IETF Logo Mail Archive

Re: [Unbearable] on not listing 'Sec-Token-Binding' in the Connection header field?

=JeffH <Jeff.Hodges@KingsMountain.com> Thu, 09 February 2017 17:05 UTC

Return-Path: <Jeff.Hodges@kingsmountain.com>
X-Original-To: unbearable@ietfa.amsl.com
Delivered-To: unbearable@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E511B129C01 for <unbearable@ietfa.amsl.com>; Thu, 9 Feb 2017 09:05:44 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.287
X-Spam-Level:
X-Spam-Status: No, score=-3.287 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H2=-1.887, RCVD_IN_SORBS_SPAM=0.5, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id yLf8M6Yiple8 for <unbearable@ietfa.amsl.com>; Thu, 9 Feb 2017 09:05:41 -0800 (PST)
Received: from gproxy7-pub.mail.unifiedlayer.com (gproxy7-pub.mail.unifiedlayer.com [70.40.196.235]) by ietfa.amsl.com (Postfix) with SMTP id 975F2129F34 for <unbearable@ietf.org>; Thu, 9 Feb 2017 09:05:40 -0800 (PST)
Received: (qmail 1823 invoked by uid 0); 9 Feb 2017 17:05:40 -0000
Received: from unknown (HELO cmgw3) (10.0.90.84) by gproxy7.mail.unifiedlayer.com with SMTP; 9 Feb 2017 17:05:40 -0000
Received: from box514.bluehost.com ([74.220.219.114]) by cmgw3 with id ih4a1u0142UhLwi01h4d8V; Thu, 09 Feb 2017 10:04:38 -0700
X-Authority-Analysis: v=2.1 cv=WOnsABcR c=1 sm=1 tr=0 a=9W6Fsu4pMcyimqnCr1W0/w==:117 a=9W6Fsu4pMcyimqnCr1W0/w==:17 a=L9H7d07YOLsA:10 a=9cW_t1CCXrUA:10 a=s5jvgZ67dGcA:10 a=IkcTkHD0fZMA:10 a=n2v9WMKugxEA:10 a=48vgC7mUAAAA:8 a=d5h6PwwjwPkCndJaT-EA:9 a=QEXdDO2ut3YA:10 a=w1C3t2QeGrPiZgrLijVG:22
Received: from [173.224.162.69] (port=10931 helo=[10.225.80.61]) by box514.bluehost.com with esmtpsa (TLSv1.2:ECDHE-RSA-AES128-GCM-SHA256:128) (Exim 4.87) (envelope-from <Jeff.Hodges@KingsMountain.com>) id 1cbs94-0005CC-35 for unbearable@ietf.org; Thu, 09 Feb 2017 10:04:34 -0700
To: IETF TokBind WG <unbearable@ietf.org>
From: =JeffH <Jeff.Hodges@KingsMountain.com>
Message-ID: <935ac509-1e0f-3fed-0239-04cf390ef2ce@KingsMountain.com>
Date: Thu, 09 Feb 2017 09:04:33 -0800
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:45.0) Gecko/20100101 Thunderbird/45.7.0
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"; format="flowed"
Content-Transfer-Encoding: 7bit
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - box514.bluehost.com
X-AntiAbuse: Original Domain - ietf.org
X-AntiAbuse: Originator/Caller UID/GID - [47 12] / [47 12]
X-AntiAbuse: Sender Address Domain - KingsMountain.com
X-BWhitelist: no
X-Source-IP: 173.224.162.69
X-Exim-ID: 1cbs94-0005CC-35
X-Source:
X-Source-Args:
X-Source-Dir:
X-Source-Sender: ([10.225.80.61]) [173.224.162.69]:10931
X-Source-Auth: jeff.hodges+kingsmountain.com
X-Email-Count: 1
X-Source-Cap: a2luZ3Ntb3U7a2luZ3Ntb3U7Ym94NTE0LmJsdWVob3N0LmNvbQ==
Archived-At: <https://mailarchive.ietf.org/arch/msg/unbearable/EaUCbx_z3QVtIb3sSUHXFq83TMk>
Subject: Re: [Unbearable] on not listing 'Sec-Token-Binding' in the Connection header field?
X-BeenThere: unbearable@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "\"This list is for discussion of proposals for doing better than bearer tokens \(e.g. HTTP cookies, OAuth tokens etc.\) for web applications. The specific goal is chartering a WG focused on preventing security token export and replay attacks.\"" <unbearable.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/unbearable>, <mailto:unbearable-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/unbearable/>
List-Post: <mailto:unbearable@ietf.org>
List-Help: <mailto:unbearable-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/unbearable>, <mailto:unbearable-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 09 Feb 2017 17:05:45 -0000

 >> I agree with this for security considerations reasons -- we want
 >> the Sec-Token-Binding header to be hop-by-hop in sync with the
 >> underlying TLS connection and not be "leaked" downstream unless it
 >> is a conscious decision, e.g., in the tls terminating reverse proxy
 >> (TTRP) case.
 >>
 >>
 > But the client is only making a connection to a server and client
 > does not know whether it makes sense for that server to forward or
 > not. And it shouldn't know that.

correct, agreed.

 > Sec-Token-Binding shouldn't be listed in Connection header field by
 > a client.

listing Sec-Token-Binding in the Connection header means ([RFC7230] 
Section 6.1)..

    6.1.  Connection

     The "Connection" header field allows the sender to indicate desired
     control options for the current connection.  In order to avoid
     confusing downstream recipients, a proxy or gateway MUST remove or
     replace any received connection options before forwarding the
     message.

..which is what we want by default for security considerations reasons, 
I think.

As Dirk noted:
  >
  > If the proxy has qualms about violating the spec by forwarding the
  > Sec-Token-Binding header despite its being listed in the Connect
  > header, it can always just use a different header name, like
  > "Private-Forwarded-Token-Binding", or whatever - some  mechanism
  > proprietary to the proxy and downstream server.

Thus, a comment on 
<https://tools.ietf.org/html/draft-campbell-tokbind-tls-term> (which 
i'll endeavor to write up more fully anon) is that it should either 
define another header field for conveyance of the 
EncodedTokenBindingMessage (along with the header field it already 
defines) or have the header field it already defines convey both the 
EncodedTokenBindingMessage and the EKM et al.

=JeffH

v2.30.2 | Report a Bug | By Email | System Status