IETF Logo Mail Archive

Re: [Unbearable] Switching exporters for 0-RTT Token Binding

Nick Harper <nharper@google.com> Thu, 27 April 2017 21:48 UTC

Return-Path: <nharper@google.com>
X-Original-To: unbearable@ietfa.amsl.com
Delivered-To: unbearable@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9323A129412 for <unbearable@ietfa.amsl.com>; Thu, 27 Apr 2017 14:48:43 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.702
X-Spam-Level:
X-Spam-Status: No, score=-2.702 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_LOW=-0.7, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=google.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id oYSRi3FqYj0M for <unbearable@ietfa.amsl.com>; Thu, 27 Apr 2017 14:48:41 -0700 (PDT)
Received: from mail-lf0-x22c.google.com (mail-lf0-x22c.google.com [IPv6:2a00:1450:4010:c07::22c]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6397C129BEF for <unbearable@ietf.org>; Thu, 27 Apr 2017 14:45:16 -0700 (PDT)
Received: by mail-lf0-x22c.google.com with SMTP id 75so24597195lfs.2 for <unbearable@ietf.org>; Thu, 27 Apr 2017 14:45:16 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=p9lxKzi+5z8Z13Ik6ZH73a/mcRMdBelBqsI9taAMLCI=; b=IaPwpEIgi+AraiwRFSAiNWzOnV+Iihkbl2iJcOZ7SW3HcH4FwPlUANj1zsbgXc/GxJ +8uhQlqGEQ/F2ywBAz2GxqA9j0JEJzOL5AmHMQGdYO9FXcbSyUy1rPf8XF9mBDkS3hIQ Lc4tDkXaNNPVFmezRGNsnC/dcdbHho3BLG65KAPlmxDACYUqE7+Kv0xsHGkK537xpFqm 5/aw/MackkNhwy3hmkO5SzLw2C7s04qmpn4mQ9PFfUcydM9i6vBnGLfWpOKa8kX8Kk/0 3DswRoPPPgReFgITkfH07j/uke0A+C9vkt5wTuTU9ueHluoTsvzeipUaw425HIyN59fk +muA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=p9lxKzi+5z8Z13Ik6ZH73a/mcRMdBelBqsI9taAMLCI=; b=pPcf0bOiMHPDqxz6GvOEMKJttO6JTzsOVwKiVb0VEHGz/uGG4QGPCSH3QikEMBpCfw hRCUMQzjGESnOTpIcirwRbaa/CW9NTcmJQ08J9RnuCLuVXUgnnG2XRh6k84sToqL3gwo ZTecbld1OJ9QJd/y4XxcQ7DJxguA1Q41U2Y5zEAgdT160Uc+6bRKueSTwU+mLMwf528s btAqlIjCd8wooVJJrIqwTd90AcvjmG+VRbJ7ypPhMaXdBh4nNelAbzAII8IjRVKC9tTW CdKF71xorA2H6sHGFG0wOLQtYT0J+Y0dLvhVrcPj0ikiFqf0wlXI3LsUCdWG/iUDJOey OECQ==
X-Gm-Message-State: AN3rC/558CS/Cr1Vq0Ik5xeDD+ucqZTPLhv7tgZP8y3+gp4s0wo9tNLi XelT8b29lNx78dAT62zGiXMvzfi+CrL9
X-Received: by 10.46.76.10 with SMTP id z10mr3013964lja.8.1493329514455; Thu, 27 Apr 2017 14:45:14 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.25.150.149 with HTTP; Thu, 27 Apr 2017 14:44:53 -0700 (PDT)
In-Reply-To: <20170420020846.GY30306@kduck.kaduk.org>
References: <CACdeXiLF3G8tBO5z5L2mfe5N-kYMv_4TNFS2_0YdecquMM_kuw@mail.gmail.com> <20170420020846.GY30306@kduck.kaduk.org>
From: Nick Harper <nharper@google.com>
Date: Thu, 27 Apr 2017 14:44:53 -0700
Message-ID: <CACdeXiLPb-QwLhG89ahV_q8q3n16jA+WEnsTzKTAyMtYcVF4Pw@mail.gmail.com>
To: Benjamin Kaduk <kaduk@mit.edu>
Cc: IETF Tokbind WG <unbearable@ietf.org>
Content-Type: text/plain; charset="UTF-8"
Archived-At: <https://mailarchive.ietf.org/arch/msg/unbearable/3ofFhjvsazSqZIZ6w2txHLIc3Lk>
Subject: Re: [Unbearable] Switching exporters for 0-RTT Token Binding
X-BeenThere: unbearable@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "\"This list is for discussion of proposals for doing better than bearer tokens \(e.g. HTTP cookies, OAuth tokens etc.\) for web applications. The specific goal is chartering a WG focused on preventing security token export and replay attacks.\"" <unbearable.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/unbearable>, <mailto:unbearable-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/unbearable/>
List-Post: <mailto:unbearable@ietf.org>
List-Help: <mailto:unbearable-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/unbearable>, <mailto:unbearable-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 27 Apr 2017 21:48:44 -0000

On Wed, Apr 19, 2017 at 7:08 PM, Benjamin Kaduk <kaduk@mit.edu> wrote:
> On Tue, Apr 18, 2017 at 03:24:40PM -0700, Nick Harper wrote:
>> One of the issues raised in Chicago around 0-RTT Token Binding is
>> whether or not to switch from the 0-RTT exporter to the normal
>> exporter, and I'd like to get some feedback from the Working Group on
>> this.
>>
>> The two options I'm considering are as follows:
>> 1) Always use the 0-RTT exporter on connections where 0-RTT data is accepted.
>> 2) Use the 0-RTT exporter for Token Binding messages sent in 0-RTT.
>> The client switches to using the normal exporter soon after the
>> handshake finishes, but it may send some Token Binding messages
>> post-handshake using the 0-RTT exporter.
>> In both cases, if the server rejects 0-RTT data, the client uses the
>> normal exporter (i.e. the client behaves the same as in TBPROTO).
>
> To make the obligatory statement of hopefully obvious facts, 0-RTT
> data MUST NOT be used absent a profile that defines its use.
> Presumably the situation of most interest here is HTTP right now,
> and many people would presume that the HTTP profile for early data
> will say "just concatenate the two streams", but those are just
> presumptions.  Perhaps some other profile would be appropriate for
> non-HTTP cases, though with no concrete proposal it hardly seems
> worth time to think about other than to note that whatever decision
> may be reached here might be limited to HTTP in its applicability.
>
> If one presupposes that the profile for the use of 0-RTT is
> "concatenate the streams", then the arguments against (1) are
> weakened (though not entirely removed).  But I'm not sure what level
> of consensus there is for such a (pre)supposition.

I have definitely been assuming an application profile of HTTP that
concatenates the streams, and the use-case in mind for 0-RTT Token
Binding is with HTTP.
>
> Having not fully thought through the matter, I still lean towards
> (2), with the justification that token binding can be thought of as
> an attempt to prove live possession of a key [associated to a token]
> on a connection where that token is used.  The 0-RTT exporter does
> not have a server contribution, so it's hard to really prove
> liveness of possession using just it.  I acknowledge that there is
> engineering work remainng to be done in making (2) practical/usable,
> and am not really in a position to contribute much to that work, but
> that's my current thinking on the matter.
>
> -Ben

I have similar reservations for (1) in that it doesn't really prove
liveness of possession, but (2) only has this liveness of possession
at some points in the protocol (i.e. after it has switched exporters).
If a server is doing 0-RTT Token Binding, then it doesn't need the
stronger exporter for all requests - the weaker exporter is fine for
some. I don't see a reason to upgrade partway through to the stronger
exporter just because it is stronger. However, if there are use cases
for accepting the weaker exporter at the beginning of a connection but
then requiring the stronger exporter later in the connection, then (2)
sounds like a good idea. (Preferring the stronger exporter isn't
enough for this use case - it would need to require it, and absent
option (2) the implementer of this use case would put the requests
needing the stronger exporter on a separate, non-0-RTT, connection.)

For those considering implementing 0-RTT Token Binding, do you have
any such use cases in mind or is option (1) good?

v2.23.0 | Report a Bug | By Email