Re: [Unbearable] Adam Roach's Yes on draft-ietf-tokbind-https-14: (with COMMENT)

Adam Roach <adam@nostrum.com> Tue, 05 June 2018 18:50 UTC

Return-Path: <adam@nostrum.com>
X-Original-To: unbearable@ietfa.amsl.com
Delivered-To: unbearable@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 915A7131141; Tue, 5 Jun 2018 11:50:42 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.878
X-Spam-Level:
X-Spam-Status: No, score=-1.878 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, T_SPF_HELO_PERMERROR=0.01, T_SPF_PERMERROR=0.01, URIBL_BLOCKED=0.001] autolearn=unavailable autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ef9Q9Fp386Dz; Tue, 5 Jun 2018 11:50:40 -0700 (PDT)
Received: from nostrum.com (raven-v6.nostrum.com [IPv6:2001:470:d:1130::1]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id CA5F4126F72; Tue, 5 Jun 2018 11:50:40 -0700 (PDT)
Received: from Svantevit.local (99-152-146-228.lightspeed.dllstx.sbcglobal.net [99.152.146.228]) (authenticated bits=0) by nostrum.com (8.15.2/8.15.2) with ESMTPSA id w55IobUA071520 (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128 verify=NO); Tue, 5 Jun 2018 13:50:37 -0500 (CDT) (envelope-from adam@nostrum.com)
X-Authentication-Warning: raven.nostrum.com: Host 99-152-146-228.lightspeed.dllstx.sbcglobal.net [99.152.146.228] claimed to be Svantevit.local
To: Nick Harper <nharper@google.com>
Cc: Dirk Balfanz <balfanz@google.com>, The IESG <iesg@ietf.org>, John Bradley <ve7jtb@ve7jtb.com>, Tokbind WG <unbearable@ietf.org>, tokbind-chairs@ietf.org, draft-ietf-tokbind-https@ietf.org
References: <152575956787.20253.13180458622500226833.idtracker@ietfa.amsl.com> <CADHfa2DPni78gNNZyQr6Tbt6DTzVWY+md7L4220NPTDprUCp6A@mail.gmail.com> <c103c5d7-3508-23b5-aae0-165dcd81db17@nostrum.com> <CACdeXiKnuLxR5ZVn9D9p9CHk+SBqFMOJGeziKjVNAw9AifvmMQ@mail.gmail.com>
From: Adam Roach <adam@nostrum.com>
Message-ID: <b9cc789a-6b18-38d1-e693-479071c70f16@nostrum.com>
Date: Tue, 5 Jun 2018 13:50:31 -0500
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.13; rv:52.0) Gecko/20100101 Thunderbird/52.8.0
MIME-Version: 1.0
In-Reply-To: <CACdeXiKnuLxR5ZVn9D9p9CHk+SBqFMOJGeziKjVNAw9AifvmMQ@mail.gmail.com>
Content-Type: multipart/alternative; boundary="------------28B798A08218A2DA6C2B6135"
Content-Language: en-US
Archived-At: <https://mailarchive.ietf.org/arch/msg/unbearable/5Eqv3tX0ex_aVzOuCkhQ2lnORT0>
Subject: Re: [Unbearable] Adam Roach's Yes on draft-ietf-tokbind-https-14: (with COMMENT)
X-BeenThere: unbearable@ietf.org
X-Mailman-Version: 2.1.26
Precedence: list
List-Id: "\"This list is for discussion of proposals for doing better than bearer tokens \(e.g. HTTP cookies, OAuth tokens etc.\) for web applications. The specific goal is chartering a WG focused on preventing security token export and replay attacks.\"" <unbearable.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/unbearable>, <mailto:unbearable-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/unbearable/>
List-Post: <mailto:unbearable@ietf.org>
List-Help: <mailto:unbearable-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/unbearable>, <mailto:unbearable-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 05 Jun 2018 18:50:43 -0000

On 6/5/18 1:46 PM, Nick Harper wrote:
>
>
> On Mon, Jun 4, 2018 at 3:11 PM, Adam Roach <adam@nostrum.com 
> <mailto:adam@nostrum.com>> wrote:
>
>     On 6/4/18 4:56 PM, Dirk Balfanz wrote:
>>     Hi Adam,
>>
>>     thanks for the feedback. Most of it is addressed in the new draft
>>     (https://tools.ietf.org/html/draft-ietf-tokbind-https-16
>>     <https://tools.ietf.org/html/draft-ietf-tokbind-https-16>). See
>>     below (inline) for details.
>>
>>
>
>     Thanks! Some responses inline.
>
>
>>
>>         ----------------------------------------------------------------------
>>         COMMENT:
>>         ----------------------------------------------------------------------
>>
>>         Thanks to everyone who worked on this document. I am
>>         balloting "Yes", but
>>         still have a handful of comments, including several that I
>>         believe are
>>         rather important.
>>
>>
>>         ---------------------------------------------------------------------------
>>
>>         §2:
>>
>>         >  Once a client and server have negotiated the Token Binding
>>         Protocol
>>         >  with HTTP/1.1 or HTTP/2 (see [I-D.ietf-tokbind-protocol] and
>>         >  [I-D.ietf-tokbind-negotiation])
>>
>>         Presuming this document is intended to cover use of TLS 1.3,
>>         I believe this
>>         list needs to also include [I-D.ietf-tokbind-tls13].
>>
>>
>>     Actually, the document doesn’t address TLS 1.3 - that will be
>>     covered in a separate document.
>
>     Please adjust the title, abstract, and introduction to make this
>     clear. I see neither prose nor technical mechanism in this
>     document that precludes use with TLS 1.3, and it's virtually
>     guaranteed that implementors will try to use it with TLS 1.3
>     unless there is clear text saying not to.
>
>
> I think this document does cover using Token Binding with TLS 1.3, but 
> only once draft-ietf-tokbind-tls13 is published. (I.e. before the 
> draft is published, it does not cover TLS 1.3, because 
> draft-ietf-tokbind-protocol is limited to TLS 1.2, but once 
> draft-ietf-tokbind-tls13 is published, this automatically covers TLS 
> 1.3 as well.)


Then please add an informative reference to draft-ietf-tokbind-tls13.

/a