Re: [wpkops] Cert-pinning, CA-pinning part of trust model: suggestion

2013-09-17 Thread Yoav Nir

On Sep 17, 2013, at 11:17 PM, joel jaeggli joe...@bogus.com wrote:

 On 9/16/13 5:23 PM, Tom Ritter wrote:
 On 16 September 2013 17:10, Bruce Morton bruce.mor...@entrust.com wrote:
 Sounds reasonable. One question is that since it is not widely used, does it
 meet the 0.1 percent of connections criteria? I don’t know how we measure
 that.
 
 Chrome's between 16-46% of the market[0] and pins Google and
 Twitter[1].  Between Google and Twitter, I'd say it probably hits
 0.1%...
 
 is this behavior consistent with what mozilla was doing/did?
 
 https://bugzilla.mozilla.org/show_bug.cgi?id=744204
 
 https://wiki.mozilla.org/Security/Features/CA_pinning_functionality

Not quite.  What Chrome currently has is a static list of pins (gets updated 
when Chrome gets updated). What Mozilla is implementing is a dynamic list of 
pins updated by visiting the site, as specified in 
http://tools.ietf.org/html/draft-ietf-websec-key-pinning. I don't think either 
Google or Twitter emit the HPKP headers (yet).

Yoav

___
wpkops mailing list
wpkops@ietf.org
https://www.ietf.org/mailman/listinfo/wpkops
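
The difference between a static pin list and pins learned from a response header, as an added example that is not part of the original message or of any browser's code. The `PinStore` class, the host names and the key bytes are hypothetical; the `pin-sha256` and `max-age` directives follow the key-pinning specification as later published in RFC 7469, and requiring every applicable pin set to match is an assumption about how a client combines the two lists.

```python
import base64
import hashlib
import re
import time

def spki_pin(spki_der: bytes) -> str:
    """Pin value: base64 of SHA-256 over a DER SubjectPublicKeyInfo."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode()

class PinStore:
    """Hypothetical client-side store holding both kinds of pins."""

    def __init__(self, static_pins):
        self.static = static_pins   # host -> pins, changes only with a client update
        self.dynamic = {}           # host -> (pins, expiry), learned from headers

    def note_header(self, host, header, chain_pins, now=None):
        """Handle a Public-Key-Pins header from an already validated connection."""
        now = time.time() if now is None else now
        pins = set(re.findall(r'pin-sha256="([A-Za-z0-9+/=]+)"', header, re.I))
        age = re.search(r'max-age=(\d+)', header, re.I)
        if age is None:
            return False                      # max-age is mandatory
        if int(age.group(1)) == 0:
            self.dynamic.pop(host, None)      # the site withdraws its pins
            return True
        # One pin must match the chain in use, and one backup pin must not,
        # so a typo or a lost key cannot lock the site out on first contact.
        if not (pins & chain_pins) or not (pins - chain_pins):
            return False
        self.dynamic[host] = (pins, now + int(age.group(1)))
        return True

    def check(self, host, chain_pins, now=None):
        """True if the chain satisfies every pin set that applies to host."""
        now = time.time() if now is None else now
        pin_sets = []
        if host in self.static:
            pin_sets.append(self.static[host])
        pins, expiry = self.dynamic.get(host, (None, 0))
        if pins and expiry > now:
            pin_sets.append(pins)
        return all(ps & chain_pins for ps in pin_sets)  # no pins: nothing to enforce
```

A host with only dynamic pins is unprotected on the first visit and again after `max-age` expires, which is the gap a static list shipped with the client closes.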


Re: [wpkops] Support for this activity from product developers?

2012-10-17 Thread Yoav Nir

On Oct 17, 2012, at 8:42 PM, Ryan Sleevi wrote:

 On Wed, October 17, 2012 11:13 am, Tim Moses wrote:
 Colleagues - One of the premises of this initiative (perhaps the main
 premise) was that product developers would be willing to be governed by
 the results of an industry consensus process when it comes to handling
 certificates and acting on the results of certificate validation.  That
 is, that developers would see value in claiming conformance to any
 resulting standard.  For instance, suppose consensus were to emerge that
 certain certificate validation failures should be fatal (i.e. the
 associated application should refuse to perform the requested operation),
 would application developers be willing to modify their products
 accordingly?
 
 Nothing in the discussions on the list to date confirms or refutes the
 premise.  I think it would be useful to hear from developers of relevant
 products how they would view the outcome of this type of IETF initiative.
 
 Thanks a lot.  All the best.  Tim.
 
 T: +1 613 270 3183
 
 Tim,
 
 According to your current (third) charter proposal:
 
 Future activities may attempt to prescribe how the Web PKI should work,
 and the prescription may turn out to be a proper subset of the PKIX PKI. 
 However, that task is explicitly not a goal of the proposed working group.
 Instead, the group's goal is merely to describe how the Web PKI
 actually works in the set of browsers and servers that are in common use
 today.
 
 This would suggest that the current work is not to the production of
 normative work product for any of the participants in the Web PKI, but
 rather informative work. It seems like discussion about the introduction
 of normative behaviours, for applications or for authorities, was
 something that was explicitly being avoided, as discussed during the
 scoping thread, until such a time as the WG had worked to produce
 informative work.
 
 At present, I'm very supportive of the work set out in the proposed
 charter, but further broadening the charter to include normative work may,
 I fear, prevent the delivery of useful and relevant documentation that can
 be used today.

It might turn out to be like a dictionary. Modern linguists write descriptive 
dictionaries, so google and friend become verbs, but then people use those 
dictionaries as the authority of what is correct usage.

Similarly, if this descriptive work shows a disparity, like if certain 
validation failures are fatal in some browsers, but not in others, then the 
lenient browsers might be shamed into complying with the best practice as 
described in the descriptive work.
