comparison with other stored security state mechanisms [was: Re: Sharing Trust Policy between Crypto Libraries]
stefw at redhat.com
Wed Jan 16 06:27:06 PST 2013
On 01/15/2013 05:37 PM, Daniel Kahn Gillmor wrote:
> On 01/15/2013 06:18 AM, Stef Walter wrote:
>> Since there is obviously a lot of new ideas and work being done
>> in the area of key pinning and TLS trust in general,
> I'm very happy to see folks considering the various pinning schemes
> and how they fit into this model; i think that's the right thing to
> I have a terminology concern though, which i tried to raise
> initially, but i don't think i did very successfully: the current
> sharing-trust-policy draft uses the term "pinning" as a sort of
> additional accepted key (the way it's used in RFC 6125).
> The newer models all use the term "pinning" to refer to an
> allowlist -- that is, if a pin exists, nothing else is acceptable.
> These are actually radically different concepts, and i think we do
> this document (and whatever software or protocols we build from it)
> a disservice by continuing to use the same term for them.
> It's pretty unfortunate that the pre-existing work contains this
> confusion, but we have an opportunity to try to help clarify it
> for implementers and users. Alas, i'm not sure how to do it. Any
Well, the Firefox UI uses the term 'Security Exception'. We might
choose to call it a 'Certificate Exception'.
>> So for key pinning, I've been thinking along the lines of
>> defining something along similar lines to the stapled
>> So for key pinning you would the 'peer' as a primary-key.
>> One of the main forms for a peer is a hostname+port (and perhaps
> hm, do you mean "not use the 'peer' as a primary-key"? i think
> the first sentence of the paragraph above is unclear.
Basically I was saying that for key pinning in our model one looks up
the pinning records based on the hostname+protocol+port, which I
called a 'peer'.
> For websec key pinning, for example, the pin belongs to the host
> (and the protocol, which is presumed to be the web i guess), not to
> a key belonging to that host in particular.
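As an added illustration of the distinction Daniel draws above (this is
example code written for this thread, not code from p11-kit, the
sharing-trust-policy draft or the websec work), the following Python
sketch evaluates a presented key against a pin store keyed by a 'peer'
(hostname + protocol + port) under both readings of the word "pinning":
the RFC 6125 / 'Certificate Exception' reading, where a pin is an
additional accepted key, and the allowlist reading, where the presence
of any pin for the peer excludes every other key. The names Peer,
PinStore, PinSemantics and evaluate, the "spki-sha256:..." key
identifiers and the pkix_ok flag (the result of ordinary chain
validation, taken as an input) are all constructed for the example.

```python
"""Two readings of "pinning", looked up by peer (hostname + protocol + port).

Added example for this discussion; not code from p11-kit or the
sharing-trust-policy draft. Key identifiers are constructed placeholders
standing in for something like a SHA-256 of the peer's SubjectPublicKeyInfo.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Dict, FrozenSet


class PinSemantics(Enum):
    # RFC 6125 / "Certificate Exception": a pin is an *additional* accepted
    # key; the ordinary PKIX path validation result still counts.
    EXCEPTION = "exception"
    # Allowlist reading (websec-style): if any pin exists for the peer,
    # only pinned keys are acceptable, whatever PKIX says.
    ALLOWLIST = "allowlist"


@dataclass(frozen=True)
class Peer:
    """Lookup key for pin records: hostname + protocol + port."""
    host: str
    protocol: str
    port: int


class PinStore:
    def __init__(self) -> None:
        self._pins: Dict[Peer, FrozenSet[str]] = {}

    def add(self, peer: Peer, key_id: str) -> None:
        self._pins[peer] = self._pins.get(peer, frozenset()) | {key_id}

    def lookup(self, peer: Peer) -> FrozenSet[str]:
        # Exact match on the full peer tuple: a pin for port 443 says
        # nothing about the same host on port 8443.
        return self._pins.get(peer, frozenset())


def evaluate(store: PinStore, peer: Peer, presented_key_id: str,
             pkix_ok: bool, semantics: PinSemantics) -> bool:
    """Return True if the presented key should be accepted for `peer`.

    `pkix_ok` is the outcome of ordinary chain validation against the
    configured trust anchors; it is an input here, not computed.
    """
    pins = store.lookup(peer)
    if semantics is PinSemantics.ALLOWLIST:
        if pins:
            return presented_key_id in pins  # nothing else is acceptable
        return pkix_ok                        # no pin: fall back to PKIX
    # EXCEPTION: the pinned key is accepted in addition to whatever PKIX accepts.
    return pkix_ok or presented_key_id in pins


def demo() -> Dict[str, bool]:
    """Constructed scenario showing where the two readings diverge."""
    store = PinStore()
    web = Peer("www.example.com", "https", 443)
    store.add(web, "spki-sha256:AAAA")  # constructed placeholder key id

    results: Dict[str, bool] = {}
    # Self-signed cert whose key matches the pin: PKIX fails, pin matches.
    results["pinned_key_no_pkix/exception"] = evaluate(
        store, web, "spki-sha256:AAAA", False, PinSemantics.EXCEPTION)
    results["pinned_key_no_pkix/allowlist"] = evaluate(
        store, web, "spki-sha256:AAAA", False, PinSemantics.ALLOWLIST)
    # A different key with a valid CA-issued chain: this is where the two
    # concepts split. An "exception" still accepts it; an allowlist pin
    # rejects it even though PKIX is happy.
    results["other_key_pkix_ok/exception"] = evaluate(
        store, web, "spki-sha256:BBBB", True, PinSemantics.EXCEPTION)
    results["other_key_pkix_ok/allowlist"] = evaluate(
        store, web, "spki-sha256:BBBB", True, PinSemantics.ALLOWLIST)
    # Same host, different port: no record for that peer, so both
    # readings fall back to the PKIX result.
    other = Peer("www.example.com", "https", 8443)
    results["unpinned_peer_pkix_ok/allowlist"] = evaluate(
        store, other, "spki-sha256:BBBB", True, PinSemantics.ALLOWLIST)
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:40s} {'accept' if ok else 'reject'}")
```

The only case that separates the two vocabularies is a peer with a pin
presenting a different key that nonetheless chains to a trusted CA: an
'exception' lets it through, an allowlist pin does not. Keying the
store on the whole (host, protocol, port) tuple is the 'peer' lookup
described in the reply above; the websec scheme keys on host alone with
the protocol implied, which this sketch models by using "https" as the
protocol component.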