Re: [Unbearable] Ben Campbell's Discuss on draft-ietf-tokbind-https-14: (with DISCUSS and COMMENT)

Andrei Popov <Andrei.Popov@microsoft.com> Tue, 26 June 2018 18:54 UTC

Return-Path: <Andrei.Popov@microsoft.com>
X-Original-To: unbearable@ietfa.amsl.com
Delivered-To: unbearable@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 834AE13111B; Tue, 26 Jun 2018 11:54:55 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.01
X-Spam-Level:
X-Spam-Status: No, score=-2.01 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, SPF_PASS=-0.001, T_DKIMWL_WL_HIGH=-0.01, URIBL_BLOCKED=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=microsoft.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id JnDf_zSShoU3; Tue, 26 Jun 2018 11:54:50 -0700 (PDT)
Received: from NAM04-BN3-obe.outbound.protection.outlook.com (mail-eopbgr680091.outbound.protection.outlook.com [40.107.68.91]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 703F9130E14; Tue, 26 Jun 2018 11:54:50 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=F316XmDLTte21G2eJRWux+I5TRPaGIb0p9tkWipWi/k=; b=Vo0mgwX+Y18UWsSO8le8jmOP8vtDLI5ef9x1cxFIrmqVR5KWcRArF4QEipS1KR25qVjHuR3gtdVtY2Q3qNpZiYTfq3BHEuNRL9+fhJd4RGMSj1n3KhPy8/0yPeOGNaoS2dYOt+bI3wUh79whAnG3VDz/jrsrE5XC6+8DIbmJHHw=
Received: from CY4PR21MB0774.namprd21.prod.outlook.com (10.173.192.20) by CY4PR21MB0776.namprd21.prod.outlook.com (10.173.192.22) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.930.2; Tue, 26 Jun 2018 18:54:48 +0000
Received: from CY4PR21MB0774.namprd21.prod.outlook.com ([fe80::9d01:113b:290a:750b]) by CY4PR21MB0774.namprd21.prod.outlook.com ([fe80::9d01:113b:290a:750b%3]) with mapi id 15.20.0930.005; Tue, 26 Jun 2018 18:54:48 +0000
From: Andrei Popov <Andrei.Popov@microsoft.com>
To: Ben Campbell <ben@nostrum.com>, Eric Rescorla <ekr@rtfm.com>
CC: Dirk Balfanz <balfanz=40google.com@dmarc.ietf.org>, "draft-ietf-tokbind-https@ietf.org" <draft-ietf-tokbind-https@ietf.org>, Tokbind WG <unbearable@ietf.org>, The IESG <iesg@ietf.org>, John Bradley <ve7jtb@ve7jtb.com>, "tokbind-chairs@ietf.org" <tokbind-chairs@ietf.org>
Thread-Topic: [Unbearable] Ben Campbell's Discuss on draft-ietf-tokbind-https-14: (with DISCUSS and COMMENT)
Thread-Index: AQHT59XA5IIayh1w/kSwtbPg5+4zz6RQtRGAgCE0KwCAAUGXgIAAAMlw
Date: Tue, 26 Jun 2018 18:54:47 +0000
Message-ID: <CY4PR21MB0774D87B730D6A726AA272568C490@CY4PR21MB0774.namprd21.prod.outlook.com>
References: <152589833077.4037.7403393365772291429.idtracker@ietfa.amsl.com> <CADHfa2Aj9_-X-rtPR7OU-_cEXC=MnHpv88O_HTmB0-Yd-X_LLA@mail.gmail.com> <CABcZeBOb9G3jTnOg6ucba2060EqObM8LEo9F16mCCvwdHaU9=A@mail.gmail.com> <94E6261D-7920-4C65-BDB3-A0B3144323C5@nostrum.com>
In-Reply-To: <94E6261D-7920-4C65-BDB3-A0B3144323C5@nostrum.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [2001:4898:80e8:8:28b5:a023:971b:e42c]
x-ms-publictraffictype: Email
x-microsoft-exchange-diagnostics: 1; CY4PR21MB0776; 7:DjXpLgRc5EUIsz4ucG3wFp9pwL86kBTk/gQLAEx+8m9sf4lh7DBqbxNE5aCwxbB4Wc5BE+u/6L8G+7QAeSMEu24czw3ZIqa/X3+rAM7N0oapzvnFQDJtNe2v78fjyhJ1IhM9F6KfsIG10I5pTjObOpfsqIYjSBV2MIphAQbMOqZDc5uobBNV/aDFPPL4DgSqic/nWWUFBcj5mvguoZ0j4jdLapucLOqYPpOzwHYPjrlfUWM1rw6jpJEKZQkyBKFj
x-ms-exchange-antispam-srfa-diagnostics: SOS;
x-ms-office365-filtering-correlation-id: 6569ec09-6894-4dbc-6934-08d5db964a42
x-ms-office365-filtering-ht: Tenant
x-microsoft-antispam: UriScan:; BCL:0; PCL:0; RULEID:(7020095)(4652020)(8989117)(4534165)(4627221)(201703031133081)(201702281549075)(8990107)(5600026)(711020)(48565401081)(2017052603328)(7193020); SRVR:CY4PR21MB0776;
x-ms-traffictypediagnostic: CY4PR21MB0776:
authentication-results: spf=none (sender IP is ) smtp.mailfrom=Andrei.Popov@microsoft.com;
x-microsoft-antispam-prvs: <CY4PR21MB07760DEACBDC241FC37C29828C490@CY4PR21MB0776.namprd21.prod.outlook.com>
x-exchange-antispam-report-test: UriScan:(158342451672863)(278428928389397)(120809045254105)(275740015457677);
x-ms-exchange-senderadcheck: 1
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(8211001083)(6040522)(2401047)(8121501046)(5005006)(3002001)(93006095)(93001095)(3231254)(2018427008)(944501410)(52105095)(10201501046)(6055026)(149027)(150027)(6041310)(201703131423095)(201702281528075)(20161123555045)(201703061421075)(201703061406153)(20161123560045)(20161123562045)(20161123558120)(20161123564045)(6072148)(201708071742011)(7699016); SRVR:CY4PR21MB0776; BCL:0; PCL:0; RULEID:; SRVR:CY4PR21MB0776;
x-forefront-prvs: 071518EF63
x-forefront-antispam-report: SFV:NSPM; SFS:(10019020)(376002)(39860400002)(136003)(366004)(396003)(346002)(51914003)(199004)(13464003)(189003)(256004)(186003)(486006)(55016002)(99286004)(2906002)(11346002)(476003)(14444005)(446003)(6306002)(9686003)(53546011)(8936002)(7696005)(6116002)(229853002)(76176011)(68736007)(86362001)(6436002)(5660300001)(106356001)(110136005)(10090500001)(5250100002)(97736004)(54906003)(86612001)(53936002)(46003)(33656002)(6246003)(22452003)(316002)(72206003)(478600001)(14454004)(305945005)(6506007)(4326008)(966005)(81156014)(7736002)(81166006)(74316002)(8676002)(10290500003)(8990500004)(2900100001)(93886005)(25786009)(105586002)(102836004); DIR:OUT; SFP:1102; SCL:1; SRVR:CY4PR21MB0776; H:CY4PR21MB0774.namprd21.prod.outlook.com; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; A:1; MX:1;
received-spf: None (protection.outlook.com: microsoft.com does not designate permitted sender hosts)
x-microsoft-antispam-message-info: B+2Nu40W3KtmQIRX8uRo54vPzInPH0OLZ3RDLvH/QdqmVOwzz9vcz8K/XIfteowwrIa+CFzH7TggFu2/eMf5jQriX8+nQ3AHZcBMI4ommVmVIIhDxQJIoqXcUAHJA6nEepnAHyo2B19io2sdEUR0tYOYED2gzSLKdaPcp2S5tqaMeK6Lv1QJt5XeETL/WD+pNQ6mvr+9AjLqc+N7is6Pam80TAxwv+UOh4EQHU+2QV3bGVhioM8r5gbyYbcReFrPtoeq9YUcKEXmxcBBeDTMOiMWMaE3s/CpOieZQO5IM3FYDY2KwE3wWbRQAxK6Mc8WyQo9z+XwdgZSS/r7dmab9nzDE1RBMKJgGVviwSMoCm0=
spamdiagnosticoutput: 1:99
spamdiagnosticmetadata: NSPM
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-OriginatorOrg: microsoft.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 6569ec09-6894-4dbc-6934-08d5db964a42
X-MS-Exchange-CrossTenant-originalarrivaltime: 26 Jun 2018 18:54:47.8185 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 72f988bf-86f1-41af-91ab-2d7cd011db47
X-MS-Exchange-Transport-CrossTenantHeadersStamped: CY4PR21MB0776
Archived-At: <https://mailarchive.ietf.org/arch/msg/unbearable/ESB7gyeJ2cW5JyAANHxknzBfzd4>
Subject: Re: [Unbearable] Ben Campbell's Discuss on draft-ietf-tokbind-https-14: (with DISCUSS and COMMENT)
X-BeenThere: unbearable@ietf.org
X-Mailman-Version: 2.1.26
Precedence: list
List-Id: "\"This list is for discussion of proposals for doing better than bearer tokens \(e.g. HTTP cookies, OAuth tokens etc.\) for web applications. The specific goal is chartering a WG focused on preventing security token export and replay attacks.\"" <unbearable.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/unbearable>, <mailto:unbearable-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/unbearable/>
List-Post: <mailto:unbearable@ietf.org>
List-Help: <mailto:unbearable-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/unbearable>, <mailto:unbearable-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 26 Jun 2018 18:55:05 -0000

Hi Ben,

Thanks for the review.

> Are the “applications” from paragraph 3 the same as those from paragraph 2?

Yes, the same throughout paragraphs 1, 2 and 3.

> It seems like paragraph 2 is talking more about local APIs (at least, I see that was mentioned in the text in version 17 but not in 18), but paragraph 3 uses an example of a signal from a server. (I can accept that the difference in control may be weak enough for web applications that the distinction does not matter.)

The APIs provided by the TB implementation and called by the application are local APIs.
The application needs to make a decision whether to request that the TB implementation include a Referred binding in the TB message or not.
In the example, the server provides a signal to the application using the Include-Referred-Token-Binding-ID HTTP response header.
The signal could be different, or an application may have out-of-band ways to determine this (e.g. a local database of RP->IDP associations).

Cheers,

Andrei

-----Original Message-----
From: Ben Campbell <ben@nostrum.com> 
Sent: Tuesday, June 26, 2018 11:41 AM
To: Eric Rescorla <ekr@rtfm.com>
Cc: Dirk Balfanz <balfanz=40google.com@dmarc.ietf.org>rg>; draft-ietf-tokbind-https@ietf.org; Tokbind WG <unbearable@ietf.org>rg>; The IESG <iesg@ietf.org>rg>; John Bradley <ve7jtb@ve7jtb.com>om>; tokbind-chairs@ietf.org
Subject: Re: [Unbearable] Ben Campbell's Discuss on draft-ietf-tokbind-https-14: (with DISCUSS and COMMENT)

Hi, thanks for the pointer.

The text in version 18 is sufficient to clear my discuss. I have one remaining (or maybe new) non-blocking question for section 6:

Are the “applications” from paragraph 3 the same as those from paragraph 2? It seems like paragraph 2 is talking more about local APIs (at least, I see that was mentioned in the text in version 17 but not in 18), but paragraph 3 uses an example of a signal from a server. (I can accept that the difference in control may be weak enough for web applications that the distinction does not matter.)

I did not check my editorial comments.

Thanks!

Ben.

> On Jun 25, 2018, at 6:30 PM, Eric Rescorla <ekr@rtfm.com> wrote:
> 
> Ben,
> 
> Does the following new text address your concern:
> https://xml2rfc.tools.ietf.org/cgi-bin/xml2rfc.cgi?modeAsFormat=html/a
> scii&url=https://raw.githubusercontent.com/TokenBinding/Internet-Draft
> s/master/draft-ietf-tokbind-https-18.xml
> 
> 
> On Mon, Jun 4, 2018 at 1:26 PM, Dirk Balfanz <balfanz=40google..com@dmarc.ietf.org> wrote:
> Hi Ben,
> 
> thanks for the feedback. Most of it is addressed in the new draft (https://tools.ietf.org/html/draft-ietf-tokbind-https-16). See below (inline) for details.
> 
> On Wed, May 9, 2018 at 1:38 PM Ben Campbell <ben@nostrum.com> wrote:
> Ben Campbell has entered the following ballot position for
> draft-ietf-tokbind-https-14: Discuss
> 
> When responding, please keep the subject line intact and reply to all 
> email addresses included in the To and CC lines. (Feel free to cut 
> this introductory paragraph, however.)
> 
> 
> Please refer to 
> https://www.ietf.org/iesg/statement/discuss-criteria.html
> for more information about IESG DISCUSS and COMMENT positions.
> 
> 
> The document, along with other ballot positions, can be found here:
> https://datatracker.ietf.org/doc/draft-ietf-tokbind-https/
> 
> 
> 
> ----------------------------------------------------------------------
> DISCUSS:
> ----------------------------------------------------------------------
> 
> I plan to ballot "YES", but I want to clear up once concern first:
> 
> After reading section 6 several times, I don't know what it means. I 
> think it's [...]
> 
> Addressed in new draft.
> 
> 
> ----------------------------------------------------------------------
> COMMENT:
> ----------------------------------------------------------------------
> 
> Substantive Comments:
> 
> §1.1: Please consider using the boilerplate from 8174 across the 
> cluster. Both this and the protocol draft have lower case keyword instances.
> 
> Addressed in new draft.
> 
> 
> §8.2:
> - Does it really make sense to wait for a user to request the keys be expired?
> I suspect the average user does this about never. Did the working 
> group discuss possibly making the keys default to expiring after some period of time?
> 
> Yes, we did discuss it. This was chosen consciously to be in sync with cookies and their expirations / manual user-initiated purges.
> 
> - Why
> is the SHOULD in paragraph 2 not a MUST?
> 
> Addressed in new draft.
> 
> 
> Editorial Comments:
> 
> §2:
> - Paragraph 1: "The ABNF of the Sec-Token-Binding header field is (in 
> [RFC7230] style, see also Section 8.3 of [RFC7231]):" The open parenthesis before "in"
> seems misplaced. Also, as written the comma after "style" creates a 
> comma splice. (Note that this pattern occurs elsewhere in the 
> document.)
> 
> - Paragraph 3: The paragraph is a single hard-to-parse sentence. 
> Please consider breaking into simpler sentences.
> 
> Addressed in new draft.
> 
> 
> - example: Am I correct to assume the backslashes are just for print 
> purposes and are not in the actual message? If so, please mention that.
> 
> Addressed in new draft.
> 
> 
> § 2.1:
> - first paragraph, "Within the latter context...": There was no former context.
> I suggest "Within that context..."
> 
> Addressed in new draft.
> 
> - 2nd paragraph: The first sentence is hard to parse. I suggest 
> breaking it into separate paragraphs, or restructure without the 
> center-imbedding.
> 
> Addressed in new draft.
> 
> - 2nd to last paragraph: Does "SHOULD generally"
> mean the same as just "SHOULD"?
> 
> Addressed in new draft.
> 
> 
> §5.1: 2nd paragraph: Unneeded comma in "... itself, to another server..."
> 
> Addressed in new draft.
> 
> 
> §5.2,
> - last bullet: " (between client and Token Consumer)" seems more than 
> parenthetical. Please consider removing the parentheses.
> 
> Addressed in new draft.
> 
> - paragraph after last
> bullet: The parenthetical phrase starting with "(proving 
> possession...) is quite long and makes the sentence hard to parse. 
> Given that the concept is covered in the immediately preceding paragraph, can it be removed?
> 
> Addressed in new draft.
> 
> 
> §7.1 and §7.2: These sections seem to be copied from (or restate 
> requirements
> in) the protocol and negotiation drafts. Can they be included by 
> reference instead, or at least attributed?
> 
> Addressed in new draft.
> 
> 
> §7.2, 2nd paragraph: This seams like a restatement of §7.1.
> 
> Addressed in new draft.
> 
> 
> §8.3: Unneeded comma in first sentence.
> 
> Addressed in new draft.
> 
> Thanks again for the thoughtful comments!
> 
> Dirk.
> 
> _______________________________________________
> Unbearable mailing list
> Unbearable@ietf.org
> https://www.ietf.org/mailman/listinfo/unbearable
> 
>