draft-ietf-websec-key-pinning-00.txt   draft-ietf-websec-key-pinning-01.txt 
Web Security C. Evans Web Security C. Evans
Internet-Draft C. Palmer Internet-Draft C. Palmer
Expires: June 2, 2012 Google, Inc. Intended status: Standards Track Google, Inc.
November 30, 2011 Expires: June 11, 2012 December 9, 2011
Public Key Pinning Extension for HTTP Public Key Pinning Extension for HTTP
draft-ietf-websec-key-pinning-00 draft-ietf-websec-key-pinning-01
Abstract Abstract
This memo describes an extension to the HTTP protocol allowing web This memo describes an extension to the HTTP protocol allowing web
host operators to instruct user agents (UAs) to remember ("pin") the host operators to instruct user agents (UAs) to remember ("pin") the
hosts' cryptographic identities for a given period of time. During hosts' cryptographic identities for a given period of time. During
that time, UAs will require that the host present a certificate chain that time, UAs will require that the host present a certificate chain
including at least one Subject Public Key Info structure whose including at least one Subject Public Key Info structure whose
fingerprint matches one or more of the pinned fingerprints for that fingerprint matches one or more of the pinned fingerprints for that
host. By effectively reducing the scope of authorities who can host. By effectively reducing the scope of authorities who can
skipping to change at line 39 skipping to change at page 1, line 40
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/. Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on June 2, 2012. This Internet-Draft will expire on June 11, 2012.
Copyright Notice Copyright Notice
Copyright (c) 2011 IETF Trust and the persons identified as the Copyright (c) 2011 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of (http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
skipping to change at line 81 skipping to change at page 3, line 30
greatly reduce the risk of MITM attacks and other false- greatly reduce the risk of MITM attacks and other false-
authentication problems for their users without incurring undue risk. authentication problems for their users without incurring undue risk.
We intend for hosts to use public key pinning together with HSTS (as We intend for hosts to use public key pinning together with HSTS (as
defined in [hsts-draft], but is possible to pin keys without defined in [hsts-draft], but is possible to pin keys without
requiring HSTS. requiring HSTS.
This draft is being discussed on the WebSec Working Group mailing This draft is being discussed on the WebSec Working Group mailing
list, websec@ietf.org. list, websec@ietf.org.
1.1. About Notation 1.1. Requirements Language
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in [rfc-2119]. document are to be interpreted as described in RFC 2119 [rfc-2119].
2. Server and Client Behavior 2. Server and Client Behavior
2.1. Response Header Field Syntax 2.1. Response Header Field Syntax
To set a pin, hosts use a new HTTP header field, Public-Key-Pins, in To set a pin, hosts use a new HTTP header field, Public-Key-Pins, in
their HTTP responses. Figure 1 describes the syntax of the header their HTTP responses. Figure 1 describes the syntax of the header
field. field.
Public-Key-Pins = "Public-Key-Pins" ":" LWS directives Public-Key-Pins = "Public-Key-Pins" ":" LWS directives
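Review bot: The Section 1 sentence "We intend for hosts to use public key pinning together with HSTS (as defined in [hsts-draft], but is possible to pin keys without requiring HSTS." is carried into -01 unchanged and still has an unclosed parenthesis and no subject in its second clause. Suggest "(as defined in [hsts-draft]), but it is possible to pin keys without requiring HSTS."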
skipping to change at line 119 skipping to change at page 4, line 37
In the pin rule, the token is the name of a cryptographic hash In the pin rule, the token is the name of a cryptographic hash
algorithm, and MUST be either "sha1" or "sha256". (Future versions algorithm, and MUST be either "sha1" or "sha256". (Future versions
of this specification may change the hash functions.) The quoted- of this specification may change the hash functions.) The quoted-
string is a sequence of base64 digits: a base64-encoded hash. See string is a sequence of base64 digits: a base64-encoded hash. See
Section 2.2. Section 2.2.
Figure 2 shows some example response header fields using the pins Figure 2 shows some example response header fields using the pins
extension (folded for clarity). extension (folded for clarity).
Public-Key-Pins: max-age=500; Public-Key-Pins: max-age=500;
pins=sha1-4n972HfV354KP560yw4uqe/baXc=, pin-sha1="4n972HfV354KP560yw4uqe/baXc=";
sha1-IvGeLsbqzPxdI0b0wuj2xVTdXgc= pin-sha1="IvGeLsbqzPxdI0b0wuj2xVTdXgc="
Public-Key-Pins: max-age=31536000; Public-Key-Pins: max-age=31536000;
pins=sha1-4n972HfV354KP560yw4uqe/baXc=, pin-sha1="4n972HfV354KP560yw4uqe/baXc=";
sha256-LPJNul+wow4m6DsqxbninhsWHlwfp0JecwQzYpOLmCQ= pin-sha256="LPJNul+wow4m6DsqxbninhsWHlwfp0JecwQzYpOLmCQ="
Public-Key-Pins: pins=sha1-4n972HfV354KP560yw4uqe/baXc=, Public-Key-Pins: pin-sha1="4n972HfV354KP560yw4uqe/baXc=";
sha1-qvTGHdzF6KLavt4PO0gs2a6pQ00=, pin-sha1="qvTGHdzF6KLavt4PO0gs2a6pQ00=";
sha256-LPJNul+wow4m6DsqxbninhsWHlwfp0JecwQzYpOLmCQ= ; pin-sha256="LPJNul+wow4m6DsqxbninhsWHlwfp0JecwQzYpOLmCQ=";
max-age=2592000 max-age=2592000
Figure 2 Figure 2
2.2. Semantics of Pins 2.2. Semantics of Pins
The fingerprint is the SHA-1 or SHA-256 hash of the DER-encoded ASN.1 The fingerprint is the SHA-1 or SHA-256 hash of the DER-encoded ASN.1
representation of the SubjectPublicKeyInfo (SPKI) field of the X.509 representation of the SubjectPublicKeyInfo (SPKI) field of the X.509
certificate. Figure 3 reproduces the definition of the certificate. Figure 3 reproduces the definition of the
SubjectPublicKeyInfo structure in [rfc-5280]. SubjectPublicKeyInfo structure in [rfc-5280].
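Review bot: The paragraph above Figure 2 was not updated with the examples: it still describes the pin rule as a token naming the hash algorithm ("sha1" or "sha256") plus a quoted-string, while the revised examples spell the directive as pin-sha1="..." and pin-sha256="...". The text should say whether the token is the part after a "pin-" prefix or the whole directive name. The lines shown also do not say how a UA treats a pin whose algorithm name it does not recognize, which matters given "Future versions of this specification may change the hash functions"; state whether such a pin is skipped or the whole header is rejected.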
skipping to change at line 173 skipping to change at page 5, line 45
Upon receipt of the Public-Key-Pins response header field, the UA Upon receipt of the Public-Key-Pins response header field, the UA
notes the host as a Pinned Host, storing the pins and their notes the host as a Pinned Host, storing the pins and their
associated max-age in non-volatile storage (for example, along with associated max-age in non-volatile storage (for example, along with
the HSTS metadata). The pins and their associated max-age are the HSTS metadata). The pins and their associated max-age are
collectively known as Pinning Metadata. collectively known as Pinning Metadata.
The UA MUST observe these conditions when noting a host: The UA MUST observe these conditions when noting a host:
o The UA MUST note the pins if and only if it received the Public- o The UA MUST note the pins if and only if it received the Public-
Key-Pins response header field over an error-free TLS connection. Key-Pins response header field over an error-free TLS connection.
The UAs MUST ignore Public-Key-Pins response header fields
received on HTTP (non-HTTPS) connections.
o The UA MUST note the pins if and only if the TLS connection was o The UA MUST note the pins if and only if the TLS connection was
authenticated with a certificate chain containing at least one of authenticated with a certificate chain containing at least one of
the SPKI structures indicated by at least one of the given the SPKI structures indicated by at least one of the given
fingerprints. (See Section 2.4.) fingerprints. (See Section 2.4.)
o The UA MUST note the pins if and only if the given set of pins o The UA MUST note the pins if and only if the given set of pins
contains at least one pin that does NOT refer to an SPKI in the contains at least one pin that does NOT refer to an SPKI in the
certificate chain. (That is, the host must set a Backup Pin; see certificate chain. (That is, the host must set a Backup Pin; see
Section 3.1.) Section 3.1.)
If the Public-Key-Pins response header field does not meet all three If the Public-Key-Pins response header field does not meet all four
of these criteria, the UA MUST NOT note the host as a Pinned Host, of these criteria, the UA MUST NOT note the host as a Pinned Host,
and MUST discard any previously set Pinning Metadata for that host in and MUST discard any previously set Pinning Metadata for that host in
its non-volatile store. Public-Key-Pins response header fields that its non-volatile store. Public-Key-Pins response header fields that
meet all these critera are known as Valid Pinning Headers. meet all these critera are known as Valid Pinning Headers.
Whenever a UA receives a Valid Pinning Header, it MUST set its Whenever a UA receives a Valid Pinning Header, it MUST set its
Pinning Metadata to the exact pins and max-age given in the most Pinning Metadata to the exact pins and max-age given in the most
recently received Valid Pinning Header. recently received Valid Pinning Header.
2.3.1. max-age 2.3.1. max-age
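Review bot: The sentence added to the first condition, "The UAs MUST ignore Public-Key-Pins response header fields received on HTTP (non-HTTPS) connections", conflicts with the paragraph after the list, which says that a header failing any criterion means the UA "MUST discard any previously set Pinning Metadata for that host". A header seen on plain HTTP fails the error-free-TLS condition, so as written it is both ignored and grounds for clearing existing pins. Suggest stating that a header received without an error-free TLS connection leaves stored Pinning Metadata untouched. Also, "all three" became "all four", but the list shown still has three bullets, because the new sentence sits inside the first one; and "critera" should be "criteria".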
skipping to change at line 207 skipping to change at page 6, line 33
Public-Key-Pins HTTP Response Header, during which the UA regards the Public-Key-Pins HTTP Response Header, during which the UA regards the
host as a Pinned Host. The delta-seconds production is specified in host as a Pinned Host. The delta-seconds production is specified in
[rfc-2616]. [rfc-2616].
Note that by setting a low or 0 value for max-age, hosts effectively Note that by setting a low or 0 value for max-age, hosts effectively
instruct UAs to cease regarding them as Pinned Hosts. instruct UAs to cease regarding them as Pinned Hosts.
2.4. Validating Pinned Connections 2.4. Validating Pinned Connections
When a UA connects to a Pinned Host, if the TLS connection has When a UA connects to a Pinned Host, if the TLS connection has
errors, it applies its usual policy. For example, depending on the errors, the UA MUST terminate the connection without allowing the
type of failure, the UA might or might now allow the user the option user to proceed anyway. (This behavior is the same as that required
of continuing with the connection anyway. For hosts that are Known by [hsts-draft].
HSTS Hosts the UA MUST terminate the connection in case of TLS
errors, as required by [hsts-draft].
If the connection has no errors, the UA will then apply a new If the connection has no errors, the UA will then apply a new
correctness check: Pin Validation. To perform Pin Validation, the UA correctness check: Pin Validation. To perform Pin Validation, the UA
will compute the fingerprints of the SPKI structures in each will compute the fingerprints of the SPKI structures in each
certificate in the host's certificate chain. The UA will then check certificate in the host's validated certificate chain. (The UA
that the set of these fingerprints intersects the set of fingerprints ignores superfluous certificates in the chain that do not form part
in that host's Pinning Metadata. If there is set intersection, the of the validating chain.) The UA will then check that the set of
UA continues with the connection as normal. Otherwise, the UA MUST these fingerprints intersects the set of fingerprints in that host's
treat this Pin Failure as a non-recoverable error. Pinning Metadata. If there is set intersection, the UA continues
with the connection as normal. Otherwise, the UA MUST treat this Pin
Failure as a non-recoverable error.
Note that, although the UA has previously received public key pins at Note that, although the UA has previously received public key pins at
the HTTP layer, it can and MUST perform Pin Validation at the TLS the HTTP layer, it can and MUST perform Pin Validation at the TLS
layer, before beginning an HTTP conversation over the TLS channel. layer, before beginning an HTTP conversation over the TLS channel.
The TLS layer thus evaluates TLS connections with pinning information The TLS layer thus evaluates TLS connections with pinning information
the UA received previously, regardless of mechanism: statically the UA received previously, regardless of mechanism: statically
preloaded, via HTTP header, or some other means (possibly in the TLS preloaded, via HTTP header, or some other means (possibly in the TLS
layer itself). layer itself).
2.5. Interactions With Preloaded Pin Lists 2.5. Interactions With Preloaded Pin Lists
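Review bot: The rewritten first paragraph of Section 2.4 opens a parenthesis that never closes: "(This behavior is the same as that required by [hsts-draft]." Close it after the citation. In the max-age text just above, "a low or 0 value" is also loose: a low value only shortens the pinning period, so it would be clearer to say which value makes the UA stop regarding the host as a Pinned Host immediately.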
skipping to change at line 270 skipping to change at page 9, line 5
key of a secondary, not-yet-deployed key pair. The operator keeps key of a secondary, not-yet-deployed key pair. The operator keeps
the backup key pair offline, and sets a pin for it in the Public-Key- the backup key pair offline, and sets a pin for it in the Public-Key-
Pins header. Then, in case the operator loses control of their Pins header. Then, in case the operator loses control of their
primary private key, they can deploy the backup key pair. UAs, who primary private key, they can deploy the backup key pair. UAs, who
have had the backup key pair pinned (when it was set in previous have had the backup key pair pinned (when it was set in previous
Valid Pinning Headers), can connect to the host without error. Valid Pinning Headers), can connect to the host without error.
Because having a backup key pair is so important to recovery, UAs Because having a backup key pair is so important to recovery, UAs
MUST require that hosts set a Backup Pin. (See Section 2.3.) MUST require that hosts set a Backup Pin. (See Section 2.3.)
4. Usability Considerations 4. IANA Considerations
This document has no actions for IANA.
5. Usability Considerations
When pinning works to detect impostor Pinned Hosts, users will When pinning works to detect impostor Pinned Hosts, users will
experience denial of service. UAs MUST explain the reason why, i.e. experience denial of service. UAs MUST explain the reason why, i.e.
that it was impossible to verify the confirmed cryptographic identity that it was impossible to verify the confirmed cryptographic identity
of the host. of the host.
UAs MUST have a way for users to clear current pins for Pinned Hosts. UAs MUST have a way for users to clear current pins for Pinned Hosts.
UAs SHOULD have a way for users to query the current state of Pinned UAs SHOULD have a way for users to query the current state of Pinned
Hosts. Hosts.
5. Acknowledgements 6. Acknowledgements
Thanks to Jeff Hodges, Adam Langley, Nicolas Lidzborski, SM, and Yoav Thanks to Tobias Gondrom, Jeff Hodges, Adam Langley, Nicolas
Nir for suggestions and edits that clarified the text. Thanks to Lidzborski, SM, James Manger, and Yoav Nir for suggestions and edits
Trevor Perrin for suggesting a mechanism to affirmatively break pins that clarified the text. Thanks to Trevor Perrin for suggesting a
([pin-break-codes]). Adam Langley provided the SPKI fingerprint mechanism to affirmatively break pins ([pin-break-codes]). Adam
generation code. Langley provided the SPKI fingerprint generation code.
6. What's Changed 7. What's Changed
Removed the section on pin break codes and verifiers, in favor the of Removed the section on pin break codes and verifiers, in favor the of
most-recently-received policy (Section 2.3). most-recently-received policy (Section 2.3).
Now using a new header field, Public-Key-Pins, separate from HSTS. Now using a new header field, Public-Key-Pins, separate from HSTS.
This allows hosts to use pinning separately from Strict Transport This allows hosts to use pinning separately from Strict Transport
Security. Security.
Explicitly requiring that UAs perform Pin Validation before the HTTP Explicitly requiring that UAs perform Pin Validation before the HTTP
conversation begins. conversation begins.
Backup Pins are now required. Backup Pins are now required.
Separated normative from non-normative material. Removed tangential Separated normative from non-normative material. Removed tangential
and out-of-scope non-normative discussion. and out-of-scope non-normative discussion.
7. References 8. References
8.1. Normative References
[hsts-draft] [hsts-draft]
Hodges, J., Jackson, C., and A. Barth, "HTTP Strict Hodges, J., Jackson, C., and A. Barth, "HTTP Strict
Transport Security (HSTS)", October 2011, <http:// Transport Security (HSTS)", October 2011, <http://
tools.ietf.org/html/ tools.ietf.org/html/
draft-ietf-websec-strict-transport-sec-03>. draft-ietf-websec-strict-transport-sec-03>.
[why-pin-key]
Langley, A., "Public Key Pinning", May 2011,
<http://www.imperialviolet.org/2011/05/04/pinning.html>.
[pin-break-codes]
Perrin, T., "Self-Asserted Key Pinning", September 2011,
<http://trevp.net/SAKP/>.
[rfc-2119] [rfc-2119]
Bradner, S., "Key words for use in RFCs to Indicate Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", March 1997, Requirement Levels", March 1997,
<http://www.ietf.org/rfc/rfc2119.txt>. <http://www.ietf.org/rfc/rfc2119.txt>.
[rfc-2616] [rfc-2616]
Fielding, R., Gettys, J., Mogul, J., Frystyk, H., Fielding, R., Gettys, J., Mogul, J., Frystyk, H.,
Masinter, L., Leach, P., and T. Berners-Lee, "Hypertext Masinter, L., Leach, P., and T. Berners-Lee, "Hypertext
Transfer Protocol -- HTTP/1.1", June 1999, Transfer Protocol -- HTTP/1.1", June 1999,
<http://www.ietf.org/rfc/rfc2616.txt>. <http://www.ietf.org/rfc/rfc2616.txt>.
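Review bot: The new Section 4 says "This document has no actions for IANA", but Section 2.1 introduces Public-Key-Pins as a new HTTP header field, and new header fields are normally registered in the message header field registry defined by RFC 3864. Suggest replacing the sentence with a registration request for the header field name. Separately, "What's Changed" is carried over from -00 as is, including the "in favor the of" typo, and does not mention the header syntax change or the new TLS-error requirement made in this revision.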
skipping to change at line 350 skipping to change at page 13, line 43
(TLS) Protocol Version 1.2", August 2008, (TLS) Protocol Version 1.2", August 2008,
<http://www.ietf.org/rfc/rfc5246.txt>. <http://www.ietf.org/rfc/rfc5246.txt>.
[rfc-5280] [rfc-5280]
Cooper, D., Santesson, S., Farrell, S., Boeyen, S., Cooper, D., Santesson, S., Farrell, S., Boeyen, S.,
Housley, R., and W. Polk, "Internet X.509 Public Key Housley, R., and W. Polk, "Internet X.509 Public Key
Infrastructure Certificate and Certificate Revocation List Infrastructure Certificate and Certificate Revocation List
(CRL) Profile", May 2008, (CRL) Profile", May 2008,
<http://www.ietf.org/rfc/rfc5280.txt>. <http://www.ietf.org/rfc/rfc5280.txt>.
8.2. Informative References
[why-pin-key]
Langley, A., "Public Key Pinning", May 2011,
<http://www.imperialviolet.org/2011/05/04/pinning.html>.
[pin-break-codes]
Perrin, T., "Self-Asserted Key Pinning", September 2011,
<http://trevp.net/SAKP/>.
Appendix A. Fingerprint Generation Appendix A. Fingerprint Generation
This Go program generates public key fingerprints, suitable for use This Go program generates public key fingerprints, suitable for use
in pinning, from PEM-encoded certificates. It is non-normative. in pinning, from PEM-encoded certificates. It is non-normative.
package main package main
import ( import (
"io/ioutil" "io/ioutil"
"os" "os"
 End of changes. 19 change blocks. 
41 lines changed or deleted 51 lines changed or added

This html diff was produced by rfcdiff 1.41. The latest version is available from http://tools.ietf.org/tools/rfcdiff/