Hi Ryan, On 8/5/14, 2:41 PM, "Ryan Sleevi" <[email protected]> wrote:
> > > > On Tue, Aug 5, 2014 at 2:27 PM, Alissa Cooper <[email protected]> wrote: >> Alissa Cooper has entered the following ballot position for >> draft-ietf-websec-key-pinning-19: Yes >> >> When responding, please keep the subject line intact and reply to all >> email addresses included in the To and CC lines. (Feel free to cut this >> introductory paragraph, however.) >> >> >> Please refer to http://www.ietf.org/iesg/statement/discuss-criteria.html >> for more information about IESG DISCUSS and COMMENT positions. >> >> >> The document, along with other ballot positions, can be found here: >> http://datatracker.ietf.org/doc/draft-ietf-websec-key-pinning/ >> >> >> >> ---------------------------------------------------------------------- >> COMMENT: >> ---------------------------------------------------------------------- >> >> I agree with Pete's comment about the first sentence. >> >> It would be nice if in Section 5 or 7 some suggestion could be made for >> UAs to consider the relationship between the functionality they provide >> to clear pins/pinned hosts and the functionality they provide to clear >> (or prevent the storage of) other UA state. E.g., upon clearing one's >> browsing history or entering private browsing mode, it seems like having >> the option to clear pins/pinned hosts or not pin would make sense. This >> is alluded to in Section 7 but not really tied to the threat described in >> Section 5. > > Just to confirm, you're looking to see an illustrative (non-normative) > example/discussion of UI controls in Section 5, correct? Yes, roughly — a non-normative discussion of the fact that UAs may want to consider the relationship between pin-clearing and other forms of state clearing (the same level of detail you already have in Section 7 would be appropriate I think). > >> >> I'm also curious about whether there is any reason to retain expired >> pins? (Other than the fact that flushing them requires the UA to actively >> check which ones are expired.) > > I am having a bit of trouble parsing this question. The draft right now > doesn't normatively say one way or the other how to treat expired pins post > expiration. That is, pins are noted, they expire, but there are no > post-expiration steps, since the behaviour is indistinguishable from an > unpinned host. Yes, I noted that, which is why I was asking about it. Deleting pins upon expiry would reduce the amount of state the UA retains about the user’s browsing history. In practice this might not mean much if the UA retains a full browsing history anyway. But it could be a small privacy improvement for a UA that doesn’t otherwise offer a way to clear pins. Then again, I’m not sure that the situation where a UA doesn’t offer pin clearing but does check for expired pins and delete them is realistic (what do you think?). And the case you describe below seems quite compelling, so I’m not sure there is anything to document here. Alissa > > > One reason to avoid proactively erasing pins would be situations of temporary > clock skew, which is, anecdotally, a depressingly common occurrence. A user > who temporarily experienced clock skew would not be protected from sites they > visited during the skew (as pins would be expired), but could note new pins > (following the pinning logic). If the clock skew was resolved (either manually > or through a delayed reconcilliation, as many modern OSes now go through), the > user's original pins would become viable again (within the expiration window). > > This is a client misconfiguration that can't readily be accomodated or > predicted on the server, and it's a complex one, so it seems non-ideal to > document. The observable behaviour, from a server, is that if Client X > attempts to access the Site Y with an expired pin, it's no different than if > they had no Pin. That invariant is retained regardless of which behaviour the > UA implements. >
_______________________________________________ websec mailing list [email protected] https://www.ietf.org/mailman/listinfo/websec
