Re: [Unbearable] (belated) WGLC draft-ietf-tokbind-ttrp
Denis <denis.ietf@free.fr> Mon, 17 September 2018 10:43 UTC
Return-Path: <denis.ietf@free.fr>
X-Original-To: unbearable@ietfa.amsl.com
Delivered-To: unbearable@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 57B4E130DDF for <unbearable@ietfa.amsl.com>; Mon, 17 Sep 2018 03:43:30 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.895
X-Spam-Level:
X-Spam-Status: No, score=-1.895 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H3=0.001, RCVD_IN_MSPIKE_WL=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id hF266SxgiLfb for <unbearable@ietfa.amsl.com>; Mon, 17 Sep 2018 03:43:27 -0700 (PDT)
Received: from smtp6-g21.free.fr (smtp6-g21.free.fr [212.27.42.6]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8C06E130DD7 for <unbearable@ietf.org>; Mon, 17 Sep 2018 03:43:27 -0700 (PDT)
Received: from [192.168.0.13] (unknown [88.182.125.39]) by smtp6-g21.free.fr (Postfix) with ESMTP id A9DF97802BE; Mon, 17 Sep 2018 12:43:24 +0200 (CEST)
To: Hans Zandbelt <hans.zandbelt@zmartzone.eu>
Cc: Tokbind WG <unbearable@ietf.org>
References: <bba419c9-103b-5cb0-4267-c5cec9c7b3dd@sunet.se> <6bea7c7b-80ec-9637-324e-730998c461ad@free.fr> <CA+iA6uh5rjoU-AUdOzt-kJkgo3MshZndu7RL59M-kWjx-ckzbw@mail.gmail.com>
From: Denis <denis.ietf@free.fr>
Message-ID: <93c77c77-9dfe-fe0b-4b3a-319c9dc7ec8e@free.fr>
Date: Mon, 17 Sep 2018 12:43:27 +0200
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:52.0) Gecko/20100101 Thunderbird/52.9.1
MIME-Version: 1.0
In-Reply-To: <CA+iA6uh5rjoU-AUdOzt-kJkgo3MshZndu7RL59M-kWjx-ckzbw@mail.gmail.com>
Content-Type: multipart/alternative; boundary="------------2CADD7E7DBFF070902015E75"
Content-Language: en-US
Archived-At: <https://mailarchive.ietf.org/arch/msg/unbearable/HwoRv9mOk3o-GBWaVVvjQk8Ayn0>
Subject: Re: [Unbearable] (belated) WGLC draft-ietf-tokbind-ttrp
X-BeenThere: unbearable@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "\"This list is for discussion of proposals for doing better than bearer tokens \(e.g. HTTP cookies, OAuth tokens etc.\) for web applications. The specific goal is chartering a WG focused on preventing security token export and replay attacks.\"" <unbearable.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/unbearable>, <mailto:unbearable-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/unbearable/>
List-Post: <mailto:unbearable@ietf.org>
List-Help: <mailto:unbearable-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/unbearable>, <mailto:unbearable-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 17 Sep 2018 10:43:30 -0000
Hans,
This has nothing to do with "private key sharing". Private keys are
usually protected by some hardware device which does not allow to export
these keys.
However, a legitimate user can *use* his hardware device which means
that he can ask to his device to perform some cryptographic computation
with the private keys
that are stored in it.
In the past, when doing a threat analysis, only external attackers were
being considered. Collaborative attacks is a different kind of threat
that should also be considered.
However, it only applies to some specific contexts:
If the security token contains a sufficient number of attributes
that allows to fully identify the bearer, the bearer will probably
refuse to collaborate with anybody else,
because that other body could fully impersonate him.
If the security token contains one or more attributes that do not
allow to fully identify the bearer, the bearer may accept to
collaborate with somebody else, because
he cannot be identified. Typical examples of such an attribute are:
"over 18" or "resident of Florida". Such attributes may allow to
access to a service.
Any solution using software only is unable to counter collaborative
attacks. Any solution using hardware devices that are only protecting
the private keys, /but not their usag//e/,
are also unable to counter collaborative attacks. The topic has nothing
to do with generic PKI principles and guidelines. However, adding some
additional explanations into
the security considerations section along those provided above could be
useful.
Denis
> Can we please stop adding text that says "don't share your private key
> with others" to IETF drafts? That is an inherent part of PKI and does
> not need to be repeated everywhere IMO, just like text about how
> verifying TLS server certificate should work is not repeated in drafts
> where TLS is a requirement. Perhaps a reference to generic PKI
> principles and guidelines may be included?
>
> Hans.
>
> On Mon, Sep 17, 2018 at 11:32 AM Denis <denis.ietf@free.fr
> <mailto:denis.ietf@free.fr>> wrote:
>
> Comments on draft-ietf-tokbind-ttrp-06: HTTPS Token Binding with
> TLS Terminating Reverse Proxies
>
> The introduction states:
>
> An HTTP server issuing cookies or other security tokens can
> associate them with the Token Binding ID, which ensures those
> tokens
> cannot be used successfully over a different TLS connection or
> by a different client than the one to which they were issued.
>
> When there are only external attackers, the sentence is correct
> but is incorrect when there is a collusion between a legitimate
> client and another client.
> The sentence should be corrected. Here is a proposal:
>
> An HTTP server issuing cookies or other security tokens can
> associate them with the Token Binding ID, which ensures those
> tokens
> cannot be used successfully over a different TLS connection or
> by a different client than the one to which they were issued,
> as long as
> there is no collusion between the legitimate client and
> another client.
>
> In the "Security Considerations" section (section 4), some
> explanations should be added. Here is a proposal:
>
> The token binding mechanism is efficient against external
> attackers, but, in case a legitimate client collaborates with
> another client,
> the mechanism can be defeated since the legitimate client,
> using the private key which proves possession of the security
> token, can perform
> all the cryptographic computations that the other client needs
> to demonstrate the possession of that security token.
>
> Denis
>
>> This message marks the start of a 2 week WGLC on
>> draft-ietf-tokbind-ttrp-06 as agreed in Montreal but only now effected
>> by your chair.
>>
>> Please provide your final comments, voices of support or objections
>> by COB Fri 28 Sept in any TZ.
>>
>> Best R
>> Leif
>>
>> _______________________________________________
>> Unbearable mailing list
>> Unbearable@ietf.org <mailto:Unbearable@ietf.org>
>> https://www.ietf.org/mailman/listinfo/unbearable
>
>
> _______________________________________________
> Unbearable mailing list
> Unbearable@ietf.org <mailto:Unbearable@ietf.org>
> https://www.ietf.org/mailman/listinfo/unbearable
>
>
>
> --
> hans.zandbelt@zmartzone.eu <mailto:hans.zandbelt@zmartzone.eu>
> ZmartZone IAM - www.zmartzone.eu <http://www.zmartzone.eu>
- [Unbearable] (belated) WGLC draft-ietf-tokbind-tt… Leif Johansson
- Re: [Unbearable] (belated) WGLC draft-ietf-tokbin… Denis
- Re: [Unbearable] (belated) WGLC draft-ietf-tokbin… Hans Zandbelt
- Re: [Unbearable] (belated) WGLC draft-ietf-tokbin… Denis
- Re: [Unbearable] (belated) WGLC draft-ietf-tokbin… Andrei Popov
- Re: [Unbearable] (belated) WGLC draft-ietf-tokbin… Denis
- Re: [Unbearable] (belated) WGLC draft-ietf-tokbin… Andrei Popov
- Re: [Unbearable] (belated) WGLC draft-ietf-tokbin… Hans Zandbelt
- Re: [Unbearable] (belated) WGLC draft-ietf-tokbin… Brian Campbell