Hi During the meeting in Atlanta I said that saying that that pin validation is disabled when the cert chains to a private trust anchor would not go over well, because it's disabling a security feature in the presence of an attack. I still think so, but I think we can raise less red flags if we just describe what the issue is - that there is a TLS proxy.
I don't have suggested text, at least yet, but here's how I think the issue can be addressed. Keep in mind that we're not writing a design for any particular browser. === On some networks, mostly corporate networks, there are TLS proxies, transparent proxies that sign certificates on behalf of visited web sites as described in [ref]. When a UA gets into such a network, the certificate presented in the TLS handshake will not be consistent with the UA's previously stored pins. It is up to the UA to decide whether such a TLS proxy is acceptable or not. If it is acceptable, then pinning should be disabled, and the UA should not follow the mandates in section 2.4 of this document. Ideally, such proxies, or their associated trust anchors would be specially marked as trusted for this purpose. If the UA does not allow for such a configuration, a heuristic MAY be used to determine what trust anchors are used for a legitimate TLS proxy. One such heuristic, is that all trust anchors that are not part of the stock trust anchor store that comes with the UA or the operating system, but that are in the trust anchor store (implying that they have been added by the user) are acceptable for TLS proxies. === I think this defuses the issue. What do others think? One other suggestion that was brought up in Atlanta, was to have the server specify a policy about private trust anchors in the Public-Key-Pins header, something like: Public-Key-Pins: max-age=500; policy=strict; pin-sha1="4n972HfV354KP560yw4uqe/baXc="; pin-sha1="IvGeLsbqzPxdI0b0wuj2xVTdXgc=" Public-Key-Pins: max-age=31536000; policy=accept_private; pin-sha1="4n972HfV354KP560yw4uqe/baXc="; pin-sha256="LPJNul+wow4m6DsqxbninhsWHlwfp0JecwQzYpOLmCQ=" In case of policy=strict, the UA will not accept any handshake that disagrees with stored pins. This might be preferred by some servers, that are willing to accept not being accessible from all networks for the benefit of preventing MitM attacks. What do others think about this idea? Yoav _______________________________________________ websec mailing list websec@ietf.org https://www.ietf.org/mailman/listinfo/websec