Phillip,

On Feb 12, 2016, at 7:51 AM, Phillip Hallam-Baker <[email protected]> wrote:

> HTTP key pinning does provide some security but it is in band to HTTP which means it can only provide security after first use and there is a big potential for 'shooting yourself in the foot'.

A couple of weeks ago I was having this kind of discussion with someone about how cert pinning was Trust-On-First-Use and how DNSSEC/DANE could be used *with* cert pinning to get around the TOFU problem. My suggestion was that the app in question could also do a lookup on the DANE TLSA record and compare that with what they were getting for the cert to pin, but...

> The DNS based answer to those problems that is deployable is to take the HTTP key pinning record that they have already defined and support in the browser code and publish that exact text string as a DNS Resource Record.

... that is certainly another answer and perhaps much simpler and easier. Put the exact RFC 7469 HPKP header ( https://tools.ietf.org/html/rfc7469 ) in DNS as a resource record and then sign that with DNSSEC.

Has anyone ever taken a look at whether that (putting the HPKP header into DNS) would be something reasonable to do?

Given that this would not be with the TLSA record, I realize this work might be outside of the scope of the *current* charter of the DANE WG ( https://datatracker.ietf.org/wg/dane/charter/ ), although it does say "The DANE WG will specify how to incorporate DANE and DANE-like functionality into protocols." But if this is something worth pursuing it could be something done here (with a recharter) or something done in another WG (or a new short-term WG could be spun up).

Anyway... an interesting idea, Phillip!

Dan

--
Dan York
Senior Content Strategist, Internet Society
[email protected] +1-802-735-1624
Jabber: [email protected]
Skype: danyork
http://twitter.com/danyork
http://www.internetsociety.org/
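The two ideas in the exchange above, as an added illustration that is not part of the thread and not code from either participant: an RFC 7469 Public-Key-Pins value parsed and split into the 255-byte character-strings a DNS TXT RDATA would carry, and the check Dan describes, where a pin for a server key is only accepted when the key's SPKI digest appears both in the HPKP policy and in a DANE TLSA record. The SPKI byte strings, the `example.com` names, the `_hpkp._tcp` label and the TLSA record are constructed sample data; DNSSEC validation of the records is assumed to have happened already and is not implemented here.

```python
import base64
import hashlib
import hmac

# Constructed stand-in for a DER-encoded SubjectPublicKeyInfo. It is not a real
# key; only its SHA-256 digest matters to the checks below.
SAMPLE_SPKI_DER = bytes.fromhex("3059301306072a8648ce3d020106082a8648ce3d030107034200") + bytes(65)
# Second constructed blob standing in for the SPKI of an offline backup key.
BACKUP_SPKI_DER = b"constructed-backup-spki"


def spki_sha256(spki_der: bytes) -> bytes:
    """SHA-256 over the DER SPKI: the digest an HPKP pin-sha256 (base64) and a
    TLSA record with selector 1 / matching type 1 (hex) are both built from."""
    return hashlib.sha256(spki_der).digest()


def pin_sha256(spki_der: bytes) -> str:
    return base64.b64encode(spki_sha256(spki_der)).decode("ascii")


def build_hpkp_header(spki_ders, max_age: int, include_subdomains: bool = False) -> str:
    """Assemble an RFC 7469 Public-Key-Pins field value. max-age is required by
    the RFC, and one of the pins should be a backup key absent from the chain."""
    parts = ['pin-sha256="%s"' % pin_sha256(d) for d in spki_ders]
    parts.append("max-age=%d" % max_age)
    if include_subdomains:
        parts.append("includeSubDomains")
    return "; ".join(parts)


def parse_hpkp_header(value: str) -> dict:
    """Parse the directives of a Public-Key-Pins value; rejects a value without max-age."""
    policy = {"pins": [], "max_age": None, "include_subdomains": False}
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        name, arg = name.strip().lower(), arg.strip().strip('"')
        if name == "pin-sha256":
            policy["pins"].append(arg)
        elif name == "max-age":
            policy["max_age"] = int(arg)
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
    if policy["max_age"] is None:
        raise ValueError("max-age directive missing; RFC 7469 requires it")
    return policy


def txt_character_strings(value: str):
    """Split a header value into the <=255-byte character-strings TXT RDATA carries."""
    data = value.encode("ascii")
    return [data[i:i + 255].decode("ascii") for i in range(0, len(data), 255)]


def parse_tlsa_rr(rr_text: str):
    """Parse presentation-format TLSA RDATA: usage, selector, matching type, data."""
    usage, selector, mtype, data = rr_text.split()[-4:]
    return int(usage), int(selector), int(mtype), bytes.fromhex(data)


def spki_matches_tlsa(spki_der: bytes, tlsa) -> bool:
    usage, selector, mtype, data = tlsa
    if selector != 1 or mtype != 1:
        raise ValueError("only selector 1 (SPKI) with matching type 1 (SHA-256) is handled here")
    return hmac.compare_digest(spki_sha256(spki_der), data)


def pin_corroborated_by_dane(spki_der: bytes, hpkp_value: str, tlsa_rrs) -> bool:
    """Accept a pin for this SPKI only when it is listed in the HPKP policy AND
    matches a TLSA record (assumed DNSSEC-validated), so first use is not taken
    on trust alone."""
    policy = parse_hpkp_header(hpkp_value)
    in_hpkp = pin_sha256(spki_der) in policy["pins"]
    in_dane = any(spki_matches_tlsa(spki_der, parse_tlsa_rr(rr)) for rr in tlsa_rrs)
    return in_hpkp and in_dane


# Constructed sample records derived from the stand-in SPKIs above.
SAMPLE_HPKP_VALUE = build_hpkp_header([SAMPLE_SPKI_DER, BACKUP_SPKI_DER], 5184000, True)
SAMPLE_TLSA_RR = "_443._tcp.example.com. IN TLSA 3 1 1 " + spki_sha256(SAMPLE_SPKI_DER).hex()
HYPOTHETICAL_TXT_NAME = "_hpkp._tcp.example.com."  # hypothetical owner name, not a defined label

if __name__ == "__main__":
    for s in txt_character_strings(SAMPLE_HPKP_VALUE):
        print('%s IN TXT "%s"' % (HYPOTHETICAL_TXT_NAME, s))
    print(SAMPLE_TLSA_RR)
    print(pin_corroborated_by_dane(SAMPLE_SPKI_DER, SAMPLE_HPKP_VALUE, [SAMPLE_TLSA_RR]))
```

A real deployment would take the SPKI from the leaf certificate presented in the TLS handshake, and the backup pin must fail the DANE check precisely because the backup key is not the one in service; the last assertion of that property is what keeps the pin set honest.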
_______________________________________________ dane mailing list [email protected] https://www.ietf.org/mailman/listinfo/dane
