[secdir] Security review of draft-ietf-tokbind-negotiation-10

Hilarie Orman <hilarie@purplestreak.com> Sun, 26 November 2017 19:57 UTC


Security review of
Transport Layer Security (TLS) Extension for Token Binding Protocol Negotiation
draft-ietf-tokbind-negotiation-10

Do not be alarmed.  I have reviewed this document as part of the
security directorate's ongoing effort to review all IETF documents
being processed by the IESG.  These comments were written primarily
for the benefit of the security area directors.  Document editors and
WG chairs should treat these comments just like any other last call
comments.

From the abstract: "This document specifies a Transport Layer Security
(TLS) extension for the negotiation of Token Binding protocol version
and key parameters."

Token binding assures that the necessary authentication information
for a TLS channel is bound solely to that one channel.  As a
preliminary to that binding, the two participants must agree on a
protocol version for establishing a token and the key parameters.  The
TLS extension for this negotiation in the HELLO messages is the
subject of the document under review.

The extension seems to me to be necessary, sufficient, secure, and Ready.

Hilarie
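As an added illustration of the negotiation the review summarizes (example code, not part of the review or of the draft), the exchange below follows the wire format and selection rules of the published specification, RFC 8472: the client offers a protocol version and a preference-ordered list of key parameters, the server answers with exactly one parameter it supports and a version no higher than the client's, and the client aborts the handshake on any other reply. Function names and the constructed sample values are mine.

```python
"""Token Binding negotiation (TLS 'token_binding' extension, RFC 8472):
encode/decode the extension_data and apply both sides' acceptance rules."""

# Key parameter identifiers registered for the extension (RFC 8472).
RSA2048_PKCS15, RSA2048_PSS, ECDSAP256 = 0, 1, 2


def encode_ext(version, key_params):
    """Serialize: version {major, minor} then a 1-byte-length list of params."""
    if not 1 <= len(key_params) <= 255:
        raise ValueError("key_parameters_list must hold 1..255 entries")
    major, minor = version
    return bytes([major, minor, len(key_params)]) + bytes(key_params)


def decode_ext(data):
    """Parse extension_data; reject malformed or truncated length fields."""
    if len(data) < 4:
        raise ValueError("extension too short")
    major, minor, n = data[0], data[1], data[2]
    if n == 0 or len(data) != 3 + n:
        raise ValueError("key_parameters_list length mismatch")
    return (major, minor), list(data[3:])


def server_select(client_ext, server_version, server_supported):
    """Server side: take the first client-offered parameter it supports and
    reply with min(client version, own version) and that single parameter.
    Returns None when nothing overlaps; the server then omits the extension."""
    client_version, offered = decode_ext(client_ext)
    for param in offered:  # the client's list is in preference order
        if param in server_supported:
            return encode_ext(min(client_version, server_version), [param])
    return None


def client_check(client_ext, server_ext):
    """Client side: accept only one parameter that it offered and a version
    no higher than its own; anything else means terminate the handshake."""
    client_version, offered = decode_ext(client_ext)
    server_version, chosen = decode_ext(server_ext)
    if len(chosen) != 1 or chosen[0] not in offered:
        raise ValueError("server chose a parameter the client did not offer")
    if server_version > client_version:
        raise ValueError("server announced a version higher than offered")
    return server_version, chosen[0]
```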