W3C home > Mailing lists > Public > public-webappsec@w3.org > January 2015

Re: Proposal: A pinning mechanism for CSP?

From: Mike West <mkwst@google.com>
Date: Fri, 30 Jan 2015 19:48:25 +0100
Message-ID: <CAKXHy=fiofF96eZtPyF3cFTbQdthab7x+=ViUVWS4Cz011PDkA@mail.gmail.com>
To: Deian Stefan <deian@cs.stanford.edu>
Cc: Brad Hill <hillbrad@gmail.com>, yan zhu <yan@mit.edu>, Dan Veditz <dveditz@mozilla.com>, Yan Zhu <yzhu@yahoo-inc.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>, Chris Palmer <palmer@google.com>, Ryan Sleevi <sleevi@google.com>, Frederik Braun <fbraun@mozilla.com>, Jim Manico <jim.manico@owasp.org>
#2 also happens to be what's in the draft, and #2a is trivial to add if we
decide we want it in the future.

If you don't mind, skim https://w3c.github.io/webappsec/specs/csp-pinning/
again over the weekend. I'll rebrand it on Monday, and kick off a CfC to
get a FPWD published. I believe it should fit pretty cleanly into our
charter, old or new.

Thanks!

--
Mike West <mkwst@google.com>, @mikewest

Google Germany GmbH, Dienerstrasse 12, 80331 München,
Germany, Registergericht und -nummer: Hamburg, HRB 86891, Sitz der
Gesellschaft: Hamburg, Geschäftsführer: Graham Law, Christine Elizabeth
Flores
(Sorry; I'm legally required to add this exciting detail to emails. Bleh.)

On Fri, Jan 30, 2015 at 7:26 PM, Deian Stefan <deian@cs.stanford.edu> wrote:

>
> +1
>
> I don't have a strong opinion here and #2 is a simple, clean way to move
> forward.
>
> Brad Hill <hillbrad@gmail.com> writes:
>
> > We didn't discuss it at AppSec, so you're not missing any notes.
> >
> > Hat=individual
> >
> > I like option #2, and Facebook would have real use for such a feature.
> >
> > I think Yan's use case is valid and interesting, but I don't think it's a
> > CSP pinning feature, it's a something-else meta-stable-crypto-key
> > confinement something feature, and I think both it and CSP would be
> harmed
> > by trying to shoehorn it in as CSP pinning.
> >
> > -Brad
> >
> > On Fri Jan 30 2015 at 6:06:06 AM Mike West <mkwst@google.com> wrote:
> >
> >>
> >> On Jan 30, 2015 12:56 PM, "Mike West" <mkwst@google.com> wrote:
> >> > For simplicity's sake, I'd vote for #2, with the option of moving to
> #3
> >> in the future. That 'no-override' model leaves the majority of the power
> >> with the _pin_ and not the _page_, which seems like the right tradeoff.
> >>
> >> I confused myself, apologies. I vote for #2 with the option of moving to
> >> #2a in the future. Not #3.
> >>
> >> -mike
> >>
>
Received on Friday, 30 January 2015 18:49:14 UTC

This archive was generated by hypermail 2.3.1 : Monday, 23 October 2017 14:54:09 UTC