Re: [OAUTH-WG] Token Binding Presentations?

John Bradley <ve7jtb@ve7jtb.com> Fri, 17 March 2017 18:09 UTC

From: John Bradley <ve7jtb@ve7jtb.com>
Date: Fri, 17 Mar 2017 15:09:36 -0300
Cc: Jim Manico <jim@manicode.com>, IETF OAUTH <oauth@ietf.org>
To: Anthony Nadalin <tonynad@microsoft.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/1q4tlTO-P4WlKU7sNw5cKpi7zlA>

Yes, I was referring to support for token binding at the TLS level in Edge & IE and perhaps other HTTP API support for token binding negotiation on TLS connections.

Not support for things built on top of token binding.   

IIS being updated to token bind cookies is another matter that I haven't seen any timing on.

Chrome on most if not all platforms and Edge on RS2, I believe, should all support servers token binding cookies in the 3 to 6 month timeframe to be conservative.

I know Google has already turned on token binding negotiation for some web parts of Google.

John B.




> On Mar 17, 2017, at 2:59 PM, Anthony Nadalin <tonynad@microsoft.com> wrote:
> 
> I’m unaware of any support for “OAuth” Token Binding from Microsoft, so I assume you are talking just about Token Binding cookies
>
> From: OAuth [mailto:oauth-bounces@ietf.org] On Behalf Of John Bradley
> Sent: Friday, March 17, 2017 10:43 AM
> To: Jim Manico <jim@manicode.com>
> Cc: IETF OAUTH <oauth@ietf.org>
> Subject: Re: [OAUTH-WG] Token Binding Presentations?
>  
> This has some of the basic info, but needs some updating. http://www.browserauth.net/
>  
> Other than that there are the specs in the Token binding WG and the one we just updated for OAuth.
>  
> With Microsoft supporting it in RS2 coming out in a month or so I would hope to see some developer documentation from them soon.
>  
> John B.
>  
> On Mar 17, 2017, at 12:09 PM, Jim Manico <jim@manicode.com> wrote:
>  
> Hello OAuthers,
> 
> I'm trying to get my head around token binding beyond the RFC. Are there any presentations or other media on token binding that any of you are aware of? My google-fu is coming up empty.
> 
> Thanks and Aloha,
> - Jim