On Tue, May 28, 2013 at 4:51 AM, Tobias Gondrom <[email protected]> wrote:

> It seems like the majority of the WG would not share my concerns. So I
> will shut up soon. ;-)

Thanks for raising your concerns, and for sticking with the conversation and with pinning in general!

> 1. user choice is a bad idea when it comes to security.
> Just remember the many SSL cert "click to proceed anyway pop-up
> windows/issues..."
> In most cases the user is not qualified to fully understand the
> consequences of his choice.

Yes. But, in this case, the choice is between status-quo HTTPS and extra-happy pinned HTTPS. That's a very different proposition than clearly-broken HTTPS vs. status-quo HTTPS, for example.

Also, failing closed would probably be a deal-breaker for deployment, at least at this time.

Finally, for sites that people use regularly (Facebook, Gmail, Twitter) users will still get good protection. Arguably, these are the sites that are mature and most likely to be able to deploy pinning; it's the banks and other occasionally-visited sites that should probably stick to Report-Only mode anyway, because they are less mature *as web technology companies*. Thus I would argue that, at least for now, the sites that would most likely fail open due to limits on the max-max-age are sites that should fail open anyway, for other reasons.

However, that's a bit of a tangent. As it is, many sites that really need pinning protection can get it under this I-D, others can gain nice information from Report-Only mode, and others do no worse than the status quo.

> 2. as you seem to advocate a hard limit of 30 days.

Not exactly; I find Trevor's call for simple clarity compelling, but I also like a browser-determined limit past which we fail open (for the reasons described above). I could happily go either way, which doesn't really help, I realize. :) Ryan and I can just make a call one way or the other and write it up, is that OK?

> Could you think of
> browsers refreshing their pins before expiry automatically? (i.e.
> without the user actually visiting the site?)
> And question to all: would this open Pandora's box in terms of privacy
> etc. as we would leak the list of pinned sites to servers in the middle?

Right, exactly. I don't want to have browsers unilaterally leaking information by proactively pre-scanning particular sites. However, an oft-updated master list, like Chrome's CRLSets but for pins culled by crawling sites and looking for pin updates, might be workable. But I'd consider that a nice-to-have that is out of the I-D's immediate scope.

_______________________________________________
websec mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/websec
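The fail-open-versus-fail-closed trade-off discussed in the message above (a browser-imposed cap on max-age, Report-Only mode for sites that are visited rarely, and the way regular visits keep an enforcing pin alive) is easier to reason about in a small model. The following is an added example written for this page; it is not code from the websec I-D, from any browser, or from the thread's participants. The `PinStore` class, the 30-day `MAX_MAX_AGE` cap, the header syntax it parses, the return-value names, and the hostnames and fingerprints in `simulate()` are all assumptions made for illustration (real pins are base64 SHA-256 hashes of a SPKI; the strings here are constructed stand-ins so the model runs offline).

```python
"""Toy model of a client-side pin store with a capped max-age.

Added illustrative code, not from the I-D or any browser. Assumptions:
 - the client clamps the server's max-age to MAX_MAX_AGE (30 days is the
   hard limit floated in the thread, not a value taken from a spec);
 - an expired entry is simply dropped, so the next visit is ordinary
   HTTPS (fail open) until a fresh header is seen;
 - Report-Only entries never block, they only queue a report.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple

DAY = 24 * 3600
MAX_MAX_AGE = 30 * DAY  # assumed browser cap on max-age ("max-max-age")


@dataclass
class PinEntry:
    pins: FrozenSet[str]       # accepted SPKI fingerprints (constructed strings here)
    expires_at: int            # absolute time in seconds
    report_only: bool
    report_uri: Optional[str]


def parse_pin_header(value: str) -> Tuple[FrozenSet[str], int, Optional[str]]:
    """Parse a Public-Key-Pins(-Report-Only) style value into (pins, max_age, report_uri)."""
    pins, max_age, report_uri = set(), None, None
    for directive in value.split(";"):
        directive = directive.strip()
        if not directive:
            continue
        name, _, raw = directive.partition("=")
        name, raw = name.strip().lower(), raw.strip().strip('"')
        if name == "pin-sha256":
            pins.add(raw)
        elif name == "max-age":
            max_age = int(raw)
        elif name == "report-uri":
            report_uri = raw
    if max_age is None:
        raise ValueError("max-age is required")
    return frozenset(pins), max_age, report_uri


class PinStore:
    def __init__(self) -> None:
        self.entries: Dict[str, PinEntry] = {}
        self.reports: List[Tuple[str, str]] = []  # (report_uri, host) that would be POSTed

    def observe(self, host: str, header: str, now: int, report_only: bool) -> None:
        """Record pins from a header seen on a successfully validated connection.
        The server-requested max-age is clamped to the browser's cap."""
        pins, max_age, report_uri = parse_pin_header(header)
        self.entries[host] = PinEntry(pins, now + min(max_age, MAX_MAX_AGE),
                                      report_only, report_uri)

    def validate(self, host: str, chain_fingerprints: List[str], now: int) -> str:
        """Decide what to do with a connection whose chain has the given fingerprints."""
        entry = self.entries.get(host)
        if entry is None:
            return "unpinned"               # status-quo HTTPS
        if now >= entry.expires_at:
            del self.entries[host]
            return "expired-fail-open"      # cap elapsed without a revisit: status quo again
        if entry.pins & set(chain_fingerprints):
            return "pinned-ok"
        if entry.report_uri:
            self.reports.append((entry.report_uri, host))
        if entry.report_only:
            return "mismatch-report-only"   # reported, but the connection proceeds
        return "mismatch-blocked"           # enforcing mode: fail closed


def simulate() -> Dict[str, object]:
    """Two sites both request a one-year pin; one is visited weekly, one is not."""
    store = PinStore()
    header = ('pin-sha256="GOOD"; pin-sha256="BACKUP"; max-age=31536000; '
              'report-uri="https://report.example.invalid/hpkp"')  # constructed
    good_chain, evil_chain = ["GOOD"], ["EVIL"]
    store.observe("social.example", header, 0, report_only=False)  # enforcing
    store.observe("bank.example", header, 0, report_only=True)     # Report-Only
    # Weekly visits to social.example keep refreshing its 30-day entry.
    for day in range(7, 61, 7):
        store.validate("social.example", good_chain, day * DAY)
        store.observe("social.example", header, day * DAY, report_only=False)
    return {
        "social_mitm_day62": store.validate("social.example", evil_chain, 62 * DAY),
        "bank_mitm_day10": store.validate("bank.example", evil_chain, 10 * DAY),
        "bank_mitm_day45": store.validate("bank.example", evil_chain, 45 * DAY),
        "reports_queued": len(store.reports),
    }


if __name__ == "__main__":
    for key, value in simulate().items():
        print(f"{key}: {value}")
```

The simulation shows the two halves of the argument side by side: the frequently visited enforcing site is still protected on day 62 even though the cap is 30 days, because each visit extends the entry, while the rarely visited Report-Only site reports a mismatch on day 10 and has silently fallen back to ordinary HTTPS by day 45. Swapping `report_only=True` for `False` on the bank entry and observing the day-10 result is the quickest way to see why fail-closed pins on an occasionally visited site are a deployment risk rather than a free win.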
