Re: [Unbearable] ramifications of longer EKMs
Brian Campbell <bcampbell@pingidentity.com> Thu, 23 February 2017 23:59 UTC
Archived-At: <https://mailarchive.ietf.org/arch/msg/unbearable/59Pq_kJfs-GTqylj7Sgkzb-DeRM>
Thanks Andrei. I admit to having had some fondness for option 4). But I guess, at this point, I'd lean towards 3) as well. It simplifies the TTRP case as well as server processing logic (assuming the logic would be generalized to accommodate future TB key params with a longer EKM).

On Thu, Feb 23, 2017 at 2:00 PM, Andrei Popov <Andrei.Popov@microsoft.com> wrote:
> Tokbind-tls-term does not necessarily have to be on the standards track, but I think the issue Brian has raised deserves discussion regardless of the destiny of tokbind-tls-term.
>
> WRT Brian’s listed options, I prefer 3) or, failing that, 1).
>
> Option 2) affects the tokbind-tls-term document, not the core I-Ds; from the core I-D perspective it is identical to option 1).
>
> Option 4) makes the TB key parameter negotiation less definitive. It says that the length of the EKM now depends not only on the signature scheme of the TB key that signs this EKM, but also on the type of the Binding, and on the signature scheme of a different, unrelated TB key.
>
> Cheers,
>
> Andrei
>
> *From:* Anthony Nadalin
> *Sent:* Thursday, February 23, 2017 9:54 AM
> *To:* Brian Campbell <bcampbell@pingidentity.com>; Andrei Popov <Andrei.Popov@microsoft.com>
> *Cc:* IETF Tokbind WG <unbearable@ietf.org>
> *Subject:* RE: [Unbearable] ramifications of longer EKMs
>
> I’m not sure the value of standardizing the tokbind-tls-term, not sure how much interoperability requirements there are here, maybe this should be an experimental until we figure out if there is a need and if so what are the requirements
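The following is an added illustration, not code from the thread or from any Token Binding implementation, of the "generalized server processing logic" Brian mentions: the expected EKM length is looked up from the TokenBindingKeyParameters of the key that signs that EKM, so each binding in a message (provided or referred) is checked against an EKM of its own scheme's length, and a future scheme with a longer EKM is supported by adding one registry row. It assumes the key-parameter codes and 32-byte EKM of RFC 8471 for codes 0 to 2; code 3 (`ecdsap384_hypothetical`, 48-byte EKM) is a constructed entry used only to show the dispatch. The TLS exporter and the asymmetric signature are replaced by HMAC-based stand-ins so the example runs offline; a real server gets the EKM from its TLS stack and verifies RSA/ECDSA signatures.

```python
"""Generalized EKM-length dispatch for Token Binding verification (added example)."""
import hashlib
import hmac
from dataclasses import dataclass
from typing import List

EXPORTER_LABEL = b"EXPORTER-Token-Binding"

# Registry: TokenBindingKeyParameters code -> (name, EKM length in bytes).
# Codes 0..2 with a 32-byte EKM follow RFC 8471 (assumption, not from the thread).
# Code 3 is a constructed, hypothetical future scheme with a longer EKM.
KEY_PARAMS = {
    0: ("rsa2048_pkcs1.5", 32),
    1: ("rsa2048_pss", 32),
    2: ("ecdsap256", 32),
    3: ("ecdsap384_hypothetical", 48),
}

PROVIDED_TB = 0
REFERRED_TB = 1


def ekm_length(key_parameters: int) -> int:
    """The expected EKM length depends on the signing key's scheme and nothing else."""
    if key_parameters not in KEY_PARAMS:
        raise ValueError(f"unknown TokenBindingKeyParameters {key_parameters}")
    return KEY_PARAMS[key_parameters][1]


def exporter(connection_secret: bytes, length: int) -> bytes:
    """Stand-in for the RFC 5705 TLS exporter: HMAC-based expand of a constructed
    per-connection secret, so the output is bound to the connection and to the length."""
    out, block, counter = b"", b"", 1
    while len(out) < length:
        block = hmac.new(connection_secret, block + EXPORTER_LABEL + bytes([counter]),
                         hashlib.sha256).digest()
        out += block
        counter += 1
    return out[:length]


def signed_data(tb_type: int, key_parameters: int, ekm: bytes) -> bytes:
    """tokenbinding_type || key_parameters || ekm; the EKM length is checked against the
    registry so a wrongly sized EKM never reaches the signature verifier."""
    expected = ekm_length(key_parameters)
    if len(ekm) != expected:
        raise ValueError(f"EKM is {len(ekm)} bytes; {KEY_PARAMS[key_parameters][0]} needs {expected}")
    return bytes([tb_type, key_parameters]) + ekm


@dataclass
class TokenBinding:
    tb_type: int
    key_parameters: int
    key: bytes        # stands in for the TokenBindingPublicKey in the TokenBindingID
    signature: bytes


def stand_in_sign(key: bytes, data: bytes) -> bytes:
    """HMAC stands in for the RSA/ECDSA signature (symmetric, demo only)."""
    return hmac.new(key, data, hashlib.sha256).digest()


def stand_in_verify(key: bytes, data: bytes, sig: bytes) -> bool:
    return hmac.compare_digest(stand_in_sign(key, data), sig)


def make_token_binding(tb_type: int, key_parameters: int, key: bytes,
                       connection_secret: bytes) -> TokenBinding:
    """Client side: export an EKM of the scheme's length and sign over it."""
    ekm = exporter(connection_secret, ekm_length(key_parameters))
    sig = stand_in_sign(key, signed_data(tb_type, key_parameters, ekm))
    return TokenBinding(tb_type, key_parameters, key, sig)


def verify_message(bindings: List[TokenBinding], connection_secret: bytes) -> bool:
    """Server side: every TokenBinding is checked against an EKM whose length comes
    from its own key_parameters, independent of the binding type or other bindings."""
    for tb in bindings:
        if tb.tb_type not in (PROVIDED_TB, REFERRED_TB):
            return False
        try:
            ekm = exporter(connection_secret, ekm_length(tb.key_parameters))
            data = signed_data(tb.tb_type, tb.key_parameters, ekm)
        except ValueError:
            return False
        if not stand_in_verify(tb.key, data, tb.signature):
            return False
    return True


def demo() -> dict:
    secret = hashlib.sha256(b"constructed connection secret").digest()
    provided = make_token_binding(PROVIDED_TB, 2, b"client-key-A", secret)   # 32-byte EKM
    referred = make_token_binding(REFERRED_TB, 3, b"client-key-B", secret)   # 48-byte EKM
    mixed_ok = verify_message([provided, referred], secret)
    # Same bindings presented on another connection: the EKM differs, so signatures fail.
    replayed = verify_message([provided, referred], hashlib.sha256(b"other connection").digest())
    try:
        signed_data(PROVIDED_TB, 3, exporter(secret, 32))   # too short for scheme 3
        wrong_len_rejected = False
    except ValueError:
        wrong_len_rejected = True
    return {"mixed_lengths_ok": mixed_ok, "replay_rejected": not replayed,
            "wrong_length_rejected": wrong_len_rejected,
            "ekm_len_provided": ekm_length(2), "ekm_len_referred": ekm_length(3)}


if __name__ == "__main__":
    print(demo())
```

The point of the structure is that `ekm_length` is the only place that knows about EKM sizes: a TTRP forwarding bindings to a backend, and the backend itself, both derive the length from the `key_parameters` byte they already parse, rather than from the binding type or from the scheme of the other binding in the message.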