Re: [Unbearable] Adam Roach's Yes on draft-ietf-tokbind-https-14: (with COMMENT)

Nick Harper <nharper@google.com> Tue, 05 June 2018 18:47 UTC

Return-Path: <nharper@google.com>
X-Original-To: unbearable@ietfa.amsl.com
Delivered-To: unbearable@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4E5D213113D for <unbearable@ietfa.amsl.com>; Tue, 5 Jun 2018 11:47:14 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -18.209
X-Spam-Level:
X-Spam-Status: No, score=-18.209 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, ENV_AND_HDR_SPF_MATCH=-0.5, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001, T_DKIMWL_WL_MED=-0.01, URIBL_BLOCKED=0.001, USER_IN_DEF_DKIM_WL=-7.5, USER_IN_DEF_SPF_WL=-7.5] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=google.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id e0_5hskXahhs for <unbearable@ietfa.amsl.com>; Tue, 5 Jun 2018 11:47:12 -0700 (PDT)
Received: from mail-io0-x22e.google.com (mail-io0-x22e.google.com [IPv6:2607:f8b0:4001:c06::22e]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 95C7C130DC4 for <unbearable@ietf.org>; Tue, 5 Jun 2018 11:47:09 -0700 (PDT)
Received: by mail-io0-x22e.google.com with SMTP id s26-v6so4609524ioj.4 for <unbearable@ietf.org>; Tue, 05 Jun 2018 11:47:09 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=ZmJpObQ9RhdCBURi5MzfkngNftrKq7Y9BhjuHResdRA=; b=Gv2mcJBvALZjuNMqxFcdSzHToTCfNw+/HrMfk4OxHVyN7RxWUAai6KtvPbXPSngcOw UgUnLOVk6YAnQmX+GsaudMEt8cvs+M0nNske4uhKK6M29HrKV1ZweRh/e1H38AOxUQbW XdZq26xS9j+6IxZ6AUyJDBn3UeJndwnXwwxtqdpi7rPbB4AQRfKX3pwin2RhtQ/hKJBm CR+gn2Ohv8yBeY3PM2fRexjKV2ZJW2J1Vbj3t/marAWu9o63pMm6uXaShaibK9G+i5Qn JslnGbyMq3T7mlB02+bz0uTpnzIqQUzUJD2vLEiu1uhNZei8kLEOffaY33rK5KN69I9h jnKw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=ZmJpObQ9RhdCBURi5MzfkngNftrKq7Y9BhjuHResdRA=; b=PA0dAYJ9M5dawi98aqhxZ+Q2rDBxwvsRJYiFhwwNnARb4gQKnFgjoDnB3fjTPf0s1/ KLjqtckYDRHpplr+8sH2oA6l5sr9d9/vLNA5+PuprdLqV5bkvCe5dB6cs/07Ok6Tfp0c 9NhjBCuSsmrOfchAqgDJHxdCW/dtbiuWskn344g6fKmzwXhO+82IdcfgYpT7wl2T0G/V ZXg4WKFcref26Ih3EQpsXyZBZUgOrKlWts2EwDprG/jfd00J5SaRXtC8z2IWiqy3F5I3 JTh6zKiwnMwn8t1YM6Aeu5agFEkDrlmig7mFyuJ6jjwfZdNXeWqT5Z3/q1ZumIECPefn 985A==
X-Gm-Message-State: APt69E1ZB7bRVTWRCWgOPbvi0Eit3IB7h+1h8IhY6/ghXlgQSri+NPcc dNMRPW9YoehbXmH2SwgYLq/E/ZKlGdTXs0Q+u+Xthg==
X-Google-Smtp-Source: ADUXVKKdkImLpfhmys9AkKq96vvhFXVZgQS+QrPmWb/ujoXahkPgDGtjP0/dvfxgHrcYYjgkT+9CUEzN4JDOpq5qu0I=
X-Received: by 2002:a6b:14cd:: with SMTP id 196-v6mr28385651iou.103.1528224428301; Tue, 05 Jun 2018 11:47:08 -0700 (PDT)
MIME-Version: 1.0
Received: by 2002:a4f:e0a:0:0:0:0:0 with HTTP; Tue, 5 Jun 2018 11:46:47 -0700 (PDT)
In-Reply-To: <c103c5d7-3508-23b5-aae0-165dcd81db17@nostrum.com>
References: <152575956787.20253.13180458622500226833.idtracker@ietfa.amsl.com> <CADHfa2DPni78gNNZyQr6Tbt6DTzVWY+md7L4220NPTDprUCp6A@mail.gmail.com> <c103c5d7-3508-23b5-aae0-165dcd81db17@nostrum.com>
From: Nick Harper <nharper@google.com>
Date: Tue, 5 Jun 2018 11:46:47 -0700
Message-ID: <CACdeXiKnuLxR5ZVn9D9p9CHk+SBqFMOJGeziKjVNAw9AifvmMQ@mail.gmail.com>
To: Adam Roach <adam@nostrum.com>
Cc: Dirk Balfanz <balfanz@google.com>, The IESG <iesg@ietf.org>, John Bradley <ve7jtb@ve7jtb.com>, Tokbind WG <unbearable@ietf.org>, tokbind-chairs@ietf.org, draft-ietf-tokbind-https@ietf.org
Content-Type: multipart/alternative; boundary="000000000000309dbc056de97abc"
Archived-At: <https://mailarchive.ietf.org/arch/msg/unbearable/4ref_fNyig-XhSU1JPGv2-7F6bg>
Subject: Re: [Unbearable] Adam Roach's Yes on draft-ietf-tokbind-https-14: (with COMMENT)
X-BeenThere: unbearable@ietf.org
X-Mailman-Version: 2.1.26
Precedence: list
List-Id: "\"This list is for discussion of proposals for doing better than bearer tokens \(e.g. HTTP cookies, OAuth tokens etc.\) for web applications. The specific goal is chartering a WG focused on preventing security token export and replay attacks.\"" <unbearable.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/unbearable>, <mailto:unbearable-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/unbearable/>
List-Post: <mailto:unbearable@ietf.org>
List-Help: <mailto:unbearable-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/unbearable>, <mailto:unbearable-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 05 Jun 2018 18:47:15 -0000

On Mon, Jun 4, 2018 at 3:11 PM, Adam Roach <adam@nostrum.com> wrote:

> On 6/4/18 4:56 PM, Dirk Balfanz wrote:
>
> Hi Adam,
>
> thanks for the feedback. Most of it is addressed in the new draft (
> https://tools.ietf.org/html/draft-ietf-tokbind-https-16). See below
> (inline) for details.
>
>
>
> Thanks! Some responses inline.
>
>
>
>> ----------------------------------------------------------------------
>> COMMENT:
>> ----------------------------------------------------------------------
>>
>> Thanks to everyone who worked on this document. I am balloting "Yes", but
>> still have a handful of comments, including several that I believe are
>> rather important.
>>
>>
>> ------------------------------------------------------------
>> ---------------
>>
>> §2:
>>
>> >  Once a client and server have negotiated the Token Binding Protocol
>> >  with HTTP/1.1 or HTTP/2 (see [I-D.ietf-tokbind-protocol] and
>> >  [I-D.ietf-tokbind-negotiation])
>>
>> Presuming this document is intended to cover use of TLS 1.3, I believe
>> this
>> list needs to also include [I-D.ietf-tokbind-tls13].
>>
>
> Actually, the document doesn’t address TLS 1.3 - that will be covered in a
> separate document.
>
>
> Please adjust the title, abstract, and introduction to make this clear. I
> see neither prose nor technical mechanism in this document that precludes
> use with TLS 1.3, and it's virtually guaranteed that implementors will try
> to use it with TLS 1.3 unless there is clear text saying not to.
>

I think this document does cover using Token Binding with TLS 1.3, but only
once draft-ietf-tokbind-tls13 is published. (I.e. before the draft is
published, it does not cover TLS 1.3, because draft-ietf-tokbind-protocol
is limited to TLS 1.2, but once draft-ietf-tokbind-tls13 is published, this
automatically covers TLS 1.3 as well.)