Re: [fetch] Request for support for certificate pinning (#98)

>  even if you use SNI you can't pool connections together with other connections to different domains even if they connect to the same host, cert pinning or not.

This is based on incorrect understanding. @f0zi , you can read https://tools.ietf.org/html/rfc7540#section-9.1.1 for some of it, but everything I previously said still stands. It's absolutely valid to pool connections to different domains, so long as they have certs covering the alternative domains. Browsers have been doing this for nearly a decade.

re: explicitly bad behaviour, I mean the idea that the application is making this decision on behalf of an arbitrary third-party origin it does not control or operate. It's an inversion of control, and one with profound implications. I'm saying your use case is not valid.

> I agree that this feature is limited use but I also believe that it is also an essential security feature for a small set of use cases that can't be done otherwise.

You've not established a use case that HPKP doesn't address, other than those that intentionally violate the priority of constituencies (anti-user) or invert control of security policy.

> If I decide that I require the user to directly connect to my authentication endpoints then that is my right as service provider, and so is my right to deny the user access to my service if he does not comply, on the grounds of being unable to provide the security that the users would expect. I think this is actually good for the user.

I'm sorry, but this statement is unfortunately an example of an explicit and intentional violation of the priority of constituencies. The user's ability to access the service as they wish - perhaps with an anti-virus product installed on their machine, perhaps with a tool such as Fiddler or Wireshark to see what data the site is leaking about them, is tantamount. I'm saying if that's your use case, there's simply no reason to support it.

> You also seem to have misunderstood what I said about the root certificates.

No, I understood perfectly, but it seems we're not communicating well.

Overall, I think it can be summed up as HPKP fully exists to help the 'destination server' control their security policy. Not allowing arbitrary 'loading' servers to control that policy was very much intentional.

---
Reply to this email directly or view it on GitHub:
https://github.com/whatwg/fetch/issues/98#issuecomment-130356332

Received on Wednesday, 12 August 2015 16:04:59 UTC
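As an added illustration of the RFC 7540 section 9.1.1 reuse rule referred to above (example code written for this page, not code from the fetch spec or from either participant; the `Connection` model, the addresses and the host names are constructed for the example):

```python
import ipaddress
from dataclasses import dataclass
from typing import FrozenSet, Tuple

# Constructed model of an already-open HTTP/2 connection: the IP it was opened
# to and the DNS names in the server certificate's SAN extension (made-up data).
@dataclass(frozen=True)
class Connection:
    remote_ip: str
    san_dns_names: Tuple[str, ...]

def san_matches(pattern: str, host: str) -> bool:
    """RFC 6125-style DNS-ID matching: case-insensitive; a wildcard is only
    honoured as the entire leftmost label and matches exactly one label."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    p_labels, h_labels = pattern.split("."), host.split(".")
    # Reject 'f*o.example' (partial-label wildcard) and, conservatively,
    # '*.com'-style patterns with fewer than two labels after the wildcard.
    if p_labels[0] != "*" or "*" in pattern[1:] or len(p_labels) < 3:
        return False
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]

def cert_covers(conn: Connection, host: str) -> bool:
    return any(san_matches(name, host) for name in conn.san_dns_names)

def can_coalesce(conn: Connection, new_host: str, resolved_ips: FrozenSet[str]) -> bool:
    """RFC 7540 s9.1.1: an existing TLS connection may serve requests for another
    origin when (a) that origin's host resolves to the address the connection is
    already open to and (b) the presented certificate is valid for that host.
    Both conditions are required; neither alone is sufficient."""
    same_address = ipaddress.ip_address(conn.remote_ip) in {
        ipaddress.ip_address(ip) for ip in resolved_ips
    }
    return same_address and cert_covers(conn, new_host)
```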