<html xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<meta name="Titel" content="">
<meta name="Stichwörter" content="">
<meta name="Generator" content="Microsoft Word 15 (filtered medium)">
<style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0cm;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Times New Roman";}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
span.E-Mail-Formatvorlage17
{mso-style-type:personal-reply;
font-family:Calibri;
color:windowtext;}
span.msoIns
{mso-style-type:export-only;
mso-style-name:"";
text-decoration:underline;
color:teal;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page WordSection1
{size:595.0pt 842.0pt;
margin:70.85pt 70.85pt 2.0cm 70.85pt;}
div.WordSection1
{page:WordSection1;}
--></style>
</head>
<body bgcolor="white" lang="DE" link="blue" vlink="purple">
<div class="WordSection1">
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:Calibri;mso-fareast-language:EN-US">HPKP is vulnerable, look at
<a href="https://www.heise.de/security/artikel/Wachsende-Kritik-an-Public-Key-Pinning-fuer-HTTPS-3324703.html">
https://www.heise.de/security/artikel/Wachsende-Kritik-an-Public-Key-Pinning-fuer-HTTPS-3324703.html</a> (you may use Google Translator) from second headline<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:Calibri;mso-fareast-language:EN-US"><o:p> </o:p></span></p>
<div style="border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0cm 0cm 0cm">
<p class="MsoNormal"><b><span style="font-family:Calibri;color:black">Von: </span>
</b><span style="font-family:Calibri;color:black">Public <public-bounces@cabforum.org> im Auftrag von Ryan Sleevi via Public <public@cabforum.org><br>
<b>Antworten an: </b>CA/Browser Forum Public Discussion List <public@cabforum.org><br>
<b>Datum: </b>Freitag, 7. April 2017 um 16:16<br>
<b>An: </b>Bruce Morton <Bruce.Morton@entrustdatacard.com><br>
<b>Cc: </b>Ryan Sleevi <sleevi@google.com>, CA/Browser Forum Public Discussion List <public@cabforum.org><br>
<b>Betreff: </b>Re: [cabfpub] [EXTERNAL] Brazilian bank DNS heist<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<p class="MsoNormal">On Fri, Apr 7, 2017 at 9:27 AM, Bruce Morton <<a href="mailto:Bruce.Morton@entrustdatacard.com" target="_blank">Bruce.Morton@entrustdatacard.com</a>> wrote:<o:p></o:p></p>
<blockquote style="border:none;border-left:solid #CCCCCC 1.0pt;padding:0cm 0cm 0cm 6.0pt;margin-left:4.8pt;margin-right:0cm">
<div>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span lang="EN-US" style="font-size:11.0pt;font-family:Calibri;color:#1F497D">Sorry I missed that, but isn’t pinning high risk? I don’t think that any CA would recommend pinning
as it is unsupportable; we can’t do anything when it fails. I think Subscribers should review pinning before deploying,
<a href="https://blog.qualys.com/ssllabs/2016/09/06/is-http-public-key-pinning-dead" target="_blank">
https://blog.qualys.com/ssllabs/2016/09/06/is-http-public-key-pinning-dead</a>.</span><span lang="EN-US"><o:p></o:p></span></p>
</div>
</div>
</blockquote>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">For what it's worth, many of the complaints in that blog relate to CAs lack of disclosure related to their infrastructure - that's what creates the risks. So if CAs were more technically savvy, and worked to help understand their customers
needs, it's very much viable.<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"> <o:p></o:p></p>
</div>
<blockquote style="border:none;border-left:solid #CCCCCC 1.0pt;padding:0cm 0cm 0cm 6.0pt;margin-left:4.8pt;margin-right:0cm">
<div>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span lang="EN-US" style="font-size:11.0pt;font-family:Calibri;color:#1F497D">I think the value of EV is that those certificates are not issued to attackers. So it would be great
if a Subscriber could state that their site only uses EV and that the browser respected that statement.</span><span lang="EN-US"><o:p></o:p></span></p>
</div>
</div>
</blockquote>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">And customers have that capability - if CAs, particularly their CA, is technically capable and/or transparent. The browser manufacturers have already give you that capability, if you chose to use it.<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"> <o:p></o:p></p>
</div>
<blockquote style="border:none;border-left:solid #CCCCCC 1.0pt;padding:0cm 0cm 0cm 6.0pt;margin-left:4.8pt;margin-right:0cm">
<div>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span lang="EN-US" style="font-size:11.0pt;font-family:Calibri;color:#1F497D">I also think that this statement might be better to be put in the HSTS header. HSTS is low risk, EV
is highly available and stating EV-only would be applicable to most CAs. This allows the Subscriber to move from one CA to another without bricking their site by pinning to a root or intermediate.</span><span lang="EN-US"><o:p></o:p></span></p>
</div>
</div>
</blockquote>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">I disagree, and was pointing out how you can already accomplish this without requiring new features that accomplish the same as existing features =)<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
</div>
</div>
</div>
</div>
</body>
</html>