[OAUTH-WG] Re: [WIMSE] New Version Notification for draft-mw-oauth-tls-session-bound-tokens-07.txt

KARTHIK RAMPALLI <karthik@glyphzerolabs.com> Sun, 05 July 2026 03:54 UTC

Return-Path: <karthik@glyphzerolabs.com>
X-Original-To: oauth@mail2.ietf.org
Delivered-To: oauth@mail2.ietf.org
Received: from localhost (localhost [127.0.0.1]) by mail2.ietf.org (Postfix) with ESMTP id E0BF910EDAA78 for <oauth@mail2.ietf.org>; Sat, 4 Jul 2026 20:54:48 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=ietf.org; s=ietf1; t=1783223688; bh=BzuYsqeoW9SFqfKwdSocXPwyRWsQ4pZ4WtsK3dWwzb0=; h=References:In-Reply-To:From:Date:Subject:To:Cc; b=XcxTWF8yIAQmR+Nt2w64w/Lp02f3Cl7zVz4k6RDguKPvYv+qbrRaNLik/VXnZV8nJ ETFMNVbO491Aqo8FHqtA5dLk3WuiC5jfuG/DpYOYGETqT3C0fFEpvX7z2EQ5a81rJK 2+Gqoj6220iMQ1u4/HTgpDEqrVDSUgXLyPaedVYs=
X-Virus-Scanned: amavisd-new at ietf.org
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level:
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: mail2.ietf.org (amavisd-new); dkim=pass (2048-bit key) header.d=glyphzerolabs-com.20251104.gappssmtp.com
Received: from mail2.ietf.org ([166.84.6.31]) by localhost (mail2.ietf.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id q1qLdfsM4_NS for <oauth@mail2.ietf.org>; Sat, 4 Jul 2026 20:54:48 -0700 (PDT)
Received: from mail-yx1-xb133.google.com (mail-yx1-xb133.google.com [IPv6:2607:f8b0:4864:20::b133]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by mail2.ietf.org (Postfix) with ESMTPS id 4B61510EDA9F4 for <oauth@ietf.org>; Sat, 4 Jul 2026 20:54:47 -0700 (PDT)
Received: by mail-yx1-xb133.google.com with SMTP id 956f58d0204a3-664b05d408bso1415217d50.1 for <oauth@ietf.org>; Sat, 04 Jul 2026 20:54:47 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1783223681; cv=none; d=google.com; s=arc-20260327; b=EsQozOSIR69uGfN9vu9aSoTk5I7AyoO7ocWzimfeEZkCh46Z6rXEPCSXdoosi3T6EZ GnRJdzlBO5ZB3v0jFKg0IjCZzSfbaerHVU44Edg12Sx7EXn8CLkzqFXrq+RstTfjqQAi b0nXpu7OMcRut69PoawaiCIjj2iCUjTnmOC2xhDUTE/f+eeo2qFcaFs1TtCq07UzW/pi SUqznxlpZJhP4+PuTh7F8u2ZBrZvynLFUZu3MYbX2gULkseskeNYnzd/grKbuV8NLA6s +0yILOEaDIDmW/jsWsJdrF3hHhfvYQ9b4qUlkqKp8YeeREpuG3PbM6+hor6NdyxkEmOf WiNQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20260327; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:dkim-signature; bh=BzuYsqeoW9SFqfKwdSocXPwyRWsQ4pZ4WtsK3dWwzb0=; fh=xlu8HWlZG86ztRPfFHwyHtxZPx328gxdBjYGk+fVtiU=; b=EUbe78u6DGx7hWOXxtcjKyl9hqBM2iusiebWdtlIAUuLPDD5H5kWN+MF5LHmPIovu+ bYxXTNauC5Md7XfMsOWhYqHb1MuVI+8V2VrizUC/vrforS5mHCbAuUCYTxOIaA8TKU7H BCcWrKd0zWhVqnem3zuOlyDKEMoun7SSW2FwcOWMgRyiPy9jB43V86to3MvlzGgX1DHj d5wKXMaeHw9UvE/OKsYSxWx8FrnwznV5OKgugJw9a06KpTqEO6zqDLSdR3sQ2usf8pTY 3iupj3fVxLH7PZ26hTVcVTm29E4kYKK6Ep+35tMOXVY/KatYByKLcpeWHWv20y9NmKWH tGzg==; darn=ietf.org
ARC-Authentication-Results: i=1; mx.google.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=glyphzerolabs-com.20251104.gappssmtp.com; s=20251104; t=1783223681; x=1783828481; darn=ietf.org; h=content-type:cc:to:subject:message-id:date:from:in-reply-to :references:mime-version:from:to:cc:subject:date:message-id:reply-to :content-type; bh=BzuYsqeoW9SFqfKwdSocXPwyRWsQ4pZ4WtsK3dWwzb0=; b=IGa/vZFHqU3JxQRidQ/M2MabuFKn0naWXMAdCPKSF6tSBTgpdhL6xF0BqfyAObzYBq cOe/JmB4rTRYAG6x7OAH3Lh0NmV8f5ghplt9YRWfTWfp79v7CQl9HJeWHN3qD8ZUDtZr fnwDDleTUZT5AgpR329dCcheshf84MwlOvtnEINOtONyOHy3JTugY3FZnR8tRbn6l/jZ g2llgu4rChGztASVZ3dZTO+oEYB66uRBIgtDkkfcMREpYdeOkKiCiN6ITd0qGriFx8s2 vWwAAI00vSZZKA/DcEqkz2oYtVLm0GMMtSCZGmDEBXE/OTwT5yMHjBFmYeWpJIbdl7Fz brkA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20251104; t=1783223681; x=1783828481; h=content-type:cc:to:subject:message-id:date:from:in-reply-to :references:mime-version:x-gm-gg:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to:content-type; bh=BzuYsqeoW9SFqfKwdSocXPwyRWsQ4pZ4WtsK3dWwzb0=; b=V+BAWjRwMvvDWXOpwoOkI3ez+gCTr0qsghR2WspMZoYaCe3r+NmxBLu9phGWDeH5L3 6UNo1vuD3mKQzkSy98jq6dQtqLVZRWdNuBUoQ9T50Ai92ayHLCKl01YGFcAQB3Uxf1AL L/K738BQllZo8f4CYn5XPUB2kCuthsBtqmwzrvukLQpLrxHACXnuwOotwjEAw+KhghE8 DaesJZt2TCmolvDOanZd7/N4gQnfs6BFJy04xgis5OoVN4hAx9+LJhezCrIXDFlDGl8y NZUKw4Z7egq5J/t1/zXYDOzGc8KrTgjtejCllOi2AqlCuiTJuXj+OiIhv7SyYdGQlaAD axtA==
X-Gm-Message-State: AOJu0YwhTw0EZWv1lPRDqAIdmolzCs9fuQklwII/ro/bD77H0U+/fKVi PcT1pPg6DAjY6Klk73y4++5pMFRDAZjcJRL1bD2urnCWWZHYEdItXxfEIu4CtUcYbH2GF34ALk8 JjiWVJladZqZ2VOYA8rTuA5UkHFuELhIAMXl2yDtX5TpatvHCtaj45v6O
X-Gm-Gg: AfdE7cnW4RsHagIORbUu1Ht/h+U0eDqIN1g7VEVDd2vRuwz/bn5J84uuRCoHAbs1zLt /juA0O9X9BqbEqqEgcWxXUKDaqOsboWe5OUNd5qgU7WErkhuHa7lXJrf/UvkH9EvqcM3Hy9e6io lw5qocEh2o4v4zLPASgkmnXph/UMXGTbBIf6OfccnIyZZmQfJtTzBQWmEZMb6LbhnUwdemaJX8U S/Ik+osR9OPWSZ3XXL7Es+wBpAe/UroJ7OT2S5K2WaS3gh/L2oQLpCrF5+lYqsxnNdEFvP+Ox7Y UFALFh5rdkDcYwybn5lvUSDSx4ni
X-Received: by 2002:a05:690e:120d:b0:664:f895:4221 with SMTP id 956f58d0204a3-66652e1d45bmr5792729d50.2.1783223681333; Sat, 04 Jul 2026 20:54:41 -0700 (PDT)
MIME-Version: 1.0
References: <178202483055.1161830.7622353127448912940@dt-datatracker-f9b87776f-8pmmg> <CAKOuegD4JP91fF_Q6StWniACZgvo9pbsecY83FBxbOMU17gRQA@mail.gmail.com> <CAK08nYZ9d51oZCmPBOLMKitbg15sCRPMtd5VA24h2zVzBZFuVQ@mail.gmail.com>
In-Reply-To: <CAK08nYZ9d51oZCmPBOLMKitbg15sCRPMtd5VA24h2zVzBZFuVQ@mail.gmail.com>
From: KARTHIK RAMPALLI <karthik@glyphzerolabs.com>
Date: Sun, 05 Jul 2026 12:54:30 +0900
X-Gm-Features: AVVi8Cc3-H3mWcyWqmnovo8SV1prJf3aGZmD0EAP_AbxsmGe45yi_ihoSTDeins
Message-ID: <CAGVw8=1Eih0aWyY7n+RfhF4MK=Z=uDMGvEU+yjsSt0FJmTCEhw@mail.gmail.com>
To: Songbo Bu <king347608@gmail.com>
Content-Type: multipart/alternative; boundary="00000000000014c88a0655d51e60"
Message-ID-Hash: U5YEW5D5MHTURZ6BAEBXJ2TIM3L53WXX
X-Message-ID-Hash: U5YEW5D5MHTURZ6BAEBXJ2TIM3L53WXX
X-MailFrom: karthik@glyphzerolabs.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-oauth.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: oauth@ietf.org, wimse@ietf.org
X-Mailman-Version: 3.3.9rc6
Precedence: list
Subject: [OAUTH-WG] Re: [WIMSE] New Version Notification for draft-mw-oauth-tls-session-bound-tokens-07.txt
List-Id: OAUTH WG <oauth.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/0syjFAvukKUTC5YpuEtKeAHgsUY>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Owner: <mailto:oauth-owner@ietf.org>
List-Post: <mailto:oauth@ietf.org>
List-Subscribe: <mailto:oauth-join@ietf.org>
List-Unsubscribe: <mailto:oauth-leave@ietf.org>

Hi Ramki, Songbo, all,

Supporting Songbo's request-target-binding point, with one vocabulary
suggestion from the mapping discussion elsewhere on this list: the two
configurations of this draft are two different rows of a verifier's
decision table, and naming them separately avoids overclaim in both
directions.

Without htm/htu, the Session-Binding Proof is a possession-row entry: it
proves the presenter holds the mTLS key on this connection, which is a real
and useful property, and exactly the possession-proving transport
that draft-rampalli-cross-org-delegation-mapping-00 records as the shared
dependency of the delegation-chain and human-authorization layers. What it
does not do in that configuration is bind any single request: as Songbo
says, the same proof authorizes any token-valid request on the connection,
which matters under HTTP/2 and HTTP/3 multiplexing where one connection
carries many logical tasks.

With htm/htu, or a comparable per-request binding, the mechanism starts
contributing to the authorization-inputs row as well: this operation, on
this target, within these bounds. For agentic multi-hop deployments that is
the configuration that matters, because the unit of authorization is the
action, not the connection. Per-request context binding is also the design
point of draft-rampalli-suradar-00, which binds each request to its action
context rather than to the session; I read the two as compatible points on
the same axis, with session binding as the floor and per-request binding as
the profile agent deployments should pin.

Songbo's verifier-order point (workload identity first, then token and
session binding, then resource authorization) is the same
diagnostically-separate-rows structure the mapping records, and stating it
in the draft would make the composition with WIT/WPT concrete to implement.

Karthik Rampalli
Glyphzero, Inc.

On Sun, Jun 21, 2026 at 6:09 PM Songbo Bu <king347608@gmail.com> wrote:

> Hi Ramki, all,
>
> I read the -07 summary with the WIMSE boundary in mind. The split
> makes sense to me: WIT/WPT proves workload identity at the application
> layer; this draft binds the access token to the concrete TLS
> connection, which is a different replay boundary.
>
> One implementation-facing point I would like to see tightened is
> request-target binding. If `htm`/`htu` remain optional and a proof is
> reusable for all requests on the same connection, the base profile is
> primarily a stolen-token replay defense, not a per-request
> authorization proof. That is fine, but for agent/sidecar deployments
> with HTTP/2 or HTTP/3 multiplexing, reverse proxies, and multiple
> logical tasks on one TLS connection, the draft should be very explicit
> about when per-request claims are expected.
>
> Concretely, I would suggest:
>
> * Define the canonical form of `htu` precisely if it is used:
> scheme/authority/path/query handling, percent-encoding, path
> normalization, and whether a relative path is ever sufficient.
> * Add guidance that deployments multiplexing distinct resources,
> tenants, users, or agent tasks over one connection should use
> `htm`/`htu` or a comparable request binding; otherwise the same
> session proof can authorize any token-valid request on that
> connection.
> * In the WIMSE section, say explicitly that the verifier order is
> workload identity/attestation first, then token/session binding, then
> resource authorization. That makes the composition with WIT/WPT easier
> to implement.
>
> This does not change the core mechanism. It just keeps the security
> boundary clear for the agentic multi-hop case that motivates the
> draft.
>
> Best,
> Songbo
>
>
> On Sun, 21 Jun 2026 00:30:27 -0700, Ramki Krishnan <ramkri123@gmail.com>
> wrote:
> > Dear All,
> >
> > Cross-posting to wimse@: §5 positions this draft as complementary to
> WIMSE WIT/WPT — WIT/WPT proves workload identity at the application layer;
> this draft binds the OAuth token to the specific TLS connection.
> >
> > -07 is available:
> https://datatracker.ietf.org/doc/draft-mw-oauth-tls-session-bound-tokens/
> >
> > What it is. A PoP profile for OAuth 2.0 access tokens, scoped to mTLS
> deployments where the verifier is a direct TLS endpoint or co-located
> sidecar. The primary motivation is bearer-token replay in autonomous
> multi-hop agentic AI workflows, where RFC 8693 delegation chains amplify
> the consequences of any single token compromise. The Session-Binding Proof
> binds a token to the current TLS connection via the TLS Exporter (RFC 5705
> / RFC 8446 §7.5), amortized to one signature per (token, connection) pair.
> >
> > What it isn't. Not a revival of TLS Token Binding (RFC 8471–8473): no
> new TLS extension, no persistent client keys, binding scoped to the TLS
> session. Not for browsers (EKM not exposed to JavaScript). Not for remote
> TLS termination. All explicitly out of scope, stated up front in §1.
> >
> > Why not per-hop DPoP + RFC 8693. Per-hop DPoP can gate chain extension;
> this draft doesn't claim otherwise. Session binding is structurally
> stronger on three axes (§5.2.1, new in -07): key custody outside the agent
> runtime, attestation provenance of the binding key, and N vs. N×M
> signatures across multi-hop chains.
> >
> > Threat model (§6). T1–T5 unchanged. New T6: stolen-token chain extension
> at the authorization server (AS) — a stolen session-bound token cannot be
> exchanged for a successor without possession of the binding key. Composes
> with draft-mw-oauth-actor-chain for the AS-visible prior-hop evidence half
> of the multi-hop story.
> >
> > Implementation Status (RFC 7942) added in §10. Feedback particularly
> welcome on §5.2.1, T6, the cross-protocol key reuse analysis (§6), and the
> WIMSE/OAuth boundary articulation (§5).
> >
> > Thanks, Ramki (on behalf of the co-authors)
> >
> > ---------- Forwarded message ---------
> > From: <internet-drafts@ietf.org>
> > Date: Sat, Jun 20, 2026 at 11:53 PM
> > Subject: New Version Notification for
> draft-mw-oauth-tls-session-bound-tokens-07.txt
> > To: Diego R. Lopez <diego.r.lopez@telefonica.com>, A Prasad <
> a.prasad@oracle.com>, Ramki Krishnan <ramkri123@gmail.com>, Srinivasa
> Addepalli <srinivasa.addepalli@aryaka.com>
> >
> > A new version of Internet-Draft
> draft-mw-oauth-tls-session-bound-tokens-07.txt
> >
> > has been successfully submitted by ramki krishnan and posted to the
> >
> > IETF repository.
> >
> > Name: draft-mw-oauth-tls-session-bound-tokens
> >
> > Revision: 07
> >
> > Title: TLS-Session-Bound Access Tokens for OAuth 2.0
> >
> > Date: 2026-06-20
> >
> > Group: Individual Submission
> >
> > Pages: 45
> >
> > URL:
> https://www.ietf.org/archive/id/draft-mw-oauth-tls-session-bound-tokens-07.txt
> >
> > Status:
> https://datatracker.ietf.org/doc/draft-mw-oauth-tls-session-bound-tokens/
> >
> > HTML:
> https://www.ietf.org/archive/id/draft-mw-oauth-tls-session-bound-tokens-07.html
> >
> > HTMLized:
> https://datatracker.ietf.org/doc/html/draft-mw-oauth-tls-session-bound-tokens
> >
> > Diff:
> https://author-tools.ietf.org/iddiff?url2=draft-mw-oauth-tls-session-bound-tokens-07
> >
> > Abstract:
> >
> > This document defines a mechanism for binding OAuth 2.0 access tokens
> >
> > to a specific mutual TLS (mTLS) connection. The binding is achieved
> >
> > through a proof token that incorporates the TLS Exporter value (RFC
> >
> > 5705) derived from the current connection and an access token hash,
> >
> > signed by the client's private key corresponding to its mTLS
> >
> > certificate. This mechanism prevents stolen bearer tokens from being
> >
> > replayed on a different TLS connection. The proof is constructed
> >
> > once per (token, connection) pair and reused across all requests on
> >
> > that connection, delivering session binding with no per-request
> >
> > signing overhead and no additional key management beyond what mTLS
> >
> > already provides. The mechanism is applicable to TLS 1.2, TLS 1.3,
> >
> > and QUIC transports. While applicable to any OAuth 2.0 access token
> >
> > presented over mTLS, this specification is primarily motivated by the
> >
> > OAuth 2.0 Token Exchange protocol (RFC 8693), where multi-hop
> >
> > delegation chains in autonomous, agent-driven architectures create
> >
> > elevated replay risk.
> >
> > The IETF Secretariat
> >
> > --
> >
> > Thanks,
> > Ramki
>
> --
> WIMSE mailing list -- wimse@ietf.org
> To unsubscribe send an email to wimse-leave@ietf.org
>