IETF Logo Mail Archive

Re: [Unbearable] AD Review: draft-ietf-tokbind-protocol-15.txt

Andrei Popov <Andrei.Popov@microsoft.com> Mon, 09 October 2017 19:29 UTC

Return-Path: <Andrei.Popov@microsoft.com>
X-Original-To: unbearable@ietfa.amsl.com
Delivered-To: unbearable@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 181F3132949; Mon, 9 Oct 2017 12:29:50 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.02
X-Spam-Level:
X-Spam-Status: No, score=-2.02 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H4=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=microsoft.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id eGYLfRO_FQ_6; Mon, 9 Oct 2017 12:29:45 -0700 (PDT)
Received: from NAM03-CO1-obe.outbound.protection.outlook.com (mail-co1nam03on0132.outbound.protection.outlook.com [104.47.40.132]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 66B1F1286C7; Mon, 9 Oct 2017 12:29:45 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version; bh=oBqiuL5GKMuYK6761ZVD8TJskIPb6huFLgQi/iu51i8=; b=ZrDH5zEYxHeHwoyotelnfwCs/KdTPJK0C4vc73DwuJtk32PwVCIk4EtYBvcJKyC0Xkx86X3Qb6d561pkeT5KlTtTk4xbCys5zmvpxS+q+zUcQn85xvHL3fAruimRHu8HgnJCGb6zQq0H+primu0/uWPbLANOzZsJGqKW9fY9j5I=
Received: from CY4PR21MB0120.namprd21.prod.outlook.com (10.173.189.14) by CY4PR21MB0758.namprd21.prod.outlook.com (10.173.192.12) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.156.0; Mon, 9 Oct 2017 19:29:43 +0000
Received: from CY4PR21MB0120.namprd21.prod.outlook.com ([10.173.189.14]) by CY4PR21MB0120.namprd21.prod.outlook.com ([10.173.189.14]) with mapi id 15.20.0156.001; Mon, 9 Oct 2017 19:29:43 +0000
From: Andrei Popov <Andrei.Popov@microsoft.com>
To: Eric Rescorla <ekr@rtfm.com>
CC: IETF Tokbind WG <unbearable@ietf.org>, "draft-ietf-tokbind-protocol@ietf.org" <draft-ietf-tokbind-protocol@ietf.org>
Thread-Topic: AD Review: draft-ietf-tokbind-protocol-15.txt
Thread-Index: AQHTP6TRt9yVMQ3hAEWvH3AdHSYtFaLbzabAgAAbDYCAAAEbQA==
Date: Mon, 09 Oct 2017 19:29:42 +0000
Message-ID: <CY4PR21MB0120ADBB603D41EA6626642A8C740@CY4PR21MB0120.namprd21.prod.outlook.com>
References: <CABcZeBNUx5=WaFv1FdSpCrUR_Cud_y3Z914J40zTezLmaHuuzQ@mail.gmail.com> <CY4PR21MB01206A90DB61E78720B790F68C740@CY4PR21MB0120.namprd21.prod.outlook.com> <CABcZeBOc5mYn2PeU6t0cTqbuec7dwwVxPP4geaMBW-dE5U2Hxg@mail.gmail.com>
In-Reply-To: <CABcZeBOc5mYn2PeU6t0cTqbuec7dwwVxPP4geaMBW-dE5U2Hxg@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [2001:4898:80e8:e::4ca]
x-ms-publictraffictype: Email
x-microsoft-exchange-diagnostics: 1; CY4PR21MB0758; 6:tRpqXuCqHt6DftmURh9Nbd8wikm5C9oTTREwaK0wsg7gTsRoatbqTWvINbn1qyzsGjFEOOsIZauApl+9AyeuJX6S4gtML/3dgJ8vt6erbR+Ld5TCsvrGBobcijSsbIW97p8rykVD3DRnNupGTU0l0gb2Ce8j2LnRNYZ55mQWXRLwJtBLFPyh0k33Nq7mv4ckNxK48esxfF4e3KkExDz3vk1GPalR75HPe3Hnw9jB4HsaBOC4gh3gWJpHyBxurfBA0ZptqDDWRWv1sev4SEfk0D3Hs4Y/z2p9k7HuQJQ5r6res+SkYrnZ0SYSkW1KaUtt64Ir9n8/OFQt/etmvYL2rg==; 5:oCOwzn8aIYXujCLWTdFyZPCJXRsvf9pTBb2CBJHroNtNV8DVNpvlt++aBnC9eIkEkTV+Y3xfvO8x52uZXjj/0SgeNaCV5IxWXTk6V8OriBFSA4UvpW7hKnkK0xjbjmzkm81JhUwJAIHZdu1WLGLxyw==; 24:7oi+8itJsUPKPOKLA7ddYAOopN58sonxVVb4NeVn/6emcgQ8R/f4Jks9ky1Ez7h8t7AZ4eN7kWCopELHwCehYFbPM9GzTi7WOwIcal8WrLA=; 7:ebPCXJD4SisPlfkXamxxVECUGbao5sloxG4drg0uG+Degk/3nUr+klzmO7cgVR18hZslN449+fxo56nByyLOeOEq28F3pVHX2Jcxd76/9DJfjAgOIgqdy11+yGAW9KW2izh+6iAfMwZGrq8H+fk1MfljdhVBp7xDH/xN2p51K97bp6gxhMTcIs7+v5Fk14Rs1ouJ6qfro6QZwtcVWFJBkyB4bmUN/xm7InFexoTnJwc=
x-ms-exchange-antispam-srfa-diagnostics: SSOS;
x-ms-office365-filtering-correlation-id: e362e880-bb1f-447a-e6fe-08d50f4c17cb
x-ms-office365-filtering-ht: Tenant
x-microsoft-antispam: UriScan:; BCL:0; PCL:0; RULEID:(22001)(2017030254152)(48565401081)(2017052603199)(201703131423075)(201703031133081)(201702281549075); SRVR:CY4PR21MB0758;
x-ms-traffictypediagnostic: CY4PR21MB0758:
x-exchange-antispam-report-test: UriScan:(158342451672863)(278428928389397)(89211679590171)(192374486261705)(189930954265078)(100405760836317)(219752817060721)(21748063052155);
x-microsoft-antispam-prvs: <CY4PR21MB07581D99131B34D320BAD5678C740@CY4PR21MB0758.namprd21.prod.outlook.com>
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(100000700101)(100105000095)(100000701101)(100105300095)(100000702101)(100105100095)(61425038)(6040450)(2401047)(8121501046)(5005006)(100000703101)(100105400095)(93006095)(93001095)(3002001)(10201501046)(6055026)(61426038)(61427038)(6041248)(20161123555025)(20161123564025)(201703131423075)(201702281528075)(201703061421075)(201703061406153)(20161123558100)(20161123562025)(20161123560025)(6072148)(201708071742011)(100000704101)(100105200095)(100000705101)(100105500095); SRVR:CY4PR21MB0758; BCL:0; PCL:0; RULEID:(100000800101)(100110000095)(100000801101)(100110300095)(100000802101)(100110100095)(100000803101)(100110400095)(100000804101)(100110200095)(100000805101)(100110500095); SRVR:CY4PR21MB0758;
x-forefront-prvs: 045584D28C
x-forefront-antispam-report: SFV:NSPM; SFS:(10019020)(376002)(39860400002)(346002)(47760400005)(199003)(51444003)(43544003)(51914003)(189002)(50944005)(24454002)(377454003)(3280700002)(3660700001)(10090500001)(8936002)(53546010)(25786009)(478600001)(10290500003)(236005)(9686003)(53946003)(99286003)(6306002)(54896002)(55016002)(189998001)(72206003)(606006)(54356999)(86362001)(76176999)(50986999)(101416001)(86612001)(2906002)(19609705001)(14454004)(2900100001)(8990500004)(790700001)(6506006)(6116002)(7696004)(5660300001)(81156014)(81166006)(106356001)(229853002)(102836003)(105586002)(230783001)(2950100002)(6916009)(8676002)(7736002)(77096006)(22452003)(4326008)(6246003)(54906003)(966005)(53936002)(97736004)(33656002)(74316002)(6436002)(316002)(68736007)(579004)(559001); DIR:OUT; SFP:1102; SCL:1; SRVR:CY4PR21MB0758; H:CY4PR21MB0120.namprd21.prod.outlook.com; FPR:; SPF:None; PTR:InfoNoRecords; A:1; MX:1; LANG:en;
received-spf: None (protection.outlook.com: microsoft.com does not designate permitted sender hosts)
authentication-results: spf=none (sender IP is ) smtp.mailfrom=Andrei.Popov@microsoft.com;
spamdiagnosticoutput: 1:99
spamdiagnosticmetadata: NSPM
Content-Type: multipart/alternative; boundary="_000_CY4PR21MB0120ADBB603D41EA6626642A8C740CY4PR21MB0120namp_"
MIME-Version: 1.0
X-OriginatorOrg: microsoft.com
X-MS-Exchange-CrossTenant-Network-Message-Id: e362e880-bb1f-447a-e6fe-08d50f4c17cb
X-MS-Exchange-CrossTenant-originalarrivaltime: 09 Oct 2017 19:29:43.1891 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 72f988bf-86f1-41af-91ab-2d7cd011db47
X-MS-Exchange-Transport-CrossTenantHeadersStamped: CY4PR21MB0758
Archived-At: <https://mailarchive.ietf.org/arch/msg/unbearable/Av1h7AZejQ4sAqNiCctyfLt29r4>
Subject: Re: [Unbearable] AD Review: draft-ietf-tokbind-protocol-15.txt
X-BeenThere: unbearable@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "\"This list is for discussion of proposals for doing better than bearer tokens \(e.g. HTTP cookies, OAuth tokens etc.\) for web applications. The specific goal is chartering a WG focused on preventing security token export and replay attacks.\"" <unbearable.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/unbearable>, <mailto:unbearable-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/unbearable/>
List-Post: <mailto:unbearable@ietf.org>
List-Help: <mailto:unbearable-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/unbearable>, <mailto:unbearable-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 09 Oct 2017 19:29:50 -0000

Will rename, to help avoid confusion.

Thanks,

Andrei

From: Eric Rescorla [mailto:ekr@rtfm.com]
Sent: Monday, October 9, 2017 12:23 PM
To: Andrei Popov <Andrei.Popov@microsoft.com>
Cc: IETF Tokbind WG <unbearable@ietf.org>; draft-ietf-tokbind-protocol@ietf.org
Subject: Re: AD Review: draft-ietf-tokbind-protocol-15.txt



On Mon, Oct 9, 2017 at 10:49 AM, Andrei Popov <Andrei.Popov@microsoft.com<mailto:Andrei.Popov@microsoft.com>> wrote:
Hi Eric,

Thanks for the review.


  *   Specifically can you verify that you intended to deviate from the TLS data structures?
Yes, TB specs reuse the “TLS Presentation Language”, but we define our own data structures. Where the WG was not satisfied with the TLS-style formatting of values, we changed them. The formats we use are the result of prolonged discussions and represent the current WG consensus.

OK, I've got no problem with that as long as it's intentional


TLS WG RFCs define a lot of generic names such as “ECPoint”. I felt at liberty to redefine them in a different protocol spec produced by a different WG. If you think this is a bad idea, I don’t mind renaming, e.g., “TB_ECPoint”. Should I go ahead and rename?

I think that would be better, but I could live without if you think it's really bad. Minimally I think you need to call it out in the text, though.

-Ekr


Cheers,

Andrei

From: Eric Rescorla [mailto:ekr@rtfm.com<mailto:ekr@rtfm.com>]
Sent: Saturday, October 7, 2017 12:45 PM
To: IETF Tokbind WG <unbearable@ietf.org<mailto:unbearable@ietf.org>>; draft-ietf-tokbind-protocol@ietf.org<mailto:draft-ietf-tokbind-protocol@ietf.org>
Subject: AD Review: draft-ietf-tokbind-protocol-15.txt


A rich version of this review can be found at:

https://mozphab-ietf.devsvcdev.mozaws.net/D48<https://na01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fmozphab-ietf.devsvcdev.mozaws.net%2FD48&data=02%7C01%7CAndrei.Popov%40microsoft.com%7C37e312945a6b4933d22608d50dbbf2e8%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C636430023249789390&sdata=W856D6FDlIXeYngiYusDRBDzFzkZ3KoCpYqfyojmtqo%3D&reserved=0>
1.       If you make an account and login, you can respond to the comments

and we can try to resolve them before you produce a new draft.
2.       When you're ready to produce a new draft, you can either upload

it to the draft repo or send me the pre-draft and either way I'll
take care of getting it uploaded here, so we can see diffs, etc.



This document seems like it is in fairly good shape. See below for comments. Specifically can you verify that you intended to deviate from the TLS data structures?

INLINE COMMENTS
View Inline<https://na01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fmozphab-ietf.devsvcdev.mozaws.net%2FD48%23inline-307&data=02%7C01%7CAndrei.Popov%40microsoft.com%7C37e312945a6b4933d22608d50dbbf2e8%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C636430023249789390&sdata=hVf1650fx3r7Lnbgh32L25JUwx4FnlwQUMEswd0gFGk%3D&reserved=0>draft-ietf-tokbind-protocol.txt:111
with the private key. The corresponding public key is included in
the Token Binding identifier structure (described in the Section 3.2
"TokenBinding.tokenbindingid"). Token Bindings are long-lived, i.e.,

the rest of this would be clear if you said "Token Binding ID" here.

View Inline<https://na01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fmozphab-ietf.devsvcdev.mozaws.net%2FD48%23inline-306&data=02%7C01%7CAndrei.Popov%40microsoft.com%7C37e312945a6b4933d22608d50dbbf2e8%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C636430023249789390&sdata=lKU4dIN5S4JiWFHTBjw2wHIzB%2BdFeFjQbGB0fuh3Zj0%3D&reserved=0>draft-ietf-tokbind-protocol.txt:114
they encompass multiple TLS connections and TLS sessions between a
given client and server. To protect privacy, Token Binding IDs are
never conveyed over insecure connections and can be reset by the user

Can you clarify that while the TB is long-lived, the PoP needs to be refreshed at least as often as you do a full TLS handshake.

View Inline<https://na01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fmozphab-ietf.devsvcdev.mozaws.net%2FD48%23inline-308&data=02%7C01%7CAndrei.Popov%40microsoft.com%7C37e312945a6b4933d22608d50dbbf2e8%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C636430023249789390&sdata=ctlvGcCUAo4MxrWonLJPyiI6%2FU1g%2FVhWSkpBfG23QXY%3D&reserved=0>draft-ietf-tokbind-protocol.txt:121
cryptographic hash) in the token. Later on, when a client presents a
security token containing a Token Binding ID, the server ensures the
ID in the token matches the ID of the Token Binding established with

I would say "verifies that"

View Inline<https://na01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fmozphab-ietf.devsvcdev.mozaws.net%2FD48%23inline-309&data=02%7C01%7CAndrei.Popov%40microsoft.com%7C37e312945a6b4933d22608d50dbbf2e8%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C636430023249789390&sdata=PUHGJWU4gXOlvRhShnXDtP6VMgcJ%2FOd7RoTOb3gepik%3D&reserved=0>draft-ietf-tokbind-protocol.txt:209
opaque point <1..2^8-1>;
} ECPoint;

ECPoint also exists in RFC 4492, but with different semantics. You should rename.

View Inline<https://na01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fmozphab-ietf.devsvcdev.mozaws.net%2FD48%23inline-310&data=02%7C01%7CAndrei.Popov%40microsoft.com%7C37e312945a6b4933d22608d50dbbf2e8%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C636430023249789390&sdata=WuHbRliA%2FMT7fDeLF9PANvQSipnX%2B8HHosNHynuX%2Fcw%3D&reserved=0>draft-ietf-tokbind-protocol.txt:231
opaque extension_data<0..2^16-1>;
} Extension;
IMPORTANT: this definition conflicts with the RFC5246 Extension type, so you should rename it, thus allowing a merged grammar.

View Inline<https://na01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fmozphab-ietf.devsvcdev.mozaws.net%2FD48%23inline-311&data=02%7C01%7CAndrei.Popov%40microsoft.com%7C37e312945a6b4933d22608d50dbbf2e8%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C636430023249789390&sdata=44FpSI29Z2%2FOvrzotVZsS4KuD%2FUTbjnehNoEW2Dgzq8%3D&reserved=0>draft-ietf-tokbind-protocol.txt:240
TokenBindingID tokenbindingid;
opaque signature<0..2^16-1>; /* Signature over the concatenation
of tokenbinding_type,

Does 0 bytes make sense here

View Inline<https://na01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fmozphab-ietf.devsvcdev.mozaws.net%2FD48%23inline-317&data=02%7C01%7CAndrei.Popov%40microsoft.com%7C37e312945a6b4933d22608d50dbbf2e8%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C636430023249789390&sdata=yQiqrG9E9kg9ysxZxb021uA1BvVWn%2Bz5rdBezYsPYbk%3D&reserved=0>draft-ietf-tokbind-protocol.txt:249
TokenBinding tokenbindings<0..2^16-1>;
} TokenBindingMessage;

This zero seems wrong, as you require at least one TokenBinding structure and those cannot be zero length.

View Inline<https://na01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fmozphab-ietf.devsvcdev.mozaws.net%2FD48%23inline-313&data=02%7C01%7CAndrei.Popov%40microsoft.com%7C37e312945a6b4933d22608d50dbbf2e8%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C636430023249789390&sdata=Aiu9X1ySApS6NLsMh%2BjUeaqq3TFHrxKZ6bl2h%2B2aSX8%3D&reserved=0>draft-ietf-tokbind-protocol.txt:264
o referred_token_binding - used when requesting tokens that are
intended to be presented to a different server.

Requesting?

View Inline<https://na01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fmozphab-ietf.devsvcdev.mozaws.net%2FD48%23inline-324&data=02%7C01%7CAndrei.Popov%40microsoft.com%7C37e312945a6b4933d22608d50dbbf2e8%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C636430023249789390&sdata=m4gKe%2FdyEYA3ojgkU5Xn%2BxUWw2lPrQhsVGIA%2Bm95VUo%3D&reserved=0>draft-ietf-tokbind-protocol.txt:275
referred_token_binding. Such a bound token enjoys the protections
discussed below in Section 7 "Security Considerations".
IMPORTANT: This does not appear to be the case. Did the text go missing? In general, this referred case seems fairly confusing and needs more explication in this document.

View Inline<https://na01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fmozphab-ietf.devsvcdev.mozaws.net%2FD48%23inline-314&data=02%7C01%7CAndrei.Popov%40microsoft.com%7C37e312945a6b4933d22608d50dbbf2e8%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C636430023249789390&sdata=P%2FHkbEIHSyrFl5hhw5T3XkvJhZphC1emZOfMm0ICqk4%3D&reserved=0>draft-ietf-tokbind-protocol.txt:282
parameters, the length (in bytes) of the Token Binding public key,
and the Token Binding public key itself. Token Binding ID can be
obtained from the TokenBinding structure by discarding the Token

Nit: "The Token Binding ID"

View Inline<https://na01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fmozphab-ietf.devsvcdev.mozaws.net%2FD48%23inline-315&data=02%7C01%7CAndrei.Popov%40microsoft.com%7C37e312945a6b4933d22608d50dbbf2e8%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C636430023249789390&sdata=TzjkrJWQIH44w9HVNk5efwsNgRbCJdKgyMnTyUVIUuI%3D&reserved=0>draft-ietf-tokbind-protocol.txt:296
define Token Binding keys using other elliptic curves with their
corresponding signature and point formats.
IMPORTANT: As read, this is a different format than that in RFC 4492, because it does not include the type field required by X9.62. I have two comments about this:

  1.  It seems unwise to use a different format than TLS. Was that intentional?
  2.  If the WG has consensus to do so, that should be called out very clearly.

View Inline<https://na01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fmozphab-ietf.devsvcdev.mozaws.net%2FD48%23inline-316&data=02%7C01%7CAndrei.Popov%40microsoft.com%7C37e312945a6b4933d22608d50dbbf2e8%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C636430023249789390&sdata=QOLWnvph%2BZvVLXBubWOChrBEZGC3ZxUhyApYg9P%2B7NQ%3D&reserved=0>draft-ietf-tokbind-protocol.txt:319
[FIPS.186-4.2013]. R and S are encoded in big-endian format,
preserving any leading zero bytes.
IMPORTANT: This is also a different format than that specified in RFC 4492. See the above comments.

View Inline<https://na01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fmozphab-ietf.devsvcdev.mozaws.net%2FD48%23inline-318&data=02%7C01%7CAndrei.Popov%40microsoft.com%7C37e312945a6b4933d22608d50dbbf2e8%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C636430023249799398&sdata=4i%2BpvrB7mEjtfvTPXtcxCBUJplqS2stDLTEnJ5o%2BJQg%3D&reserved=0>draft-ietf-tokbind-protocol.txt:394
keys MUST NOT be broader than the scope of the tokens, as defined by
the application protocol.

I find this a little hard to read. I think what you're saying is that (for instance) in HTTP you need to scope the key no more widely than the cookie?

View Inline<https://na01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fmozphab-ietf.devsvcdev.mozaws.net%2FD48%23inline-319&data=02%7C01%7CAndrei.Popov%40microsoft.com%7C37e312945a6b4933d22608d50dbbf2e8%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C636430023249799398&sdata=fmKe9GW%2Fk2O9yIMmDzGrqHRDtT7VpxBtD3cfW2gBSI8%3D&reserved=0>draft-ietf-tokbind-protocol.txt:455
be rejected by the server. The effect of this is application-
specific, e.g. failing requests, a requirement for the client to re-
authenticate and present a different token, or connection

Nit: "e.g." has a comma after it.

View Inline<https://na01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fmozphab-ietf.devsvcdev.mozaws.net%2FD48%23inline-320&data=02%7C01%7CAndrei.Popov%40microsoft.com%7C37e312945a6b4933d22608d50dbbf2e8%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C636430023249799398&sdata=VcQfStUVKadYgd4ejNEQCgM9XTlb0vA5dpxhUY5F0rU%3D&reserved=0>draft-ietf-tokbind-protocol.txt:462
Security tokens can be bound to the TLS layer in a variety of ways:
by embedding the Token Binding ID or its cryptographic hash in the
token, or by maintaining a database mapping tokens to Token Binding

This isn't a binding to the TLS layer but rather a binding to the Token ID, I think.

View Inline<https://na01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fmozphab-ietf.devsvcdev.mozaws.net%2FD48%23inline-321&data=02%7C01%7CAndrei.Popov%40microsoft.com%7C37e312945a6b4933d22608d50dbbf2e8%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C636430023249799398&sdata=k0jq%2BZuyjs%2BCBMDVhpiccoysluaHGrQWFZUG4zmvQjA%3D&reserved=0>draft-ietf-tokbind-protocol.txt:514
An initial set of registrations for this registry follows:

These registration lists would benefit from some judicious whitespace. E.g.,

Value: 0

Description: rsa2048_pkcs1.5

Specification: this document



Value: 1

Or alternately:

Value: 0



Description: rsa2048_pkcs1.5



Specification: this document





Value: 1

View Inline<https://na01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fmozphab-ietf.devsvcdev.mozaws.net%2FD48%23inline-322&data=02%7C01%7CAndrei.Popov%40microsoft.com%7C37e312945a6b4933d22608d50dbbf2e8%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C636430023249799398&sdata=sSVc%2FMe8FiUVAgqTUcW9Curq%2FN7q1y2EamFpUCdJVIg%3D&reserved=0>draft-ietf-tokbind-protocol.txt:615
The manner in which a token is bound to the TLS layer is application-
defined and beyond the scope of this document. However, the
resulting bound token needs to be integrity-protected, so that an

This doesn't seem right: the binding is provide by the EKM signature.

View Inline<https://na01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fmozphab-ietf.devsvcdev.mozaws.net%2FD48%23inline-323&data=02%7C01%7CAndrei.Popov%40microsoft.com%7C37e312945a6b4933d22608d50dbbf2e8%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C636430023249799398&sdata=OEhVCzPI%2BunT0vcn6szxljRHSUmn0nXR17xVjQ5MIYg%3D&reserved=0>draft-ietf-tokbind-protocol.txt:643
mode where they don't store or use tokens supplied by the server,
e.g. "in private" browsing. When operating in this special privacy
mode, applications SHOULD use newly generated Token Binding keys and

Nit: "e.g." has a comma after it.

REPOSITORY
rIETFREVIEW ietf-review

REVISION DETAIL
https://mozphab-ietf.devsvcdev.mozaws.net/D48<https://na01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fmozphab-ietf.devsvcdev.mozaws.net%2FD48&data=02%7C01%7CAndrei.Popov%40microsoft.com%7C37e312945a6b4933d22608d50dbbf2e8%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C636430023249799398&sdata=IiVTCIVdUTRA2kZaWBlXbc2iEvdDpjPa7DQQp7O2szg%3D&reserved=0>

EMAIL PREFERENCES
https://mozphab-ietf.devsvcdev.mozaws.net/settings/panel/emailpreferences/<https://na01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fmozphab-ietf.devsvcdev.mozaws.net%2Fsettings%2Fpanel%2Femailpreferences%2F&data=02%7C01%7CAndrei.Popov%40microsoft.com%7C37e312945a6b4933d22608d50dbbf2e8%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C636430023249799398&sdata=funLgRZntFDjz%2FQT%2Bg5YC%2Bm%2Br8y1IXOQ2RiSPd4lX0M%3D&reserved=0>

To: ekr-moz, ekr

v2.23.0 | Report a Bug | By Email