ietf-smtp

[ietf-smtp] certificate pinning

2014-06-06 18:12:14
Now that more servers are offering STARTTLS, it would seem beneficial to
move forward towards certificate validation.

How do people feel about bringing the concept of certificate pinning from
HTTP (http://tools.ietf.org/html/draft-ietf-websec-key-pinning-13) to SMTP?

I realize there's also DANE TLSA (RFC 6698), but that has a requirement on
DNSSEC that may limit its deployment for some time to come.

Translating the syntax in the HTTP draft to SMTP EHLO, I would imagine
something like the following (on a second EHLO after the TLS session is started):

C: EHLO foo
S: 250-SIZE 35882577
S: 250-8BITMIME
S: 250-PKP PIN-SHA256=d6qzRu9zOECb90Uez27xWltNsj0e1Md7GkYYkVoZWmM=
S: 250-PKP PIN-SHA256=LPJNul+wow4m6DsqxbninhsWHlwfp0JecwQzYpOLmCQ=
S: 250-PKP MAX-AGE=259200
S: 250-ENHANCEDSTATUSCODES
S: 250 CHUNKING

Alternative syntaxes:
S: 250-PKPPIN SHA256 d6qzRu9zOECb90Uez27xWltNsj0e1Md7GkYYkVoZWmM=
S: 250-PKPEXPIRES 259200

Or one line:
S: 250-PKP MAX-AGE=259200 PIN-SHA256=d6qzRu9zOECb90Uez27xWltNsj0e1Md7GkYYkVoZWmM=

Brandon
_______________________________________________
ietf-smtp mailing list
ietf-smtp(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/ietf-smtp
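A client-side sketch of how a sending MTA could consume the PKP lines proposed above. This is an added example written for this page, not code from the post or from any MTA. It assumes the pin value is computed as in the HTTP key-pinning draft (base64 of the SHA-256 of the DER SubjectPublicKeyInfo); that PKP lines are honoured only on the EHLO issued after STARTTLS, since anything advertised in cleartext is attacker-controlled; that a usable pin set carries a MAX-AGE and at least one pin that does not match the presented chain (a backup pin, as the HTTP draft requires); and that the one-line form is sent as a single reply line. The host name, the SPKI byte strings and the EHLO response are constructed for the example.

```python
"""Pin parsing and enforcement for PKP-over-EHLO (added example, not from the post)."""
import base64
import hashlib
import re


def spki_pin(spki_der: bytes) -> str:
    """Pin as in the HTTP draft: base64(SHA-256(DER SubjectPublicKeyInfo))."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")


_PKP_LINE = re.compile(r"^250[- ]PKP\s+(.*)$", re.IGNORECASE)


def parse_pkp(ehlo_response: str):
    """Collect PIN-SHA256 / MAX-AGE directives from every PKP keyword line.

    Handles one directive per line and several directives on one line.
    Returns None if the server advertised no PKP lines at all.
    """
    pins, max_age, seen = set(), None, False
    for line in ehlo_response.splitlines():
        m = _PKP_LINE.match(line.strip())
        if not m:
            continue
        seen = True
        for directive in m.group(1).split():
            key, _, value = directive.partition("=")
            key = key.upper()
            if key == "PIN-SHA256":
                # A SHA-256 pin must decode to exactly 32 bytes; reject junk early.
                if len(base64.b64decode(value, validate=True)) != 32:
                    raise ValueError("bad PIN-SHA256 length")
                pins.add(value)
            elif key == "MAX-AGE":
                max_age = int(value)
    return {"pins": pins, "max_age": max_age} if seen else None


def pins_acceptable(pkp: dict, over_tls: bool, chain_pins: set) -> bool:
    """May freshly received pins be noted for this host?

    - Pins seen before STARTTLS are ignored (assumption: cleartext is untrusted).
    - MAX-AGE is required; 0 is an explicit request to forget stored pins.
    - Otherwise one pin must match the validated chain and one must not
      (a backup pin), mirroring the HTTP draft's noting rules (assumption).
    """
    if not over_tls or pkp["max_age"] is None or pkp["max_age"] < 0:
        return False
    if pkp["max_age"] == 0:
        return True
    return bool(pkp["pins"] & chain_pins) and bool(pkp["pins"] - chain_pins)


def note_pins(store: dict, host: str, pkp: dict, chain_spkis, over_tls: bool, now: float) -> bool:
    """Record pins for host after the checks above; returns whether anything changed."""
    chain_pins = {spki_pin(s) for s in chain_spkis}
    if not pins_acceptable(pkp, over_tls, chain_pins):
        return False
    if pkp["max_age"] == 0:
        store.pop(host, None)
    else:
        store[host] = {"pins": set(pkp["pins"]), "expires": now + pkp["max_age"]}
    return True


def chain_matches_pins(store: dict, host: str, chain_spkis, now: float) -> bool:
    """Enforce previously noted pins: True if none are in force or some chain SPKI is pinned."""
    entry = store.get(host)
    if entry is None or entry["expires"] <= now:
        store.pop(host, None)          # expired or never pinned: nothing to enforce
        return True
    return any(spki_pin(s) in entry["pins"] for s in chain_spkis)


# Constructed stand-ins for DER SubjectPublicKeyInfo blobs (not real keys).
SERVER_SPKI = b"constructed-spki-server"
BACKUP_SPKI = b"constructed-spki-backup"
ROGUE_SPKI = b"constructed-spki-rogue"

# EHLO response in the post's proposed syntax, pins filled in from the constructed SPKIs.
EHLO_RESPONSE = (
    "250-SIZE 35882577\r\n"
    "250-8BITMIME\r\n"
    f"250-PKP PIN-SHA256={spki_pin(SERVER_SPKI)}\r\n"
    f"250-PKP PIN-SHA256={spki_pin(BACKUP_SPKI)}\r\n"
    "250-PKP MAX-AGE=259200\r\n"
    "250-ENHANCEDSTATUSCODES\r\n"
    "250 CHUNKING\r\n"
)


def demo() -> dict:
    """Walk one host through first contact, a good chain, a rogue chain and expiry."""
    store, host, t0 = {}, "mx.example.net", 1_400_000_000.0   # constructed host/time
    pkp = parse_pkp(EHLO_RESPONSE)
    return {
        "plaintext_ignored": note_pins(store, host, pkp, [SERVER_SPKI], over_tls=False, now=t0),
        "noted": note_pins(store, host, pkp, [SERVER_SPKI], over_tls=True, now=t0),
        "good_chain": chain_matches_pins(store, host, [SERVER_SPKI], t0 + 60),
        "rogue_chain": chain_matches_pins(store, host, [ROGUE_SPKI], t0 + 60),
        "after_expiry": chain_matches_pins(store, host, [ROGUE_SPKI], t0 + 259200 + 1),
    }


if __name__ == "__main__":
    print(demo())
```

The store here is an in-memory dict keyed by host; a real MTA would persist it per destination and would still have to decide what to do on a mismatch (defer the message, or fall back to cleartext delivery), which the proposal above does not settle. Note also that first contact is trust-on-first-use: nothing is enforced until pins have been noted over a TLS session that was itself validated somehow, which is the gap that DANE TLSA closes and that pinning alone cannot.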