[Ach] Recommendations creating CSRs
azet at azet.org
Sun Sep 28 22:35:38 CEST 2014
* Hanno Böck <hanno at hboeck.de> [140928 21:26]:
> On Sun, 28 Sep 2014 20:42:41 +0200
> Aaron Zauner <azet at azet.org> wrote:
> > HTKP is basically TOFU security with a more user friendly
> > implementation. I do not see it getting
> > accepted by IETF consensus, but I might be wrong.
> > https://tools.ietf.org/html/draft-ietf-websec-key-pinning
> I recently had a look into HPKP and appart from the fact
> that it's http-only I really like it.
The idea is not bad - but yes. It's only for HTTP, which will be
obsolete anyway once the HTTPBIS working group decides how HTTP2
should look like (a year from now? not sure.).
> And - it's already usable today. It will protect your chrome users and
> firefox has announced at least plans to implement.
> Given that and the well known problems of the CA system I was quite
> surprised that a good solution exists and nobody uses this.
There are two promising protocols on the horizon the first one is
TACK, which http key pinning is based upon. TACK works not only for
HTTP but for any TLS connection. nobody in IETF seems to care. Not
sure who it was - either Moxie Marlinspike or Trevor Perrin that
replied a couple of months back on my question why TACK is still an
IETF draft "it's up to google".
To this day I haven't heard a good explaination why one would not
want to implement TACK, neither on related IETF lists, nor blogposts
nor twitter discussions on the topic of trust on the "web". Still
the Draft has since expired with almost zero traffic mentioning
TACK on related IETF lists.
The second one is Certificate Transparency which is also a beautifully
designed protocol. It was originally a Google project but since
has been moved into ani IETF working group with a solid spec and
While Googling [sic!] for the documents linked above, I also noticed
that ACM Queue published the an article describing the idea behind CT
by Ben Laurie: http://queue.acm.org/detail.cfm?id=2668154
> In case anyone's interested, I recently created a script to help
> creating the headers required for hpkp.
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 801 bytes
Desc: Digital signature
More information about the Ach