draft-ietf-websec-key-pinning-16.txt   draft-ietf-websec-key-pinning-17.txt 
Web Security C. Evans Web Security C. Evans
Internet-Draft C. Palmer Internet-Draft C. Palmer
Intended status: Standards Track R. Sleevi Intended status: Standards Track R. Sleevi
Expires: December 27, 2014 Google, Inc. Expires: December 27, 2014 Google, Inc.
June 25, 2014 June 25, 2014
Public Key Pinning Extension for HTTP Public Key Pinning Extension for HTTP
draft-ietf-websec-key-pinning-16 draft-ietf-websec-key-pinning-17
Abstract Abstract
This memo describes an extension to the HTTP protocol allowing web This memo describes an extension to the HTTP protocol allowing web
host operators to instruct user agents to remember ("pin") the hosts' host operators to instruct user agents to remember ("pin") the hosts'
cryptographic identities for a given period of time. During that cryptographic identities for a given period of time. During that
time, UAs will require that the host present a certificate chain time, UAs will require that the host present a certificate chain
including at least one Subject Public Key Info structure whose including at least one Subject Public Key Info structure whose
fingerprint matches one of the pinned fingerprints for that host. By fingerprint matches one of the pinned fingerprints for that host. By
effectively reducing the number of authorities who can authenticate effectively reducing the number of authorities who can authenticate
skipping to change at page 11, line 28 skipping to change at page 11, line 28
An SPKI Fingerprint is defined as the output of a known cryptographic An SPKI Fingerprint is defined as the output of a known cryptographic
hash algorithm whose input is the DER-encoded ASN.1 representation of hash algorithm whose input is the DER-encoded ASN.1 representation of
the subjectPublicKeyInfo (SPKI) field of an X.509 certificate. A Pin the subjectPublicKeyInfo (SPKI) field of an X.509 certificate. A Pin
is defined as the combination of the known algorithm identifier and is defined as the combination of the known algorithm identifier and
the SPKI Fingerprint computed using that algorithm. the SPKI Fingerprint computed using that algorithm.
The SPKI Fingerprint is encoded in base 64 for use in an HTTP header. The SPKI Fingerprint is encoded in base 64 for use in an HTTP header.
(See [RFC4648].) (See [RFC4648].)
In this version of the specification, the known cryptographic hash In this version of the specification, the known cryptographic hash
algorithm is SHA-256, identified as "sha256" ([RFC4634]). (Future algorithm is SHA-256, identified as "sha256" ([RFC6234]). (Future
versions of this specification may add new algorithms and deprecate versions of this specification may add new algorithms and deprecate
old ones.) UAs MUST ignore Pins for which they do not recognize the old ones.) UAs MUST ignore Pins for which they do not recognize the
algorithm identifier. UAs MUST continue to process the rest of a PKP algorithm identifier. UAs MUST continue to process the rest of a PKP
response header field and note Pins for algorithms they do recognize; response header field and note Pins for algorithms they do recognize;
UAs MUST recognize "sha256". UAs MUST recognize "sha256".
Figure 4 reproduces the definition of the SubjectPublicKeyInfo Figure 4 reproduces the definition of the SubjectPublicKeyInfo
structure in [RFC5280]. structure in [RFC5280].
SubjectPublicKeyInfo ::= SEQUENCE { SubjectPublicKeyInfo ::= SEQUENCE {
skipping to change at page 23, line 46 skipping to change at page 23, line 46
[RFC3339] Klyne, G., Ed. and C. Newman, "Date and Time on the [RFC3339] Klyne, G., Ed. and C. Newman, "Date and Time on the
Internet: Timestamps", RFC 3339, July 2002. Internet: Timestamps", RFC 3339, July 2002.
[RFC3986] Berners-Lee, T., Fielding, R., and L. Masinter, "Uniform [RFC3986] Berners-Lee, T., Fielding, R., and L. Masinter, "Uniform
Resource Identifier (URI): Generic Syntax", STD 66, RFC Resource Identifier (URI): Generic Syntax", STD 66, RFC
3986, January 2005. 3986, January 2005.
[RFC4627] Crockford, D., "The application/json Media Type for [RFC4627] Crockford, D., "The application/json Media Type for
JavaScript Object Notation (JSON)", RFC 4627, July 2006. JavaScript Object Notation (JSON)", RFC 4627, July 2006.
[RFC4634] Eastlake, D. and T. Hansen, "US Secure Hash Algorithms
(SHA and HMAC-SHA)", RFC 4634, July 2006.
[RFC4648] Josefsson, S., "The Base16, Base32, and Base64 Data [RFC4648] Josefsson, S., "The Base16, Base32, and Base64 Data
Encodings", RFC 4648, October 2006. Encodings", RFC 4648, October 2006.
[RFC5234] Crocker, D. and P. Overell, "Augmented BNF for Syntax [RFC5234] Crocker, D. and P. Overell, "Augmented BNF for Syntax
Specifications: ABNF", STD 68, RFC 5234, January 2008. Specifications: ABNF", STD 68, RFC 5234, January 2008.
[RFC5246] Dierks, T. and E. Rescorla, "The Transport Layer Security [RFC5246] Dierks, T. and E. Rescorla, "The Transport Layer Security
(TLS) Protocol Version 1.2", RFC 5246, August 2008. (TLS) Protocol Version 1.2", RFC 5246, August 2008.
[RFC5280] Cooper, D., Santesson, S., Farrell, S., Boeyen, S., [RFC5280] Cooper, D., Santesson, S., Farrell, S., Boeyen, S.,
Housley, R., and W. Polk, "Internet X.509 Public Key Housley, R., and W. Polk, "Internet X.509 Public Key
Infrastructure Certificate and Certificate Revocation List Infrastructure Certificate and Certificate Revocation List
(CRL) Profile", RFC 5280, May 2008. (CRL) Profile", RFC 5280, May 2008.
[RFC6234] Eastlake, D. and T. Hansen, "US Secure Hash Algorithms
(SHA and SHA-based HMAC and HKDF)", RFC 6234, May 2011.
[RFC6265] Barth, A., "HTTP State Management Mechanism", RFC 6265, [RFC6265] Barth, A., "HTTP State Management Mechanism", RFC 6265,
April 2011. April 2011.
[RFC6797] Hodges, J., Jackson, C., and A. Barth, "HTTP Strict [RFC6797] Hodges, J., Jackson, C., and A. Barth, "HTTP Strict
Transport Security (HSTS)", RFC 6797, November 2012. Transport Security (HSTS)", RFC 6797, November 2012.
[RFC7230] Fielding, R. and J. Reschke, "Hypertext Transfer Protocol [RFC7230] Fielding, R. and J. Reschke, "Hypertext Transfer Protocol
(HTTP/1.1): Message Syntax and Routing", RFC 7230, June (HTTP/1.1): Message Syntax and Routing", RFC 7230, June
2014. 2014.
 End of changes. 4 change blocks. 
5 lines changed or deleted 5 lines changed or added

This html diff was produced by rfcdiff 1.41. The latest version is available from http://tools.ietf.org/tools/rfcdiff/