[OAUTH-WG] Re: [WIMSE] New Version Notification for draft-mw-oauth-tls-session-bound-tokens-07.txt
KARTHIK RAMPALLI <karthik@glyphzerolabs.com> Sun, 05 July 2026 03:54 UTC
Return-Path: <karthik@glyphzerolabs.com>
X-Original-To: oauth@mail2.ietf.org
Delivered-To: oauth@mail2.ietf.org
Received: from localhost (localhost [127.0.0.1]) by mail2.ietf.org (Postfix) with ESMTP id E0BF910EDAA78 for <oauth@mail2.ietf.org>; Sat, 4 Jul 2026 20:54:48 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=ietf.org; s=ietf1; t=1783223688; bh=BzuYsqeoW9SFqfKwdSocXPwyRWsQ4pZ4WtsK3dWwzb0=; h=References:In-Reply-To:From:Date:Subject:To:Cc; b=XcxTWF8yIAQmR+Nt2w64w/Lp02f3Cl7zVz4k6RDguKPvYv+qbrRaNLik/VXnZV8nJ ETFMNVbO491Aqo8FHqtA5dLk3WuiC5jfuG/DpYOYGETqT3C0fFEpvX7z2EQ5a81rJK 2+Gqoj6220iMQ1u4/HTgpDEqrVDSUgXLyPaedVYs=
X-Virus-Scanned: amavisd-new at ietf.org
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level:
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: mail2.ietf.org (amavisd-new); dkim=pass (2048-bit key) header.d=glyphzerolabs-com.20251104.gappssmtp.com
Received: from mail2.ietf.org ([166.84.6.31]) by localhost (mail2.ietf.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id q1qLdfsM4_NS for <oauth@mail2.ietf.org>; Sat, 4 Jul 2026 20:54:48 -0700 (PDT)
Received: from mail-yx1-xb133.google.com (mail-yx1-xb133.google.com [IPv6:2607:f8b0:4864:20::b133]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by mail2.ietf.org (Postfix) with ESMTPS id 4B61510EDA9F4 for <oauth@ietf.org>; Sat, 4 Jul 2026 20:54:47 -0700 (PDT)
Received: by mail-yx1-xb133.google.com with SMTP id 956f58d0204a3-664b05d408bso1415217d50.1 for <oauth@ietf.org>; Sat, 04 Jul 2026 20:54:47 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1783223681; cv=none; d=google.com; s=arc-20260327; b=EsQozOSIR69uGfN9vu9aSoTk5I7AyoO7ocWzimfeEZkCh46Z6rXEPCSXdoosi3T6EZ GnRJdzlBO5ZB3v0jFKg0IjCZzSfbaerHVU44Edg12Sx7EXn8CLkzqFXrq+RstTfjqQAi b0nXpu7OMcRut69PoawaiCIjj2iCUjTnmOC2xhDUTE/f+eeo2qFcaFs1TtCq07UzW/pi SUqznxlpZJhP4+PuTh7F8u2ZBrZvynLFUZu3MYbX2gULkseskeNYnzd/grKbuV8NLA6s +0yILOEaDIDmW/jsWsJdrF3hHhfvYQ9b4qUlkqKp8YeeREpuG3PbM6+hor6NdyxkEmOf WiNQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20260327; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:dkim-signature; bh=BzuYsqeoW9SFqfKwdSocXPwyRWsQ4pZ4WtsK3dWwzb0=; fh=xlu8HWlZG86ztRPfFHwyHtxZPx328gxdBjYGk+fVtiU=; b=EUbe78u6DGx7hWOXxtcjKyl9hqBM2iusiebWdtlIAUuLPDD5H5kWN+MF5LHmPIovu+ bYxXTNauC5Md7XfMsOWhYqHb1MuVI+8V2VrizUC/vrforS5mHCbAuUCYTxOIaA8TKU7H BCcWrKd0zWhVqnem3zuOlyDKEMoun7SSW2FwcOWMgRyiPy9jB43V86to3MvlzGgX1DHj d5wKXMaeHw9UvE/OKsYSxWx8FrnwznV5OKgugJw9a06KpTqEO6zqDLSdR3sQ2usf8pTY 3iupj3fVxLH7PZ26hTVcVTm29E4kYKK6Ep+35tMOXVY/KatYByKLcpeWHWv20y9NmKWH tGzg==; darn=ietf.org
ARC-Authentication-Results: i=1; mx.google.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=glyphzerolabs-com.20251104.gappssmtp.com; s=20251104; t=1783223681; x=1783828481; darn=ietf.org; h=content-type:cc:to:subject:message-id:date:from:in-reply-to :references:mime-version:from:to:cc:subject:date:message-id:reply-to :content-type; bh=BzuYsqeoW9SFqfKwdSocXPwyRWsQ4pZ4WtsK3dWwzb0=; b=IGa/vZFHqU3JxQRidQ/M2MabuFKn0naWXMAdCPKSF6tSBTgpdhL6xF0BqfyAObzYBq cOe/JmB4rTRYAG6x7OAH3Lh0NmV8f5ghplt9YRWfTWfp79v7CQl9HJeWHN3qD8ZUDtZr fnwDDleTUZT5AgpR329dCcheshf84MwlOvtnEINOtONyOHy3JTugY3FZnR8tRbn6l/jZ g2llgu4rChGztASVZ3dZTO+oEYB66uRBIgtDkkfcMREpYdeOkKiCiN6ITd0qGriFx8s2 vWwAAI00vSZZKA/DcEqkz2oYtVLm0GMMtSCZGmDEBXE/OTwT5yMHjBFmYeWpJIbdl7Fz brkA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20251104; t=1783223681; x=1783828481; h=content-type:cc:to:subject:message-id:date:from:in-reply-to :references:mime-version:x-gm-gg:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to:content-type; bh=BzuYsqeoW9SFqfKwdSocXPwyRWsQ4pZ4WtsK3dWwzb0=; b=V+BAWjRwMvvDWXOpwoOkI3ez+gCTr0qsghR2WspMZoYaCe3r+NmxBLu9phGWDeH5L3 6UNo1vuD3mKQzkSy98jq6dQtqLVZRWdNuBUoQ9T50Ai92ayHLCKl01YGFcAQB3Uxf1AL L/K738BQllZo8f4CYn5XPUB2kCuthsBtqmwzrvukLQpLrxHACXnuwOotwjEAw+KhghE8 DaesJZt2TCmolvDOanZd7/N4gQnfs6BFJy04xgis5OoVN4hAx9+LJhezCrIXDFlDGl8y NZUKw4Z7egq5J/t1/zXYDOzGc8KrTgjtejCllOi2AqlCuiTJuXj+OiIhv7SyYdGQlaAD axtA==
X-Gm-Message-State: AOJu0YwhTw0EZWv1lPRDqAIdmolzCs9fuQklwII/ro/bD77H0U+/fKVi PcT1pPg6DAjY6Klk73y4++5pMFRDAZjcJRL1bD2urnCWWZHYEdItXxfEIu4CtUcYbH2GF34ALk8 JjiWVJladZqZ2VOYA8rTuA5UkHFuELhIAMXl2yDtX5TpatvHCtaj45v6O
X-Gm-Gg: AfdE7cnW4RsHagIORbUu1Ht/h+U0eDqIN1g7VEVDd2vRuwz/bn5J84uuRCoHAbs1zLt /juA0O9X9BqbEqqEgcWxXUKDaqOsboWe5OUNd5qgU7WErkhuHa7lXJrf/UvkH9EvqcM3Hy9e6io lw5qocEh2o4v4zLPASgkmnXph/UMXGTbBIf6OfccnIyZZmQfJtTzBQWmEZMb6LbhnUwdemaJX8U S/Ik+osR9OPWSZ3XXL7Es+wBpAe/UroJ7OT2S5K2WaS3gh/L2oQLpCrF5+lYqsxnNdEFvP+Ox7Y UFALFh5rdkDcYwybn5lvUSDSx4ni
X-Received: by 2002:a05:690e:120d:b0:664:f895:4221 with SMTP id 956f58d0204a3-66652e1d45bmr5792729d50.2.1783223681333; Sat, 04 Jul 2026 20:54:41 -0700 (PDT)
MIME-Version: 1.0
References: <178202483055.1161830.7622353127448912940@dt-datatracker-f9b87776f-8pmmg> <CAKOuegD4JP91fF_Q6StWniACZgvo9pbsecY83FBxbOMU17gRQA@mail.gmail.com> <CAK08nYZ9d51oZCmPBOLMKitbg15sCRPMtd5VA24h2zVzBZFuVQ@mail.gmail.com>
In-Reply-To: <CAK08nYZ9d51oZCmPBOLMKitbg15sCRPMtd5VA24h2zVzBZFuVQ@mail.gmail.com>
From: KARTHIK RAMPALLI <karthik@glyphzerolabs.com>
Date: Sun, 05 Jul 2026 12:54:30 +0900
X-Gm-Features: AVVi8Cc3-H3mWcyWqmnovo8SV1prJf3aGZmD0EAP_AbxsmGe45yi_ihoSTDeins
Message-ID: <CAGVw8=1Eih0aWyY7n+RfhF4MK=Z=uDMGvEU+yjsSt0FJmTCEhw@mail.gmail.com>
To: Songbo Bu <king347608@gmail.com>
Content-Type: multipart/alternative; boundary="00000000000014c88a0655d51e60"
Message-ID-Hash: U5YEW5D5MHTURZ6BAEBXJ2TIM3L53WXX
X-Message-ID-Hash: U5YEW5D5MHTURZ6BAEBXJ2TIM3L53WXX
X-MailFrom: karthik@glyphzerolabs.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-oauth.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: oauth@ietf.org, wimse@ietf.org
X-Mailman-Version: 3.3.9rc6
Precedence: list
Subject: [OAUTH-WG] Re: [WIMSE] New Version Notification for draft-mw-oauth-tls-session-bound-tokens-07.txt
List-Id: OAUTH WG <oauth.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/0syjFAvukKUTC5YpuEtKeAHgsUY>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Owner: <mailto:oauth-owner@ietf.org>
List-Post: <mailto:oauth@ietf.org>
List-Subscribe: <mailto:oauth-join@ietf.org>
List-Unsubscribe: <mailto:oauth-leave@ietf.org>
Hi Ramki, Songbo, all, Supporting Songbo's request-target-binding point, with one vocabulary suggestion from the mapping discussion elsewhere on this list: the two configurations of this draft are two different rows of a verifier's decision table, and naming them separately avoids overclaim in both directions. Without htm/htu, the Session-Binding Proof is a possession-row entry: it proves the presenter holds the mTLS key on this connection, which is a real and useful property, and exactly the possession-proving transport that draft-rampalli-cross-org-delegation-mapping-00 records as the shared dependency of the delegation-chain and human-authorization layers. What it does not do in that configuration is bind any single request: as Songbo says, the same proof authorizes any token-valid request on the connection, which matters under HTTP/2 and HTTP/3 multiplexing where one connection carries many logical tasks. With htm/htu, or a comparable per-request binding, the mechanism starts contributing to the authorization-inputs row as well: this operation, on this target, within these bounds. For agentic multi-hop deployments that is the configuration that matters, because the unit of authorization is the action, not the connection. Per-request context binding is also the design point of draft-rampalli-suradar-00, which binds each request to its action context rather than to the session; I read the two as compatible points on the same axis, with session binding as the floor and per-request binding as the profile agent deployments should pin. Songbo's verifier-order point (workload identity first, then token and session binding, then resource authorization) is the same diagnostically-separate-rows structure the mapping records, and stating it in the draft would make the composition with WIT/WPT concrete to implement. Karthik Rampalli Glyphzero, Inc. On Sun, Jun 21, 2026 at 6:09 PM Songbo Bu <king347608@gmail.com> wrote: > Hi Ramki, all, > > I read the -07 summary with the WIMSE boundary in mind. The split > makes sense to me: WIT/WPT proves workload identity at the application > layer; this draft binds the access token to the concrete TLS > connection, which is a different replay boundary. > > One implementation-facing point I would like to see tightened is > request-target binding. If `htm`/`htu` remain optional and a proof is > reusable for all requests on the same connection, the base profile is > primarily a stolen-token replay defense, not a per-request > authorization proof. That is fine, but for agent/sidecar deployments > with HTTP/2 or HTTP/3 multiplexing, reverse proxies, and multiple > logical tasks on one TLS connection, the draft should be very explicit > about when per-request claims are expected. > > Concretely, I would suggest: > > * Define the canonical form of `htu` precisely if it is used: > scheme/authority/path/query handling, percent-encoding, path > normalization, and whether a relative path is ever sufficient. > * Add guidance that deployments multiplexing distinct resources, > tenants, users, or agent tasks over one connection should use > `htm`/`htu` or a comparable request binding; otherwise the same > session proof can authorize any token-valid request on that > connection. > * In the WIMSE section, say explicitly that the verifier order is > workload identity/attestation first, then token/session binding, then > resource authorization. That makes the composition with WIT/WPT easier > to implement. > > This does not change the core mechanism. It just keeps the security > boundary clear for the agentic multi-hop case that motivates the > draft. > > Best, > Songbo > > > On Sun, 21 Jun 2026 00:30:27 -0700, Ramki Krishnan <ramkri123@gmail.com> > wrote: > > Dear All, > > > > Cross-posting to wimse@: §5 positions this draft as complementary to > WIMSE WIT/WPT — WIT/WPT proves workload identity at the application layer; > this draft binds the OAuth token to the specific TLS connection. > > > > -07 is available: > https://datatracker.ietf.org/doc/draft-mw-oauth-tls-session-bound-tokens/ > > > > What it is. A PoP profile for OAuth 2.0 access tokens, scoped to mTLS > deployments where the verifier is a direct TLS endpoint or co-located > sidecar. The primary motivation is bearer-token replay in autonomous > multi-hop agentic AI workflows, where RFC 8693 delegation chains amplify > the consequences of any single token compromise. The Session-Binding Proof > binds a token to the current TLS connection via the TLS Exporter (RFC 5705 > / RFC 8446 §7.5), amortized to one signature per (token, connection) pair. > > > > What it isn't. Not a revival of TLS Token Binding (RFC 8471–8473): no > new TLS extension, no persistent client keys, binding scoped to the TLS > session. Not for browsers (EKM not exposed to JavaScript). Not for remote > TLS termination. All explicitly out of scope, stated up front in §1. > > > > Why not per-hop DPoP + RFC 8693. Per-hop DPoP can gate chain extension; > this draft doesn't claim otherwise. Session binding is structurally > stronger on three axes (§5.2.1, new in -07): key custody outside the agent > runtime, attestation provenance of the binding key, and N vs. N×M > signatures across multi-hop chains. > > > > Threat model (§6). T1–T5 unchanged. New T6: stolen-token chain extension > at the authorization server (AS) — a stolen session-bound token cannot be > exchanged for a successor without possession of the binding key. Composes > with draft-mw-oauth-actor-chain for the AS-visible prior-hop evidence half > of the multi-hop story. > > > > Implementation Status (RFC 7942) added in §10. Feedback particularly > welcome on §5.2.1, T6, the cross-protocol key reuse analysis (§6), and the > WIMSE/OAuth boundary articulation (§5). > > > > Thanks, Ramki (on behalf of the co-authors) > > > > ---------- Forwarded message --------- > > From: <internet-drafts@ietf.org> > > Date: Sat, Jun 20, 2026 at 11:53 PM > > Subject: New Version Notification for > draft-mw-oauth-tls-session-bound-tokens-07.txt > > To: Diego R. Lopez <diego.r.lopez@telefonica.com>, A Prasad < > a.prasad@oracle.com>, Ramki Krishnan <ramkri123@gmail.com>, Srinivasa > Addepalli <srinivasa.addepalli@aryaka.com> > > > > A new version of Internet-Draft > draft-mw-oauth-tls-session-bound-tokens-07.txt > > > > has been successfully submitted by ramki krishnan and posted to the > > > > IETF repository. > > > > Name: draft-mw-oauth-tls-session-bound-tokens > > > > Revision: 07 > > > > Title: TLS-Session-Bound Access Tokens for OAuth 2.0 > > > > Date: 2026-06-20 > > > > Group: Individual Submission > > > > Pages: 45 > > > > URL: > https://www.ietf.org/archive/id/draft-mw-oauth-tls-session-bound-tokens-07.txt > > > > Status: > https://datatracker.ietf.org/doc/draft-mw-oauth-tls-session-bound-tokens/ > > > > HTML: > https://www.ietf.org/archive/id/draft-mw-oauth-tls-session-bound-tokens-07.html > > > > HTMLized: > https://datatracker.ietf.org/doc/html/draft-mw-oauth-tls-session-bound-tokens > > > > Diff: > https://author-tools.ietf.org/iddiff?url2=draft-mw-oauth-tls-session-bound-tokens-07 > > > > Abstract: > > > > This document defines a mechanism for binding OAuth 2.0 access tokens > > > > to a specific mutual TLS (mTLS) connection. The binding is achieved > > > > through a proof token that incorporates the TLS Exporter value (RFC > > > > 5705) derived from the current connection and an access token hash, > > > > signed by the client's private key corresponding to its mTLS > > > > certificate. This mechanism prevents stolen bearer tokens from being > > > > replayed on a different TLS connection. The proof is constructed > > > > once per (token, connection) pair and reused across all requests on > > > > that connection, delivering session binding with no per-request > > > > signing overhead and no additional key management beyond what mTLS > > > > already provides. The mechanism is applicable to TLS 1.2, TLS 1.3, > > > > and QUIC transports. While applicable to any OAuth 2.0 access token > > > > presented over mTLS, this specification is primarily motivated by the > > > > OAuth 2.0 Token Exchange protocol (RFC 8693), where multi-hop > > > > delegation chains in autonomous, agent-driven architectures create > > > > elevated replay risk. > > > > The IETF Secretariat > > > > -- > > > > Thanks, > > Ramki > > -- > WIMSE mailing list -- wimse@ietf.org > To unsubscribe send an email to wimse-leave@ietf.org >
- [OAUTH-WG] New Version Notification for draft-mw-… Ramki Krishnan
- [OAUTH-WG] [WIMSE] New Version Notification for d… Songbo Bu
- [OAUTH-WG] Re: [WIMSE] New Version Notification f… KARTHIK RAMPALLI