Re: [Unbearable] on not listing 'Sec-Token-Binding' in the Connection header field?

Andrei Popov <Andrei.Popov@microsoft.com> Thu, 09 February 2017 22:02 UTC

From: Andrei Popov <Andrei.Popov@microsoft.com>
To: Amos Jeffries <squid3@treenet.co.nz>, "unbearable@ietf.org" <unbearable@ietf.org>
Date: Thu, 09 Feb 2017 22:02:36 +0000
Message-ID: <CY1PR0301MB084285FAEE85584F5BCB25CE8C450@CY1PR0301MB0842.namprd03.prod.outlook.com>
References: <e56976df-c7e7-6dde-8f27-9aeb152f66ab@KingsMountain.com> <CY1PR0301MB084254BDDD2E72104D20BE9A8C430@CY1PR0301MB0842.namprd03.prod.outlook.com> <C97FF7A1-5EAB-4117-A9D2-65C9A9993A8F@ve7jtb.com> <CADHfa2A-kpD_swEzMue33eeKj=Xd6_au2KL=XD+AmYq=m6hrdw@mail.gmail.com> <43DD0CF0-4043-448D-BE38-FAFFDE779B57@ve7jtb.com> <CY1PR0301MB08423324E89771A0EEDD72068C420@CY1PR0301MB0842.namprd03.prod.outlook.com> <d975388a-7a09-4842-89dc-7a2bd94ba0ff@treenet.co.nz>
In-Reply-To: <d975388a-7a09-4842-89dc-7a2bd94ba0ff@treenet.co.nz>
Archived-At: <https://mailarchive.ietf.org/arch/msg/unbearable/4N2L8pK8W-YC9AYcqIExY8h1ajA>
Subject: Re: [Unbearable] on not listing 'Sec-Token-Binding' in the Connection header field?
List-Id: "\"This list is for discussion of proposals for doing better than bearer tokens \(e.g. HTTP cookies, OAuth tokens etc.\) for web applications. The specific goal is chartering a WG focused on preventing security token export and replay attacks.\"" <unbearable.ietf.org>

Hi Amos,

> The Connection header is not particularly about proxies. It is simply about distinguishing hop-by-hop things from end-to-end so any naive/old HTTP recipient can keep the relevant data secure in a fail-closed way.
...and TB can be handled hop-by-hop or passed on for subsequent validation; both are valid use-cases.

It would be a concern if the backend servers were to assume that any TB header (and the contained TB message) floating around is always valid. Instead what the specs currently say is that if you receive a TB message, you've got to validate it before accepting a bound token. If validation fails, the bound token is rejected.

It seems therefore that stripping TB headers does not "fail closed", but simply eliminates the possibility that the contained TB message may get verified further down the line.

It is true that a proxy could forward Sec-Token-Binding's contents as a custom header, possibly specified in another document. This is a valid design; I'm just not convinced that this should be the only possible design.

Cheers,

Andrei
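As an added illustration of the three behaviours argued over in this thread (not code from the message, the Token Binding drafts or any proxy): a naive intermediary applying the Connection hop-by-hop rule, the "validate at the proxy and relay a verdict in a custom header" design, and an origin that rejects a bound token unless its TB message validates. The relay header name and the `demo_verify` stand-in are assumptions; real verification checks a signature over TLS exported keying material, which this example does not model.

```python
# Added example, not part of the thread. Header names match case-insensitively.
STANDARD_HOP_BY_HOP = {
    "connection", "keep-alive", "proxy-authenticate", "proxy-authorization",
    "te", "trailer", "transfer-encoding", "upgrade",
}
RELAY = "X-Validated-Token-Binding"  # placeholder name; no such header is standardised

def lookup(headers, name):
    return next((v for k, v in headers.items() if k.lower() == name.lower()), None)

def proxy_forward(headers):
    """What a naive/old intermediary passes on: every field except the fixed
    hop-by-hop set and whatever the sender's Connection header lists (RFC 7230 s6.1)."""
    listed = {t.strip().lower()
              for t in (lookup(headers, "Connection") or "").split(",") if t.strip()}
    drop = STANDARD_HOP_BY_HOP | listed
    return {k: v for k, v in headers.items() if k.lower() not in drop}

def proxy_relay_validated(headers, verify):
    """Alternative design from the thread: the proxy validates the TB message
    itself and forwards only its verdict in a custom header. Any client-supplied
    copy of that header is discarded so the verdict cannot be spoofed."""
    out = {k: v for k, v in proxy_forward(headers).items()
           if k.lower() not in ("sec-token-binding", RELAY.lower())}
    tb = lookup(headers, "Sec-Token-Binding")
    if tb is not None:
        out[RELAY] = "valid" if verify(tb) else "invalid"
    return out

def backend_accepts_bound_token(headers, verify):
    """Origin rule stated in the message: a bound token is accepted only after
    the TB message validates; a missing message or failed validation rejects it."""
    tb = lookup(headers, "Sec-Token-Binding")
    if tb is not None:
        return bool(verify(tb))
    return lookup(headers, RELAY) == "valid"  # only meaningful behind a trusted proxy

# Constructed stand-in for real TB message verification: one fixed string is "valid".
GOOD_TB = "constructed-valid-tb-message"
def demo_verify(tb_msg):
    return tb_msg == GOOD_TB

def scenario(list_in_connection, via_relay=False):
    """Does a bound token survive one proxy hop and get accepted at the origin?"""
    conn = "keep-alive" + (", Sec-Token-Binding" if list_in_connection else "")
    request = {"Connection": conn, "Cookie": "session=bound-token",
               "Sec-Token-Binding": GOOD_TB}
    forwarded = (proxy_relay_validated(request, demo_verify) if via_relay
                 else proxy_forward(request))
    return backend_accepts_bound_token(forwarded, demo_verify)
```

Listing Sec-Token-Binding in Connection makes a conforming proxy drop it, so the origin can no longer verify anything and rejects the bound token; not listing it lets the message reach the origin for end-to-end validation, and the relay design works either way because the proxy consumes the message itself.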