Re: [websec] Certificate Pinning via HSTS

2011-09-12 Thread Yoav Nir
On Sep 13, 2011, at 3:54 AM, Richard L. Barnes wrote: > Hey Chris & Chris, > > This seems like a useful near-term approach, but also probably something that > might want to migrate to DANE over time. > > Is there any particular reason you're using key fingerprints instead of cert > fingerprin

Re: [websec] Certificate Pinning via HSTS

2011-09-12 Thread Marsh Ray
On 09/12/2011 04:56 PM, Chris Palmer wrote: Hi all, Chris Evans and I work at Google on the Chrome security team. We have devised this specification for a new extension to Strict Transport Security to allow site operators to "pin" certificates: UAs will require that TLS connections be validated

Re: [websec] Certificate Pinning via HSTS

2011-09-12 Thread Richard L. Barnes
> > Is there any particular reason you're using key fingerprints instead of cert > > fingerprints? It seems like the latter might be slightly easier to > > implement, since you don't have to parse the cert. > > I assume it's because the certificates public keys are embedded within, in > practice

Re: [websec] Certificate Pinning via HSTS

2011-09-12 Thread =JeffH
rbar...@bbn.com said: > > This seems like a useful near-term approach, but also probably something that > might want to migrate to DANE over time. sure, tho it's going to take a while (eg before browsers hard-fail on assurances sourced via Secure DNS). See.. [dane] A browser's myopic view http

Re: [websec] Certificate Pinning via HSTS

2011-09-12 Thread SM
Hi Chris, At 14:56 12-09-2011, Chris Palmer wrote: Chris Evans and I work at Google on the Chrome security team. We have devised this specification for a new extension to Strict Transport [snip] We eagerly anticipate your comments, questions, concerns, et c. As you Would it be possible for

Re: [websec] Certificate Pinning via HSTS

2011-09-12 Thread Richard L. Barnes
Hey Chris & Chris, This seems like a useful near-term approach, but also probably something that might want to migrate to DANE over time. Is there any particular reason you're using key fingerprints instead of cert fingerprints? It seems like the latter might be slightly easier to implement,

Re: [websec] Certificate Pinning via HSTS (.txt version)

2011-09-12 Thread =JeffH
> Chris Evans and I work at Google on the Chrome security team. We have > devised this specification for a new extension to Strict Transport > Security to allow site operators to "pin" certificates: UAs will > require that TLS connections be validated with at least one of the > public keys identif