> > I thought he'd only believe pins on the href he's about
> > to follow when those had just been delivered direct from
> > one of a browser-chosen list of sources that are
> > explicitly trusted (by the browser, not Brian) for this.
>

This is not correct. S-links can come from any site, not just pre-trusted
sites, and the browser will honor them if the user clicks them. Once Brian
gets to the JPF site, they can link him to the People's Front of Judea
website via s-link and do a secure introduction. The general idea behind
HPKP is that the browser is caching pins for sites the user has been to
recently. S-links enable any of these sites to securely introduce the user to
new sites. This came up earlier with the question "what if I use a fringe
search engine that isn't pre-loaded?" You need to securely get to your
chosen search engine at some point, and then you're okay.

One way to think about s-links is as a mechanism to opportunistically reduce
the number of untrusted initial connections.

You might ask, why should the browser trust an s-link if it's from a dodgy
site? This doesn't actually lead to any new attacks though, because s-links
can only make security policy stricter. A bad site has no incentive to
serve bad s-links; they could just serve regular links or links to
different domains.


> I guess there could be some policy setting that allows
> Brian to decide if he trusts the page to transit trust
> for him or just to update the pin db for that URL.
>

No such policy since no origin can update the persistent pin DB for another
origin. And as mentioned above, any site can tighten the security via
s-links for a connection caused by its own links only.


> I must say I am attracted to the notion as such because
> it affords a way to tie trust with branding (which is what
> social trust is mostly about anyway).


Yes, I think this is a major selling point.


> > But I guess it might be that if he searched for "front
> > for the liberation of..." on Thursday and then on Friday
> > typed in the JPF URL that could work if the browser has
> > kept the info. ('course those paranoid JPF guys might
> > change their key late on Thursday which'd be bad) so
> > maybe not.
>

The assumption is that the correct JPF website delivers persistent key
pins, so Brian can go direct to their site Friday after a secure
introduction on Thursday. If he goes via s-link on Thursday and doesn't get
any persistent key pins, the s-link won't affect his direct visit on
Friday, but this is by design. If the site isn't declaring key pins, it
means they're reserving the right to change their mind Thursday night. If
they are setting their own pins, they shouldn't change Thursday night or
else they'll be bricking some users, independently of s-links.

Joe
_______________________________________________
therightkey mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/therightkey
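As an added illustration (not code from this thread or from any s-link or HPKP specification), here is a small Python model of the pinning rules Joe describes: s-link pins apply to the one connection they introduce and can only narrow the accepted key set, while the persistent pin DB is written only by an origin for itself. Origin names, pin strings and the s-link representation (a set of pins attached to a link) are constructed assumptions.

```python
"""Model of the s-link / persistent-pin interaction argued in the thread.

Pins are opaque strings standing in for SPKI hashes (constructed values).
Two sources of pins are modelled:
  * persistent: the browser's HPKP-style pin DB, keyed by origin; an origin
    can only ever write its own entry;
  * s-link pins: carried on the link being followed, used for that single
    connection and never written to the persistent DB.
"""


class Browser:
    def __init__(self):
        self.persistent = {}  # origin -> set of pins that origin declared for itself

    def receive_self_pins(self, origin, pins):
        """Pins delivered by `origin` over a validated connection are stored
        only under `origin`; nothing here lets another origin write this entry."""
        self.persistent[origin] = set(pins)

    def effective_pins(self, dest, slink_pins=None):
        """Pin set enforced for one connection to `dest`.
        Returns None when no pins apply (ordinary CA-only trust)."""
        stored = self.persistent.get(dest)
        if slink_pins is None:
            return None if stored is None else set(stored)
        if stored is None:
            return set(slink_pins)          # s-link introduces pins where none existed
        return stored & set(slink_pins)     # s-link can only narrow, never widen

    def connect(self, dest, presented_pins, slink_pins=None):
        """True if a certificate chain presenting `presented_pins` is accepted.
        An empty effective set (s-link disagrees with stored pins) fails closed."""
        required = self.effective_pins(dest, slink_pins)
        if required is None:
            return True                     # untrusted initial connection
        return bool(required & set(presented_pins))


if __name__ == "__main__":
    b = Browser()
    b.receive_self_pins("jpf.example", {"jpf-key-1", "jpf-key-2"})
    # JPF's page introduces Brian to the PFJ via an s-link carrying PFJ's pin
    assert b.connect("pfj.example", {"pfj-key"}, slink_pins={"pfj-key"})
    assert not b.connect("pfj.example", {"bogus-key"}, slink_pins={"pfj-key"})
    # Following the s-link wrote nothing persistent for pfj.example,
    # so Friday's direct visit is back to CA-only trust (by design)
    assert "pfj.example" not in b.persistent
    assert b.connect("pfj.example", {"whatever-key"})
    # A dodgy s-link cannot loosen pins JPF declared for itself
    assert not b.connect("jpf.example", {"bogus-key"}, slink_pins={"bogus-key"})
```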