Re: [Unbearable] draft-ietf-tokbind-negotiation feedback
Andrei Popov <Andrei.Popov@microsoft.com> Wed, 29 March 2017 22:28 UTC
From: Andrei Popov <Andrei.Popov@microsoft.com>
To: Leif Johansson <leifj@sunet.se>, "unbearable@ietf.org" <unbearable@ietf.org>
Thread-Topic: [Unbearable] draft-ietf-tokbind-negotiation feedback
Date: Wed, 29 Mar 2017 22:28:33 +0000
Message-ID: <DM2PR21MB009186380A77A474CEA74AF18C350@DM2PR21MB0091.namprd21.prod.outlook.com>
References: <CACdeXiKy_CEorSMRBLquY6kV39bzvoyhcR-3Ncm1i+Jsht5sXg@mail.gmail.com> <302ddafb-6922-9d17-8792-09f617ffe6b5@sunet.se>
In-Reply-To: <302ddafb-6922-9d17-8792-09f617ffe6b5@sunet.se>
Archived-At: <https://mailarchive.ietf.org/arch/msg/unbearable/CJ4TsEnZGwy1HvUDKLnXkPETLdE>
Subject: Re: [Unbearable] draft-ietf-tokbind-negotiation feedback
Hi Nick,

As discussed earlier, I will add text to the next revision of TBNEGO saying that TB negotiation in TLS 1.3 is out of scope for this spec. Then you can describe TLS 1.3 TB negotiation in draft-ietf-tokbind-tls13-0rtt or a separate spec.

Cheers,

Andrei

-----Original Message-----
From: Unbearable [mailto:unbearable-bounces@ietf.org] On Behalf Of Leif Johansson
Sent: Wednesday, March 29, 2017 3:18 PM
To: unbearable@ietf.org
Subject: Re: [Unbearable] draft-ietf-tokbind-negotiation feedback

On 2017-03-30 00:03, Nick Harper wrote:
> As far as I can tell, draft-ietf-tokbind-negotiation (TBNEGO) does not
> limit which versions of TLS the extension can be used with. I'm
> assuming that draft-ietf-tls-tls13 (TLS 1.3) will get published before
> draft-ietf-tokbind-negotiation. Section 4.2.7 (Early Data Indication)
> of TLS 1.3 (draft 19) specifies that "Future extensions MUST define
> their interaction with 0-RTT."

Since we're post WGLC it's increasingly critical to keep very careful track of issues that crop up. Can you open an issue for this on GitHub? Please continue discussion here as usual.

Cheers Leif

> I see two potential options to reconcile this disagreement:
>
> 1) Have TBNEGO specify something like "Token Binding and 0-RTT MUST
> NOT both be negotiated on the same connection" and let
> draft-ietf-tokbind-tls13-0rtt update TBNEGO later.
> 2) Specify in TBNEGO a max TLS version of 1.2, and have
> draft-ietf-tokbind-tls13-0rtt or another draft specify the behavior of
> the extension in TLS 1.3 and higher.
>
> Does this WG think this is something that needs to be addressed? Are
> there other options to consider?

_______________________________________________
Unbearable mailing list
Unbearable@ietf.org
https://www.ietf.org/mailman/listinfo/unbearable
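The two reconciliation options Nick lists, modelled as a server-side extension-negotiation decision. This is an added illustration, not text from draft-ietf-tokbind-negotiation or from any TLS implementation; the extension names `token_binding` and `early_data`, the `Policy` enum, and the choice under option 1 to keep Token Binding and decline 0-RTT when both are offered are assumptions made here for the example.

```python
"""Illustrative model (not the draft's text) of how a TLS server could
reconcile Token Binding negotiation with TLS 1.3 0-RTT under each option
discussed in the thread. Never allows both on one connection."""
from dataclasses import dataclass
from enum import Enum

TLS12 = 0x0303  # TLS 1.2 protocol version value
TLS13 = 0x0304  # TLS 1.3 protocol version value


class Policy(Enum):
    NO_TB_WITH_0RTT = 1  # option 1: "MUST NOT both be negotiated"
    TB_MAX_TLS12 = 2     # option 2: extension defined only up to TLS 1.2


@dataclass
class ClientHello:
    supported_versions: list  # versions the client offers (constructed)
    extensions: set           # extension names offered (assumed names)


@dataclass
class ServerDecision:
    version: int
    token_binding: bool
    early_data: bool


def negotiate(hello: ClientHello, server_versions: set, policy: Policy) -> ServerDecision:
    """Pick the highest common version, then apply the chosen policy."""
    common = [v for v in hello.supported_versions if v in server_versions]
    if not common:
        raise ValueError("no common TLS version")
    version = max(common)
    offers_tb = "token_binding" in hello.extensions
    # early_data only exists in TLS 1.3; ignore it if 1.2 was chosen
    offers_0rtt = version == TLS13 and "early_data" in hello.extensions

    if policy is Policy.NO_TB_WITH_0RTT:
        # Option 1 (assumed preference): keep Token Binding, decline 0-RTT,
        # so the client falls back to sending data after the handshake.
        tb = offers_tb
        ed = offers_0rtt and not tb
    else:
        # Option 2: the extension is undefined above TLS 1.2, so a TLS 1.3
        # server ignores it and 0-RTT proceeds normally.
        tb = offers_tb and version <= TLS12
        ed = offers_0rtt
    assert not (tb and ed), "policy must never yield both on one connection"
    return ServerDecision(version, tb, ed)
```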