Hi, all

I know this is late days and all, but something on the httpbis list got me to 
thinking about this.

Section 2.1.4 defines the "strict" directive. When present, it means that "the 
UA ... should apply to the Pinned Host the Pinning Policy expressed in the PKP 
header ... ignoring local client policy."

While the text does not say what this local policy might be, the reason for 
having this was the policy to allow locally-issued certificates to be used for 
pretty much anything. This policy accommodates TLS proxies. So if a 
security-minded bank would like to avoid interception even at the cost of being 
inaccessible from many places of business, they can use the "strict" directive. 

Now consider two devices. One is a mobile platform, which could be a phone or a 
laptop, that the user carries around from home to work. The other is a desktop 
computer that is always at work. The laptop will at some point be used at home 
to access the bank. The PKP gets noted, and from that point on, the user will 
not be able to access the bank from work. 

The desktop computer cannot note the PKP, and will always be able to connect to 
the bank. Section 2.5 says this:
   o  The UA MUST note the Pins if and only if the TLS connection was
      authenticated with a certificate chain containing at least one of
      the SPKI structures indicated by at least one of the given SPKI
      Fingerprints.

This rule is a safety rule, to avoid being injected with bogus PKPs, mostly 
through misconfiguration of the server. There are other requirements (that TLS 
be error-free) that make sure it is not done by an attacker (at least, not a 
non-trusted attacker). 

I'm wondering if we should remove this requirement from section 2.5 when the 
"strict" directive is present. IOW, should we allow noting of PKPs with the 
"strict" directive as long as the TLS connection is valid? I can see how this 
would make it easy for a TLS proxy to brick the browser, but I'm wondering what 
others think of the trade-off.

Yoav

_______________________________________________
websec mailing list
websec@ietf.org
https://www.ietf.org/mailman/listinfo/websec
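To make the two rules under discussion concrete (the section 2.5 noting rule and the post's proposed variant for "strict"), here is an added illustration in Python; it is not code from the draft or from the post. It assumes the header name Public-Key-Pins with pin-sha256, max-age and strict directives; the SPKI byte strings are constructed stand-ins, not real DER, and the laptop/desktop scenarios from the post are played out in the usage below.

```python
import base64
import hashlib
from dataclasses import dataclass

BANK_SPKI = b"constructed-spki:bank-leaf-key"           # constructed stand-in for a DER SPKI
PROXY_SPKI = b"constructed-spki:corporate-tls-proxy-key" # constructed stand-in for a DER SPKI

def spki_fingerprint(spki_der: bytes) -> bytes:
    """SPKI Fingerprint: SHA-256 over the DER-encoded SubjectPublicKeyInfo."""
    return hashlib.sha256(spki_der).digest()

def pin_directive(spki_der: bytes) -> str:
    """Server side: the pin-sha256 directive advertising one SPKI."""
    return 'pin-sha256="%s"' % base64.b64encode(spki_fingerprint(spki_der)).decode()

@dataclass(frozen=True)
class PinningPolicy:
    pins: frozenset      # SPKI Fingerprint digests taken from the header
    max_age: int
    strict: bool

def parse_pkp_header(value: str) -> PinningPolicy:
    """Parse a Public-Key-Pins header value (pin-sha256, max-age, strict)."""
    pins, max_age, strict = set(), 0, False
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        name, arg = name.lower(), arg.strip().strip('"')
        if name == "pin-sha256":
            pins.add(base64.b64decode(arg))
        elif name == "max-age":
            max_age = int(arg)
        elif name == "strict":
            strict = True
    return PinningPolicy(frozenset(pins), max_age, strict)

def chain_matches(policy: PinningPolicy, chain_spkis) -> bool:
    return any(spki_fingerprint(s) in policy.pins for s in chain_spkis)

def should_note_pins(policy, chain_spkis, tls_valid, note_unmatched_when_strict=False):
    """Section 2.5 rule: note iff TLS was error-free AND the chain contains a pinned
    SPKI. The post's variant: under 'strict', also note when no pin matches."""
    if not tls_valid:
        return False
    return chain_matches(policy, chain_spkis) or (note_unmatched_when_strict and policy.strict)

def connection_allowed(policy, chain_spkis, chain_is_locally_issued) -> bool:
    """Enforcement after noting: a pinned chain passes; a chain trusted only by local
    policy (a TLS proxy's CA) passes unless the policy is 'strict'."""
    return chain_matches(policy, chain_spkis) or (chain_is_locally_issued and not policy.strict)
```

Running the two scenarios: the laptop notes the bank's pins at home and is then refused through the work proxy under "strict"; the always-at-work desktop never notes pins under the 2.5 rule, but would under the proposed variant, after which its own proxied connections are blocked.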
