[OAUTH-WG] Token Binding & -security-topics-13?

Brian Campbell <bcampbell@pingidentity.com> Mon, 23 December 2019 23:22 UTC

From: Brian Campbell <bcampbell@pingidentity.com>
Date: Mon, 23 Dec 2019 16:22:26 -0700
To: oauth <oauth@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/RKujONej-92dT5lr9cLu6hHnw8I>
Subject: [OAUTH-WG] Token Binding & -security-topics-13?

https://tools.ietf.org/html/draft-ietf-oauth-security-topics-13 mentions or
suggests the use of token binding as an option in a few places. However,
the OAuth 2.0 Token Binding draft expired back in April and is looking
highly unlikely to progress or be updated further.  It's also pretty much
undeployable given the current lack of support in platforms, browsers and
TLS/HTTP libraries. Perhaps the Security Best Current Practice document
should remove reference to draft-ietf-oauth-token-binding or at least
de-emphasize it considerably?

That token binding isn't a viable option leaves only the soon-to-be RFC of
MTLS as the only real option in recommendation of
https://tools.ietf.org/html/draft-ietf-oauth-security-topics-13#section-3.2
which has:
   Authorization servers SHOULD use TLS-based methods for sender-
   constrained access tokens as described in Section 4.8.1.2, such as
   token binding [I-D.ietf-oauth-token-binding] or Mutual TLS for OAuth
   2.0 [I-D.ietf-oauth-mtls] in order to prevent token replay.

Maybe this already rather aspirational SHOULD should allow for non-TLS or
application-based methods as well, to at least allow room in the BCP for
the possibility of using some yet-to-be-determined PoP method that might
come along in the future?

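The certificate-bound ("sender-constrained") access token the quoted Section 3.2 text recommends, and that draft-ietf-oauth-mtls defines, as an added example that is not the poster's, the draft's or any library's code: the authorization server records the SHA-256 thumbprint of the client's mTLS certificate in the token's `cnf` claim, and the resource server only accepts the token when the same certificate is presented on its own TLS connection. It assumes the JWT signature and expiry were already verified elsewhere and uses constructed byte strings in place of real DER certificates.

```python
import base64
import hashlib
import hmac
from typing import Optional

def cert_thumbprint_s256(cert_der: bytes) -> str:
    # "x5t#S256" as in draft-ietf-oauth-mtls: base64url-encoded SHA-256 of the
    # certificate's DER bytes, with base64 padding removed.
    digest = hashlib.sha256(cert_der).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")

def bind_claims_to_cert(claims: dict, client_cert_der: bytes) -> dict:
    # Authorization-server side at issuance: record the thumbprint of the
    # client certificate used on the mTLS token request in the "cnf" claim.
    bound = dict(claims)
    bound["cnf"] = {"x5t#S256": cert_thumbprint_s256(client_cert_der)}
    return bound

def is_token_bound_to_cert(claims: dict, presented_cert_der: Optional[bytes]) -> bool:
    # Resource-server side. Signature and expiry are assumed verified already;
    # this checks only the sender constraint. A token without "cnf" is a plain
    # bearer token and is rejected by policy, since any TLS client could replay it.
    cnf = claims.get("cnf")
    if not isinstance(cnf, dict) or not isinstance(cnf.get("x5t#S256"), str):
        return False
    if presented_cert_der is None:
        return False  # no client certificate on this TLS connection
    actual = cert_thumbprint_s256(presented_cert_der)
    return hmac.compare_digest(cnf["x5t#S256"], actual)

# Constructed sample data standing in for DER-encoded certificates; the
# thumbprint computation is the same for real DER.
LEGIT_CLIENT_CERT = b"\x30\x82\x01\x00constructed-sample-cert-for-legit-client"
OTHER_CLIENT_CERT = b"\x30\x82\x01\x00constructed-sample-cert-for-other-client"

def replay_demo() -> dict:
    # A token issued to the legitimate client is only usable over a TLS
    # connection authenticated with that client's certificate.
    token = bind_claims_to_cert({"sub": "alice", "scope": "read"}, LEGIT_CLIENT_CERT)
    return {
        "legit_client": is_token_bound_to_cert(token, LEGIT_CLIENT_CERT),
        "replay_other_cert": is_token_bound_to_cert(token, OTHER_CLIENT_CERT),
        "replay_no_cert": is_token_bound_to_cert(token, None),
        "bearer_token": is_token_bound_to_cert({"sub": "alice"}, LEGIT_CLIENT_CERT),
    }

if __name__ == "__main__":
    print(replay_demo())
```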