Hi
During the meeting in Atlanta I said that saying that that pin validation is
disabled when the cert chains to a private trust anchor would not go over well,
because it's disabling a security feature in the presence of an attack. I still
think so, but I think we can raise less red flags if we just describe what the
issue is - that there is a TLS proxy.
I don't have suggested text, at least yet, but here's how I think the issue can
be addressed. Keep in mind that we're not writing a design for any particular
browser.
===
On some networks, mostly corporate networks, there are TLS proxies, transparent
proxies that sign certificates on behalf of visited web sites as described in
[ref]. When a UA gets into such a network, the certificate presented in the TLS
handshake will not be consistent with the UA's previously stored pins.
It is up to the UA to decide whether such a TLS proxy is acceptable or not. If
it is acceptable, then pinning should be disabled, and the UA should not follow
the mandates in section 2.4 of this document. Ideally, such proxies, or their
associated trust anchors would be specially marked as trusted for this purpose.
If the UA does not allow for such a configuration, a heuristic MAY be used to
determine what trust anchors are used for a legitimate TLS proxy. One such
heuristic, is that all trust anchors that are not part of the stock trust
anchor store that comes with the UA or the operating system, but that are in
the trust anchor store (implying that they have been added by the user) are
acceptable for TLS proxies.
===
I think this defuses the issue. What do others think?
One other suggestion that was brought up in Atlanta, was to have the server
specify a policy about private trust anchors in the Public-Key-Pins header,
something like:
Public-Key-Pins: max-age=500; policy=strict;
pin-sha1="4n972HfV354KP560yw4uqe/baXc=";
pin-sha1="IvGeLsbqzPxdI0b0wuj2xVTdXgc="
Public-Key-Pins: max-age=31536000; policy=accept_private;
pin-sha1="4n972HfV354KP560yw4uqe/baXc=";
pin-sha256="LPJNul+wow4m6DsqxbninhsWHlwfp0JecwQzYpOLmCQ="
In case of policy=strict, the UA will not accept any handshake that disagrees
with stored pins. This might be preferred by some servers, that are willing to
accept not being accessible from all networks for the benefit of preventing
MitM attacks. What do others think about this idea?
Yoav
_______________________________________________
websec mailing list
websec@ietf.org
https://www.ietf.org/mailman/listinfo/websec
