Re: [wpkops] Cert-pinning, CA-pinning part of trust model: suggestion
In any case, I think this is not a common practice in all the browsers. As you say, only Chrome and Mozilla support it, and it's a practice of these browsers that I don't know how to fit in a trust model which is based on browser procedures to admit CAs in their trust stores, and this is to check and avoid vulnerabilities like those that appeared in the DigiNotar case.

Iñigo Barreira
Head of the Technical Area
i-barre...@izenpe.net
945067705

-----Original Message-----
From: wpkops-boun...@ietf.org [mailto:wpkops-boun...@ietf.org] On Behalf Of joel jaeggli
Sent: Tuesday, 17 September 2013 22:57
To: Yoav Nir
Cc: Tom Ritter; wpkops@ietf.org; Bruce Morton; Tim Moses
Subject: Re: [wpkops] Cert-pinning, CA-pinning part of trust model: suggestion

On 9/17/13 1:54 PM, Yoav Nir wrote:
>
> On Sep 17, 2013, at 11:49 PM, Ryan Sleevi wrote:
>
>> On Tue, September 17, 2013 1:31 pm, Yoav Nir wrote:
>>>
>>> On Sep 17, 2013, at 11:17 PM, joel jaeggli wrote:
>>>
>>>> On 9/16/13 5:23 PM, Tom Ritter wrote:
>>>>> On 16 September 2013 17:10, Bruce Morton wrote:
>>>>>> Sounds reasonable. One question is that since it is not widely used, does it meet the 0.1 percent of connections criteria? I don't know how we measure that.
>>>>>
>>>>> Chrome's between 16-46% of the market[0] and pins Google and Twitter[1]. Between Google and Twitter, I'd say it probably hits 0.1%...
>>>>
>>>> is this behavior consistent with what mozilla was doing/did?
>>>>
>>>> https://bugzilla.mozilla.org/show_bug.cgi?id=744204
>>>>
>>>> https://wiki.mozilla.org/Security/Features/CA_pinning_functionality
>>>
>>> Not quite. What Chrome currently has is a static list of pins (gets updated when Chrome gets updated). What Mozilla is implementing is a dynamic list of pins updated by visiting the site, as specified in http://tools.ietf.org/html/draft-ietf-websec-key-pinning. I don't think either Google or Twitter emit the HPKP headers (yet).
>>>
>>> Yoav
>>
>> Note: Chrome has a static list of preloaded pins - but also supports dynamic pins, as specified in the draft.
>
> Really? Cool! That calls for an RFC 6982 "implementation status" section.

indeed, if it does.

> Yoav

_______________________________________________
wpkops mailing list
wpkops@ietf.org
https://www.ietf.org/mailman/listinfo/wpkops
Re: [wpkops] Cert-pinning, CA-pinning part of trust model: suggestion
On Sep 17, 2013, at 11:49 PM, Ryan Sleevi wrote:

> On Tue, September 17, 2013 1:31 pm, Yoav Nir wrote:
>>
>> On Sep 17, 2013, at 11:17 PM, joel jaeggli wrote:
>>
>>> On 9/16/13 5:23 PM, Tom Ritter wrote:
>>>> On 16 September 2013 17:10, Bruce Morton wrote:
>>>>> Sounds reasonable. One question is that since it is not widely used, does it meet the 0.1 percent of connections criteria? I don't know how we measure that.
>>>>
>>>> Chrome's between 16-46% of the market[0] and pins Google and Twitter[1]. Between Google and Twitter, I'd say it probably hits 0.1%...
>>>
>>> is this behavior consistent with what mozilla was doing/did?
>>>
>>> https://bugzilla.mozilla.org/show_bug.cgi?id=744204
>>>
>>> https://wiki.mozilla.org/Security/Features/CA_pinning_functionality
>>
>> Not quite. What Chrome currently has is a static list of pins (gets updated when Chrome gets updated). What Mozilla is implementing is a dynamic list of pins updated by visiting the site, as specified in http://tools.ietf.org/html/draft-ietf-websec-key-pinning. I don't think either Google or Twitter emit the HPKP headers (yet).
>>
>> Yoav
>
> Note: Chrome has a static list of preloaded pins - but also supports dynamic pins, as specified in the draft.

Really? Cool! That calls for an RFC 6982 "implementation status" section.

Yoav
Re: [wpkops] Cert-pinning, CA-pinning part of trust model: suggestion
On 9/17/13 1:31 PM, Yoav Nir wrote:
>
> On Sep 17, 2013, at 11:17 PM, joel jaeggli wrote:
>
>> On 9/16/13 5:23 PM, Tom Ritter wrote:
>>> On 16 September 2013 17:10, Bruce Morton wrote:
>>>> Sounds reasonable. One question is that since it is not widely used, does it meet the 0.1 percent of connections criteria? I don't know how we measure that.
>>>
>>> Chrome's between 16-46% of the market[0] and pins Google and Twitter[1]. Between Google and Twitter, I'd say it probably hits 0.1%...
>>
>> is this behavior consistent with what mozilla was doing/did?
>>
>> https://bugzilla.mozilla.org/show_bug.cgi?id=744204
>>
>> https://wiki.mozilla.org/Security/Features/CA_pinning_functionality
>
> Not quite. What Chrome currently has is a static list of pins (gets updated when Chrome gets updated). What Mozilla is implementing is a dynamic list of pins updated by visiting the site, as specified in http://tools.ietf.org/html/draft-ietf-websec-key-pinning. I don't think either Google or Twitter emit the HPKP headers (yet).

It sounds somewhat nascent. The existing practice seems to have practical limits to its scaling/applicability; the new one isn't quite there yet.

> Yoav
Re: [wpkops] Cert-pinning, CA-pinning part of trust model: suggestion
On Tue, September 17, 2013 1:31 pm, Yoav Nir wrote:
>
> On Sep 17, 2013, at 11:17 PM, joel jaeggli wrote:
>
>> On 9/16/13 5:23 PM, Tom Ritter wrote:
>>> On 16 September 2013 17:10, Bruce Morton wrote:
>>>> Sounds reasonable. One question is that since it is not widely used, does it meet the 0.1 percent of connections criteria? I don't know how we measure that.
>>>
>>> Chrome's between 16-46% of the market[0] and pins Google and Twitter[1]. Between Google and Twitter, I'd say it probably hits 0.1%...
>>
>> is this behavior consistent with what mozilla was doing/did?
>>
>> https://bugzilla.mozilla.org/show_bug.cgi?id=744204
>>
>> https://wiki.mozilla.org/Security/Features/CA_pinning_functionality
>
> Not quite. What Chrome currently has is a static list of pins (gets updated when Chrome gets updated). What Mozilla is implementing is a dynamic list of pins updated by visiting the site, as specified in http://tools.ietf.org/html/draft-ietf-websec-key-pinning. I don't think either Google or Twitter emit the HPKP headers (yet).
>
> Yoav

Note: Chrome has a static list of preloaded pins - but also supports dynamic pins, as specified in the draft.
Re: [wpkops] Cert-pinning, CA-pinning part of trust model: suggestion
On 9/17/13 1:54 PM, Yoav Nir wrote:
>
> On Sep 17, 2013, at 11:49 PM, Ryan Sleevi wrote:
>
>> On Tue, September 17, 2013 1:31 pm, Yoav Nir wrote:
>>>
>>> On Sep 17, 2013, at 11:17 PM, joel jaeggli wrote:
>>>
>>>> On 9/16/13 5:23 PM, Tom Ritter wrote:
>>>>> On 16 September 2013 17:10, Bruce Morton wrote:
>>>>>> Sounds reasonable. One question is that since it is not widely used, does it meet the 0.1 percent of connections criteria? I don't know how we measure that.
>>>>>
>>>>> Chrome's between 16-46% of the market[0] and pins Google and Twitter[1]. Between Google and Twitter, I'd say it probably hits 0.1%...
>>>>
>>>> is this behavior consistent with what mozilla was doing/did?
>>>>
>>>> https://bugzilla.mozilla.org/show_bug.cgi?id=744204
>>>>
>>>> https://wiki.mozilla.org/Security/Features/CA_pinning_functionality
>>>
>>> Not quite. What Chrome currently has is a static list of pins (gets updated when Chrome gets updated). What Mozilla is implementing is a dynamic list of pins updated by visiting the site, as specified in http://tools.ietf.org/html/draft-ietf-websec-key-pinning. I don't think either Google or Twitter emit the HPKP headers (yet).
>>>
>>> Yoav
>>
>> Note: Chrome has a static list of preloaded pins - but also supports dynamic pins, as specified in the draft.
>
> Really? Cool! That calls for an RFC 6982 "implementation status" section.

indeed, if it does.

> Yoav
Re: [wpkops] Cert-pinning, CA-pinning part of trust model: suggestion
On 9/17/13 1:17 PM, joel jaeggli wrote:
> On 9/16/13 5:23 PM, Tom Ritter wrote:
>> On 16 September 2013 17:10, Bruce Morton wrote:
>>> Sounds reasonable. One question is that since it is not widely used, does it meet the 0.1 percent of connections criteria? I don't know how we measure that.
>>
>> Chrome's between 16-46% of the market[0] and pins Google and Twitter[1]. Between Google and Twitter, I'd say it probably hits 0.1%...
>
> is this behavior consistent with what mozilla was doing/did?

It is consistent with Mozilla's current plan

Camilo

> https://bugzilla.mozilla.org/show_bug.cgi?id=744204
>
> https://wiki.mozilla.org/Security/Features/CA_pinning_functionality
>
>> -tom
>>
>> [0] https://en.wikipedia.org/wiki/Usage_share_of_web_browsers#Summary_table
>> [1] http://src.chromium.org/viewvc/chrome/trunk/src/net/http/transport_security_state_static.json (And Tor, Cryptocat, and Tor2web). (It also preloads HSTS on ~200 domains.)
Re: [wpkops] Cert-pinning, CA-pinning part of trust model: suggestion
On Sep 17, 2013, at 11:17 PM, joel jaeggli wrote:

> On 9/16/13 5:23 PM, Tom Ritter wrote:
>> On 16 September 2013 17:10, Bruce Morton wrote:
>>> Sounds reasonable. One question is that since it is not widely used, does it meet the 0.1 percent of connections criteria? I don't know how we measure that.
>>
>> Chrome's between 16-46% of the market[0] and pins Google and Twitter[1]. Between Google and Twitter, I'd say it probably hits 0.1%...
>
> is this behavior consistent with what mozilla was doing/did?
>
> https://bugzilla.mozilla.org/show_bug.cgi?id=744204
>
> https://wiki.mozilla.org/Security/Features/CA_pinning_functionality

Not quite. What Chrome currently has is a static list of pins (gets updated when Chrome gets updated). What Mozilla is implementing is a dynamic list of pins updated by visiting the site, as specified in http://tools.ietf.org/html/draft-ietf-websec-key-pinning. I don't think either Google or Twitter emit the HPKP headers (yet).

Yoav
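To make the static-versus-dynamic distinction in the message above and Ryan's note concrete, here is an added Python sketch of a client-side pin store (not code from Chrome, Mozilla or the draft): preloaded pins beside pins learned from a Public-Key-Pins header, and the chain check that refuses a CA-valid chain that matches no pin. The SPKI byte strings, hostnames and the rule that live dynamic pins override preloaded ones are assumptions of the example.

```python
import base64, hashlib, re

# Constructed stand-ins for DER SubjectPublicKeyInfo blobs; a real client hashes the real DER.
LEAF_SPKI = b"constructed-leaf-spki"
INTERMEDIATE_SPKI = b"constructed-intermediate-ca-spki"

def spki_pin(spki_der: bytes) -> str:
    """A pin-sha256 value is base64(SHA-256(SubjectPublicKeyInfo))."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")

def parse_pkp_header(value: str):
    """Split a Public-Key-Pins header into (set of pin-sha256 values, max-age seconds)."""
    pins, max_age = set(), None
    for directive in value.split(";"):
        directive = directive.strip()
        if m := re.fullmatch(r'pin-sha256="([A-Za-z0-9+/]+=*)"', directive):
            pins.add(m.group(1))
        elif m := re.fullmatch(r"max-age=(\d+)", directive, re.IGNORECASE):
            max_age = int(m.group(1))
    return pins, max_age

class PinStore:
    """Static pins ship with the client; dynamic pins are learned from visited hosts."""

    def __init__(self, preloaded):
        self.static = {host: set(pins) for host, pins in preloaded.items()}
        self.dynamic = {}  # host -> (pins, expiry); assumed to override static pins while live

    def note_header(self, host, header, chain_spkis, now) -> bool:
        """Remember pins only from a chain that already passed CA validation and matches them."""
        pins, max_age = parse_pkp_header(header)
        chain = {spki_pin(s) for s in chain_spkis}
        # Refuse: no pins, no lifetime, header contradicts the chain, or no backup pin.
        if not pins or max_age is None or not (pins & chain) or not (pins - chain):
            return False
        if max_age == 0:
            self.dynamic.pop(host, None)  # the site asks clients to forget its pins
        else:
            self.dynamic[host] = (pins, now + max_age)
        return True

    def pins_for(self, host, now):
        dyn = self.dynamic.get(host)
        return dyn[0] if dyn and dyn[1] > now else self.static.get(host, set())

    def chain_allowed(self, host, chain_spkis, now) -> bool:
        """Pinned host: some SPKI in the validated chain must match a pin; unpinned: CA trust."""
        pins = self.pins_for(host, now)
        return not pins or any(spki_pin(s) in pins for s in chain_spkis)
```

The check runs after ordinary chain validation, so a chain issued by a CA that is trusted by the store but absent from the host's pins is still refused.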
Re: [wpkops] Cert-pinning, CA-pinning part of trust model: suggestion
On 9/16/13 5:23 PM, Tom Ritter wrote:
> On 16 September 2013 17:10, Bruce Morton wrote:
>> Sounds reasonable. One question is that since it is not widely used, does it meet the 0.1 percent of connections criteria? I don't know how we measure that.
>
> Chrome's between 16-46% of the market[0] and pins Google and Twitter[1]. Between Google and Twitter, I'd say it probably hits 0.1%...

is this behavior consistent with what mozilla was doing/did?

https://bugzilla.mozilla.org/show_bug.cgi?id=744204

https://wiki.mozilla.org/Security/Features/CA_pinning_functionality

> -tom
>
> [0] https://en.wikipedia.org/wiki/Usage_share_of_web_browsers#Summary_table
> [1] http://src.chromium.org/viewvc/chrome/trunk/src/net/http/transport_security_state_static.json (And Tor, Cryptocat, and Tor2web). (It also preloads HSTS on ~200 domains.)
Re: [wpkops] Cert-pinning, CA-pinning part of trust model: suggestion
On 16 September 2013 17:10, Bruce Morton wrote:
> Sounds reasonable. One question is that since it is not widely used, does it meet the 0.1 percent of connections criteria? I don't know how we measure that.

Chrome's between 16-46% of the market[0] and pins Google and Twitter[1]. Between Google and Twitter, I'd say it probably hits 0.1%...

-tom

[0] https://en.wikipedia.org/wiki/Usage_share_of_web_browsers#Summary_table
[1] http://src.chromium.org/viewvc/chrome/trunk/src/net/http/transport_security_state_static.json (And Tor, Cryptocat, and Tor2web). (It also preloads HSTS on ~200 domains.)
Re: [wpkops] Cert-pinning, CA-pinning part of trust model: suggestion
Tim,

Sounds reasonable. One question is that since it is not widely used, does it meet the 0.1 percent of connections criteria? I don't know how we measure that.

Bruce.

From: wpkops-boun...@ietf.org [mailto:wpkops-boun...@ietf.org] On Behalf Of Tim Moses
Sent: Friday, September 13, 2013 4:28 PM
To: wpkops@ietf.org
Subject: [wpkops] Cert-pinning, CA-pinning part of trust model: suggestion

Inigo/Bruce - Should certificate-pinning and CA-pinning be considered a part of the trust model? It was, after all, the way in which the DigiNotar failure was discovered. Just a suggestion.

All the best. Tim.
[wpkops] Cert-pinning, CA-pinning part of trust model: suggestion
Inigo/Bruce - Should certificate-pinning and CA-pinning be considered a part of the trust model? It was, after all, the way in which the DigiNotar failure was discovered. Just a suggestion.

All the best. Tim.