[Unbearable] Comments on draft-ietf-tokbind-https-08 (Token Binding over HTTP)

Denis <denis.ietf@free.fr> Sun, 19 March 2017 18:16 UTC

To: IETF Tokbind WG <unbearable@ietf.org>
From: Denis <denis.ietf@free.fr>
Message-ID: <1d9db310-be8b-58c6-49ac-bd701b69157f@free.fr>
Date: Sun, 19 Mar 2017 19:16:36 +0100
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:45.0) Gecko/20100101 Thunderbird/45.8.0
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="------------D4404AB7ED1CD1F6B0440F34"
Archived-At: <https://mailarchive.ietf.org/arch/msg/unbearable/4U-Wk2M3agzxIU_eCmchjp8fjcc>
Subject: [Unbearable] Comments on draft-ietf-tokbind-https-08 (Token Binding over HTTP)

On February 27, I sent an email with the following topic: WGLC 3 on core 
documents.


On page 14 within the Security Considerations section, the same kind of change as the one requested for draft-ietf-tokbind-protocol-13 (The Token Binding Protocol Version 1.0) should be done, i.e. add a new section called: "7.2. Client collusion" with the following text:

    Token Binding over HTTP does not prevent cooperating clients from
    sharing a bound token. A client could intentionally export a bound
    token with the corresponding Token Binding private key, or perform
    signatures using this key on behalf of another client.


The draft has not been revised accordingly for the Chicago meeting.

Denis