[Unbearable] wrt token binding and Fetch

=JeffH <Jeff.Hodges@KingsMountain.com> Fri, 27 July 2018 15:31 UTC

To: IETF TokBind WG <unbearable@ietf.org>
From: =JeffH <Jeff.Hodges@KingsMountain.com>
Cc: Vinod Anupam <vanupam@google.com>, Nick Harper <nharper@google.com>, Jeffrey Yasskin <jyasskin@google.com>
Message-ID: <a88156bb-2962-c707-318a-ca85a4f6c34f@KingsMountain.com>
Date: Fri, 27 Jul 2018 08:14:40 -0700
Archived-At: <https://mailarchive.ietf.org/arch/msg/unbearable/EtOLlWQu_OqOHU3Shs_ofAljTY8>
Subject: [Unbearable] wrt token binding and Fetch

Current open PR:

   Update Fetch to support Token Binding
   https://github.com/whatwg/fetch/pull/715

(the above obsoletes the original PR 
<https://github.com/whatwg/fetch/pull/325>)

reviewed: 
<https://github.com/whatwg/fetch/pull/715#pullrequestreview-140826499>

Summary: seems close to land-able in terms of addressing first-order 
integration with Fetch, although it does not seem to address 
second-order needs for other browser-internal functionality (e.g. 
WebAuthn) to be able to access connection token binding status and 
information. cf. https://github.com/w3c/webauthn/issues/360

HTH,

=JeffH