Re: [Unbearable] ramifications of longer EKMs
Andrei Popov <Andrei.Popov@microsoft.com> Thu, 23 February 2017 21:00 UTC
Return-Path: <Andrei.Popov@microsoft.com>
X-Original-To: unbearable@ietfa.amsl.com
Delivered-To: unbearable@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7E64C12A2E2 for <unbearable@ietfa.amsl.com>; Thu, 23 Feb 2017 13:00:53 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.02
X-Spam-Level:
X-Spam-Status: No, score=-2.02 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H4=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=microsoft.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Ffgg532tUsxP for <unbearable@ietfa.amsl.com>; Thu, 23 Feb 2017 13:00:52 -0800 (PST)
Received: from NAM02-SN1-obe.outbound.protection.outlook.com (mail-sn1nam02on0121.outbound.protection.outlook.com [104.47.36.121]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D1ECC12A2CC for <unbearable@ietf.org>; Thu, 23 Feb 2017 13:00:51 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version; bh=ZgiqD9paAN153fTotf4R9bgB9zBwNRbEWxKV0gzx6to=; b=gIa9YruR5ZNPO5f3gdQLStq5vRr61D9XTjt6nmPAxN2JbPzh8DfH7/Ng5od1M95XTLldiAi2VspOvxJU0He+FsO72mg3flckfCjvOKPUPJql8DlZwitevwfgsY6WltqZD3F3b0o8lXrGt3ZRoBlUwz2AairVpbD6d2YXGj4+ASs=
Received: from CY1PR0301MB0842.namprd03.prod.outlook.com (10.160.163.148) by CY1PR0301MB2026.namprd03.prod.outlook.com (10.164.2.20) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384) id 15.1.919.13; Thu, 23 Feb 2017 21:00:49 +0000
Received: from CY1PR0301MB0842.namprd03.prod.outlook.com ([10.160.163.148]) by CY1PR0301MB0842.namprd03.prod.outlook.com ([10.160.163.148]) with mapi id 15.01.0919.018; Thu, 23 Feb 2017 21:00:50 +0000
From: Andrei Popov <Andrei.Popov@microsoft.com>
To: Anthony Nadalin <tonynad@microsoft.com>, Brian Campbell <bcampbell@pingidentity.com>
Thread-Topic: [Unbearable] ramifications of longer EKMs
Thread-Index: AQHSjVYgmQf/q9+NMUG8uI+0qEZ9BqF1ncIggAAZn4CAAACqsIAADg1QgADNxwCAAE0DAIAAJ7Pw
Date: Thu, 23 Feb 2017 21:00:49 +0000
Message-ID: <CY1PR0301MB0842CE7EE8AB1A0BC01C95268C530@CY1PR0301MB0842.namprd03.prod.outlook.com>
References: <CA+k3eCTRAdwW9xj2JRcs7LwgXJtWj=zDFrZVGJVLmV-vHuYstw@mail.gmail.com> <CY1PR0301MB0842D765811AA4C37AE332938C500@CY1PR0301MB0842.namprd03.prod.outlook.com> <CA+k3eCQw4KErXHrQWx=uEmf6OKvp9nGQYiC2nWk4+exorxjDCg@mail.gmail.com> <CY1PR0301MB0842C76A829D345AAC18FB988C530@CY1PR0301MB0842.namprd03.prod.outlook.com> <CY1PR0301MB0842026E974F75CE28AA264C8C530@CY1PR0301MB0842.namprd03.prod.outlook.com> <CA+k3eCQZKAf7BOWKBDQqBDR63OBKOogyuDT+j1JCqSDU3EUuQg@mail.gmail.com> <SN1PR0301MB2029AD297BE87DE6330FFBE6A6530@SN1PR0301MB2029.namprd03.prod.outlook.com>
In-Reply-To: <SN1PR0301MB2029AD297BE87DE6330FFBE6A6530@SN1PR0301MB2029.namprd03.prod.outlook.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: spf=none (sender IP is ) smtp.mailfrom=Andrei.Popov@microsoft.com;
x-originating-ip: [2001:4898:80e8:8::1d2]
x-ms-office365-filtering-correlation-id: fb2b8a26-1fba-4622-812f-08d45c2f0c18
x-ms-office365-filtering-ht: Tenant
x-microsoft-antispam: UriScan:; BCL:0; PCL:0; RULEID:(22001)(48565401081); SRVR:CY1PR0301MB2026;
x-microsoft-exchange-diagnostics: 1; CY1PR0301MB2026; 7:BKx5A5yOqLAdTNQXeFOZxZrbkAj/BAgYA8mB5nxE63AclBQddB+bXI0w8rfPwtcgLyyh8VEIp7J6yj19kAuA6T9WXpWAwz6wzPi79qGE7lQLuGtFjJV+CAfsHj27hUER2ybL1cENnKraC1XrKoqgVN+pwWxCr8DPbGpyCvWsaZaPqQb+ZT95UY2+6BrWppEcvytuhAiff4g4LMdc+rJqLmbbRUFS875Eqvk8VxWYwkXNrXv8R0Ucp6SGqHPZ/roS7+ix5XDBfb+G25X2s4xVnrIknRKOdyllidAHBflU7wZt5cdAj6p79qh0cDPJehojqgnWVf4SUzYAWe1YEwFOmtXbwyzlH7Kdk2Ic+QNAxkQ=
x-microsoft-antispam-prvs: <CY1PR0301MB2026A09882416DD758F9F08E8C530@CY1PR0301MB2026.namprd03.prod.outlook.com>
x-exchange-antispam-report-test: UriScan:(21748063052155);
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(61425038)(6040375)(601004)(2401047)(8121501046)(5005006)(10201501046)(3002001)(6055026)(61426038)(61427038)(6041248)(20161123560025)(20161123558025)(20161123555025)(20161123564025)(20161123562025)(6072148); SRVR:CY1PR0301MB2026; BCL:0; PCL:0; RULEID:; SRVR:CY1PR0301MB2026;
x-forefront-prvs: 02272225C5
x-forefront-antispam-report: SFV:NSPM; SFS:(10019020)(6009001)(7916002)(39410400002)(39450400003)(39860400002)(39840400002)(39850400002)(199003)(377454003)(189002)(8990500004)(10290500002)(10090500001)(2561002)(5005710100001)(97736004)(122556002)(6436002)(7696004)(54356999)(76176999)(93886004)(189998001)(50986999)(1511001)(4326007)(3280700002)(2950100002)(790700001)(102836003)(6116002)(5660300001)(2906002)(3660700001)(2421001)(7736002)(74316002)(105586002)(19609705001)(33656002)(81166006)(92566002)(8676002)(106116001)(101416001)(53546006)(86612001)(81156014)(68736007)(8936002)(55016002)(86362001)(99286003)(2900100001)(9686003)(25786008)(6306002)(54896002)(6246003)(77096006)(229853002)(53936002)(6506006)(38730400002)(106356001)(148743002); DIR:OUT; SFP:1102; SCL:1; SRVR:CY1PR0301MB2026; H:CY1PR0301MB0842.namprd03.prod.outlook.com; FPR:; SPF:None; PTR:InfoNoRecords; A:1; MX:1; LANG:en;
received-spf: None (protection.outlook.com: microsoft.com does not designate permitted sender hosts)
spamdiagnosticoutput: 1:99
spamdiagnosticmetadata: NSPM
Content-Type: multipart/alternative; boundary="_000_CY1PR0301MB0842CE7EE8AB1A0BC01C95268C530CY1PR0301MB0842_"
MIME-Version: 1.0
X-OriginatorOrg: microsoft.com
X-MS-Exchange-CrossTenant-originalarrivaltime: 23 Feb 2017 21:00:50.0202 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 72f988bf-86f1-41af-91ab-2d7cd011db47
X-MS-Exchange-Transport-CrossTenantHeadersStamped: CY1PR0301MB2026
Archived-At: <https://mailarchive.ietf.org/arch/msg/unbearable/87pYGzWQ3rone6MDNP7oaZFK5Uc>
Cc: IETF Tokbind WG <unbearable@ietf.org>
Subject: Re: [Unbearable] ramifications of longer EKMs
X-BeenThere: unbearable@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "\"This list is for discussion of proposals for doing better than bearer tokens \(e.g. HTTP cookies, OAuth tokens etc.\) for web applications. The specific goal is chartering a WG focused on preventing security token export and replay attacks.\"" <unbearable.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/unbearable>, <mailto:unbearable-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/unbearable/>
List-Post: <mailto:unbearable@ietf.org>
List-Help: <mailto:unbearable-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/unbearable>, <mailto:unbearable-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 23 Feb 2017 21:00:53 -0000
Tokbind-tls-term does not necessarily have to be on the standards track, but I think the issue Brian has raised deserves discussion regardless of the destiny of tokbind-tls-term. WRT Brian’s listed options, I prefer 3) or, failing that, 1). Option 2) affects the tokbind-tls-term document, not the core I-Ds; from the core I-D perspective it is identical to option 1). Option 4) makes the TB key parameter negotiation less definitive. It says that the length of the EKM now depends not only on the signature scheme of the TB key that signs this EKM, but also on the type of the Binding, and on the signature scheme of a different, unrelated TB key. Cheers, Andrei From: Anthony Nadalin Sent: Thursday, February 23, 2017 9:54 AM To: Brian Campbell <bcampbell@pingidentity.com>; Andrei Popov <Andrei.Popov@microsoft.com> Cc: IETF Tokbind WG <unbearable@ietf.org> Subject: RE: [Unbearable] ramifications of longer EKMs I’m not sure the value of standardizing the tokbind-tls-term, not sure how much interoperability requirements there are here, maybe this should be an experimental until we figure out if there is a need and if so what are the requirements
- [Unbearable] ramifications of longer EKMs Brian Campbell
- Re: [Unbearable] ramifications of longer EKMs Andrei Popov
- Re: [Unbearable] ramifications of longer EKMs Brian Campbell
- Re: [Unbearable] ramifications of longer EKMs Andrei Popov
- Re: [Unbearable] ramifications of longer EKMs Andrei Popov
- Re: [Unbearable] ramifications of longer EKMs Brian Campbell
- Re: [Unbearable] ramifications of longer EKMs Anthony Nadalin
- Re: [Unbearable] ramifications of longer EKMs Andrei Popov
- Re: [Unbearable] ramifications of longer EKMs Andrei Popov
- Re: [Unbearable] ramifications of longer EKMs Brian Campbell
- Re: [Unbearable] ramifications of longer EKMs Brian Campbell
- Re: [Unbearable] ramifications of longer EKMs Andrei Popov
- Re: [Unbearable] ramifications of longer EKMs John Bradley
- Re: [Unbearable] ramifications of longer EKMs Brian Campbell
- Re: [Unbearable] ramifications of longer EKMs John Bradley
- Re: [Unbearable] ramifications of longer EKMs Brian Campbell
- Re: [Unbearable] ramifications of longer EKMs Brian Campbell
- Re: [Unbearable] ramifications of longer EKMs Andrei Popov
- Re: [Unbearable] ramifications of longer EKMs John Bradley
- Re: [Unbearable] ramifications of longer EKMs Brian Campbell