On 01/20/2014 01:57 PM, Chris Palmer wrote: > On Mon, Jan 20, 2014 at 7:44 AM, Daniel Kahn Gillmor > <[email protected]> wrote: > >> In 6125 and the two e-mail drafts above, "pinning" is used to refer to >> the activity that firefox describes as "adding a security exception" and >> chrome calls "proceed anyway" -- where the user (or someone) overrides > > (Note that Chrome does not remember your decision to Proceed Anyway, > although we are working on that.)
ah, that's good to know, thanks for the heads-up. >> At the very least, it seems like new drafts should make it clear that >> their meaning of "pinning" does not mean the other well-known "pinning". > > Perhaps "key pinning" vs. "exception pinning"? I wanted to call > "exception pinning" "name pinning" at first, until I remembered DNS > pinning (to defend against > http://en.wikipedia.org/wiki/DNS_rebinding). So maybe we have 3 > pinnings. :) It's worth noting that 2 of the 3 (key pinning and DNS > pinning) refer to *reducing* the number of trusted entities. Hm, RFC 6125 pinning is also about certificates, not just public keys, so maybe it's "certificate exception pinning" -- but really it seems like a flavor of permissive TOFU (trust on first use) more than anything else. so we have: * DNS pinning: maintain DNS records in the browser (possibly past their TTL) to avoid DNS rebinding attacks. * key pinning: binds public keys to domain names (at the request of the origin server), forbids the use of certificates that do not include the pinned public keys somewhere in the cert chain. * certificate pinning: associate an otherwise non-valid End Entity (EE) certificate with a domain name (at the request of the user), permitting that certificate to be used with the domain name, but *without* forbidding any other certificate from use. > Anyway, I consistently refer to the behavior described in the key > pinning draft as "key pinning", if that helps. (Probably not.) I think it's a start, at least. > I can add an explanatory note to our draft, if that would help. I think a clarifying note in draft-ietf-websec-key-pinning is necessary (i don't know that it is sufficient). it could be just something to indicate that the key pinning described in the draft has entirely distinct semantics and characteristics than "RFC 6125 certificate exception pinning". --dkg
signature.asc
Description: OpenPGP digital signature
_______________________________________________ websec mailing list [email protected] https://www.ietf.org/mailman/listinfo/websec
