[cabfpub] FW: [websec] #58: Should we pin only SPKI, or also names

Rob Stradling rob.stradling at comodo.com
Mon Aug 12 21:58:21 UTC 2013

Hi Jeremy.  Comodo would be happy to maintain this registry, if the 
WebSec WG decides that it's required.

On 12/08/13 20:54, Jeremy Rowley wrote:
> See below.  Is this a project of interest to the CA/Browser forum?  The
> Forum would be responsible for maintaining a registry of CAs and the mapping
> to their roots for the purpose of key pinning.
> Jeremy
> -----Original Message-----
> From: websec-bounces at ietf.org [mailto:websec-bounces at ietf.org] On Behalf Of
> Yoav Nir
> Sent: Monday, August 12, 2013 12:50 PM
> To: Trevor Perrin
> Cc: websec
> Subject: Re: [websec] #58: Should we pin only SPKI, or also names
> On Aug 12, 2013, at 7:11 PM, Trevor Perrin <trevp at trevp.net> wrote:
>> On Mon, Aug 12, 2013 at 1:17 AM, Gervase Markham <gerv at mozilla.org> wrote:
>>> On 11/08/13 05:25, Trevor Perrin wrote:
>>>> Could we just say:
>>>> - The holder of a domain name is responsible for specifying the
>>>> SPKIs that it maps to.
>>>> - How the domain holder communicates this to the UA is out of scope.
>>> In other words "Don't set up a registry; just punt the problem and
>>> hope something works itself out organically"?
>> Yes.
>> If people hate this, someone should make a proposal for a registry:
>> - Who maintains it?
>> - How are requests to add or remove CA names authenticated?
>> - Does the registry map CA names to actual keys?
>>    - If so, how are change requests authenticated?
>>    - What are the timing rules to ensure changes are propagated to
>> browsers as needed?
>> - How can the registry be monitored and double-checked to avoid it
>> becoming a single point of failure?
>> - Should these process details be defined in the HPKP spec or somewhere
> else?
> As you've said, before this is for the CAs and browsers to come up with such
> a solution (assuming they want it, and I'm not hearing this from either the
> Mozilla people or the Google people on this list). CAs and browers. Now, if
> only there was some forum where both of these come together...
> Joking aside, The CA/Browser forum is not currently in the business of
> running registries. IANA is, but I don't know how to specify in a draft an
> IANA policy that would include following mergers, acquisitions, and
> branding, and settling trademark disputes. Not do I have any reason to
> believe that IANA would be willing to do this. So unless the CA/Browser
> Forum agrees to take on this responsibility, and provide stable link for
> both machine and human readable mappings, I think this proposal should be
> shelved until we can find someone who will answer your questions above.
> Yoav
> _______________________________________________
> websec mailing list
> websec at ietf.org
> https://www.ietf.org/mailman/listinfo/websec
> _______________________________________________
> Public mailing list
> Public at cabforum.org
> https://cabforum.org/mailman/listinfo/public

Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online
Office Tel: +44.(0)1274.730505
Office Fax: +44.(0)1274.730909

COMODO CA Limited, Registered in England No. 04058690
Registered Office:
   3rd Floor, 26 Office Village, Exchange Quay,
   Trafford Road, Salford, Manchester M5 3EQ

This e-mail and any files transmitted with it are confidential and 
intended solely for the use of the individual or entity to whom they are 
addressed.  If you have received this email in error please notify the 
sender by replying to the e-mail containing this attachment. Replies to 
this email may be monitored by COMODO for operational or business 
reasons. Whilst every endeavour is taken to ensure that e-mails are free 
from viruses, no liability can be accepted and the recipient is 
requested to use their own virus checking software.

More information about the Public mailing list