On Wed, Aug 7, 2013 at 9:03 AM, Gervase Markham <[email protected]> wrote:

> On 07/08/13 07:19, Yoav Nir wrote:
> > Even if others chime in now and say that they do want this change, I
> > think we can't just ask administrators to list random names in
> > headers or resources. For example, what string do you use for the
> > bunch of trust anchors formerly known as "Verisign"?  Do you call it
> > "Verisign"?  "VERISIGN"? "Symantec"? Are the Thawte public keys
> > covered by the "Symantec" label? the "Verisign" label?  A wrong
> > choice by an administrator (like getting your next certificate from a
> > Thawte brand CA and expecting it to be covered by your "Symantec"
> > pin) could lead to bricking the site.
>
> Without expressing an opinion on the question, it's worth noting that
> this is already an issue with CAA, albeit that Symantec has to decide a
> set of domain names (rather than simple strings) to represent them or
> their brands. This was not a particularly difficult exercise for them,
> they probably have the most roots and most brands, and it only had to be
> done once.
>
> So I'd suggest that it's not an insuperable obstacle.
>
> > That is not to say we must not do this, but we must not do this
> > without a registry for CA strings.
>
> Or just require people to use "a domain name I control" rather than a
> bare string, like CAA. No need for a registry.
>

There are two questions here.

1) Should we introduce a level of indirection, i.e. should we only be
talking about pinning to bits that are actually present in the certificate
chain, or should we support something more?

2) If the answer to (1) is to have indirection, who should maintain the
registry?


The main argument that I am making is that if the answer to (1) is 'yes'
then reuse the approach taken in CAA and do not introduce a new registry
because we do not want to maintain separate registries for different
purposes.

The secondary argument is that having established that the CAs are going to
have to decide on the domain names and scope etc. issues for CAA, the cost
of indirection is lowered.



-- 
Website: http://hallambaker.com/
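To make the "domain name I control" point concrete: an added Python example, not code from the thread or from any CAA implementation, that evaluates constructed CAA records (RFC 6844) by plain DNS-name comparison, so the Verisign/VERISIGN/Symantec label ambiguity never arises and no registry is needed.

```python
"""Evaluate CAA (RFC 6844) issuer authorization using domain-name identifiers.

All records below are constructed for illustration. The identifier a CA
is matched on is a DNS name, compared case-insensitively, so a site
operator cannot get it 'almost right' the way a bare brand string allows.
"""
from dataclasses import dataclass

CRITICAL = 128  # RFC 6844 flag bit: an unknown critical tag forbids issuance


@dataclass
class CAARecord:
    flags: int
    tag: str
    value: str


def normalize_dns_name(name: str) -> str:
    """DNS names are case-insensitive; drop whitespace and a trailing dot."""
    return name.strip().rstrip(".").lower()


def parse_issue_value(value: str):
    """Split 'issuer-domain; k=v; ...' into (domain, params).

    An empty issuer domain (e.g. ';') means no CA at all may issue."""
    parts = [p.strip() for p in value.split(";")]
    domain = normalize_dns_name(parts[0])
    params = {}
    for p in parts[1:]:
        if "=" in p:
            k, v = p.split("=", 1)
            params[k.strip()] = v.strip()
    return domain, params


def is_authorized(records, issuer_domain: str, wildcard: bool = False) -> bool:
    """Return True if the CA identified by issuer_domain may issue.

    No relevant records at all means any CA may issue (the RFC 6844 default).
    issuewild takes precedence for wildcard names only when present."""
    known = {"issue", "issuewild", "iodef"}
    if any(r.flags & CRITICAL and r.tag.lower() not in known for r in records):
        return False  # critical property we do not understand: refuse
    tag = "issue"
    if wildcard and any(r.tag.lower() == "issuewild" for r in records):
        tag = "issuewild"
    relevant = [r for r in records if r.tag.lower() == tag]
    if not relevant:
        return True
    want = normalize_dns_name(issuer_domain)
    return any(parse_issue_value(r.value)[0] == want for r in relevant)


# Constructed sample RRset: one permitted CA, no wildcard issuance allowed.
SAMPLE = [CAARecord(0, "issue", "ca.example.net; account=230123"),
          CAARecord(0, "issuewild", ";"),
          CAARecord(0, "iodef", "mailto:caa-reports@example.com")]
```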
_______________________________________________
websec mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/websec