[ https://issues.apache.org/jira/browse/TS-3216?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14364576#comment-14364576 ]

Masaori Koshiba edited comment on TS-3216 at 3/17/15 6:08 AM:
--------------------------------------------------------------

[[email protected]], thanks for the review.

I agree that I should avoid making {{ssl_multicert.config}} more complex.

{quote}
It assumes that there is only 1 backup pin, the backup pin is contained in a 
CSR, and that the CSR is available to ATS. All of these assumptions seem shaky 
to me.
{quote}
Do you mean even if there are 2 cert settings in {{ssl_multicert.config}}, only 
one backup pin is enough?

At first I thought about adding the HPKP setting in {{records.config}}, like HSTS.
But, AFAIU, when we have 2 certs, each cert needs a different CSR to generate 
its backup pin.
Because when the current cert expires, the current pin and the backup pin are 
cached in the browser,
so we have to generate the new cert from the CSR which was used to generate the backup pin.
This is why I added the HPKP settings in {{ssl_multicert.config}}.



was (Author: masaori):
[[email protected]], thanks for the review.

I agree that I should avoid making {{ssl_multicert.config}} more complex.

> It assumes that there is only 1 backup pin, the backup pin is contained in a 
> CSR, and that the CSR is available to ATS. All of these assumptions seem shaky 
> to me.
Do you mean even if there are 2 cert settings in {{ssl_multicert.config}}, only 
one backup pin is enough?

At first I thought about adding the HPKP setting in {{records.config}}, like HSTS.
But, AFAIU, when we have 2 certs, each cert needs a different CSR to generate 
its backup pin.
Because when the current cert expires, the current pin and the backup pin are 
cached in the browser,
so we have to generate the new cert from the CSR which was used to generate the backup pin.
This is why I added the HPKP settings in {{ssl_multicert.config}}.


> Add HPKP (Public Key Pinning Extension for HTTP) support
> --------------------------------------------------------
>
>                 Key: TS-3216
>                 URL: https://issues.apache.org/jira/browse/TS-3216
>             Project: Traffic Server
>          Issue Type: New Feature
>          Components: SSL
>            Reporter: Masaori Koshiba
>            Assignee: James Peach
>              Labels: review
>             Fix For: 6.0.0
>
>         Attachments: hpkp-001.patch, hpkp-002.patch
>
>
> Add "Public Key Pinning Extension for HTTP" Support in Traffic Server.
> Public Key Pinning Extension for HTTP (draft-ietf-websec-key-pinning-21)
> - https://tools.ietf.org/html/draft-ietf-websec-key-pinning-21



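The dependency discussed in this thread, as an added example (not part of the original message and not Traffic Server code): an HPKP pin is the base64 SHA-256 of a key's DER SubjectPublicKeyInfo, so a backup pin taken from a CSR stays valid only if the replacement certificate is issued for that CSR's key. The helper names and the sample DER are constructed for illustration; the key and signature bytes are placeholders, not real keys.

```python
import base64
import hashlib

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) for the DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                        # long form: low 7 bits count the length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, pos, pos + length

def spki_from_csr(der):
    """Return the DER SubjectPublicKeyInfo bytes inside a PKCS#10 CSR."""
    _, pos, _ = read_tlv(der, 0)             # CertificationRequest
    _, pos, _ = read_tlv(der, pos)           # CertificationRequestInfo
    for _field in ("version", "subject"):    # skip the two fields before the key
        _, _, pos = read_tlv(der, pos)
    tag, _, end = read_tlv(der, pos)         # subjectPKInfo
    if tag != 0x30:
        raise ValueError("subjectPKInfo is not a SEQUENCE")
    return der[pos:end]

def pin_sha256(spki):                        # pin = base64(SHA-256(DER SPKI))
    return base64.b64encode(hashlib.sha256(spki).digest()).decode()

def hpkp_value(current_spki, backup_csrs, max_age):
    # Header value: pin for the live key plus one backup pin per CSR.
    pins = [pin_sha256(current_spki)] + [pin_sha256(spki_from_csr(c)) for c in backup_csrs]
    if len(set(pins)) < 2:
        raise ValueError("no backup pin distinct from the current key")
    return "; ".join(['pin-sha256="%s"' % p for p in pins] + ["max-age=%d" % max_age])

# Constructed sample data below: minimal DER encoder, placeholder EC points.
def tlv(tag, value):
    n = len(value)
    size = bytes([n]) if n < 0x80 else bytes([0x81, n])   # sample stays under 256 bytes
    return bytes([tag]) + size + value
def sample_spki(point):                      # id-ecPublicKey + prime256v1 OIDs
    alg = tlv(0x30, tlv(0x06, bytes.fromhex("2a8648ce3d0201")) + tlv(0x06, bytes.fromhex("2a8648ce3d030107")))
    return tlv(0x30, alg + tlv(0x03, b"\x00" + point))
def sample_csr(spki):                        # CN=example.test, dummy signature bits
    name = tlv(0x30, tlv(0x31, tlv(0x30, tlv(0x06, bytes.fromhex("550403")) + tlv(0x0C, b"example.test"))))
    info = tlv(0x30, tlv(0x02, b"\x00") + name + spki + tlv(0xA0, b""))
    return tlv(0x30, info + tlv(0x30, tlv(0x06, bytes.fromhex("2a8648ce3d040302"))) + tlv(0x03, b"\x00" * 9))

CURRENT_SPKI = sample_spki(b"\x04" + b"\x11" * 64)
BACKUP_SPKI = sample_spki(b"\x04" + b"\x22" * 64)
BACKUP_CSR = sample_csr(BACKUP_SPKI)
```

With two certificate entries, each one needs its own call with its own current key and backup CSR, because the pins are per key.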