Re: [websec] Comments on draft-ietf-websec-key-pinning-06

CAA does not require a central registry. But it does require CAs to decide what DNS name(s) they are going to use. For key pinning to work the Web Browsers are going to have to track the correspondence of name to roots in any case. So it basically becomes a consistency thing. If it makes sense to

Re: [websec] Comments on draft-ietf-websec-key-pinning-06

On Fri, Jun 28, 2013 at 8:00 AM, Phillip Hallam-Baker wrote: > CAA faced the problem of identifying a CA. > > During the evolution of the draft we went through pretty much every scheme > mentioned in this thread. In the end we decided to go with a domain name > that is asserted for that purpose by

Re: [websec] Comments on draft-ietf-websec-key-pinning-06

CAA faced the problem of identifying a CA. During the evolution of the draft we went through pretty much every scheme mentioned in this thread. In the end we decided to go with a domain name that is asserted for that purpose by the CA. So symantec.com / comodo.com / etc. At this point the main r

Re: [websec] Comments on draft-ietf-websec-key-pinning-06

On 26/06/13 08:13, Trevor Perrin wrote: > > On Mon, Jun 24, 2013 at 2:29 PM, Chris Palmer > wrote: > > If you haven't already, I'd urge everyone to take pcaps of a web > session to their bank or to their web mail provider or whatever. I > think you'll quickl

Re: [websec] Comments on draft-ietf-websec-key-pinning-06

On Mon, Jun 24, 2013 at 2:29 PM, Chris Palmer wrote: > If you haven't already, I'd urge everyone to take pcaps of a web > session to their bank or to their web mail provider or whatever. I > think you'll quickly see that even a large HPKP header, say 500 bytes, > is not going to be the thing that

Re: [websec] Comments on draft-ietf-websec-key-pinning-06

On Mon, Jun 24, 2013 at 6:30 PM, Tobias Gondrom wrote: > On 25/06/13 05:06, Trevor Perrin wrote: > > > On Mon, Jun 24, 2013 at 12:01 AM, Tobias Gondrom < > tobias.gond...@gondrom.org> wrote: > >> >> On 24/06/13 09:13, Trevor Perrin wrote: >> >> Depends on the number of pinned keys. Chrome's e

Re: [websec] Comments on draft-ietf-websec-key-pinning-06

On 25/06/13 05:06, Trevor Perrin wrote: > > On Mon, Jun 24, 2013 at 12:01 AM, Tobias Gondrom > mailto:tobias.gond...@gondrom.org>> wrote: > > > On 24/06/13 09:13, Trevor Perrin wrote: >> Depends on the number of pinned keys. Chrome's existing preloads >> [1] have 9, 5, 19, 36, 2, and 2

Re: [websec] Comments on draft-ietf-websec-key-pinning-06

On Mon, Jun 24, 2013 at 12:01 AM, Tobias Gondrom wrote: > > On 24/06/13 09:13, Trevor Perrin wrote: > > Depends on the number of pinned keys. Chrome's existing preloads [1] > have 9, 5, 19, 36, 2, and 2 keys. That's a mean of 12, which would be >500 > bytes with SHA256. > > IMHO the expected s

Re: [websec] Comments on draft-ietf-websec-key-pinning-06

Hi all, comments inline. Best regards, Tobias On 24/06/13 09:13, Trevor Perrin wrote: > > On Sun, Jun 23, 2013 at 12:25 AM, Yoav Nir > wrote: > > Hi David > > As far as I know, this idea was not discussed before. If we were > to do this, the proper URI f

Re: [websec] Comments on draft-ietf-websec-key-pinning-06

On Sun, Jun 23, 2013 at 12:25 AM, Yoav Nir wrote: > Hi David > > As far as I know, this idea was not discussed before. If we were to do > this, the proper URI for this would be some kind of RFC 5785 URI like > "/.well-known/pins" or "/.well-known/hpkp". > > Looking at the examples in the key-p

Re: [websec] Comments on draft-ietf-websec-key-pinning-06

Hi David As far as I know, this idea was not discussed before. If we were to do this, the proper URI for this would be some kind of RFC 5785 URI like "/.well-known/pins" or "/.well-known/hpkp". Looking at the examples in the key-pinning draft, an HPKP header using SHA-1 takes just under 120 by

[websec] Comments on draft-ietf-websec-key-pinning-06

I sent the mail below to the draft-ietf-websec-key-pinning-06 authors, and Chris Palmer suggested I raise the points on this mailing list. He also mentioned a previous discussion (which I haven't been able to locate) around a well-known host security information URL; if there's a good place to g