[Unbearable] Review by Michael Jones of draft-ietf-tokbind-https-08
Mike Jones <Michael.Jones@microsoft.com> Thu, 16 March 2017 03:48 UTC
Return-Path: <Michael.Jones@microsoft.com>
X-Original-To: unbearable@ietfa.amsl.com
Delivered-To: unbearable@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9D1A6130141 for <unbearable@ietfa.amsl.com>; Wed, 15 Mar 2017 20:48:11 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.021
X-Spam-Level:
X-Spam-Status: No, score=-2.021 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=microsoft.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ZD2oITSHeBJT for <unbearable@ietfa.amsl.com>; Wed, 15 Mar 2017 20:48:08 -0700 (PDT)
Received: from NAM03-BY2-obe.outbound.protection.outlook.com (mail-by2nam03on0092.outbound.protection.outlook.com [104.47.42.92]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1A1B8131442 for <unbearable@ietf.org>; Wed, 15 Mar 2017 20:48:08 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version; bh=RlLWYuJJDuVLyZ49DbUImL8nDaAcN2bvyqaZVYiXk40=; b=a4PBO5Q+wE/8BAa/hYo5yNGFobEbIoh7/5NNGJOpNr6kDQgnqdQbviP/HPbjM7PO9veo2wwO2WyepCV9YEvAuPgf4EO6Jk85zyzh5rsUsMctgf9Dwh4lMHbVd1kvpov3LXptZ5ZnVNIs8iknoaOpYSi2oK8lcG5+gTXSKcSVvMU=
Received: from CY4PR21MB0504.namprd21.prod.outlook.com (10.172.122.14) by CY4PR21MB0501.namprd21.prod.outlook.com (10.172.122.11) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256) id 15.1.991.0; Thu, 16 Mar 2017 03:48:07 +0000
Received: from CY4PR21MB0504.namprd21.prod.outlook.com ([10.172.122.14]) by CY4PR21MB0504.namprd21.prod.outlook.com ([10.172.122.14]) with mapi id 15.01.0991.003; Thu, 16 Mar 2017 03:48:07 +0000
From: Mike Jones <Michael.Jones@microsoft.com>
To: "unbearable@ietf.org" <unbearable@ietf.org>
Thread-Topic: Review by Michael Jones of draft-ietf-tokbind-https-08
Thread-Index: AdKd1Arm516Ad4lTTU6DbZ1V0Y532Q==
Date: Thu, 16 Mar 2017 03:48:06 +0000
Message-ID: <CY4PR21MB050466CC7FC55A6D2023FE13F5260@CY4PR21MB0504.namprd21.prod.outlook.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: ietf.org; dkim=none (message not signed) header.d=none;ietf.org; dmarc=none action=none header.from=microsoft.com;
x-originating-ip: [50.47.93.167]
x-microsoft-exchange-diagnostics: 1; CY4PR21MB0501; 7:wuci044MShIn51awALQbKl4/WRwGtCS9plMR19s74bf8exiIeWqiR1HA9uGzr0B7BOOT0y99BtsWicWM4fVVMk24R9VgH/hQl24dQGFl4+axyrgcME7Zdj0H1hLnrhGBq2yq+7rWSOLv03Xq381lirr7J38IT0+9lrdfflEEzxkrrj+5FJ7YlHuQtEUfet8PoX+l2jiR1Ynt8K6TnlC/TeqeW/LSiumWxYClQ+XtokSSXugmWNg4/nz/XbbAs/Qxw85r3d0BkhIFwzfkwVt2lL5W27jy94D4+yLqlY1DNelSnvv0jLNan+pYYIwwyrt8KGw2DKLTpwZjYv0KcChYmZuF8KEzglOacAfezHIHG4I=
x-ms-office365-filtering-correlation-id: 0678b415-a090-4ab4-6f9b-08d46c1f41da
x-ms-office365-filtering-ht: Tenant
x-microsoft-antispam: UriScan:; BCL:0; PCL:0; RULEID:(22001)(2017030254029)(48565401081); SRVR:CY4PR21MB0501;
x-microsoft-antispam-prvs: <CY4PR21MB0501EC23E58FA944B745DC80F5260@CY4PR21MB0501.namprd21.prod.outlook.com>
x-exchange-antispam-report-test: UriScan:(158342451672863)(192374486261705)(21748063052155)(21532816269658);
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(61425038)(6040375)(601004)(2401047)(8121501046)(5005006)(93006012)(93001012)(3002001)(10201501046)(6055026)(61426038)(61427038)(6041248)(20161123558025)(20161123562025)(20161123560025)(20161123555025)(20161123564025)(6072148); SRVR:CY4PR21MB0501; BCL:0; PCL:0; RULEID:; SRVR:CY4PR21MB0501;
x-forefront-prvs: 024847EE92
x-forefront-antispam-report: SFV:NSPM; SFS:(10019020)(6009001)(39410400002)(39850400002)(39840400002)(39860400002)(39450400003)(66066001)(99286003)(3280700002)(6916009)(9686003)(230783001)(2351001)(86612001)(50986999)(81166006)(110136004)(55016002)(25786008)(6116002)(102836003)(1730700003)(6436002)(790700001)(53936002)(2906002)(6506006)(5640700003)(53376002)(54896002)(77096006)(7696004)(86362001)(2501003)(8676002)(38730400002)(3846002)(6306002)(5660300001)(8990500004)(33656002)(10090500001)(97736004)(3660700001)(5630700001)(54356999)(8936002)(122556002)(189998001)(74316002)(10290500002)(5005710100001)(2900100001)(7736002)(403724002); DIR:OUT; SFP:1102; SCL:1; SRVR:CY4PR21MB0501; H:CY4PR21MB0504.namprd21.prod.outlook.com; FPR:; SPF:None; MLV:ovrnspm; PTR:InfoNoRecords; LANG:en;
spamdiagnosticoutput: 1:99
spamdiagnosticmetadata: NSPM
Content-Type: multipart/alternative; boundary="_000_CY4PR21MB050466CC7FC55A6D2023FE13F5260CY4PR21MB0504namp_"
MIME-Version: 1.0
X-OriginatorOrg: microsoft.com
X-MS-Exchange-CrossTenant-originalarrivaltime: 16 Mar 2017 03:48:06.9101 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 72f988bf-86f1-41af-91ab-2d7cd011db47
X-MS-Exchange-Transport-CrossTenantHeadersStamped: CY4PR21MB0501
Archived-At: <https://mailarchive.ietf.org/arch/msg/unbearable/IQYd1A0AwhRTofoCT0lrc88ORkA>
Subject: [Unbearable] Review by Michael Jones of draft-ietf-tokbind-https-08
X-BeenThere: unbearable@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "\"This list is for discussion of proposals for doing better than bearer tokens \(e.g. HTTP cookies, OAuth tokens etc.\) for web applications. The specific goal is chartering a WG focused on preventing security token export and replay attacks.\"" <unbearable.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/unbearable>, <mailto:unbearable-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/unbearable/>
List-Post: <mailto:unbearable@ietf.org>
List-Help: <mailto:unbearable-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/unbearable>, <mailto:unbearable-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 16 Mar 2017 03:48:12 -0000
I read all of draft-ietf-tokbind-https-08 today. My resulting review comments follow. A lot of these are things that the RFC Editor would catch, but you might as well correct them before IETF review.
IMPORTANT:
Section 5.2: Change "the Token Binding ID in the identity token" to "the Token Binding ID (or a cryptographic hash of it) in the identity token".
Section 5.2: Change "include in the token the Token Binding ID" to "include in the token the Token Binding ID (or a cryptographic hash of it)".
It's important to explicitly describe and sanction the usage of cryptographic hashes of the TBID in security tokens, since it's what the OpenID Connect and OAuth Token Binding specs actually do (for space reasons).
NITS:
Author list: Change "Paypal" to "PayPal".
Abstract: When editing other specs to become RFCs, IESG reviewers told me that references must not be present in the abstract, because it will be used in contexts such as references about the document, which the document itself is not present. Therefore, delete [RFC5246] and [I.D.ietf-tokbind-protocol] from the abstract, while keeping the spec names that precede those references.
Abstract: Delete the underscores around "first-party", "federated", and "different". It's not clear why they are there and they are very distracting when reading the text. Likewise, delete underscores used in this way other places in the draft, such as in the introduction.
Introduction: Add a comma after "e.g.". This needs to be done in other places as well.
Introduction: Add an informative to reference to [RFC6749] upon first use of the term "OAuth".
Section 2: Change "pad characters" to "padding characters".
Section 2: Change "Section 4.2. "Server Processing Rules"" to Section 4.2 (Server Processing Rules)". Make similar parallel changes where applicable.
Section 2.1: Delete the comma in "various application protocols, and application contexts".
Section 2.1: "Add a hyphen to "general purpose".
Section 2.1, paragraph 2: Change "(below)" to a section reference. Also, this sentence is torturously complicated. Break it into two or three concise sentences.
Section 2.1, paragraph 2: Change "as described below" to "as described in <xref target="SECTION"/>". If this section reference is to Section 8.1, then delete the last sentence, which says "See also Section 8.1, below.".
Section 4 title: Change "First-party" to "First-Party".
Section 4: Add a comma between "misuse" and "since".
Section 4: Change "[I-D.ietf-tokbind-protocol] Section 5" to "Section 5 of [I-D.ietf-tokbind-protocol]".
Section 5.1: Change "OpenID Connect identity token" to "OpenID Connect ID Token".
Section 5.1: Add an informative reference to OpenID Connect upon first use of the term. The correct reference text is supplied at the end of this review.
Section 5.1: Add a comma after "In this section".
Section 5.1: Add a comma after "Below" in "Below we specify".
Section 5.2: Change "(where the identity token is called "ID Token")" to "(in which the identity token is called an "ID Token")". Also change the "(where" to "(in which" in the following SAML clause.
Section 5.2: Change the colon to a semicolon in "said client can use the identity token: The Relying Party will".
Section 5.2: Change "reveals" to "uses".
Section 5.2: Add a comma after "at the very least".
Section 5.2: Change "redirect from Token Consumer to Token Provider" to "redirect from the Token Consumer to the Token Provider".
Section 5.3: Change "a" to "an" in "it SHOULD include a Include-Referred-Token-Binding-ID".
Section 5.3: Change "[RFC7231] Section 8.3" to "Section 8.3 of [RFC7231]".
Section 5.3: Change "(see above)" to "as described in <xref target="SECTION"/>".
Section 5.3: Put commas around "for some deployment-specific reason".
Section 5.5: Remove the quotation remarks around "ID Token".
Legend: Change "the "ID Token" in OIDC," to "the ID Token in OpenID Connect;".
Legend: Change "Open ID Connect" to "OpenID Connect".
Section 6: Change "See Section 8 "Privacy Considerations"" to "See Section 8 (Privacy Considerations)".
Section 7.3: Change the colon after "moot" to a period or semicolon.
Section 7.3: Change the colon after "field" to a period or semicolon.
Section 7.3: Change "trick C to send" to "trick C into sending".
Section 7.3: Add a comma after "as if C controls a certain key pair".
Section 7.3: Change "Javascript" to "JavaScript". (This correction needs to occur in other locations as well.)
Section 7.4: Add a comma after "in a federated sign-in scenario".
Section 7.4: Delete the semicolon in "Token Provider; or it can".
Section 7.4: Change "as we do above" to "as is done above".
Section 7.4: Delete the comma in "message sent by the client to the Token Consumer, and any message".
Section 7.4: Delete the comma in "controls the redirect URL, and can tamper".
Section 7.4: Change "trick the Token Provider to issue" to "trick the Token Provider into issuing".
Section 7.4: Change "can not" to "cannot".
Section 8.1: Change "[I-D.ietf-tokbind-protocol] section 4.1" to "Section 4.1 of [I-D.ietf-tokbind-protocol]".
Section 8.2 title: Change "Life Time" to "Lifetime".
Section 8.2: Change "across an extended period of time" to "for an extended period of time".
Section 8.2: Change "web" to "Web". Likewise, do this in other places that the proper name "Web" is not capitalized.
Section 8.2: Change "life time" to "lifetime".
Section 8.3: Delete the comma in "communicating endpoints, that receive".
Section 8.3: Delete the comma in "other than their own, obtain".
Section 8.3: Change ", see Section 6 "Implementation Considerations"" to ", per Section 6 (Implementation Considerations)".
Finally, I'll say that there are a lot of tortured uses of long parenthetical phrases in this spec. At the very least, in cases in which the parentheses enclose a complete sentence or sentences, separate the parenthetical phrase from the containing sentence. For instance, 8.3 contains this text:
An application's various communicating endpoints, that receive Token
Binding IDs for TLS connections other than their own, obtain
information about the application's other TLS connections (in this
context, "an application" is a combination of client-side and server-
side components, communicating over HTTPS, where the client side may
be either or both web browser-based or native application-based).
At the very least, free the parenthetical sentences, as follows:
An application's various communicating endpoints, that receive Token
Binding IDs for TLS connections other than their own, obtain
information about the application's other TLS connections. (In this
context, "an application" is a combination of client-side and server-
side components, communicating over HTTPS, where the client side may
be either or both web browser-based or native application-based.)
The reference to use for OpenID Connect <xref target="OpenID.Core"/> is:
<reference anchor="OpenID.Core" target="http://openid.net/specs/openid-connect-core-1_0.html">
<front>
<title>OpenID Connect Core 1.0</title>
<author fullname="Nat Sakimura" initials="N." surname="Sakimura">
<organization abbrev="NRI">Nomura Research Institute, Ltd.</organization>
</author>
<author fullname="John Bradley" initials="J." surname="Bradley">
<organization abbrev="Ping Identity">Ping Identity</organization>
</author>
<author fullname="Michael B. Jones" initials="M.B." surname="Jones">
<organization abbrev="Microsoft">Microsoft</organization>
</author>
<author fullname="Breno de Medeiros" initials="B." surname="de Medeiros">
<organization abbrev="Google">Google</organization>
</author>
<author fullname="Chuck Mortimore" initials="C." surname="Mortimore">
<organization abbrev="Salesforce">Salesforce</organization>
</author>
<date day="8" month="November" year="2014"/>
</front>
</reference>
Best wishes,
-- Mike