Re: [Unbearable] Fwd: New Version Notification for draft-campbell-tokbind-tls-term-00.txt
John Bradley <ve7jtb@ve7jtb.com> Wed, 11 January 2017 23:50 UTC
Return-Path: <ve7jtb@ve7jtb.com>
X-Original-To: unbearable@ietfa.amsl.com
Delivered-To: unbearable@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9345D1295BE for <unbearable@ietfa.amsl.com>; Wed, 11 Jan 2017 15:50:57 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.6
X-Spam-Level:
X-Spam-Status: No, score=-2.6 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=ve7jtb-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id GSa-ecpdojpg for <unbearable@ietfa.amsl.com>; Wed, 11 Jan 2017 15:50:55 -0800 (PST)
Received: from mail-qk0-x229.google.com (mail-qk0-x229.google.com [IPv6:2607:f8b0:400d:c09::229]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0D057129476 for <unbearable@ietf.org>; Wed, 11 Jan 2017 15:50:54 -0800 (PST)
Received: by mail-qk0-x229.google.com with SMTP id a20so4044336qkc.1 for <unbearable@ietf.org>; Wed, 11 Jan 2017 15:50:54 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ve7jtb-com.20150623.gappssmtp.com; s=20150623; h=from:message-id:mime-version:subject:date:in-reply-to:cc:to :references; bh=ima9U5PLDC7ez8WH282Zd0vzVjuEIhBVY+ucDnCKs/8=; b=fTmfwgOEDL5ExE429hUrSY5AdbQSALWTLqoRVzqGBaijN7NoxohWrkhyFq/c6WaiKk OIZcsKa6PF7HgzK9xOHcnVPWstBGuNEGm2luOjG9aZCsdsdqUsDNtm8dRXNFxUCHVMqy gpkb/GJl5sn9WC3qykHnLCNRUogylTV/ffAgLUYVKaw3LfoTsrReyU4lmgQ4p4ZMJi3g Ex5Nn8+P/E+xt6CcEByjtkZk1mSR89sjy5WrnFo/PxQ1zgj7YLdWrWGTRllcgFy8WTLR Tm+6pDjh7/5dyCHAJb7UlTxdLXCxHv282vUnwnOrIm6yh6SXgGMPmZ3wy+BWhY7FKHs0 qKuA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:message-id:mime-version:subject:date :in-reply-to:cc:to:references; bh=ima9U5PLDC7ez8WH282Zd0vzVjuEIhBVY+ucDnCKs/8=; b=ZLLK3Q+DYODDJnHC7KS/9yE1MVd3sATMa+CZjqL97Gh71+N1LYyDQ9UnrqfM+XJe5E k8Yya0Bkf8vfK2DvVPWnhS+I3qxOZGoSTxzCl7MF5rU7CIKl0jqitlSoR4aiv5kZ/vWs vqnZYETFj4pZkG5ItMeEM1ItGKTBPRwiFmBq4nEA63WIEUpLjB3+oObX5sNDMWhXoAMk FWfBmi1wYaI+zSUtt8r7vUUIQLmlHRBBpdaYNsZ+TEyd3TXgodRSrpqWJaVj8gprYNYY PWT69LjX1eX7KhJ1Ibz5bHf3AkS2h09BINkuyUj8MBfd4BnDurxKW5902uW+d0wOwumF M58A==
X-Gm-Message-State: AIkVDXL/HUZnuGikMIVJi7jX7eNkCTZTXe6O+YlTseeaHUifX54s8FFqXrYhZLh/umN+Mefz
X-Received: by 10.55.157.17 with SMTP id g17mr11854239qke.122.1484178653942; Wed, 11 Jan 2017 15:50:53 -0800 (PST)
Received: from jbradley-r.lan ([191.115.178.163]) by smtp.gmail.com with ESMTPSA id q145sm5274228qke.37.2017.01.11.15.50.40 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Wed, 11 Jan 2017 15:50:53 -0800 (PST)
From: John Bradley <ve7jtb@ve7jtb.com>
Message-Id: <48079792-5928-4497-8D3F-D64E0A61CADC@ve7jtb.com>
Mime-Version: 1.0 (Mac OS X Mail 10.2 \(3259\))
Date: Wed, 11 Jan 2017 20:50:17 -0300
In-Reply-To: <CA+k3eCQxYLj7EZ=FYhHdMw_jEGZK2JztTgjuzigfYGPEri3m9w@mail.gmail.com>
To: Brian Campbell <bcampbell@pingidentity.com>
References: <148416636025.8139.11121446658834117013.idtracker@ietfa.amsl.com> <CAAX2Qa0qotXJnvW+5XV_B68Dbt3hZAZqi71wh_gqMyny7rfFog@mail.gmail.com> <CA+k3eCTp0_ENf8PAdd+dXDL4RRvU2D45gz294oCDFPiUA-610A@mail.gmail.com> <D0B30BC6-673A-4361-B6B9-4597EF07E44F@ve7jtb.com> <CA+k3eCQxYLj7EZ=FYhHdMw_jEGZK2JztTgjuzigfYGPEri3m9w@mail.gmail.com>
X-Mailer: Apple Mail (2.3259)
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg="sha-256"; boundary="94eb2c06f1b6771dee0545da450c"
Archived-At: <https://mailarchive.ietf.org/arch/msg/unbearable/DJvazyHu6BMBJWY0NSyGP6EOFM0>
Cc: IETF Tokbind WG <unbearable@ietf.org>
Subject: Re: [Unbearable] Fwd: New Version Notification for draft-campbell-tokbind-tls-term-00.txt
X-BeenThere: unbearable@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "\"This list is for discussion of proposals for doing better than bearer tokens \(e.g. HTTP cookies, OAuth tokens etc.\) for web applications. The specific goal is chartering a WG focused on preventing security token export and replay attacks.\"" <unbearable.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/unbearable>, <mailto:unbearable-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/unbearable/>
List-Post: <mailto:unbearable@ietf.org>
List-Help: <mailto:unbearable-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/unbearable>, <mailto:unbearable-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 11 Jan 2017 23:50:57 -0000
The application specific handling of rejected token bindings is probably simplest if handled at the server. The other option would be to add error codes about why it failed. This proposal would let the application layer do all of the token binding processing without modifying TLS on the server. The other consumers of something like this would be a cloud Access Security Broker, that is auditing (Snooping) on connections. That might have TLS on both sides as it could be in the cloud. I don’t think there would be any issue with re-wrappoing this in another mutual TLS connection. John B. > On Jan 11, 2017, at 8:39 PM, Brian Campbell <bcampbell@pingidentity.com> wrote: > > I wavered back and forth on it, to be honest. The change in TBPROTO-11/HTTPSTB-07 to application specific handling of rejected Token Bindings rather than terminating the connection tilted me in this direction. My sense of the room in Seoul was also that there was some preference for this approach (some said so explicitly but my general feeling about the room seemed to be such). It lets the TLS terminator be as dumb as possible with respect to token binding, which I suspect will be desirable in many cases. It feels (to me anyway) like the more logical separation of duties where the TLS terminator/reverse proxy does the negotiation and connection and then provides just enough info from the TLS layer to the upstream application that will do the message/token processing and validation. That's some of my thinking on it anyway. > > On Wed, Jan 11, 2017 at 3:19 PM, John Bradley <ve7jtb@ve7jtb.com <mailto:ve7jtb@ve7jtb.com>> wrote: > Thanks Brian, > > Perhaps you can explain why you chose to pass along the EKM and additional parameters to the server and have it validate the token binding vs having the reverse proxy validate it and pass along the validated token binding ID. > > I would like to capture that to the list as it will be asked. > > After some discussion we can decide if the WG wants to adopt this draft as a WG document. > > John B. > >> On Jan 11, 2017, at 6:00 PM, Brian Campbell <bcampbell@pingidentity.com <mailto:bcampbell@pingidentity.com>> wrote: >> >> Hi Unbearable Folks, >> >> I've uploaded the below individual draft, which is an initial attempt at describing how Token Binding would work with HTTP applications behind TLS terminating reverse proxies. This is the document that at end of the meeting in Seoul I said I was going to work on. But despite it taking me a long time to write, it isn't very long so should be an easy and quick read. Feedback is of course welcome. >> >> Thanks, >> Brian >> >> >> >> ---------- Forwarded message ---------- >> From: <internet-drafts@ietf.org <mailto:internet-drafts@ietf.org>> >> Date: Wed, Jan 11, 2017 at 1:26 PM >> Subject: New Version Notification for draft-campbell-tokbind-tls-term-00.txt >> >> >> >> A new version of I-D, draft-campbell-tokbind-tls-term-00.txt >> has been successfully submitted by Brian Campbell and posted to the >> IETF repository. >> >> Name: draft-campbell-tokbind-tls-term >> Revision: 00 >> Title: HTTPS Token Binding and TLS Terminating Reverse Proxies >> Document date: 2017-01-11 >> Group: Individual Submission >> Pages: 7 >> URL: https://www.ietf.org/internet-drafts/draft-campbell-tokbind-tls-term-00.txt <https://www.ietf.org/internet-drafts/draft-campbell-tokbind-tls-term-00.txt> >> Status: https://datatracker.ietf.org/doc/draft-campbell-tokbind-tls-term/ <https://datatracker.ietf.org/doc/draft-campbell-tokbind-tls-term/> >> Htmlized: https://tools.ietf.org/html/draft-campbell-tokbind-tls-term-00 <https://tools.ietf.org/html/draft-campbell-tokbind-tls-term-00> >> >> >> Abstract: >> This document defines an HTTP header field that enables a TLS >> terminating reverse proxy to convey the information a backend server >> needs in order for it to process and validate a Token Binding Message >> sent by the client. >> >> >> >> >> Please note that it may take a couple of minutes from the time of submission >> until the htmlized version and diff are available at tools.ietf.org <http://tools.ietf.org/>. >> >> The IETF Secretariat >> >> >> >> _______________________________________________ >> Unbearable mailing list >> Unbearable@ietf.org <mailto:Unbearable@ietf.org> >> https://www.ietf.org/mailman/listinfo/unbearable <https://www.ietf.org/mailman/listinfo/unbearable> > >
- [Unbearable] Fwd: New Version Notification for dr… Brian Campbell
- Re: [Unbearable] Fwd: New Version Notification fo… John Bradley
- Re: [Unbearable] Fwd: New Version Notification fo… Brian Campbell
- Re: [Unbearable] Fwd: New Version Notification fo… John Bradley