Security/Features/CA pinning functionality
|Status note||Depends on enabling libpkix by default. The feature will land one relase after the pkix landing.|
|Product manager||Sid Stamm|
|Directly Responsible Individual||Camilo Viecco|
|Lead engineer||Camilo Viecco|
|Security lead||Curtis Koenig|
|Privacy lead||Sid Stamm|
|Product marketing lead||`|
|Additional members||Gervase Markham|
Stage 1: Definition
1. Feature overview
Now they can require HTTPS connections (via HSTS), sites may want to also restrict the CAs who can issue certificates for their domain to a small number (> 1) that they trust. This can be accomplished via providing a list of certificate fingerprints, at least one of which must be present in any chain considered valid for the domain. This is rather like what Chrome has done  except we would not be managing a static list of anchors.
2. Users & use cases
CA Foo is compromised and grants a certificate for example.com to an attacker. The owners of example.com have their site pinned to certificates from CAs Bar and Baz, so when the attacker attempts to use the certificate from CA Foo, he fails to satisfy the pinning requirement. Any users presented with his certificate will not have access to the fraudulent connection (hard fail).
The spec does not necesaily ping the CA, it pins a subset of keys so that at least one of the keys pinned must be in the CA list of the certificate.
HSTS. This feature should not be tied to HSTS, but the two technologies should work together.
Google has had CA pinning for a while; we should talk to them about their experience and any risks/problems with current proposals. (We need to separate issues with having a hard-coded list, which we aren't planning to do, from issues with the idea of pinning itself.)
- Replacing the existing x.509 PKI infrastructure. (This is a refinement.)
- Enabling pinning without also requiring HTTPS (see section 6.5 of spec)
Stage 2: Design
5. Functional specification
It will be deployed in two pushes:
- Do built in pins.
- Allow website pin data as the ietf draft
See https://tools.ietf.org/html/draft-evans-palmer-key-pinning .
However we need to get clarification on several issues including: 1. What do do when muliple headers are found (?) 2. What is the benefit for the requirement that the backup key must NOT be in the chain?
To allow for self MIM the pinning feature will provide three enforcement levels (it will always be calculated) 0: Ignore pinning, ie allow connectionw with failed pin data. (calculate but store result somewhere internally) Hopefully we can put some UX to reflect failed pins, but this is outside of the current scope. 1. (the default) Ignore Pinning IF the trust anchor is not a built in CA. 2. Strict enforcement.
6. User experience design
The draft recommends that users have ways of querying which domains are pinned. We need to consider whether we think this is necessary and, if so, how to do it. (Perhaps integrated with the history view?) No UI will be provided to change the enforcement level.
If site access is denied, we will need a screen explaining why. (There will be no override, as per spec.)
We should already have mechanisms for clearing stored HSTS information when the user clears their history; pin information should go with it.
Stage 3: Planning
7. Implementation plan
The pinning data will be stored as a site pref. And it will be implemented in a way similar to STS. The first stage would be to enhance the preferences to be able to store blobs or strings.
Shall this be included in the STS .idl file? Dont know yet.
We shall notice that this is an HTTP extension. Not an TLS/SSL extension.
There are 3 parts fo the implementation: 1. Enhance permission manager to include strings for storage (https://bugzilla.mozilla.org/show_bug.cgi?id=744212 ) 2. Ability to "Note" a pinning when presented over an error free TLS connection 3. Ability to use the permission manager at chain building time to ensure a valid (from the pinning perspective planner exists).
Quality Assurance review
This will require a lot of QA, in particular due to the built-in roots. Will need non trivial collaboration with QA.
Stage 4: Development
So we have two bugs created now: https://bugzilla.mozilla.org/show_bug.cgi?id=744212 (this one is waiting for review) and https://bugzilla.mozilla.org/show_bug.cgi?id=744204
Stage 5: Release
10. Landing criteria
This feature depends on using libpkix for functionality.
|Theme / Goal||TLS Hardening|
Team status notes