Re: [Gen-art] Gen-ART Telechat review of draft-ietf-tokbind-negotiation-11

Andrei Popov <Andrei.Popov@microsoft.com> Mon, 30 April 2018 22:00 UTC

From: Andrei Popov <Andrei.Popov@microsoft.com>
To: Paul Kyzivat <pkyzivat@alum.mit.edu>, "draft-ietf-tokbind-negotiation.all@ietf.org" <draft-ietf-tokbind-negotiation.all@ietf.org>
CC: General Area Review Team <gen-art@ietf.org>
Thread-Topic: Gen-ART Telechat review of draft-ietf-tokbind-negotiation-11
Date: Mon, 30 Apr 2018 22:00:54 +0000
Message-ID: <DM5PR21MB0507D6F0AB40E3CB0AEF15ED8C820@DM5PR21MB0507.namprd21.prod.outlook.com>
References: <b52e85fa-941b-0721-ec8a-34daf979c843@alum.mit.edu>
In-Reply-To: <b52e85fa-941b-0721-ec8a-34daf979c843@alum.mit.edu>
Archived-At: <https://mailarchive.ietf.org/arch/msg/gen-art/FRCGWjfcoS4cUahmqNGyEClKoBA>
Subject: Re: [Gen-art] Gen-ART Telechat review of draft-ietf-tokbind-negotiation-11

Hi Paul,

Thanks for the feedback.

> These don't state the precise meaning of "highest valued version".
I can clarify that the "highest valued version" means the version with the highest major and minor numbers that the client supports. Would this be clear?

> For example, if the supplied version is 3.5, what does it say about other versions supported?
As noted earlier, the client advertising version 3.5 says precisely nothing about client support for any other TB versions.
The draft currently says:
" If the client does not support the Token Binding protocol version selected by the server, then the connection proceeds without Token Binding."
I suggest the following additional language to make this clearer:
"There is no requirement for the client to support any Token Binding versions other than the one advertised in the client's "token_binding" extension."

Cheers,

Andrei

-----Original Message-----
From: Paul Kyzivat <pkyzivat@alum.mit.edu> 
Sent: Wednesday, April 18, 2018 11:43 AM
To: draft-ietf-tokbind-negotiation.all@ietf.org
Cc: General Area Review Team <gen-art@ietf.org>
Subject: Gen-ART Telechat review of draft-ietf-tokbind-negotiation-11

For IESG Evaluation reviews: I am the assigned Gen-ART reviewer for this draft. The General Area Review Team (Gen-ART) reviews all IETF documents being processed by the IESG for the IETF Chair. Please wait for direction from your document shepherd or AD before posting a new version of the draft. For more information, please see the FAQ at <http://wiki.tools.ietf.org/area/gen/trac/wiki/GenArtfaq>.

Document: draft-ietf-tokbind-negotiation-11
Reviewer: Paul Kyzivat
Review Date: 2018-04-18
IETF LC End Date: 2017-11-27
IESG Telechat date: 2018-05-08

Summary:

This draft is on the right track but has open issues, described in the review.

Issues:

Major: 0
Minor: 1
Nits:  0

(1) MINOR:

Section 2 states the following requirement:

     ... it SHOULD
     indicate the latest (highest valued) version in
     TokenBindingParameters.token_binding_version.

Section 4 states:

    The client receiving the "token_binding" extension MUST terminate the
    handshake with a fatal "unsupported_extension" alert if any of the
    following conditions are true:

    ...

    2.  "token_binding_version" is higher than the Token Binding protocol
        version advertised by the client.

These don't state the precise meaning of "highest valued version". For example, if the supplied version is 3.5, what does it say about other versions supported? Presumably it covers 3.0...3.5. But what about lower major versions? I guess it must mean that 1.0...1.x and 2.0...2.y are also supported for some value of x and y. But *what* values of x and y? All that were ever defined? And what are the rules about versions 0.n?

This use of versioning implies that a particular discipline be followed for defining new major/minor version numbers, and for implementors. But no such discipline is described.

Additional text is needed to nail all of this down.

The above restates what I included in my Last Call review of -10. In followup to that I had some discussion with the author about this but we didn't reach agreement. The author replied to me that:

"Similarly to TLS <= 1.2 version negotiation, this says nothing about any other protocol versions supported by the client. It only means that the server may respond with version X.Y where X<=3 and Y<=5. If the client happens to not support the version the server has chosen, the client will not use Token Binding on this connection."

I'm not familiar with TLS version negotiation, but I just peeked at TLS 1.2 and 1.3. I found the following from TLS 1.3 enlightening:

    -  The TLS 1.2 version negotiation mechanism has been deprecated in
       favor of a version list in an extension.  This increases
       compatibility with existing servers that incorrectly implemented
       version negotiation.

Apparently the TLS 1.2 version negotiation isn't a very good one to follow in this regard. Enumerating supported versions is more robust.

In any case this document doesn't have any text to state that the version negotiation should be the same as TLS 1.2.

So I continue to suggest that the complete mechanism for negotiating the version be specified.
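The two negotiation styles discussed in this thread, as an added worked example that is not code from the draft, from Andrei, or from Paul: the draft's scheme, in which the client advertises a single highest version and the client's Section 4 check aborts with a fatal "unsupported_extension" if the server picks something higher (otherwise proceeding without Token Binding when it does not support the chosen version, as Andrei's reply describes), beside a TLS 1.3 "supported_versions"-style list in which the client enumerates everything it supports. The TokenBindingParameters encoding (uint8 major, uint8 minor, then a one-byte-length-prefixed key_parameters_list) is taken from the draft's wire format; the `encode_version_list` layout, the `compare_schemes` helper, the key parameter value and the sample version sets are assumptions constructed for the example. Running it shows the case Paul's review points at: a client supporting 1.0 and 3.5 and a server supporting 1.0 and 3.0 end up without Token Binding under the single-version scheme, while the list scheme finds the common 1.0.

```python
"""Token Binding version negotiation: draft scheme vs. a version list.

Added example (not from the draft or the thread's authors). Versions are
(major, minor) tuples, compared lexicographically as the draft compares them.
"""
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

Version = Tuple[int, int]
KEY_PARAM = 2  # ecdsap256 in the Token Binding key parameter enum; any one value works here


@dataclass(frozen=True)
class TokenBindingParameters:
    """Body of the "token_binding" extension per the draft's wire format."""
    version: Version
    key_parameters: Tuple[int, ...]

    def encode(self) -> bytes:
        if not 1 <= len(self.key_parameters) <= 255:
            raise ValueError("key_parameters_list must hold 1..255 entries")
        return (bytes(self.version) + bytes([len(self.key_parameters)])
                + bytes(self.key_parameters))

    @classmethod
    def decode(cls, body: bytes) -> "TokenBindingParameters":
        # Too short, or a list length that disagrees with the payload, is a
        # malformed extension; a real implementation treats that as fatal.
        if len(body) < 4:
            raise ValueError("TokenBindingParameters too short")
        major, minor, n = body[0], body[1], body[2]
        params = body[3:]
        if n == 0 or len(params) != n:
            raise ValueError("key_parameters_list length mismatch")
        return cls((major, minor), tuple(params))


# --- the draft's scheme: client advertises one (highest) version ----------

def server_select(client_ext: bytes, server_versions: Set[Version]) -> Optional[bytes]:
    """Server picks the highest version it supports that does not exceed the
    client's advertised version; None means the extension is omitted."""
    client = TokenBindingParameters.decode(client_ext)
    candidates = [v for v in server_versions if v <= client.version]
    if not candidates:
        return None
    # Server answers with exactly one key parameter (simplified: the client's first).
    return TokenBindingParameters(max(candidates), client.key_parameters[:1]).encode()


def client_receive(advertised: Version, supported: Set[Version],
                   server_ext: Optional[bytes]) -> str:
    """Client-side handling of the server's "token_binding" extension.

    Returns 'fatal:unsupported_extension', 'no_token_binding' or
    'token_binding:<major>.<minor>'.
    """
    if server_ext is None:
        return "no_token_binding"
    server = TokenBindingParameters.decode(server_ext)
    # Section 4, condition 2: server chose a version above what the client advertised.
    if server.version > advertised:
        return "fatal:unsupported_extension"
    # Advertising 3.5 says nothing about 3.0..3.4 or lower majors, so the
    # selected version may simply be one the client lacks: proceed without TB.
    if server.version not in supported:
        return "no_token_binding"
    return "token_binding:%d.%d" % server.version


# --- a supported_versions-style list (TLS 1.3 approach) ------------------

def encode_version_list(versions: List[Version]) -> bytes:
    """Assumed encoding (not in the draft): one-byte count, then (major, minor) pairs."""
    return bytes([len(versions)]) + b"".join(bytes(v) for v in versions)


def server_select_from_list(client_ext: bytes, server_versions: Set[Version]) -> Optional[Version]:
    """Server picks the highest version present in both the offered list and its own set."""
    n, body = client_ext[0], client_ext[1:]
    if n == 0 or len(body) != 2 * n:
        raise ValueError("malformed version list")
    offered = [(body[2 * i], body[2 * i + 1]) for i in range(n)]
    common = [v for v in offered if v in server_versions]
    return max(common) if common else None


def compare_schemes(client_supported: Set[Version],
                    server_supported: Set[Version]) -> Tuple[str, Optional[Version]]:
    """Run the same peer capabilities through both schemes and return
    (draft-scheme outcome at the client, list-scheme version or None)."""
    advertised = max(client_supported)
    client_ext = TokenBindingParameters(advertised, (KEY_PARAM,)).encode()
    draft_outcome = client_receive(advertised, client_supported,
                                   server_select(client_ext, server_supported))
    list_ext = encode_version_list(sorted(client_supported, reverse=True))
    return draft_outcome, server_select_from_list(list_ext, server_supported)


if __name__ == "__main__":
    # Constructed sample: the client skipped 3.0..3.4, the server never got to 3.5.
    print(compare_schemes({(1, 0), (3, 5)}, {(1, 0), (3, 0)}))
```

The comparison makes the reviewer's concern concrete: under the single-version scheme the server's choice of 3.0 is legal, so no alert fires, but the connection silently loses Token Binding even though both peers share 1.0; the list scheme negotiates 1.0 because the client's actual support is on the wire.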