[cabfpub] FW: [websec] #58: Should we pin only SPKI, or also names

Jeremy Rowley jeremy.rowley at digicert.com
Mon Aug 12 22:24:40 UTC 2013


There's a difference between an SDO and an implementer.  My question is
whether the Forum would be a willing implementer if the proposal is
developed at IETF.  The IPR issue is somewhat overstated since it resulted
in a loss of only one contributing member.  Although that is more members
than I'd hoped, I do not think it should be considered an implementation
barrier.

I do agree that the practical concerns need (and should) be addressed in the
IETF.

Jeremy

-----Original Message-----
From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On
Behalf Of Ryan Sleevi
Sent: Monday, August 12, 2013 3:47 PM
To: jeremy rowley
Cc: CABFPub
Subject: Re: [cabfpub] FW: [websec] #58: Should we pin only SPKI, or also
names

As mentioned again on our most recent call, members of the Forum have
repeatedly (and arguably, correctly) asserted that the CA/B Forum is not an
SDO. Having CAs manage/maintain a registry that could have adverse business
impact on competitors, and with participation in the CA/B Forum gated behind
an IPR policy that unfortunately cost many members, seems equally a
dangerous path to go down.

Beyond these very real, and very significant, practical concerns, the
technical concerns against name pinning are better discussed in the IETF, so
we can continue the discussion there.

On Mon, Aug 12, 2013 at 2:40 PM, Jeremy Rowley <jeremy.rowley at digicert.com>
wrote:
> Thanks Ryan - why are you against the CAB Forum assuming responsibility?
> Also, I took Chris Palmer's comments as more neutral/in-favor of the 
> proposal than against it.  Is Google opposed to pinning CAs as an 
> option in addition to pinning specific keys?
>
> Jeremy
>
> -----Original Message-----
> From: Ryan Sleevi [mailto:sleevi at google.com]
> Sent: Monday, August 12, 2013 2:01 PM
> To: jeremy rowley
> Cc: CABFPub
> Subject: Re: [cabfpub] FW: [websec] #58: Should we pin only SPKI, or 
> also names
>
> On the User Agent side, we have significant reservations with this 
> proposal, which have been expressed during these discussions.
>
> I would invite interested CAs to comment further on the IETF list, 
> rather than splitting the discussion here.
>
> For what it's worth, we would prefer NOT to see such an activity in 
> the CA/B Forum IF it was adopted.
>
> On Mon, Aug 12, 2013 at 12:54 PM, Jeremy Rowley 
> <jeremy.rowley at digicert.com>
> wrote:
>> See below.  Is this a project of interest to the CA/Browser forum?
>> The Forum would be responsible for maintaining a registry of CAs and 
>> the mapping to their roots for the purpose of key pinning.
>>
>> Jeremy
>>
>> -----Original Message-----
>> From: websec-bounces at ietf.org [mailto:websec-bounces at ietf.org] On 
>> Behalf Of Yoav Nir
>> Sent: Monday, August 12, 2013 12:50 PM
>> To: Trevor Perrin
>> Cc: websec
>> Subject: Re: [websec] #58: Should we pin only SPKI, or also names
>>
>>
>> On Aug 12, 2013, at 7:11 PM, Trevor Perrin <trevp at trevp.net> wrote:
>>
>>> On Mon, Aug 12, 2013 at 1:17 AM, Gervase Markham <gerv at mozilla.org>
> wrote:
>>>> On 11/08/13 05:25, Trevor Perrin wrote:
>>>>> Could we just say:
>>>>> - The holder of a domain name is responsible for specifying the 
>>>>> SPKIs that it maps to.
>>>>> - How the domain holder communicates this to the UA is out of scope.
>>>>
>>>> In other words "Don't set up a registry; just punt the problem and 
>>>> hope something works itself out organically"?
>>>
>>> Yes.
>>>
>>> If people hate this, someone should make a proposal for a registry:
>>>
>>> - Who maintains it?
>>> - How are requests to add or remove CA names authenticated?
>>> - Does the registry map CA names to actual keys?
>>>   - If so, how are change requests authenticated?
>>>   - What are the timing rules to ensure changes are propagated to 
>>> browsers as needed?
>>> - How can the registry be monitored and double-checked to avoid it 
>>> becoming a single point of failure?
>>> - Should these process details be defined in the HPKP spec or 
>>> somewhere
>> else?
>>
>> As you've said, before this is for the CAs and browsers to come up 
>> with such a solution (assuming they want it, and I'm not hearing this 
>> from either the Mozilla people or the Google people on this list). 
>> CAs and browers. Now, if only there was some forum where both of 
>> these come
> together...
>>
>> Joking aside, The CA/Browser forum is not currently in the business 
>> of running registries. IANA is, but I don't know how to specify in a 
>> draft an IANA policy that would include following mergers, 
>> acquisitions, and branding, and settling trademark disputes. Not do I 
>> have any reason to believe that IANA would be willing to do this. So 
>> unless the CA/Browser Forum agrees to take on this responsibility, 
>> and provide stable link for both machine and human readable mappings, 
>> I think this proposal should be shelved until we can find someone who 
>> will
> answer your questions above.
>>
>> Yoav
>>
>> _______________________________________________
>> websec mailing list
>> websec at ietf.org
>> https://www.ietf.org/mailman/listinfo/websec
>>
>> _______________________________________________
>> Public mailing list
>> Public at cabforum.org
>> https://cabforum.org/mailman/listinfo/public
>
_______________________________________________
Public mailing list
Public at cabforum.org
https://cabforum.org/mailman/listinfo/public




More information about the Public mailing list