<div dir="ltr">That's just a press summary of what Bruce linked.<div><br></div><div>It sounds like folks don't understand Ivan's criticisms or the problems with HPKP. Since this list is primarily targetted towards CAs, I encourage you to reach out to Ivan (or if he still lurks) about how CAs could make HPKP more viable, if they're interested. I've already described how CAs are uniquely qualified to provide that assistance. It's the lack of that assistance that has created the significant risks. That's not something Gerv or Jody and I can solve - that's on CAs.</div><div><br></div><div>This is no different than, for example, CAs needing to disclose what CAA domains they accept, as otherwise, CAA cannot be (effectively) used.</div></div><div class="gmail_extra"><br><div class="gmail_quote">On Fri, Apr 7, 2017 at 10:21 AM, Christian Heutger <span dir="ltr"><<a href="mailto:ch@psw.net" target="_blank">ch@psw.net</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="white" lang="DE" link="blue" vlink="purple">
<div class="m_-676141005694372930WordSection1">
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:Calibri">HPKP is vulnerable, look at
<a href="https://www.heise.de/security/artikel/Wachsende-Kritik-an-Public-Key-Pinning-fuer-HTTPS-3324703.html" target="_blank">
https://www.heise.de/security/<wbr>artikel/Wachsende-Kritik-an-<wbr>Public-Key-Pinning-fuer-HTTPS-<wbr>3324703.html</a> (you may use Google Translator) from second headline<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:Calibri"><u></u> <u></u></span></p>
<div style="border:none;border-top:solid #b5c4df 1.0pt;padding:3.0pt 0cm 0cm 0cm">
<p class="MsoNormal"><b><span style="font-family:Calibri;color:black">Von: </span>
</b><span style="font-family:Calibri;color:black">Public <<a href="mailto:public-bounces@cabforum.org" target="_blank">public-bounces@cabforum.org</a>> im Auftrag von Ryan Sleevi via Public <<a href="mailto:public@cabforum.org" target="_blank">public@cabforum.org</a>><br>
<b>Antworten an: </b>CA/Browser Forum Public Discussion List <<a href="mailto:public@cabforum.org" target="_blank">public@cabforum.org</a>><br>
<b>Datum: </b>Freitag, 7. April 2017 um 16:16<br>
<b>An: </b>Bruce Morton <<a href="mailto:Bruce.Morton@entrustdatacard.com" target="_blank">Bruce.Morton@entrustdatacard.<wbr>com</a>><br>
<b>Cc: </b>Ryan Sleevi <<a href="mailto:sleevi@google.com" target="_blank">sleevi@google.com</a>>, CA/Browser Forum Public Discussion List <<a href="mailto:public@cabforum.org" target="_blank">public@cabforum.org</a>><br>
<b>Betreff: </b>Re: [cabfpub] [EXTERNAL] Brazilian bank DNS heist<u></u><u></u></span></p>
</div><div><div class="h5">
<div>
<p class="MsoNormal"><u></u> <u></u></p>
</div>
<div>
<p class="MsoNormal"><u></u> <u></u></p>
<div>
<p class="MsoNormal"><u></u> <u></u></p>
<div>
<p class="MsoNormal">On Fri, Apr 7, 2017 at 9:27 AM, Bruce Morton <<a href="mailto:Bruce.Morton@entrustdatacard.com" target="_blank">Bruce.Morton@entrustdatacard.<wbr>com</a>> wrote:<u></u><u></u></p>
<blockquote style="border:none;border-left:solid #cccccc 1.0pt;padding:0cm 0cm 0cm 6.0pt;margin-left:4.8pt;margin-right:0cm">
<div>
<div>
<p class="MsoNormal"><span lang="EN-US" style="font-size:11.0pt;font-family:Calibri;color:#1f497d">Sorry I missed that, but isn’t pinning high risk? I don’t think that any CA would recommend pinning
as it is unsupportable; we can’t do anything when it fails. I think Subscribers should review pinning before deploying,
<a href="https://blog.qualys.com/ssllabs/2016/09/06/is-http-public-key-pinning-dead" target="_blank">
https://blog.qualys.com/<wbr>ssllabs/2016/09/06/is-http-<wbr>public-key-pinning-dead</a>.</span><span lang="EN-US"><u></u><u></u></span></p>
</div>
</div>
</blockquote>
<div>
<p class="MsoNormal"><u></u> <u></u></p>
</div>
<div>
<p class="MsoNormal">For what it's worth, many of the complaints in that blog relate to CAs lack of disclosure related to their infrastructure - that's what creates the risks. So if CAs were more technically savvy, and worked to help understand their customers
needs, it's very much viable.<u></u><u></u></p>
</div>
<div>
<p class="MsoNormal"> <u></u><u></u></p>
</div>
<blockquote style="border:none;border-left:solid #cccccc 1.0pt;padding:0cm 0cm 0cm 6.0pt;margin-left:4.8pt;margin-right:0cm">
<div>
<div>
<p class="MsoNormal"><span lang="EN-US" style="font-size:11.0pt;font-family:Calibri;color:#1f497d">I think the value of EV is that those certificates are not issued to attackers. So it would be great
if a Subscriber could state that their site only uses EV and that the browser respected that statement.</span><span lang="EN-US"><u></u><u></u></span></p>
</div>
</div>
</blockquote>
<div>
<p class="MsoNormal"><u></u> <u></u></p>
</div>
<div>
<p class="MsoNormal">And customers have that capability - if CAs, particularly their CA, is technically capable and/or transparent. The browser manufacturers have already give you that capability, if you chose to use it.<u></u><u></u></p>
</div>
<div>
<p class="MsoNormal"> <u></u><u></u></p>
</div>
<blockquote style="border:none;border-left:solid #cccccc 1.0pt;padding:0cm 0cm 0cm 6.0pt;margin-left:4.8pt;margin-right:0cm">
<div>
<div>
<p class="MsoNormal"><span lang="EN-US" style="font-size:11.0pt;font-family:Calibri;color:#1f497d">I also think that this statement might be better to be put in the HSTS header. HSTS is low risk, EV
is highly available and stating EV-only would be applicable to most CAs. This allows the Subscriber to move from one CA to another without bricking their site by pinning to a root or intermediate.</span><span lang="EN-US"><u></u><u></u></span></p>
</div>
</div>
</blockquote>
<div>
<p class="MsoNormal"><u></u> <u></u></p>
</div>
<div>
<p class="MsoNormal">I disagree, and was pointing out how you can already accomplish this without requiring new features that accomplish the same as existing features =)<u></u><u></u></p>
</div>
<div>
<p class="MsoNormal"><u></u> <u></u></p>
</div>
</div>
</div>
</div>
</div></div></div>
</div>
</blockquote></div><br></div>