Re: [Unbearable] Fwd: I-D Action: draft-ietf-tokbind-ttrp-01.txt

Brian Campbell, Thu, 03 August 2017 20:21 UTC

From: Brian Campbell
Date: Thu, 3 Aug 2017 14:20:40 -0600
To: Bill Cox
Cc: Vladimir Dzhuvinov, Tokbind WG

On Thu, Aug 3, 2017 at 9:31 AM, Bill Cox wrote:

> One question about the spec: Why must the "sec-token-binding" header be
> removed?  I did that originally in an implementation, and was asked to stop
> "molesting the headers".

This is largely to try and comply with HTTPSTB that says the
"Sec-Token-Binding" header is sent by the client when TB is negotiated on
the TLS connection.  On the connection from the TTRP to the backend, the
TTRP is the client and TB isn't negotiated (most likely anyway).
