
Certificate Pinning #8

Open
dmfs opened this issue Jun 22, 2016 · 2 comments
Comments


dmfs commented Jun 22, 2016

The current draft has a certificate member, presumably to support some kind of certificate pinning.

Since the latest draft was published, a new RFC has been published to specify a Public Key Pinning Extension for HTTP (RFC 7469).

I think if we want to support certificate pinning we should use a JSON representation of the data model of RFC 7469. That way the auto configuration document could be used to "bootstrap" certificate pinning for the services (possibly not only HTTP based services, but all of them).

The only weak points would be (the initial connections to) the Webfinger & configuration document endpoints then.


dmfs commented Jun 22, 2016

There is a proposal to solve the first connection issue using DNS: https://tools.ietf.org/html/draft-hallambaker-webseccaa-00
Not sure if that is still being worked on.


dmfs commented Jun 22, 2016

Here is a proposal of how the pinning property could look. A service record MAY have a "public-key-pins" member that's an array of "pin" objects. Each pin object has a "hash-algorithm", a "hash-value" and a "max-age" and optionally a "report-only" and "report-uri" member.

{
  "ttl": 2592000,
  "provider": {
    "name": "Your Provider",
    "image": "https://yourprovider.example.com/icon.png",
    "services": [
      {
        "name": "Calendars",
        "service-type": "caldav",
        "uri": "https://caldav.example.com",
        "public-key-pins": [
          {
            "hash-algorithm": "sha256",
            "hash-value": "E9CZ9INDbd+2eRQozYqqbQ2yXLVKB9+xcprMF+44U1g=",
            "max-age": 2592000,
            "report-only": true,
            "report-uri": "http://example.com/pkp-report"
          },
          {
            "hash-algorithm": "sha256",
            "hash-value": "LPJNul+wow4m6DsqxbninhsWHlwfp0JecwQzYpOLmCQ=",
            "max-age": 2592000
          }
        ]
      },
      {
        "name": "Contacts",
        "service-type": "carddav",
        "uri": "https://carddav.example.com",
        "public-key-pins": [
          {
            "hash-algorithm": "sha256",
            "hash-value": "E9CZ9INDbd+2eRQozYqqbQ2yXLVKB9+xcprMF+44U1g=",
            "max-age": 2592000,
            "report-only": true,
            "report-uri": "http://example.com/pkp-report"
          },
          {
            "hash-algorithm": "sha256",
            "hash-value": "LPJNul+wow4m6DsqxbninhsWHlwfp0JecwQzYpOLmCQ=",
            "max-age": 2592000
          }
        ]
      }
    ]
  }
}
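To show how a client would consume the "public-key-pins" member proposed above, here is an added example (not code from the issue or the project): it validates the pin objects, computes RFC 7469-style pins (base64 of the SHA-256 digest over the DER-encoded SubjectPublicKeyInfo) and runs pin validation against a served chain. The sample document and SPKI byte strings are constructed; obtaining the SPKI DER from the TLS stack is assumed, and treating report-only per pin (connection blocked only when no pin matches and at least one pin is enforcing) is an interpretation of the proposal.

```python
import base64
import hashlib
import json

# Constructed provider document in the shape proposed above (hash values are placeholders, not real pins).
SAMPLE_DOC = json.loads("""{"ttl": 2592000, "provider": {"name": "Example", "services": [{
  "name": "Calendars", "service-type": "caldav", "uri": "https://caldav.example.com",
  "public-key-pins": [
    {"hash-algorithm": "sha256", "hash-value": "E9CZ9INDbd+2eRQozYqqbQ2yXLVKB9+xcprMF+44U1g=",
     "max-age": 2592000, "report-only": true, "report-uri": "https://example.com/pkp-report"},
    {"hash-algorithm": "sha256", "hash-value": "LPJNul+wow4m6DsqxbninhsWHlwfp0JecwQzYpOLmCQ=",
     "max-age": 2592000}]}]}}""")

DIGEST_LEN = {"sha256": 32}  # RFC 7469 defines only sha256 pins


def spki_pin(spki_der: bytes, algorithm: str = "sha256") -> str:
    """Pin as in RFC 7469: base64 of the digest over the DER-encoded SubjectPublicKeyInfo."""
    return base64.b64encode(hashlib.new(algorithm, spki_der).digest()).decode("ascii")


def parse_pins(doc: dict, service_type: str) -> list:
    """Collect pin objects for one service type, rejecting malformed entries instead of trusting them."""
    pins = []
    for svc in doc["provider"]["services"]:
        if svc.get("service-type") != service_type:
            continue
        for pin in svc.get("public-key-pins", []):
            alg = pin.get("hash-algorithm")
            if alg not in DIGEST_LEN:
                raise ValueError(f"unsupported hash-algorithm: {alg!r}")
            if len(base64.b64decode(pin["hash-value"], validate=True)) != DIGEST_LEN[alg]:
                raise ValueError("hash-value length does not match hash-algorithm")
            if not isinstance(pin.get("max-age"), int) or pin["max-age"] < 0:
                raise ValueError("max-age must be a non-negative integer")
            pins.append({"hash-algorithm": alg, "hash-value": pin["hash-value"], "max-age": pin["max-age"],
                         "report-only": bool(pin.get("report-only", False)), "report-uri": pin.get("report-uri")})
    return pins


def validate_chain(pins: list, chain_spki_der: list) -> dict:
    """Pin validation per RFC 7469: pass if any pin matches any SPKI in the served chain.
    On failure the connection proceeds only when every pin is report-only; report URIs are returned."""
    matched = any(spki_pin(spki, p["hash-algorithm"]) == p["hash-value"]
                  for p in pins for spki in chain_spki_der)
    if matched or not pins:
        return {"connect": True, "reports": []}
    return {"connect": all(p["report-only"] for p in pins),
            "reports": sorted({p["report-uri"] for p in pins if p["report-only"] and p["report-uri"]})}
```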
