Protocol Action: 'Public Key Pinning Extension for HTTP' to Proposed Standard (draft-ietf-websec-key-pinning-21.txt)

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



The IESG has approved the following document:
- 'Public Key Pinning Extension for HTTP'
  (draft-ietf-websec-key-pinning-21.txt) as Proposed Standard

This document is the product of the Web Security Working Group.

The IESG contact persons are Barry Leiba and Pete Resnick.

A URL of this Internet Draft is:
http://datatracker.ietf.org/doc/draft-ietf-websec-key-pinning/





Technical Summary

This spec describes an extension to the HTTP protocol allowing web
host operators to instruct user agents to remember ("pin") the hosts'
cryptographic identities for a given period of time.  During that
time, UAs will require that the host present a certificate chain
including at least one Subject Public Key Info structure whose
fingerprint matches one of the pinned fingerprints for that host.  By
effectively reducing the number of authorities who can authenticate
the domain during the lifetime of the pin, pinning may reduce the
incidence of man-in-the-middle attacks due to compromised
Certification Authorities.

Review and Consensus

Previous versions of this document received useful reviews on the 
mailing list. Many changes were introduced due to working group 
consensus, including to pin format, an includeSubdomains directive,
and interaction with private trust anchors. 

Some changes were proposed and rejected by the working group,
most notably named pins, a "strict" directive, and hard limits on the 
max-age directive. The consensus on these involved a long and hard 
discussion, but as chairs, Tobias and I believe that it is a regular
rather than rough consensus.

Two issues that were left for last were the interaction of pre-loaded
pins with noted pins, and the processing of report-only pins. There 
was a lot of controversy and a lot of back-and-forth about these 
issues. We believe that the current drafts represents the working
group's consensus, although at least one participant would have 
preferred a different outcome.

Personnel

Yoav Nir is the document shepherd. Barry Leiba is the responsible
Area Director.





[Index of Archives]     [IETF]     [IETF Discussion]     [Linux Kernel]

  Powered by Linux