I asked this before back in December but got no takers. Now that our naming things I-D is in IETF LC, I thought I'd ask again, just in case, and then shut up:-)
draft-farrell-decade-ni-07 [1] defines ways to name things with hashes that could be used here. I don't see a mega-benefit, but perhaps some small ones, e.g. not having to define IANA processes for algorithm agility for this draft (needed, but not yet defined). It also seems odd to be defining loads of ways to hash public keys with trivial differences.

If you did choose to adopt our thing then instead of:

   pin-sha1="4n972HfV354KP560yw4uqe/baXc=";

you'd perhaps use:

   pin="ni:///sha-256;UyaQV-Ev4rdLoHyJJWCi11OHfrYv9E1aGQAlMO2X_-Q";

There'd maybe be a few other tweaks, e.g. we use base64url (but also over the SPKI). Not sure what else.

So: any interest in that? If there is but it'd need changes to [1] then we're open to chatting about that. (And happy to get any other comments on our draft as well of course.)

Cheers,
S.

[1] http://tools.ietf.org/html/draft-farrell-decade-ni

On 06/04/2012 07:35 PM, [email protected] wrote:
>
> A New Internet-Draft is available from the on-line Internet-Drafts
> directories. This draft is a work item of the Web Security Working Group of
> the IETF.
>
> Title           : Public Key Pinning Extension for HTTP
> Author(s)       : Chris Evans
>                   Chris Palmer
> Filename        : draft-ietf-websec-key-pinning-02.txt
> Pages           : 17
> Date            : 2012-06-04
>
> This memo describes an extension to the HTTP protocol allowing web
> host operators to instruct user agents (UAs) to remember ("pin") the
> hosts' cryptographic identities for a given period of time. During
> that time, UAs will require that the host present a certificate chain
> including at least one Subject Public Key Info structure whose
> fingerprint matches one or more of the pinned fingerprints for that
> host. By effectively reducing the scope of authorities who can
> authenticate the domain during the lifetime of the pin, pinning may
> reduce the incidence of man-in-the-middle attacks due to compromised
> Certification Authorities and other authentication errors and
> attacks.
>
> A URL for this Internet-Draft is:
> http://www.ietf.org/internet-drafts/draft-ietf-websec-key-pinning-02.txt
>
> Internet-Drafts are also available by anonymous FTP at:
> ftp://ftp.ietf.org/internet-drafts/
>
> This Internet-Draft can be retrieved at:
> ftp://ftp.ietf.org/internet-drafts/draft-ietf-websec-key-pinning-02.txt
>
> The IETF datatracker page for this Internet-Draft is:
> https://datatracker.ietf.org/doc/draft-ietf-websec-key-pinning/
>
> _______________________________________________
> websec mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/websec
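The two notations compared in the message above name the same thing, a digest of the DER-encoded SubjectPublicKeyInfo, and differ only in framing and base64 flavour. The following is an added example, not code from the e-mail, from draft-farrell-decade-ni, or from the key-pinning draft: it renders one SPKI digest as a pin-<alg>="..." directive (standard base64, padded) and as an ni URI (base64url, unpadded), parses either form back, and checks a presented SPKI against it using the algorithm the fingerprint itself names, which is the "algorithm agility" point the message raises. Assumptions: the sample SPKI is a constructed Ed25519-shaped DER blob with made-up key bytes, not a real key; the algorithm name mapping (sha-256 in ni, sha256 in pin-sha256) is handled by stripping the hyphen, and truncated ni suites are deliberately left unsupported.

```python
"""Added example (not from the e-mail or either draft): one SPKI digest in the
two fingerprint notations under discussion, plus a checker that accepts either."""
from __future__ import annotations

import base64
import hashlib
import hmac
import re

# Constructed sample: a DER SubjectPublicKeyInfo laid out like an Ed25519 key
# (SEQUENCE { SEQUENCE { OID 1.3.101.112 }, BIT STRING { 0x00 || 32 bytes } }).
# The 32 key bytes are an arbitrary pattern, NOT a real public key.
SAMPLE_SPKI = (
    b"\x30\x2a\x30\x05\x06\x03\x2b\x65\x70\x03\x21\x00"  # SPKI header + OID
    + bytes(range(32))                                     # fake key bytes
)
# A second, different key with the same header, used to show a mismatch.
OTHER_SPKI = SAMPLE_SPKI[:-32] + bytes(range(32, 64))

# ni:///<alg>;<base64url digest>[?query] with an empty authority, as in the message.
_NI_RE = re.compile(
    r"^ni://(?P<auth>[^/]*)/(?P<alg>[a-z0-9-]+);(?P<val>[A-Za-z0-9_-]+)(?:\?.*)?$")
# pin-<alg>="<base64 digest>" as in draft-ietf-websec-key-pinning-02.
_PIN_RE = re.compile(r'^pin-(?P<alg>[a-z0-9]+)="(?P<val>[A-Za-z0-9+/]+={0,2})"$')


def _hash(alg: str, data: bytes) -> bytes:
    # "sha-256" (ni) and "sha256" (pin-sha256) name the same function; hashlib
    # only knows the hyphen-less spelling. Truncated ni suites such as
    # sha-256-128 are intentionally not supported by this example.
    name = alg.lower().replace("-", "")
    if name not in ("sha1", "sha256", "sha384", "sha512"):
        raise ValueError(f"unsupported hash algorithm: {alg}")
    return hashlib.new(name, data).digest()


def ni_for_spki(spki_der: bytes, alg: str = "sha-256") -> str:
    """ni URI over the SPKI digest: base64url without '=' padding."""
    val = base64.urlsafe_b64encode(_hash(alg, spki_der)).rstrip(b"=").decode("ascii")
    return f"ni:///{alg};{val}"


def hpkp_pin_for_spki(spki_der: bytes, alg: str = "sha256") -> str:
    """pin-<alg>="..." directive over the same digest: standard base64, padded."""
    val = base64.b64encode(_hash(alg, spki_der)).decode("ascii")
    return f'pin-{alg}="{val}"'


def parse_fingerprint(text: str) -> tuple[str, bytes]:
    """Accept either notation; return (algorithm name as written, raw digest)."""
    m = _NI_RE.match(text)
    if m:
        val = m.group("val")
        # Restore the padding base64url-nopad drops before decoding.
        return m.group("alg"), base64.urlsafe_b64decode(val + "=" * (-len(val) % 4))
    m = _PIN_RE.match(text)
    if m:
        return m.group("alg"), base64.b64decode(m.group("val"), validate=True)
    raise ValueError(f"not an ni URI or pin-<alg> directive: {text!r}")


def spki_matches(spki_der: bytes, fingerprint: str) -> bool:
    """Recompute the digest with the algorithm the fingerprint names and compare
    in constant time; a digest of the wrong length can never match."""
    alg, expected = parse_fingerprint(fingerprint)
    actual = _hash(alg, spki_der)
    return len(actual) == len(expected) and hmac.compare_digest(actual, expected)


if __name__ == "__main__":
    print(ni_for_spki(SAMPLE_SPKI))
    print(hpkp_pin_for_spki(SAMPLE_SPKI))
    print(spki_matches(SAMPLE_SPKI, ni_for_spki(SAMPLE_SPKI)))   # same key
    print(spki_matches(OTHER_SPKI, ni_for_spki(SAMPLE_SPKI)))    # different key
```

The two example values quoted in the message parse with the same function: the ni value decodes to a 32-byte SHA-256 digest and the pin-sha1 value to a 20-byte SHA-1 digest, so a user agent that dispatches on the algorithm name carried in the fingerprint needs no separate pin-sha1/pin-sha256 directive per algorithm.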
