I think that all this pinning stuff works a lot better if there is a mechanism that allows a return to ground truth.
Since we are developing an Internet protocol, the mechanism for ground truth should be DNS in my opinion. It may be impractical to require DNSSEC secured responses in every case. There are Denial of Communication issues (DoC) and there are real performance concerns. If however we are dealing with a case where an exception has occurred, it seems reasonable to me for the response to be to attempt to pull DNSSEC records via whatever guerilla mechanisms we end up deploying to bypass censorship. In other words, use pinning via HTTP header to provide pinning with minimal performance impact but solve the tricky max age issues by relying on the DNS and DNSSEC to provide ground truth when a policy violation is detected.

On Tue, Sep 13, 2011 at 5:24 PM, <[email protected]> wrote:

> On 13 Sep 2011, at 21:35, Chris Palmer wrote:
>
> <snip>
> sites; small sites may have to choose no pinning or potentially
> bricking their site (up to the maxAge window). This is not worse than
> the status quo."""
>
> What about sites which don't currently use https at all? The DNS records
> for theregister.co.uk were redirected the other week. An attacker who
> could do that could redirect to https, then set a very long max-age pin. At
> that point, they'd be dependent on the browser vendor unpinning affected
> users, right?
> David
>
> _______________________________________________
> websec mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/websec

--
Website: http://hallambaker.com/
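The fallback proposed in the message above, sketched as an added example that is not part of the original post or of any websec draft: pins are checked locally on the fast path, and the DNSSEC lookup happens only when a pin violation is detected. The `ground_truth` callable, the outcome names, the fail-closed choice and the sample host and key hashes are assumptions made for illustration.

```python
import time
from dataclasses import dataclass


@dataclass
class Pin:
    key_hash: str      # hash of the pinned public key (constructed sample value)
    expires_at: float  # absolute expiry derived from the header's max-age


def evaluate(host, presented, pins, ground_truth, now=None):
    """Return 'accept', 'accept-unpinned' or 'reject' for one connection.

    ground_truth(host) is a hypothetical callable standing in for a
    DNSSEC-validated lookup. It returns the set of key hashes the zone
    publishes, or None when no validated answer could be obtained.
    """
    now = time.time() if now is None else now
    pin = pins.get(host)
    if pin is None or pin.expires_at <= now:
        pins.pop(host, None)   # drop an expired pin
        return "accept"        # fast path: no live pin, no DNSSEC fetch
    if presented == pin.key_hash:
        return "accept"        # fast path: pin satisfied, no DNSSEC fetch
    # Policy violation: only now pay the cost of the ground-truth lookup.
    published = ground_truth(host)
    if published is None:
        return "reject"        # assumption: fail closed without ground truth
    if presented in published:
        # The signed zone vouches for the presented key, so the stored pin is
        # stale or was planted (the long max-age case raised in the quoted
        # reply). Discard it instead of waiting for max-age to run out.
        del pins[host]
        return "accept-unpinned"
    return "reject"            # neither the pin nor the zone vouches for the key


if __name__ == "__main__":
    now = 1_000_000.0
    ten_years = 10 * 365 * 86400
    # Constructed scenario: a hostile pin with a very long max-age is stored,
    # while the signed zone publishes the site's real key.
    pins = {"example.test": Pin("attacker-key", now + ten_years)}
    zone = {"example.test": {"site-key"}}
    print(evaluate("example.test", "site-key", pins, zone.get, now))
    print(pins)
```
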
