a perfect solution for all use cases, it =
would at=20
least help to clarify both the strengths and limitations.</DIV>
<DIV>&nbsp;</DIV>
<DIV>The example I'm thinking of is as follows:</DIV>
<DIV>&nbsp;</DIV>
<DIV>-- Begin</DIV>
<DIV>Site operator deploys PKP-RO on their domain</DIV>
<DIV>- In order for this to be useful, the assumption here (and which I =
think=20
had always been implicit, but it may help to call this out, in several =
places if=20
necessary) is that PKP-RO does not require that the current connection =
MATCH the=20
pins in order to send a report (otherwise, you'd never get a negative =
report,=20
because you'd never evaluate PKP-RO in the negative case)</DIV>
<DIV>- They gather data from their users, which may include information =
about=20
possible certificate chain paths that they were not aware of (assuming a =

publicly trusted CA with UAs with different trust stores, etc)</DIV>
<DIV>&nbsp;</DIV>
<DIV>After gathering data, they deploy PKP, which makes the RO now a =
hard=20
fail.</DIV>
<DIV>They may still use report-uri with their PKP header, along with =
shorter=20
timeframes, to ensure no critical errors were missed</DIV>
<DIV>&nbsp;</DIV>
<DIV>Now it comes time to gather in the sub-domains, the site operator =
works=20
through their (known) subdomains with PKP-RO, doing the same steps as =
they did=20
for the parent domain, setting PKP on these subdomains.</DIV>
<DIV>&nbsp;</DIV>
<DIV>Believing they have gathered all their subdomains into a unified =
policy,=20
they then work to set PKP on the 'main' domain with includeSubDomains +=20
reportURI set.</DIV>
<DIV>They likely do this in small bursts, temporarily decreasing the =
max-age of=20
the 'main' domain when setting the includeSubDomains (e.g. perhaps 1 day =
or even=20
4-12h), examining reportURI for failures, and then turning on their=20
sans-includeSubDomains policy with the longer max-age</DIV>
<DIV>&nbsp;</DIV>
<DIV>Finally, believing to have gathered sufficient data, they turn on=20
includeSubDomains (with report-URI), and have the whole system =
protected</DIV>
<DIV>&nbsp;</DIV>
<DIV>-- Fin</DIV>
<DIV>&nbsp;</DIV>
<DIV>As Eric noted in HSTS, this may include having the subdomains =
either set=20
their own policies (for redundancy/safety, but at the tradeoff of =
potentially=20
conflicting pin policies, as already noted), or having the subdomains =
source a=20
resource from the parent domain (which causes them to fetch/detect the=20
includeSubDomains from the parent domain)</DIV>
<DIV>&nbsp;</DIV>
<DIV>&nbsp;</DIV>
<DIV>The assumption here, and I realize is perhaps unfair for some use =
cases, is=20
that you know the sub-domains you wish to protect. Hopefully a competant =
domain=20
administrator was responsible and this information can be discovered. =
The=20
short-lived PKP+includeSubDomains+reportUri provides an added means of =
testing,=20
but is admittedly 'more' heavy-handed than simply PKP-RO with =
persistence.</DIV>
<DIV>&nbsp;</DIV>
<DIV>PKP-RO with persistence is, I think, dangerous. In the naieve form, =
it=20
allows a MITM to setup a DOS bomb against a legitimate server, by =
setting a=20
PKP-RO to report errors. Unlike a PKP policy (which is detectable by the =
user,=20
by virtue of fail-closed), whose fail-closed nature may indicate to the =
user=20
that somebody set them up a bomb, a PKP-RO is conceptually and =
practically=20
silent to the user, which may cause the user to flood the legitimate =
server with=20
reports once they're away from the MITM. Now, we could tweak how =
persistence=20
works for that case, but I think as we do, we get further and further =
into a=20
complexity that may require significant edits/reviews. We can do that, =
but I=20
gather the spirit, both of the editors and, from the responses, those =
involved=20
in this discussion, that it's not necessarily something felt too =
strongly=20
about.</DIV>
<DIV>&nbsp;</DIV>
<DIV>The question is, does the above scenario sound reasonable enough to =

include, perhaps in an "operational advice" or some form of appendix, =
that=20
provides guidance on how the existing primitives can be used, but also=20
highlights the limitations of the current primitives so as not to cause=20
confusion?</DIV></DIV>
<DIV class=3Dgmail_extra><BR><BR>
<DIV class=3Dgmail_quote>On Wed, Aug 27, 2014 at 5:26 AM, Tom Ritter =
<SPAN=20
dir=3Dltr>&lt;<A href=3D"mailto:tom@ritter.vg"=20
target=3D_blank>tom@ritter.vg</A>&gt;</SPAN> wrote:<BR>
<BLOCKQUOTE class=3Dgmail_quote=20
style=3D"PADDING-LEFT: 1ex; MARGIN: 0px 0px 0px 0.8ex; BORDER-LEFT: #ccc =
1px solid">
  <DIV>On 27 August 2014 05:46, Yoav Nir &lt;<A=20
  href=3D"mailto:ynir.ietf@gmail.com">ynir.ietf@gmail.com</A>&gt; =
wrote:<BR>&gt;=20
  At this stage, we can make editorial changes, but we cannot make=20
  significant<BR>&gt; changes on our own. We can withdraw the request to =

  publish, and take it back<BR>&gt; to the working group, but I think =
that would=20
  be inadvisable.<BR>&gt;<BR>&gt; I think we should proceed, making only =

  editorial changes, and changes<BR>&gt; resulting from discussion with =
IESG=20
  members.<BR><BR></DIV>If adding a note in 4.2 about includeSubdomains =
and=20
  PKP-RO (for<BR>testing) counts as editorial, I think that is=20
  worthwhile.<BR>Otherwise/regardless I also don't want to =
withdraw.<BR><SPAN=20
  class=3DHOEnZb><FONT =
color=3D#888888><BR>-tom<BR></FONT></SPAN></BLOCKQUOTE></DIV>
<DIV>&nbsp;</DIV></DIV></DIV></DIV></DIV></BODY></HTML>

------=_NextPart_000_002C_01CFC2A2.29DAF660--


From nobody Thu Aug 28 07:35:46 2014
Return-Path: <sleevi@google.com>
X-Original-To: websec@ietfa.amsl.com
Delivered-To: websec@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2AFE81A0457 for <websec@ietfa.amsl.com>; Wed, 27 Aug 2014 18:14:15 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.046
X-Spam-Level: 
X-Spam-Status: No, score=-2.046 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, RP_MATCHES_RCVD=-0.668, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id nQOYroEGpwSP for <websec@ietfa.amsl.com>; Wed, 27 Aug 2014 18:14:13 -0700 (PDT)
Received: from mail-vc0-x22d.google.com (mail-vc0-x22d.google.com [IPv6:2607:f8b0:400c:c03::22d]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B95171A03DE for <websec@ietf.org>; Wed, 27 Aug 2014 18:14:12 -0700 (PDT)
Received: by mail-vc0-f173.google.com with SMTP id im17so90783vcb.32 for <websec@ietf.org>; Wed, 27 Aug 2014 18:14:11 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=uBwwB3iYU0DJJtlxL9CXXgrNQtRE6WZicjZnntLLrCk=; b=Ve7lS/iAcG3nJm7BtJdtp61xzIdVLukIwV7N5YGfkp0cyjraSBEGdKFLB21WZXTQlg W9Xsa0twFjMz7KylmVjVUsv8ggdd3eDYcuS4qgGSKWoGKSGaHCjYNkva6rwWf1ycMsNQ nhMLg33bv/fmu33aFnD86bICcWsEjG9ZpLapSGjXPwEVZAwPjG+M+qYxqvWaXqbgT9Pm 63TeATMng23BkPKLs15NhVvWUhHjZc5W5+Ift2ovYBEdQEeE4M5f5Oa8SKq9gI5HuRV2 zlzN6OsaF8LALxXhkz0FU829PZVtHBjM5+c/cKFmYjLUqp1aWtY6+yCEnydQh/LudazG OfwA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:date :message-id:subject:from:to:cc:content-type; bh=uBwwB3iYU0DJJtlxL9CXXgrNQtRE6WZicjZnntLLrCk=; b=PlecxrjY2Ri7EXJ2cpev7xjZxgISiqRzYDothqYYBA5gvcRXp63s7HGS3e88LVioA2 9PdKWwQrCI3p+hLqI9l90imxA8c9YMPi7vnzvorY71SGgL9Pm9KiZ4QzaYxjQ7ndouzL LuhL1Ex5qEacwTkNO/5n3mtsrmuKzL/08cPfgHyvqMvD/vu7qdLcLQhVsimdg+oal+kp xoMkczP0aLHTdlvoNKOcynD5ZxY1cWjQZktYRA5JbeqG+U29QaKY4h5wU/BOGzXB0TS8 0Q5lrZXIOZwhbXTNSlDjZL3OFqrwAY9k9AvoWn/dnXhnQe39WLE/0NozTGCcSU+zRUmN W0Vw==
X-Gm-Message-State: ALoCoQmBO0SrIHH8UrTh0HDjM/ptkfj2MNVLirQ69a9soP9ci57YSLMITOg52qKI7Rt8pR9ONIu0
MIME-Version: 1.0
X-Received: by 10.52.32.230 with SMTP id m6mr445096vdi.74.1409188451663; Wed, 27 Aug 2014 18:14:11 -0700 (PDT)
Received: by 10.52.119.178 with HTTP; Wed, 27 Aug 2014 18:14:11 -0700 (PDT)
In-Reply-To: <CA+cU71=gTW1ePN9HX4urTDktF-RohgrmYP_jRgKVStQ4F7QP6w@mail.gmail.com>
References: <BAY169-DS62B5941BF0A9024964BB0AEEE0@phx.gbl> <CACvaWvYHAmpX0f9_m-sckhWz9tcyWA-sxVR4vP-A5UcAQmnYXA@mail.gmail.com> <BAY169-DS45F1C5036AB09CA44D0BC7AEDF0@phx.gbl> <CA+cU71k-pLD315dzfd_c74QM51c7V2VQkZ26PiXUTqntmESD=A@mail.gmail.com> <CAOuvq20mZkScvPDKjsa1eZ6rdoHxf_+oF=gpaOcvkOTaYhyj6Q@mail.gmail.com> <CA+cU71mW47OvqRNTbw-H7u-F_k6hMv4xr0XcMYAS_V6eE8brwA@mail.gmail.com> <CAOuvq20C+T9Ejf_KUsfPRtUWL7ggCF0UWJZkGr5xGBEkERXeRQ@mail.gmail.com> <BAY169-DS45D73636AA204DEEABC876AEDC0@phx.gbl> <CAOuvq20kCKk=jcXsy_d8C-4Fn-f0zshP6YUPn5N8hsKt7KO7dw@mail.gmail.com> <CAGZ8ZG3KUPAbePp-_GCztj4RSLd8MuNo1iDz=ua+BEjQVzJc7Q@mail.gmail.com> <CA+cU71=A6vFXZrG8mcqj4uC-z2VdJfFOutqcq9MPTYs+uhpa9Q@mail.gmail.com> <CAOuvq22QgGVpsxrsZswqspiP-rgNE6B3vp_6bYDTE5-MrLZdVg@mail.gmail.com> <CA+cU71nN-=TjWZZovMUcTrXMF1gBcYFppnfnsaP7hKw+6AUCLQ@mail.gmail.com> <CAOe4Uim9ZC7MdY1tXhLWFwNxzxorh00bJ3PBsco_H-KxpYh-Dg@mail.gmail.com> <CAGZ8ZG3xoA1w1oEx9F8MuH1PARe5ALU9A1CEXqDXM-JSh_niGg@mail.gmail.com> <CACvaWvYjVXMsgCzL=mM+F8eS0hcjTqEaR7xYzti4LD4rdpbD1g@mail.gmail.com> <0EBE1766-612D-442E-B2B1-149D368144D4@gmail.com> <CA+cU71=gTW1ePN9HX4urTDktF-RohgrmYP_jRgKVStQ4F7QP6w@mail.gmail.com>
Date: Wed, 27 Aug 2014 18:14:11 -0700
Message-ID: <CACvaWvZNpAepBmWchLMirfPdxu4ed=vH1qwMppAjw1P9S+4quw@mail.gmail.com>
From: Ryan Sleevi <sleevi@google.com>
To: Tom Ritter <tom@ritter.vg>
Content-Type: multipart/alternative; boundary=bcaec517c4b2155c0f0501a64121
Archived-At: http://mailarchive.ietf.org/arch/msg/websec/2En_bqwA-WRBh9LtayZ9ziCmomc
X-Mailman-Approved-At: Thu, 28 Aug 2014 07:35:28 -0700
Cc: draft-ietf-websec-key-pinning <draft-ietf-websec-key-pinning@tools.ietf.org>, Eric Lawrence <ericlaw1979@hotmail.com>, "<websec@ietf.org>" <websec@ietf.org>
Subject: Re: [websec] draft-ietf-websec-key-pinning
X-BeenThere: websec@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/websec>, <mailto:websec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/websec/>
List-Post: <mailto:websec@ietf.org>
List-Help: <mailto:websec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/websec>, <mailto:websec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 28 Aug 2014 01:14:15 -0000

--bcaec517c4b2155c0f0501a64121
Content-Type: text/plain; charset=UTF-8

Right, so, I do agree with Joe that I do think we've reached conclusions on
the suitability for security and the suitability for testing, and I do want
to see what can be done to editorially resolve this.

Without having fully drafted the text, it seems like one possible solution
is to describe HOW a site operator might use this to test deployment of
pins, knowing that it may not be a perfect solution for all use cases, it
would at least help to clarify both the strengths and limitations.

The example I'm thinking of is as follows:

-- Begin
Site operator deploys PKP-RO on their domain
- In order for this to be useful, the assumption here (and which I think
had always been implicit, but it may help to call this out, in several
places if necessary) is that PKP-RO does not require that the current
connection MATCH the pins in order to send a report (otherwise, you'd never
get a negative report, because you'd never evaluate PKP-RO in the negative
case)
- They gather data from their users, which may include information about
possible certificate chain paths that they were not aware of (assuming a
publicly trusted CA with UAs with different trust stores, etc)

After gathering data, they deploy PKP, which makes the RO now a hard fail.
They may still use report-uri with their PKP header, along with shorter
timeframes, to ensure no critical errors were missed

Now it comes time to gather in the sub-domains, the site operator works
through their (known) subdomains with PKP-RO, doing the same steps as they
did for the parent domain, setting PKP on these subdomains.

Believing they have gathered all their subdomains into a unified policy,
they then work to set PKP on the 'main' domain with includeSubDomains +
reportURI set.
They likely do this in small bursts, temporarily decreasing the max-age of
the 'main' domain when setting the includeSubDomains (e.g. perhaps 1 day or
even 4-12h), examining reportURI for failures, and then turning on their
sans-includeSubDomains policy with the longer max-age

Finally, believing to have gathered sufficient data, they turn on
includeSubDomains (with report-URI), and have the whole system protected

-- Fin

As Eric noted in HSTS, this may include having the subdomains either set
their own policies (for redundancy/safety, but at the tradeoff of
potentially conflicting pin policies, as already noted), or having the
subdomains source a resource from the parent domain (which causes them to
fetch/detect the includeSubDomains from the parent domain)


The assumption here, and I realize is perhaps unfair for some use cases, is
that you know the sub-domains you wish to protect. Hopefully a competant
domain administrator was responsible and this information can be
discovered. The short-lived PKP+includeSubDomains+reportUri provides an
added means of testing, but is admittedly 'more' heavy-handed than simply
PKP-RO with persistence.

PKP-RO with persistence is, I think, dangerous. In the naieve form, it
allows a MITM to setup a DOS bomb against a legitimate server, by setting a
PKP-RO to report errors. Unlike a PKP policy (which is detectable by the
user, by virtue of fail-closed), whose fail-closed nature may indicate to
the user that somebody set them up a bomb, a PKP-RO is conceptually and
practically silent to the user, which may cause the user to flood the
legitimate server with reports once they're away from the MITM. Now, we
could tweak how persistence works for that case, but I think as we do, we
get further and further into a complexity that may require significant
edits/reviews. We can do that, but I gather the spirit, both of the editors
and, from the responses, those involved in this discussion, that it's not
necessarily something felt too strongly about.

The question is, does the above scenario sound reasonable enough to
include, perhaps in an "operational advice" or some form of appendix, that
provides guidance on how the existing primitives can be used, but also
highlights the limitations of the current primitives so as not to cause
confusion?


On Wed, Aug 27, 2014 at 5:26 AM, Tom Ritter <tom@ritter.vg> wrote:

> On 27 August 2014 05:46, Yoav Nir <ynir.ietf@gmail.com> wrote:
> > At this stage, we can make editorial changes, but we cannot make
> significant
> > changes on our own. We can withdraw the request to publish, and take it
> back
> > to the working group, but I think that would be inadvisable.
> >
> > I think we should proceed, making only editorial changes, and changes
> > resulting from discussion with IESG members.
>
> If adding a note in 4.2 about includeSubdomains and PKP-RO (for
> testing) counts as editorial, I think that is worthwhile.
> Otherwise/regardless I also don't want to withdraw.
>
> -tom
>

--bcaec517c4b2155c0f0501a64121
Content-Type: text/html; charset=UTF-8
Content-Transfer-Encoding: quoted-printable

<div dir=3D"ltr">Right, so, I do agree with Joe that I do think we&#39;ve r=
eached conclusions on the suitability for security and the suitability for =
testing, and I do want to see what can be done to editorially resolve this.=
<div>
<br></div><div>Without having fully drafted the text, it seems like one pos=
sible solution is to describe HOW a site operator might use this to test de=
ployment of pins, knowing that it may not be a perfect solution for all use=
 cases, it would at least help to clarify both the strengths and limitation=
s.</div>
<div><br></div><div>The example I&#39;m thinking of is as follows:</div><di=
v><br></div><div>-- Begin</div><div>Site operator deploys PKP-RO on their d=
omain</div><div>- In order for this to be useful, the assumption here (and =
which I think had always been implicit, but it may help to call this out, i=
n several places if necessary) is that PKP-RO does not require that the cur=
rent connection MATCH the pins in order to send a report (otherwise, you&#3=
9;d never get a negative report, because you&#39;d never evaluate PKP-RO in=
 the negative case)</div>
<div>- They gather data from their users, which may include information abo=
ut possible certificate chain paths that they were not aware of (assuming a=
 publicly trusted CA with UAs with different trust stores, etc)</div><div>
<br></div><div>After gathering data, they deploy PKP, which makes the RO no=
w a hard fail.</div><div>They may still use report-uri with their PKP heade=
r, along with shorter timeframes, to ensure no critical errors were missed<=
/div>
<div><br></div><div>Now it comes time to gather in the sub-domains, the sit=
e operator works through their (known) subdomains with PKP-RO, doing the sa=
me steps as they did for the parent domain, setting PKP on these subdomains=
.</div>
<div><br></div><div>Believing they have gathered all their subdomains into =
a unified policy, they then work to set PKP on the &#39;main&#39; domain wi=
th includeSubDomains + reportURI set.</div><div>They likely do this in smal=
l bursts, temporarily decreasing the max-age of the &#39;main&#39; domain w=
hen setting the includeSubDomains (e.g. perhaps 1 day or even 4-12h), exami=
ning reportURI for failures, and then turning on their sans-includeSubDomai=
ns policy with the longer max-age</div>
<div><br></div><div>Finally, believing to have gathered sufficient data, th=
ey turn on includeSubDomains (with report-URI), and have the whole system p=
rotected</div><div><br></div><div>-- Fin</div><div><br></div><div>As Eric n=
oted in HSTS, this may include having the subdomains either set their own p=
olicies (for redundancy/safety, but at the tradeoff of potentially conflict=
ing pin policies, as already noted), or having the subdomains source a reso=
urce from the parent domain (which causes them to fetch/detect the includeS=
ubDomains from the parent domain)</div>
<div><br></div><div><br></div><div>The assumption here, and I realize is pe=
rhaps unfair for some use cases, is that you know the sub-domains you wish =
to protect. Hopefully a competant domain administrator was responsible and =
this information can be discovered. The short-lived PKP+includeSubDomains+r=
eportUri provides an added means of testing, but is admittedly &#39;more&#3=
9; heavy-handed than simply PKP-RO with persistence.</div>
<div><br></div><div>PKP-RO with persistence is, I think, dangerous. In the =
naieve form, it allows a MITM to setup a DOS bomb against a legitimate serv=
er, by setting a PKP-RO to report errors. Unlike a PKP policy (which is det=
ectable by the user, by virtue of fail-closed), whose fail-closed nature ma=
y indicate to the user that somebody set them up a bomb, a PKP-RO is concep=
tually and practically silent to the user, which may cause the user to floo=
d the legitimate server with reports once they&#39;re away from the MITM. N=
ow, we could tweak how persistence works for that case, but I think as we d=
o, we get further and further into a complexity that may require significan=
t edits/reviews. We can do that, but I gather the spirit, both of the edito=
rs and, from the responses, those involved in this discussion, that it&#39;=
s not necessarily something felt too strongly about.</div>
<div><br></div><div>The question is, does the above scenario sound reasonab=
le enough to include, perhaps in an &quot;operational advice&quot; or some =
form of appendix, that provides guidance on how the existing primitives can=
 be used, but also highlights the limitations of the current primitives so =
as not to cause confusion?</div>
</div><div class=3D"gmail_extra"><br><br><div class=3D"gmail_quote">On Wed,=
 Aug 27, 2014 at 5:26 AM, Tom Ritter <span dir=3D"ltr">&lt;<a href=3D"mailt=
o:tom@ritter.vg" target=3D"_blank">tom@ritter.vg</a>&gt;</span> wrote:<br><=
blockquote class=3D"gmail_quote" style=3D"margin:0 0 0 .8ex;border-left:1px=
 #ccc solid;padding-left:1ex">
<div class=3D"">On 27 August 2014 05:46, Yoav Nir &lt;<a href=3D"mailto:yni=
r.ietf@gmail.com">ynir.ietf@gmail.com</a>&gt; wrote:<br>
&gt; At this stage, we can make editorial changes, but we cannot make signi=
ficant<br>
&gt; changes on our own. We can withdraw the request to publish, and take i=
t back<br>
&gt; to the working group, but I think that would be inadvisable.<br>
&gt;<br>
&gt; I think we should proceed, making only editorial changes, and changes<=
br>
&gt; resulting from discussion with IESG members.<br>
<br>
</div>If adding a note in 4.2 about includeSubdomains and PKP-RO (for<br>
testing) counts as editorial, I think that is worthwhile.<br>
Otherwise/regardless I also don&#39;t want to withdraw.<br>
<span class=3D"HOEnZb"><font color=3D"#888888"><br>
-tom<br>
</font></span></blockquote></div><br></div>

--bcaec517c4b2155c0f0501a64121--


From nobody Thu Aug 28 07:35:47 2014
Return-Path: <julian.reschke@greenbytes.de>
X-Original-To: websec@ietfa.amsl.com
Delivered-To: websec@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4AA851A03A4 for <websec@ietfa.amsl.com>; Wed, 27 Aug 2014 23:07:53 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.219
X-Spam-Level: 
X-Spam-Status: No, score=-2.219 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HELO_EQ_DE=0.35, RP_MATCHES_RCVD=-0.668, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id hij2RDSJFcm5 for <websec@ietfa.amsl.com>; Wed, 27 Aug 2014 23:07:51 -0700 (PDT)
Received: from mail.greenbytes.de (mail.greenbytes.de [217.91.35.233]) by ietfa.amsl.com (Postfix) with ESMTP id 40CC21A0376 for <websec@ietf.org>; Wed, 27 Aug 2014 23:07:50 -0700 (PDT)
Received: from [192.168.2.160] (unknown [93.217.92.117]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (Client did not present a certificate) by mail.greenbytes.de (Postfix) with ESMTPSA id B826615A0BFF; Thu, 28 Aug 2014 08:06:28 +0200 (CEST)
Message-ID: <53FEC72A.7010605@greenbytes.de>
Date: Thu, 28 Aug 2014 08:07:38 +0200
From: Julian Reschke <julian.reschke@greenbytes.de>
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:31.0) Gecko/20100101 Thunderbird/31.0
MIME-Version: 1.0
To: Yoav Nir <ynir.ietf@gmail.com>, "<websec@ietf.org>" <websec@ietf.org>
References: <6CAA88AE-1A98-4FF1-B994-A43A0AD3930D@gmail.com>
In-Reply-To: <6CAA88AE-1A98-4FF1-B994-A43A0AD3930D@gmail.com>
Content-Type: text/plain; charset=windows-1252; format=flowed
Content-Transfer-Encoding: 8bit
Archived-At: http://mailarchive.ietf.org/arch/msg/websec/tQ74o2LbEQzKa08ExiMUByFSjqU
X-Mailman-Approved-At: Thu, 28 Aug 2014 07:35:32 -0700
Cc: Barry Leiba <barryleiba@computer.org>
Subject: Re: [websec] Re-litigating Key-Pinning
X-BeenThere: websec@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/websec>, <mailto:websec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/websec/>
List-Post: <mailto:websec@ietf.org>
List-Help: <mailto:websec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/websec>, <mailto:websec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 28 Aug 2014 06:07:54 -0000

On 2014-08-27 07:44, Yoav Nir wrote:
> ...
> Fixing editorial issues like Julians’ comments about references is fine, and could even be done *after* IESG review. ...
>  ...

FWIW, I believe the ABNF issues (which are *not* editorial) absolutely 
need to be fixed as well.

Best regards, Julian


From nobody Thu Aug 28 07:59:24 2014
Return-Path: <ynir.ietf@gmail.com>
X-Original-To: websec@ietfa.amsl.com
Delivered-To: websec@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 715E71A6FFA for <websec@ietfa.amsl.com>; Thu, 28 Aug 2014 07:59:19 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level: 
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 6M7mk_eaghEG for <websec@ietfa.amsl.com>; Thu, 28 Aug 2014 07:59:17 -0700 (PDT)
Received: from mail-lb0-x22c.google.com (mail-lb0-x22c.google.com [IPv6:2a00:1450:4010:c04::22c]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A66BE1A7030 for <websec@ietf.org>; Thu, 28 Aug 2014 07:59:16 -0700 (PDT)
Received: by mail-lb0-f172.google.com with SMTP id 10so1066171lbg.3 for <websec@ietf.org>; Thu, 28 Aug 2014 07:59:13 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113;  h=subject:mime-version:content-type:from:in-reply-to:date:cc :message-id:references:to; bh=3kMVZU1sJjdsMe2C+yQQp2WPt0Uk3HeC7Uyz0ZgY0mc=; b=qZkHGi52RDFw9N1nudfjUSrV69s02yr22LkwmM8HDutUJT/ZXx8q1CaBlFszV0lI5k 6FmhYwWZp003y5EqVNsSz1qMXFazfnGCdcDeUqEv24BA7Ii93hAWrgm74dqjSjQAUNsv u8pBTgh/hPb9l3/sVScbppd8bOdZOa4mmu9itP8rbWTpIIlnb59NHOUx7POx5KCfmp82 5hvYdMCa5VHZsOS5lKmYiSSe84lujwT3DUNhqcprD9xSwNzEF1jMgw8s+FYPseF0qNED 4sxTR2fYOEwBDl20pBCPdYcV5nH5K8M29vcxBwgLjZ2fkVi1SwmXdzVp3uS2uXFdr5Ol 3qyw==
X-Received: by 10.152.18.166 with SMTP id x6mr4944239lad.1.1409237952328; Thu, 28 Aug 2014 07:59:12 -0700 (PDT)
Received: from [172.24.249.230] (dyn32-131.checkpoint.com. [194.29.32.131]) by mx.google.com with ESMTPSA id la9sm2532754lab.12.2014.08.28.07.59.10 for <multiple recipients> (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Thu, 28 Aug 2014 07:59:11 -0700 (PDT)
Mime-Version: 1.0 (Mac OS X Mail 7.3 \(1878.6\))
Content-Type: multipart/alternative; boundary="Apple-Mail=_6D101CC9-BD2B-4B07-AB53-DAC05AD4228E"
From: Yoav Nir <ynir.ietf@gmail.com>
X-Priority: 3
In-Reply-To: <BAY169-DS311951F23960F4605A0CB0AEDA0@phx.gbl>
Date: Thu, 28 Aug 2014 17:59:07 +0300
Message-Id: <35F981DA-46C4-44D7-8582-25BF8BF1B31A@gmail.com>
References: <CACvaWvZNpAepBmWchLMirfPdxu4ed=vH1qwMppAjw1P9S+4quw@mail.gmail.com> <BAY169-DS311951F23960F4605A0CB0AEDA0@phx.gbl>
To: Eric Lawrence <ericlaw1979@hotmail.com>
X-Mailer: Apple Mail (2.1878.6)
Archived-At: http://mailarchive.ietf.org/arch/msg/websec/3ovQFDTEgJ95UJ2VuU1aHmXexPs
Cc: draft-ietf-websec-key-pinning <draft-ietf-websec-key-pinning@tools.ietf.org>, websec@ietf.org, Ryan Sleevi <sleevi@google.com>
Subject: Re: [websec] draft-ietf-websec-key-pinning
X-BeenThere: websec@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/websec>, <mailto:websec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/websec/>
List-Post: <mailto:websec@ietf.org>
List-Help: <mailto:websec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/websec>, <mailto:websec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 28 Aug 2014 14:59:19 -0000

--Apple-Mail=_6D101CC9-BD2B-4B07-AB53-DAC05AD4228E
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain;
	charset=windows-1252

Hi Eric

Part of the issue is that PKP (and PKP-RO) follow the lead of other =
headers such as CSP that also have report-only alternatives, but PKP is =
inherently different.

CSP has directives that relate to the content delivered, so if CSP has a =
directive that says the resource cannot be displayed behind a =
transparent floating frame, the content will not be displayed. If it=92s =
CSP-RO instead of CSP, the content is displayed, but a report is also =
sent. That makes sense, and if you see that the CSP-RO header causes =
reports, you can adjust it. Once you move to CSP, you=92re fine as long =
as the content does not change, and even if it does change, you can test =
it first with a test server.

For PKP it=92s different. The thing that changes is the certificate =
presented to the client. You can=92t test the new certificate on a side =
server, at least not in a way that will fill you with confidence. And =
because of the way certificates are used, there is no such thing as a =
static structure to the site. You have to change the certificate (and =
usually the key) every year, so testing with PKP-RO may be fine before =
first deploying PKP, but it doesn=92t help you where it=92s dangerous - =
when it=92s time to change certificates.

This leads some people around here to conclude that PKP-RO is not =
useful.

Yoav


On Aug 28, 2014, at 5:26 PM, Eric Lawrence <ericlaw1979@hotmail.com> =
wrote:

> I=92ll take one last tilt at this, because I think this spec is quite =
important and folks aren=92t actually very far apart on this.
> =20
> To start, I want to reiterate that Draft #20 was the first time I got =
involved in PKP, so my perspective comes from that draft and not any =
other conversations, tribal knowledge, meetings, etc, that others in the =
group may have been a part of.
> =20
> Here=92s how I *thought* Draft #20 specified things to work:
> =20
>   1> PKP and PKP-RO are equivalent in every way except that PKP =
mismatch triggers a Report *and* fails the connection, while PKP-RO =
mismatch only triggers a Report. That=92s why PKP-RO is named =93Public =
Key Pins Report Only=94 and not =93Sorta Like Public Key Pins But Does =
Not Break Connections And Does Not Persist (SLPKPBDNBCADNP)=94
> =20
>   2> Site administrators should use PKP-RO to prototype a policy to be =
later deployed PKP. They use PKP-RO first to generate confidence that =
they will not be self-inflicting any broad denial-of-service when =
enabling PKP.
> =20
>   3> When PKP and PKP-RO headers are initially encountered (pins not =
previously stored), a failure to match the specified policy triggers a =
Report. The mismatched policy is NOT stored, which blocks the DOS bomb =
attack Ryan mentions below.
> =20
>   4> PKP and PKP-RO only exist as different headers because it allows =
a site to have one policy in force and also prototype proposed policy =
changes.
> =20
> This design made perfect sense to me, and my feedback on the draft was =
primarily intended to clarify the language around this design.
> =20
> Instead, it appears that PKP-RO works dramatically differently than =
PKP, in ways that I believe are entirely non-obvious to implementers who =
only read the draft. While I believe it would be possible to editorially =
change the language to make PKP-RO=92s different behavior, to me, that =
approach only seems to be codifying a more confusing, less useful =
design, and would require more work on the part of the authors.
> =20
> I don=92t believe there are any privacy or security implications in =
allowing PKP-RO to behave like PKP except that it=92s =93Report Only.=94 =
Any privacy or security implications in PKP-RO are shared by PKP.
> =20
> -Eric Lawrence


--Apple-Mail=_6D101CC9-BD2B-4B07-AB53-DAC05AD4228E
Content-Transfer-Encoding: quoted-printable
Content-Type: text/html;
	charset=windows-1252

<html><head><meta http-equiv=3D"Content-Type" content=3D"text/html =
charset=3Dwindows-1252"></head><body style=3D"word-wrap: break-word; =
-webkit-nbsp-mode: space; -webkit-line-break: after-white-space;">Hi =
Eric<div><br></div><div>Part of the issue is that PKP (and PKP-RO) =
follow the lead of other headers such as CSP that also have report-only =
alternatives, but PKP is inherently =
different.</div><div><br></div><div>CSP has directives that relate to =
the content delivered, so if CSP has a directive that says the resource =
cannot be displayed behind a transparent floating frame, the content =
will not be displayed. If it=92s CSP-RO instead of CSP, the content is =
displayed, but a report is also sent. That makes sense, and if you see =
that the CSP-RO header causes reports, you can adjust it. Once you move =
to CSP, you=92re fine as long as the content does not change, and even =
if it does change, you can test it first with a test =
server.</div><div><br></div><div>For PKP it=92s different. The thing =
that changes is the certificate presented to the client. You can=92t =
test the new certificate on a side server, at least not in a way that =
will fill you with confidence. And because of the way certificates are =
used, there is no such thing as a static structure to the site. You have =
to change the certificate (and usually the key) every year, so testing =
with PKP-RO may be fine before first deploying PKP, but it doesn=92t =
help you where it=92s dangerous - when it=92s time to change =
certificates.</div><div><br></div><div>This leads some people around =
here to conclude that PKP-RO is not =
useful.</div><div><br></div><div>Yoav</div><div><br></div><div><br><div><d=
iv><div>On Aug 28, 2014, at 5:26 PM, Eric Lawrence &lt;<a =
href=3D"mailto:ericlaw1979@hotmail.com">ericlaw1979@hotmail.com</a>&gt; =
wrote:</div><br class=3D"Apple-interchange-newline"><blockquote =
type=3D"cite">
<div dir=3D"ltr">
<div dir=3D"ltr">
<div style=3D"font-size: 12pt; font-family: Calibri;">
<div>I=92ll take one last tilt at this, because I think this spec is =
quite=20
important and folks aren=92t actually very far apart on this. </div>
<div>&nbsp;</div>
<div>To start, I want to reiterate that Draft #20 was the first time I =
got=20
involved in PKP, so my perspective comes from that draft and not any =
other=20
conversations, tribal knowledge, meetings, etc, that others in the group =
may=20
have been a part of. </div>
<div>&nbsp;</div>
<div>Here=92s how I *thought* Draft #20 specified things to work:</div>
<div>&nbsp;</div>
<div>&nbsp; 1&gt; PKP and PKP-RO are equivalent in every way except that =
PKP=20
mismatch triggers a Report *and* fails the connection, while PKP-RO =
mismatch=20
only triggers a Report. That=92s why PKP-RO is named =93Public Key Pins =
Report Only=94=20
and not =93Sorta Like Public Key Pins But Does Not Break Connections And =
Does Not=20
Persist (SLPKPBDNBCADNP)=94</div>
<div>&nbsp;</div>
<div>&nbsp; 2&gt; Site administrators should use PKP-RO to prototype a =
policy to=20
be later deployed PKP. They use PKP-RO first to generate confidence that =
they=20
will not be self-inflicting any broad denial-of-service when enabling =
PKP.</div>
<div>&nbsp;</div>
<div>&nbsp; 3&gt; When PKP and PKP-RO headers are initially encountered =
(pins=20
not previously stored), a failure to match the specified policy triggers =
a=20
Report. The mismatched policy is NOT stored, which blocks the DOS bomb =
attack=20
Ryan mentions below.</div>
<div>&nbsp;</div>
<div>&nbsp; 4&gt; PKP and PKP-RO only exist as different headers because =
it=20
allows a site to have one policy in force and also prototype proposed =
policy=20
changes.</div>
<div>&nbsp;</div>
<div>This design made perfect sense to me, and my feedback on the draft =
was=20
primarily intended to clarify the language around this design.</div>
<div>&nbsp;</div>
<div>Instead, it appears that PKP-RO works dramatically differently than =
PKP, in=20
ways that I believe are entirely non-obvious to implementers who only =
read the=20
draft. While I believe it would be possible to editorially change the =
language=20
to make PKP-RO=92s different behavior, to me, that approach only seems =
to be=20
codifying a more confusing, less useful design, and would require more =
work on=20
the part of the authors.</div>
<div>&nbsp;</div>
<div>I don=92t believe there are any privacy or security implications in =
allowing=20
PKP-RO to behave like PKP except that it=92s =93Report Only.=94 Any =
privacy or=20
security implications in PKP-RO are shared by PKP. </div>
<div>&nbsp;</div>
<div>-Eric Lawrence </div>
<div style=3D"font-size: small; text-decoration: none; font-family: =
Calibri; font-weight: normal; font-style: normal; display: inline;">
<div style=3D"FONT: 10pt tahoma">
<div><font size=3D"3" =
face=3D"Calibri"></font></div></div></div></div></div></div></blockquote><=
/div><br></div></div></body></html>=

--Apple-Mail=_6D101CC9-BD2B-4B07-AB53-DAC05AD4228E--


From nobody Thu Aug 28 09:03:02 2014
Return-Path: <jbonneau@gmail.com>
X-Original-To: websec@ietfa.amsl.com
Delivered-To: websec@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B51C11A8725 for <websec@ietfa.amsl.com>; Thu, 28 Aug 2014 09:03:00 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level: 
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id tZlMILIHDlfO for <websec@ietfa.amsl.com>; Thu, 28 Aug 2014 09:02:59 -0700 (PDT)
Received: from mail-vc0-x234.google.com (mail-vc0-x234.google.com [IPv6:2607:f8b0:400c:c03::234]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B3E321A870F for <websec@ietf.org>; Thu, 28 Aug 2014 09:02:58 -0700 (PDT)
Received: by mail-vc0-f180.google.com with SMTP id lf12so1077679vcb.11 for <websec@ietf.org>; Thu, 28 Aug 2014 09:02:57 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113;  h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc:content-type; bh=tQvpBB+f11irFMQ//htYF+pdlEit7YKiCHDfhoO/Bh4=; b=0BLHyRJR0V8trcOZnmDFNGRdadaqtHPzZ+iDAyGibdjHYSn8mh+6AHhumrAz2oJrcu 2X14AaZYp6JSYf3Vvup27ZV6t3oEFvfJb3hZ5dlPdUUyWb9k+M3WhcC+2GJu9bqxwYqJ V9ix1JKGb+JmVIOFxJ3JgLX2KwXC0dwzZnU36QIbI/8kc3nXjVZNIutODuR7MdkbW1Rd bH2Qnf8PbGU2AJ39Bts1QvU4hzycpJVpM49W4d3n85vINTIVgUwzy0MGpZ0MrLQ43gOv /9mp3n96Z5QxjgTneUcPMqsuAAopRumC7lzxVY7Xsq81rk/m+CM80MaD2ExXl5DuKfJx L7Ag==
X-Received: by 10.52.30.2 with SMTP id o2mr3652747vdh.12.1409241777821; Thu, 28 Aug 2014 09:02:57 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.220.219.1 with HTTP; Thu, 28 Aug 2014 09:02:36 -0700 (PDT)
In-Reply-To: <CACvaWvZNpAepBmWchLMirfPdxu4ed=vH1qwMppAjw1P9S+4quw@mail.gmail.com>
References: <BAY169-DS62B5941BF0A9024964BB0AEEE0@phx.gbl> <CACvaWvYHAmpX0f9_m-sckhWz9tcyWA-sxVR4vP-A5UcAQmnYXA@mail.gmail.com> <BAY169-DS45F1C5036AB09CA44D0BC7AEDF0@phx.gbl> <CA+cU71k-pLD315dzfd_c74QM51c7V2VQkZ26PiXUTqntmESD=A@mail.gmail.com> <CAOuvq20mZkScvPDKjsa1eZ6rdoHxf_+oF=gpaOcvkOTaYhyj6Q@mail.gmail.com> <CA+cU71mW47OvqRNTbw-H7u-F_k6hMv4xr0XcMYAS_V6eE8brwA@mail.gmail.com> <CAOuvq20C+T9Ejf_KUsfPRtUWL7ggCF0UWJZkGr5xGBEkERXeRQ@mail.gmail.com> <BAY169-DS45D73636AA204DEEABC876AEDC0@phx.gbl> <CAOuvq20kCKk=jcXsy_d8C-4Fn-f0zshP6YUPn5N8hsKt7KO7dw@mail.gmail.com> <CAGZ8ZG3KUPAbePp-_GCztj4RSLd8MuNo1iDz=ua+BEjQVzJc7Q@mail.gmail.com> <CA+cU71=A6vFXZrG8mcqj4uC-z2VdJfFOutqcq9MPTYs+uhpa9Q@mail.gmail.com> <CAOuvq22QgGVpsxrsZswqspiP-rgNE6B3vp_6bYDTE5-MrLZdVg@mail.gmail.com> <CA+cU71nN-=TjWZZovMUcTrXMF1gBcYFppnfnsaP7hKw+6AUCLQ@mail.gmail.com> <CAOe4Uim9ZC7MdY1tXhLWFwNxzxorh00bJ3PBsco_H-KxpYh-Dg@mail.gmail.com> <CAGZ8ZG3xoA1w1oEx9F8MuH1PARe5ALU9A1CEXqDXM-JSh_niGg@mail.gmail.com> <CACvaWvYjVXMsgCzL=mM+F8eS0hcjTqEaR7xYzti4LD4rdpbD1g@mail.gmail.com> <0EBE1766-612D-442E-B2B1-149D368144D4@gmail.com> <CA+cU71=gTW1ePN9HX4urTDktF-RohgrmYP_jRgKVStQ4F7QP6w@mail.gmail.com> <CACvaWvZNpAepBmWchLMirfPdxu4ed=vH1qwMppAjw1P9S+4quw@mail.gmail.com>
From: Joseph Bonneau <jbonneau@gmail.com>
Date: Thu, 28 Aug 2014 12:02:36 -0400
Message-ID: <CAOe4Uik7wAr0TnHvDDfcpv2PrcDiCO8kfuPYAv1QgMcM0ULdig@mail.gmail.com>
To: Ryan Sleevi <sleevi@google.com>
Content-Type: multipart/alternative; boundary=20cf307d06b291dc380501b2abf3
Archived-At: http://mailarchive.ietf.org/arch/msg/websec/lJHHCijJqqB6MdOJ1LX1T2tY1X4
Cc: draft-ietf-websec-key-pinning <draft-ietf-websec-key-pinning@tools.ietf.org>, Eric Lawrence <ericlaw1979@hotmail.com>, "<websec@ietf.org>" <websec@ietf.org>
Subject: Re: [websec] draft-ietf-websec-key-pinning
X-BeenThere: websec@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/websec>, <mailto:websec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/websec/>
List-Post: <mailto:websec@ietf.org>
List-Help: <mailto:websec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/websec>, <mailto:websec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 28 Aug 2014 16:03:00 -0000

--20cf307d06b291dc380501b2abf3
Content-Type: text/plain; charset=UTF-8

On Wed, Aug 27, 2014 at 9:14 PM, Ryan Sleevi <sleevi@google.com> wrote:

> Right, so, I do agree with Joe that I do think we've reached conclusions
> on the suitability for security and the suitability for testing, and I do
> want to see what can be done to editorially resolve this.
>
> Without having fully drafted the text, it seems like one possible solution
> is to describe HOW a site operator might use this to test deployment of
> pins, knowing that it may not be a perfect solution for all use cases, it
> would at least help to clarify both the strengths and limitations.
>
> The example I'm thinking of is as follows:
>

With Ryan's proposed testing plan I fear many site operators can't easily
enumerate all subdomains and even if they try this is a particularly
difficult test mode because there's no feedback if you forget a subdomain.
This allows you to make sure it works on all subdomains you know about-but
what about the ones you don't?

Beyond that though, we're probably kidding ourselves if we think most site
operators will actually sit down and read an RFC front-to-back. They won't.
Some evidence from a project a student of mine is working on, finding a
large number of sites (~30%) are not properly setting HSTS headers per the
spec (which is comparably simple to achieve):
http://jbonneau.com/doc/KB14-hsts_pinning_survey_working_draft.pdf. Clearly
a lot of people didn't read the RFC and that's not even counting minor
errors like incorrect capitalization.

I think we should be realistic that this RFC will primarily be read by
developers building support into user agents and not site operators. Site
operators will, at best, read somebody's 500-word how-to blog post. Many
will probably just copy what some other site is doing and modify it until
it appears to work.

In a perfect world, we'd do "developer testing" on an draft like this where
we give a random site-operator-off-the-street the RFC and ask if they can
comprehend it and add support to their site. This is similar to how any new
software tool should have user testing. Short of that, the evidence we have
is that multiple people (including myself) who are security enthusiasts and
have been following this draft for years had a broken mental model of how
PKP-RO works. I think this design is violating the Principal of Least
Astonishment and we're asking for trouble no matter how much explanatory
text gets added to the RFC.

--20cf307d06b291dc380501b2abf3
Content-Type: text/html; charset=UTF-8
Content-Transfer-Encoding: quoted-printable

<div dir=3D"ltr"><div class=3D"gmail_extra"><br><br><div class=3D"gmail_quo=
te">On Wed, Aug 27, 2014 at 9:14 PM, Ryan Sleevi <span dir=3D"ltr">&lt;<a h=
ref=3D"mailto:sleevi@google.com" target=3D"_blank">sleevi@google.com</a>&gt=
;</span> wrote:<br>



<blockquote class=3D"gmail_quote" style=3D"margin:0px 0px 0px 0.8ex;border-=
left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;p=
adding-left:1ex"><div dir=3D"ltr">Right, so, I do agree with Joe that I do =
think we&#39;ve reached conclusions on the suitability for security and the=
 suitability for testing, and I do want to see what can be done to editoria=
lly resolve this.<div>




<br></div><div>Without having fully drafted the text, it seems like one pos=
sible solution is to describe HOW a site operator might use this to test de=
ployment of pins, knowing that it may not be a perfect solution for all use=
 cases, it would at least help to clarify both the strengths and limitation=
s.</div>




<div><br></div><div>The example I&#39;m thinking of is as follows:</div></d=
iv></blockquote><div><br></div><div>With Ryan&#39;s proposed testing plan I=
 fear many site operators can&#39;t easily enumerate all subdomains and eve=
n if they try this is a particularly difficult test mode because there&#39;=
s no feedback if you forget a subdomain. This allows you to make sure it wo=
rks on all subdomains you know about-but what about the ones you don&#39;t?=
<br>


</div><div><br></div><div>Beyond that though, we&#39;re probably kidding ou=
rselves if we think most site operators will actually sit down and read an =
RFC front-to-back. They won&#39;t. Some evidence from a project a student o=
f mine is working on, finding a large number of sites (~30%) are not proper=
ly setting HSTS headers per the spec (which is comparably simple to achieve=
):=C2=A0<a href=3D"http://jbonneau.com/doc/KB14-hsts_pinning_survey_working=
_draft.pdf" target=3D"_blank">http://jbonneau.com/doc/KB14-hsts_pinning_sur=
vey_working_draft.pdf</a>. Clearly a lot of people didn&#39;t read the RFC =
and that&#39;s not even counting minor errors like incorrect capitalization=
.</div>


<div><br></div><div>I think we should be realistic that this RFC will prima=
rily be read by developers building support into user agents and not site o=
perators. Site operators will, at best, read somebody&#39;s 500-word how-to=
 blog post. Many will probably just copy what some other site is doing and =
modify it until it appears to work.</div>


<div><br></div><div>In a perfect world, we&#39;d do &quot;developer testing=
&quot; on an draft like this where we give a random site-operator-off-the-s=
treet the RFC and ask if they can comprehend it and add support to their si=
te. This is similar to how any new software tool should have user testing. =
Short of that, the evidence we have is that multiple people (including myse=
lf) who are security enthusiasts and have been following this draft for yea=
rs had a broken mental model of how PKP-RO works. I think this design is vi=
olating the Principal of Least Astonishment and we&#39;re asking for troubl=
e no matter how much explanatory text gets added to the RFC.</div>


</div></div></div>

--20cf307d06b291dc380501b2abf3--


From nobody Thu Aug 28 09:20:38 2014
Return-Path: <ericlaw1979@hotmail.com>
X-Original-To: websec@ietfa.amsl.com
Delivered-To: websec@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id EF71E1A875C for <websec@ietfa.amsl.com>; Thu, 28 Aug 2014 09:13:35 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.317
X-Spam-Level: 
X-Spam-Status: No, score=-2.317 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FREEMAIL_ENVFROM_END_DIGIT=0.25, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RP_MATCHES_RCVD=-0.668, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id eOkrUr61XZN6 for <websec@ietfa.amsl.com>; Thu, 28 Aug 2014 09:13:29 -0700 (PDT)
Received: from BAY004-OMC2S4.hotmail.com (bay004-omc2s4.hotmail.com [65.54.190.79]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E9CA31A8764 for <websec@ietf.org>; Thu, 28 Aug 2014 09:13:24 -0700 (PDT)
Received: from BAY169-DS42 ([65.54.190.125]) by BAY004-OMC2S4.hotmail.com over TLS secured channel with Microsoft SMTPSVC(7.5.7601.22712);  Thu, 28 Aug 2014 09:13:24 -0700
X-TMN: [osxG9GpzYa2WenOWNLbGO1WxQPZbh1F5]
X-Originating-Email: [ericlaw1979@hotmail.com]
Message-ID: <BAY169-DS421419C50B5700132829BBAEDA0@phx.gbl>
From: "Eric Lawrence" <ericlaw1979@hotmail.com>
To: "Yoav Nir" <ynir.ietf@gmail.com>
References: <CACvaWvZNpAepBmWchLMirfPdxu4ed=vH1qwMppAjw1P9S+4quw@mail.gmail.com> <BAY169-DS311951F23960F4605A0CB0AEDA0@phx.gbl> <35F981DA-46C4-44D7-8582-25BF8BF1B31A@gmail.com>
In-Reply-To: <35F981DA-46C4-44D7-8582-25BF8BF1B31A@gmail.com>
Date: Thu, 28 Aug 2014 11:13:23 -0500
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="----=_NextPart_000_0019_01CFC2B1.15174440"
X-Priority: 3
X-MSMail-Priority: Normal
Importance: Normal
X-Mailer: Microsoft Windows Live Mail 16.4.3528.331
X-MimeOLE: Produced By Microsoft MimeOLE V16.4.3528.331
X-OriginalArrivalTime: 28 Aug 2014 16:13:24.0783 (UTC) FILETIME=[FEA3A3F0:01CFC2DA]
Archived-At: http://mailarchive.ietf.org/arch/msg/websec/kw6UkbDY1FIhrNUSPeumSW7p-bI
X-Mailman-Approved-At: Thu, 28 Aug 2014 09:20:35 -0700
Cc: draft-ietf-websec-key-pinning <draft-ietf-websec-key-pinning@tools.ietf.org>, websec@ietf.org, Ryan Sleevi <sleevi@google.com>
Subject: Re: [websec] draft-ietf-websec-key-pinning
X-BeenThere: websec@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/websec>, <mailto:websec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/websec/>
List-Post: <mailto:websec@ietf.org>
List-Help: <mailto:websec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/websec>, <mailto:websec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 28 Aug 2014 16:13:36 -0000

This is a multi-part message in MIME format.

------=_NextPart_000_0019_01CFC2B1.15174440
Content-Type: text/plain;
	charset="Windows-1252"
Content-Transfer-Encoding: quoted-printable

> testing with PKP-RO may=20
> be fine before first deploying PKP, but it doesn=92t help you where =
it=92s dangerous -=20
> when it=92s time to change certificates.

In addition to raising confidence before you first deploy, PKP-RO helps =
when you wish to retire a pinned SPKI.=20

For instance:

  0. Acme Corp has a secure website; they=92re using PKP with =
includeSubdomains.
  1. Acme Corp currently buys its certs from Verisign and uses PKP to =
pin the Verisign intermediate SPKI.=20
  2. Next year, Acme Corp decides that they want to buy GoDaddy certs =
instead. They update their PKP header to add the GoDaddy =
intermediate=92s SPKI to the list.
  3. Because Acme Corp is a huge enterprise, they don=92t know if some =
business unit (e.g. SpecialProjects.Acme.com) didn=92t get the memo =
about the move to GoDaddy and may still be using a Verisign cert. So, in =
addition to the updated PKP header, they ALSO send a PKP-RO header that =
specifies *only* the GoDaddy SPKI and watch for any reporting failures.
  4. After an appropriate period, Acme concludes that they are safe in =
replacing the PKP set of SPKIs with the set they prototyped in PKP-RO. =
They do so and remove the PKP-RO header.

-Eric

*An aside vis-=E0-vis the plausibility of #3, a site not knowing about =
its own subdomains: I recently spoke to a site (=93example.com=94) that =
wasn=92t using includeSubdomains on their HSTS header. I asked why not, =
since all of the company=92s public websites were HTTPS. It turns out =
that they can=92t use includeSubdomains because their private Intranet =
uses internally-mapped domains subordinate to their public domain name =
suffix. So, while =93hr.example.com=94 isn=92t publicly reachable, =
browsers don=92t know or care, and HSTS+includeSubdomains will fail any =
insecure connection for the employees inside the company.=20

A similar challenge will face any such companies when they try to use =
PKP with includeSubdomains.


From: Yoav Nir=20
Sent: Thursday, August 28, 2014 9:59 AM
To: Eric Lawrence=20
Cc: Ryan Sleevi ; Tom Ritter ; draft-ietf-websec-key-pinning ; =
websec@ietf.org=20
Subject: Re: [websec] draft-ietf-websec-key-pinning

Hi Eric=20

Part of the issue is that PKP (and PKP-RO) follow the lead of other =
headers such as CSP that also have report-only alternatives, but PKP is =
inherently different.

CSP has directives that relate to the content delivered, so if CSP has a =
directive that says the resource cannot be displayed behind a =
transparent floating frame, the content will not be displayed. If it=92s =
CSP-RO instead of CSP, the content is displayed, but a report is also =
sent. That makes sense, and if you see that the CSP-RO header causes =
reports, you can adjust it. Once you move to CSP, you=92re fine as long =
as the content does not change, and even if it does change, you can test =
it first with a test server.

For PKP it=92s different. The thing that changes is the certificate =
presented to the client. You can=92t test the new certificate on a side =
server, at least not in a way that will fill you with confidence. And =
because of the way certificates are used, there is no such thing as a =
static structure to the site. You have to change the certificate (and =
usually the key) every year, so testing with PKP-RO may be fine before =
first deploying PKP, but it doesn=92t help you where it=92s dangerous - =
when it=92s time to change certificates.

This leads some people around here to conclude that PKP-RO is not =
useful.

Yoav


On Aug 28, 2014, at 5:26 PM, Eric Lawrence <ericlaw1979@hotmail.com> =
wrote:


  I=92ll take one last tilt at this, because I think this spec is quite =
important and folks aren=92t actually very far apart on this.=20

  To start, I want to reiterate that Draft #20 was the first time I got =
involved in PKP, so my perspective comes from that draft and not any =
other conversations, tribal knowledge, meetings, etc, that others in the =
group may have been a part of.=20

  Here=92s how I *thought* Draft #20 specified things to work:

    1> PKP and PKP-RO are equivalent in every way except that PKP =
mismatch triggers a Report *and* fails the connection, while PKP-RO =
mismatch only triggers a Report. That=92s why PKP-RO is named =93Public =
Key Pins Report Only=94 and not =93Sorta Like Public Key Pins But Does =
Not Break Connections And Does Not Persist (SLPKPBDNBCADNP)=94

    2> Site administrators should use PKP-RO to prototype a policy to be =
later deployed PKP. They use PKP-RO first to generate confidence that =
they will not be self-inflicting any broad denial-of-service when =
enabling PKP.

    3> When PKP and PKP-RO headers are initially encountered (pins not =
previously stored), a failure to match the specified policy triggers a =
Report. The mismatched policy is NOT stored, which blocks the DOS bomb =
attack Ryan mentions below.

    4> PKP and PKP-RO only exist as different headers because it allows =
a site to have one policy in force and also prototype proposed policy =
changes.

  This design made perfect sense to me, and my feedback on the draft was =
primarily intended to clarify the language around this design.

  Instead, it appears that PKP-RO works dramatically differently than =
PKP, in ways that I believe are entirely non-obvious to implementers who =
only read the draft. While I believe it would be possible to editorially =
change the language to make PKP-RO=92s different behavior, to me, that =
approach only seems to be codifying a more confusing, less useful =
design, and would require more work on the part of the authors.

  I don=92t believe there are any privacy or security implications in =
allowing PKP-RO to behave like PKP except that it=92s =93Report Only.=94 =
Any privacy or security implications in PKP-RO are shared by PKP.=20

  -Eric Lawrence=20

------=_NextPart_000_0019_01CFC2B1.15174440
Content-Type: text/html;
	charset="Windows-1252"
Content-Transfer-Encoding: quoted-printable

<HTML><HEAD>
<META content=3D"text/html charset=3Dwindows-1252" =
http-equiv=3DContent-Type></HEAD>
<BODY=20
style=3D"WORD-WRAP: break-word; -webkit-nbsp-mode: space; =
-webkit-line-break: after-white-space"=20
dir=3Dltr>
<DIV dir=3Dltr>
<DIV style=3D"FONT-SIZE: 12pt; FONT-FAMILY: 'Calibri'; COLOR: #000000">
<DIV>&gt; testing with PKP-RO may </DIV>
<DIV>&gt; be fine before first deploying PKP, but it doesn=92t help you =
where it=92s=20
dangerous - </DIV>
<DIV>&gt; when it=92s time to change certificates.</DIV>
<DIV>&nbsp;</DIV>
<DIV>In addition to raising confidence before you first deploy, PKP-RO =
helps=20
when you wish to retire a pinned SPKI. </DIV>
<DIV>&nbsp;</DIV>
<DIV>For instance:</DIV>
<DIV>&nbsp;</DIV>
<DIV>&nbsp; 0. Acme Corp has a secure website; they=92re using PKP with=20
includeSubdomains.</DIV>
<DIV>&nbsp; 1. Acme Corp currently buys its certs from Verisign and uses =
PKP to=20
pin the Verisign intermediate SPKI. </DIV>
<DIV>&nbsp; 2. Next year, Acme Corp decides that they want to buy =
GoDaddy certs=20
instead. They update their PKP header to add the GoDaddy =
intermediate=92s SPKI to=20
the list.</DIV>
<DIV>&nbsp; 3. Because Acme Corp is a huge enterprise, they don=92t know =
if some=20
business unit (e.g. SpecialProjects.Acme.com) didn=92t get the memo =
about the move=20
to GoDaddy and may still be using a Verisign cert. So, in addition to =
the=20
updated PKP header, they ALSO send a PKP-RO header that specifies *only* =
the=20
GoDaddy SPKI and watch for any reporting failures.</DIV>
<DIV>&nbsp; 4. After an appropriate period, Acme concludes that they are =
safe in=20
replacing the PKP set of SPKIs with the set they prototyped in PKP-RO. =
They do=20
so and remove the PKP-RO header.</DIV>
<DIV>&nbsp;</DIV>
<DIV>-Eric</DIV>
<DIV>&nbsp;</DIV>
<DIV>*An aside vis-=E0-vis the plausibility of #3, a site not knowing =
about its=20
own subdomains: I recently spoke to a site (=93example.com=94) that =
wasn=92t using=20
includeSubdomains on their HSTS header. I asked why not, since all of =
the=20
company=92s public websites were HTTPS. It turns out that they can=92t =
use=20
includeSubdomains because their private Intranet uses internally-mapped =
domains=20
subordinate to their public domain name suffix. So, while =
=93hr.example.com=94 isn=92t=20
publicly reachable, browsers don=92t know or care, and =
HSTS+includeSubdomains will=20
fail any insecure connection for the employees inside the company. =
</DIV>
<DIV>&nbsp;</DIV>
<DIV>A similar challenge will face any such companies when they try to =
use PKP=20
with includeSubdomains.</DIV>
<DIV><FONT face=3D"Times New Roman"></FONT>&nbsp;</DIV>
<DIV=20
style=3D'FONT-SIZE: small; TEXT-DECORATION: none; FONT-FAMILY: =
"Calibri"; FONT-WEIGHT: normal; COLOR: #000000; FONT-STYLE: normal; =
DISPLAY: inline'>
<DIV style=3D"FONT: 10pt tahoma">
<DIV><FONT size=3D3 face=3DCalibri></FONT>&nbsp;</DIV>
<DIV style=3D"BACKGROUND: #f5f5f5">
<DIV style=3D"font-color: black"><B>From:</B> <A =
title=3Dynir.ietf@gmail.com=20
href=3D"mailto:ynir.ietf@gmail.com">Yoav Nir</A> </DIV>
<DIV><B>Sent:</B> Thursday, August 28, 2014 9:59 AM</DIV>
<DIV><B>To:</B> <A title=3Dericlaw1979@hotmail.com=20
href=3D"mailto:ericlaw1979@hotmail.com">Eric Lawrence</A> </DIV>
<DIV><B>Cc:</B> <A title=3Dsleevi@google.com =
href=3D"mailto:sleevi@google.com">Ryan=20
Sleevi</A> ; <A title=3Dtom@ritter.vg href=3D"mailto:tom@ritter.vg">Tom =
Ritter</A> ;=20
<A title=3Ddraft-ietf-websec-key-pinning@tools.ietf.org=20
href=3D"mailto:draft-ietf-websec-key-pinning@tools.ietf.org">draft-ietf-w=
ebsec-key-pinning</A>=20
; <A title=3Dwebsec@ietf.org =
href=3D"mailto:websec@ietf.org">websec@ietf.org</A>=20
</DIV>
<DIV><B>Subject:</B> Re: [websec]=20
draft-ietf-websec-key-pinning</DIV></DIV></DIV>
<DIV>&nbsp;</DIV></DIV>
<DIV=20
style=3D'FONT-SIZE: small; TEXT-DECORATION: none; FONT-FAMILY: =
"Calibri"; FONT-WEIGHT: normal; COLOR: #000000; FONT-STYLE: normal; =
DISPLAY: inline'>Hi=20
Eric=20
<DIV>&nbsp;</DIV>
<DIV>Part of the issue is that PKP (and PKP-RO) follow the lead of other =
headers=20
such as CSP that also have report-only alternatives, but PKP is =
inherently=20
different.</DIV>
<DIV>&nbsp;</DIV>
<DIV>CSP has directives that relate to the content delivered, so if CSP =
has a=20
directive that says the resource cannot be displayed behind a =
transparent=20
floating frame, the content will not be displayed. If it=92s CSP-RO =
instead of=20
CSP, the content is displayed, but a report is also sent. That makes =
sense, and=20
if you see that the CSP-RO header causes reports, you can adjust it. =
Once you=20
move to CSP, you=92re fine as long as the content does not change, and =
even if it=20
does change, you can test it first with a test server.</DIV>
<DIV>&nbsp;</DIV>
<DIV>For PKP it=92s different. The thing that changes is the certificate =
presented=20
to the client. You can=92t test the new certificate on a side server, at =
least not=20
in a way that will fill you with confidence. And because of the way =
certificates=20
are used, there is no such thing as a static structure to the site. You =
have to=20
change the certificate (and usually the key) every year, so testing with =
PKP-RO=20
may be fine before first deploying PKP, but it doesn=92t help you where =
it=92s=20
dangerous - when it=92s time to change certificates.</DIV>
<DIV>&nbsp;</DIV>
<DIV>This leads some people around here to conclude that PKP-RO is not=20
useful.</DIV>
<DIV>&nbsp;</DIV>
<DIV>Yoav</DIV>
<DIV>&nbsp;</DIV>
<DIV>
<DIV>&nbsp;</DIV>
<DIV>
<DIV>
<DIV>On Aug 28, 2014, at 5:26 PM, Eric Lawrence &lt;<A=20
href=3D"mailto:ericlaw1979@hotmail.com">ericlaw1979@hotmail.com</A>&gt;=20
wrote:</DIV><BR class=3DApple-interchange-newline>
<BLOCKQUOTE type=3D"cite">
  <DIV dir=3Dltr>
  <DIV dir=3Dltr>
  <DIV style=3D"FONT-SIZE: 12pt; FONT-FAMILY: calibri">
  <DIV>I=92ll take one last tilt at this, because I think this spec is =
quite=20
  important and folks aren=92t actually very far apart on this. </DIV>
  <DIV>&nbsp;</DIV>
  <DIV>To start, I want to reiterate that Draft #20 was the first time I =
got=20
  involved in PKP, so my perspective comes from that draft and not any =
other=20
  conversations, tribal knowledge, meetings, etc, that others in the =
group may=20
  have been a part of. </DIV>
  <DIV>&nbsp;</DIV>
  <DIV>Here=92s how I *thought* Draft #20 specified things to =
work:</DIV>
  <DIV>&nbsp;</DIV>
  <DIV>&nbsp; 1&gt; PKP and PKP-RO are equivalent in every way except =
that PKP=20
  mismatch triggers a Report *and* fails the connection, while PKP-RO =
mismatch=20
  only triggers a Report. That=92s why PKP-RO is named =93Public Key =
Pins Report=20
  Only=94 and not =93Sorta Like Public Key Pins But Does Not Break =
Connections And=20
  Does Not Persist (SLPKPBDNBCADNP)=94</DIV>
  <DIV>&nbsp;</DIV>
  <DIV>&nbsp; 2&gt; Site administrators should use PKP-RO to prototype a =
policy=20
  to be later deployed PKP. They use PKP-RO first to generate confidence =
that=20
  they will not be self-inflicting any broad denial-of-service when =
enabling=20
  PKP.</DIV>
  <DIV>&nbsp;</DIV>
  <DIV>&nbsp; 3&gt; When PKP and PKP-RO headers are initially =
encountered (pins=20
  not previously stored), a failure to match the specified policy =
triggers a=20
  Report. The mismatched policy is NOT stored, which blocks the DOS bomb =
attack=20
  Ryan mentions below.</DIV>
  <DIV>&nbsp;</DIV>
  <DIV>&nbsp; 4&gt; PKP and PKP-RO only exist as different headers =
because it=20
  allows a site to have one policy in force and also prototype proposed =
policy=20
  changes.</DIV>
  <DIV>&nbsp;</DIV>
  <DIV>This design made perfect sense to me, and my feedback on the =
draft was=20
  primarily intended to clarify the language around this design.</DIV>
  <DIV>&nbsp;</DIV>
  <DIV>Instead, it appears that PKP-RO works dramatically differently =
than PKP,=20
  in ways that I believe are entirely non-obvious to implementers who =
only read=20
  the draft. While I believe it would be possible to editorially change =
the=20
  language to make PKP-RO=92s different behavior, to me, that approach =
only seems=20
  to be codifying a more confusing, less useful design, and would =
require more=20
  work on the part of the authors.</DIV>
  <DIV>&nbsp;</DIV>
  <DIV>I don=92t believe there are any privacy or security implications =
in=20
  allowing PKP-RO to behave like PKP except that it=92s =93Report =
Only.=94 Any privacy=20
  or security implications in PKP-RO are shared by PKP. </DIV>
  <DIV>&nbsp;</DIV>
  <DIV>-Eric Lawrence </DIV>
  <DIV=20
  style=3D"FONT-SIZE: small; TEXT-DECORATION: none; FONT-FAMILY: =
calibri; FONT-WEIGHT: normal; FONT-STYLE: normal; DISPLAY: inline">
  <DIV style=3D"FONT: 10pt tahoma">
  <DIV><FONT size=3D3=20
face=3DCalibri></FONT></DIV></DIV></DIV></DIV></DIV></DIV></BLOCKQUOTE></=
DIV>
<DIV>&nbsp;</DIV></DIV></DIV></DIV></DIV></DIV></BODY></HTML>

------=_NextPart_000_0019_01CFC2B1.15174440--


From nobody Sat Aug 30 14:34:28 2014
Return-Path: <elwynd@dial.pipex.com>
X-Original-To: websec@ietfa.amsl.com
Delivered-To: websec@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 919671A06E3; Sat, 30 Aug 2014 11:43:02 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -100.502
X-Spam-Level: 
X-Spam-Status: No, score=-100.502 tagged_above=-999 required=5 tests=[BAYES_05=-0.5, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, USER_IN_WHITELIST=-100] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id qY5gE21Wt9xU; Sat, 30 Aug 2014 11:42:59 -0700 (PDT)
Received: from mk-outboundfilter-1.mail.uk.tiscali.com (mk-outboundfilter-1.mail.uk.tiscali.com [212.74.114.37]) by ietfa.amsl.com (Postfix) with ESMTP id 0726C1A06DA; Sat, 30 Aug 2014 11:42:58 -0700 (PDT)
X-Trace: 121199994/mk-outboundfilter-1.mail.uk.tiscali.com/PIPEX/$OFF_NET_AUTH_ACCEPTED/TUK-OFF-NET-SMTP-AUTH-PIPEX-Customers/81.187.254.252/None/elwynd@dial.pipex.com
X-SBRS: None
X-RemoteIP: 81.187.254.252
X-IP-MAIL-FROM: elwynd@dial.pipex.com
X-SMTP-AUTH: elwynd@dial.pipex.com
X-MUA: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Thunderbird/31.0
X-IP-BHB: Once
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: Aq4EANYZAlRRu/78/2dsb2JhbABag2BXgnzEe4dMAYElhHoBAQQBIxVAAQULCxgCAgUWCwICCQMCAQIBRQYNAQUCAQGINgwJplCUWwETBIEsjT8RAVAHgnmBUwWFBQKQWIZ9hx+Nf4Nia4EPgUABAQE
X-IPAS-Result: Aq4EANYZAlRRu/78/2dsb2JhbABag2BXgnzEe4dMAYElhHoBAQQBIxVAAQULCxgCAgUWCwICCQMCAQIBRQYNAQUCAQGINgwJplCUWwETBIEsjT8RAVAHgnmBUwWFBQKQWIZ9hx+Nf4Nia4EPgUABAQE
X-IronPort-AV: E=Sophos;i="5.04,432,1406588400"; d="scan'208";a="121199994"
X-IP-Direction: OUT
Received: from neut-r.netinf.eu (HELO [81.187.254.252]) ([81.187.254.252]) by smtp.pipex.tiscali.co.uk with ESMTP/TLS/DHE-RSA-AES128-SHA; 30 Aug 2014 19:42:58 +0100
Message-ID: <54021B2F.7000108@dial.pipex.com>
Date: Sat, 30 Aug 2014 19:42:55 +0100
From: Elwyn Davies <elwynd@dial.pipex.com>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Thunderbird/31.0
MIME-Version: 1.0
To: Chris Palmer <palmer@google.com>
References: <53DA3F13.10007@dial.pipex.com>	<A46FD7B1-0ECB-4AB9-990E-E09D4956591B@gmail.com>	<549E489B-181F-48FA-867E-BA7C7FB3E32D@gmail.com>	<53E8DC68.5010803@dial.pipex.com> <CAOuvq23AF3NFGg2HRhWgcg70GaZmQ=ArL-NfUCepN0QGuGEqDQ@mail.gmail.com>
In-Reply-To: <CAOuvq23AF3NFGg2HRhWgcg70GaZmQ=ArL-NfUCepN0QGuGEqDQ@mail.gmail.com>
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Transfer-Encoding: 7bit
Archived-At: http://mailarchive.ietf.org/arch/msg/websec/sPbcZCxslktOoOuKAep2hu4itbs
X-Mailman-Approved-At: Sat, 30 Aug 2014 14:34:26 -0700
Cc: draft-ietf-websec-key-pinning.all@tools.ietf.org, General area reviewing team <gen-art@ietf.org>, IETF WebSec WG <websec@ietf.org>
Subject: Re: [websec] Gen-art LC review of draft-ietf-websec-key-pinning-19
X-BeenThere: websec@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/websec>, <mailto:websec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/websec/>
List-Post: <mailto:websec@ietf.org>
List-Help: <mailto:websec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/websec>, <mailto:websec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 30 Aug 2014 18:43:02 -0000

Hi, Chris.

A couple of remaining points and a couple of nits/queries in the fixes.

I have deleted the items that we are agreed on below and added comments 
in line.

New nits:
s2.6, next to last para: s/previous/previously/

s4, lasta para:
> and indeed MUST pin to issuers not in the chain

Is this a requirements MUST?  The protocol will be quite happy and 
implementers can't (at least I don't think) they can check if the host 
leaves it out.  This is operational advice (admittedly highly relevant) 
but still advice I think.

On 25/08/14 21:23, Chris Palmer wrote:
> On Mon, Aug 11, 2014 at 8:08 AM, Elwyn Davies <elwynd@dial.pipex.com> wrote:
>
<<snip>>

>> Ok.  Accepting that the host is expected normally to send the headers on all
>> responses, when SHOULD it not send the headers? (from the previous comments
>> a server that knows it is not multiplexed might be a candidate - or if it
>> knows it has already responded on this connection?)
>
> I think it's easiest and simplest for servers to simply always send the headers.
>

Having thought about this a bit, I don't think this text fully reflects 
what is going on in the server.  If I understand correctly, we have:
- Server has a policy that it wants to be pinned if it can be 
(presumably this ought to be configurable in the server).
- When a client sends a request over a new secure connection and the 
policy says 'be pinned', the server sends back pinning header(s) in the 
response.
- Thereafter, it MAY for simplicity send pinning headers in all 
subsequent responses on the connection. Alternatively it can do 
something intelligent and not bother sending the headers if it is the 
same connection - but of course this probably means a layer violation.

Thought: Does it make any difference if the client doesn't accept the 
pin? Should success or failure be logged?  Should the host always keep 
sending the headers if the client didn't accept the pin on the first
exchange (is this a possible symptom of a MITM?)?

Suggestion:
OLD:
2.2.1.  HTTP-over-Secure-Transport Request Type

    When replying to an HTTP request that was conveyed over a secure
    transport, a Pinned Host SHOULD include in its response exactly one
    PKP header field, exactly one PKP-RO header field, or one of each.

NEW:
2.2.1.  HTTP-over-Secure-Transport Request Type

    If a host has a policy of becoming a Pinned Host whenever possible,
    then on replying to an initial HTTP request that was conveyed over a
    secure transport, a host intending to become Pinned Host includes in
    its response exactly one PKP header field, exactly one PKP-RO header
    field, or one of each.  The host MAY include the same header(s)
    with any subsequent responses using the same connection.


<<snip>>

>>>>> Also there may be some of the questions in s8.3.1 of RFC 7231 that need
>>>>> specific answers.
>>
>> There are still some of the questions that ought to be explicitly answered.
>
> To me, the only questions that might not have obvious answers are:
>
>     o  Whether the header field is useful or allowable in trailers (see
>        Section 4.1 of [RFC7230]).
>
> Surely not? For the same reason we don't want it in meta http-equiv.
>
>     o  Whether the header field ought to be preserved across redirects.
>
> Surely not?
>
> Any others?

The point was that I guess you ought to explicitly say "not" in each case.

>
<<snip>>

> Changes visible at
> https://code.google.com/p/key-pinning-draft/source/list. I won't push
> a version 21 until I've gone through the rest of the incoming email.
>
> Thank you!
>
Cheers,
Elwyn