[cryptography] OCSP needs to be stapled, pinnable

Nico Williams nico at cryptonector.com
Thu Feb 9 19:04:31 EST 2012


On Thu, Feb 9, 2012 at 5:26 PM, Chris Palmer <snackypants at gmail.com> wrote:
> On 8 Feb 2012, at 16:38, Nico Williams wrote:
> I think the main thing is that pinning (whether of keys or of anything else) and OCSP stapling are quick hacks until we get a real certificate goodness/liveness/authorizedness publication system going (such as Certificate Transparency, Sovereign Keys, Convergence, or whatever).

If pinning is a hack then so is Convergence.  After all, Convergence
is a distributed form of pinning.

I don't think it's a good idea to dismiss pinning out of hand.  Leap
of faith learning of keys has worked reasonably well for SSH, and
users are effectively taking leaps of faith all the time on the web
anyways.  By pinning some things about their peers we can make the
leap of faith have better properties, namely to force any MITMs to
continue being there or face detection.

Besides, economics matters.  If a "hack" is good enough for 95% of
cases and cheap enough then it's better than a more elegant but also
more expensive solution.  It may well be that pinning is not a cheap
hack that works, but we've certainly not established that yet.

> Quick hacks certainly have value in the short and medium terms, but it's best to keep them simple. The semantics of pinning just keys have turned out to be weird enough, and getting an X.509 extension (or whatever) to express "always require a stapled OCSP response" will also probably turn out to be surprisingly weird, or at least amusing.

I didn't say "pin just keys".  Instead I'm proposing that certs tell
you what about them is safe to pin, and if several factors can be
pinned then how many can be expected to change before breaking the
pin.  A TLS extension can be used to warn about upcoming
discontinuities too.

> I guess I'm saying we should keep our eye on an elegant and general *solution* rather than elegantating and generalizing our *hacks*. A public log is, IMHO, the elegant and general solution.

If there was a simple, general, elegant solution we'd have had
consensus on it long ago.

Yes, I do want auditable CAs, of course.  Is that enough?  I'm not sure.

Nico
--
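
Added illustration, not part of the original message: a minimal sketch of the proposal above, in which the certificate names the factors that are safe to pin and how many may change before the pin breaks. The factor names, the `max_changes` field and the sample values are assumptions; the message defines no encoding.

```python
import hashlib
from dataclasses import dataclass, field

def digest(value: bytes) -> str:
    return hashlib.sha256(value).hexdigest()

@dataclass
class Presented:
    """One connection's view of the server cert (constructed model, not X.509)."""
    factors: dict      # factor name -> digest of its value
    pinnable: tuple    # hypothetical: factors the cert declares safe to pin
    max_changes: int   # hypothetical: pinned factors allowed to change at once

@dataclass
class PinStore:
    pins: dict = field(default_factory=dict)  # host -> (factor digests, max_changes)

    def check(self, host: str, seen: Presented) -> str:
        current = {name: seen.factors[name] for name in seen.pinnable}
        if host not in self.pins:
            # Leap of faith: first contact, record what the cert says to pin.
            self.pins[host] = (current, seen.max_changes)
            return "pinned"
        pinned, allowed = self.pins[host]
        # A pinned factor that changed or vanished counts against the allowance,
        # which comes from the stored pin, never from the cert being judged.
        changed = [n for n, v in pinned.items() if current.get(n) != v]
        if len(changed) > allowed:
            return "broken"   # discontinuity: old pin is kept, caller must alert
        self.pins[host] = (current, seen.max_changes)  # accepted cert is the new pin
        return "rotated" if changed else "ok"

def demo() -> list:
    """Constructed sample: one host, a key rotation, then a substituted cert."""
    names = ("spki", "issuer_spki", "subject")
    def cert(key, ca):
        vals = {"spki": digest(key), "issuer_spki": digest(ca),
                "subject": digest(b"www.example.test")}
        return Presented(vals, names, 1)
    store = PinStore()
    genuine, rotated = cert(b"key-1", b"ca-A"), cert(b"key-2", b"ca-A")
    substituted = cert(b"key-X", b"ca-B")
    return [store.check("www.example.test", c)
            for c in (genuine, genuine, rotated, substituted, rotated)]

if __name__ == "__main__":
    print(demo())
```

The substituted certificate changes two pinned factors at once, so it exceeds the allowance of one and leaves the stored pin untouched; the legitimate certificate still verifies on the next connection.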