Confirmed users
76
edits
Security/Features/CA pinning functionality: Difference between revisions
Security/Features/CA pinning functionality (view source)
Revision as of 17:27, 5 April 2012
, 5 April 2012no edit summary
No edit summary |
No edit summary |
||
| Line 15: | Line 15: | ||
|Feature overview=Now they can require HTTPS connections (via HSTS), sites may want to also restrict the CAs who can issue certificates for their domain to a small number (> 1) that they trust. This can be accomplished via providing a list of certificate fingerprints, at least one of which must be present in any chain considered valid for the domain. This is rather like what Chrome has done [http://www.imperialviolet.org/2011/05/04/pinning.html] except we would not be managing a static list of anchors. | |Feature overview=Now they can require HTTPS connections (via HSTS), sites may want to also restrict the CAs who can issue certificates for their domain to a small number (> 1) that they trust. This can be accomplished via providing a list of certificate fingerprints, at least one of which must be present in any chain considered valid for the domain. This is rather like what Chrome has done [http://www.imperialviolet.org/2011/05/04/pinning.html] except we would not be managing a static list of anchors. | ||
|Feature users and use cases=CA Foo is compromised and grants a certificate for example.com to an attacker. The owners of example.com have their site pinned to certificates from CAs Bar and Baz, so when the attacker attempts to use the certificate from CA Foo, he fails to satisfy the pinning requirement. Any users presented with his certificate will not have access to the fraudulent connection (hard fail). | |Feature users and use cases=CA Foo is compromised and grants a certificate for example.com to an attacker. The owners of example.com have their site pinned to certificates from CAs Bar and Baz, so when the attacker attempts to use the certificate from CA Foo, he fails to satisfy the pinning requirement. Any users presented with his certificate will not have access to the fraudulent connection (hard fail). | ||
The spec does not necesaily ping the CA, it pins a subset of keys so that at least one of the keys pinned must be in the CA list of the certificate. | |||
|Feature dependencies=<strike>HSTS.</strike> This feature should not be tied to HSTS, but the two technologies should work together. | |Feature dependencies=<strike>HSTS.</strike> This feature should not be tied to HSTS, but the two technologies should work together. | ||
|Feature requirements=Google has had CA pinning for a while; we should talk to them about their experience and any risks/problems with current proposals. (We need to separate issues with having a hard-coded list, which we aren't planning to do, from issues with the idea of pinning itself.) | |Feature requirements=Google has had CA pinning for a while; we should talk to them about their experience and any risks/problems with current proposals. (We need to separate issues with having a hard-coded list, which we aren't planning to do, from issues with the idea of pinning itself.) | ||
| Line 25: | Line 27: | ||
We should already have mechanisms for clearing stored HSTS information when the user clears their history; pin information should go with it. | We should already have mechanisms for clearing stored HSTS information when the user clears their history; pin information should go with it. | ||
|Feature implementation plan=The pinning data will be stored as a site pref. And it will be implemented in a way similar to STS. The first stage would be to enhance the preferences to be able to store blobs or strings. | |||
Shall this be included in the STS .idl file? Dont know yet. | |||
}} | }} | ||
{{FeatureInfo | {{FeatureInfo | ||