[Unbearable] on not listing 'Sec-Token-Binding' in the Connection header field?
=JeffH <Jeff.Hodges@KingsMountain.com> Tue, 07 February 2017 22:17 UTC
Return-Path: <Jeff.Hodges@kingsmountain.com>
X-Original-To: unbearable@ietfa.amsl.com
Delivered-To: unbearable@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6569112950A for <unbearable@ietfa.amsl.com>; Tue, 7 Feb 2017 14:17:01 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.287
X-Spam-Level:
X-Spam-Status: No, score=-3.287 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H2=-1.887, RCVD_IN_SORBS_SPAM=0.5, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id p_7zeUD9sNmo for <unbearable@ietfa.amsl.com>; Tue, 7 Feb 2017 14:16:59 -0800 (PST)
Received: from gproxy5-pub.mail.unifiedlayer.com (gproxy5-pub.mail.unifiedlayer.com [67.222.38.55]) by ietfa.amsl.com (Postfix) with SMTP id 8A7021294E5 for <unbearable@ietf.org>; Tue, 7 Feb 2017 14:16:59 -0800 (PST)
Received: (qmail 25757 invoked by uid 0); 7 Feb 2017 22:15:12 -0000
Received: from unknown (HELO cmgw2) (10.0.90.83) by gproxy5.mail.unifiedlayer.com with SMTP; 7 Feb 2017 22:15:12 -0000
Received: from box514.bluehost.com ([74.220.219.114]) by cmgw2 with id hyF91u0052UhLwi01yFCgY; Tue, 07 Feb 2017 15:15:12 -0700
X-Authority-Analysis: v=2.1 cv=H5NInYoi c=1 sm=1 tr=0 a=9W6Fsu4pMcyimqnCr1W0/w==:117 a=9W6Fsu4pMcyimqnCr1W0/w==:17 a=L9H7d07YOLsA:10 a=9cW_t1CCXrUA:10 a=s5jvgZ67dGcA:10 a=IkcTkHD0fZMA:10 a=n2v9WMKugxEA:10 a=48vgC7mUAAAA:8 a=QZB_nyJot4CiqQdncX0A:9 a=QEXdDO2ut3YA:10 a=w1C3t2QeGrPiZgrLijVG:22
Received: from [173.224.162.88] (port=34921 helo=[10.244.66.209]) by box514.bluehost.com with esmtpsa (TLSv1.2:ECDHE-RSA-AES128-GCM-SHA256:128) (Exim 4.87) (envelope-from <Jeff.Hodges@KingsMountain.com>) id 1cbE2W-0000un-T6 for unbearable@ietf.org; Tue, 07 Feb 2017 15:15:08 -0700
From: =JeffH <Jeff.Hodges@KingsMountain.com>
To: IETF TokBind WG <unbearable@ietf.org>
Message-ID: <e56976df-c7e7-6dde-8f27-9aeb152f66ab@KingsMountain.com>
Date: Tue, 07 Feb 2017 14:15:06 -0800
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:45.0) Gecko/20100101 Thunderbird/45.7.0
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"; format="flowed"
Content-Transfer-Encoding: 7bit
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - box514.bluehost.com
X-AntiAbuse: Original Domain - ietf.org
X-AntiAbuse: Originator/Caller UID/GID - [47 12] / [47 12]
X-AntiAbuse: Sender Address Domain - KingsMountain.com
X-BWhitelist: no
X-Source-IP: 173.224.162.88
X-Exim-ID: 1cbE2W-0000un-T6
X-Source:
X-Source-Args:
X-Source-Dir:
X-Source-Sender: ([10.244.66.209]) [173.224.162.88]:34921
X-Source-Auth: jeff.hodges+kingsmountain.com
X-Email-Count: 1
X-Source-Cap: a2luZ3Ntb3U7a2luZ3Ntb3U7Ym94NTE0LmJsdWVob3N0LmNvbQ==
Archived-At: <https://mailarchive.ietf.org/arch/msg/unbearable/JbYpnS5qX-TNL474L2Go8PVrxUQ>
Subject: [Unbearable] on not listing 'Sec-Token-Binding' in the Connection header field?
X-BeenThere: unbearable@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "\"This list is for discussion of proposals for doing better than bearer tokens \(e.g. HTTP cookies, OAuth tokens etc.\) for web applications. The specific goal is chartering a WG focused on preventing security token export and replay attacks.\"" <unbearable.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/unbearable>, <mailto:unbearable-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/unbearable/>
List-Post: <mailto:unbearable@ietf.org>
List-Help: <mailto:unbearable-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/unbearable>, <mailto:unbearable-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 07 Feb 2017 22:17:01 -0000
the below is kind of long (read it anyway :) The summary is we need to
make a conscious decision regarding the Connection HTTP request header
field and whether we provide guidance regarding it and the
Sec-Token-Binding header (and what guidance if so), or not. This seems
to have ramifications for the nascent draft-campbell-tokbind-tls-term
draft, unless I'm misunderstanding things.
=JeffH
In working through the list of "Considerations for New Header Fields" at
the end of rfc7231 section 8.3.1 [1], there are these two items..
o Whether it is appropriate to list the field-name in the Connection
header field (i.e., if the header field is to be hop-by-hop; see
Section 6.1 of [RFC7230]).
o Under what conditions intermediaries are allowed to insert,
delete, or modify the field's value.
Given the specifics in [RFC7230] Section 6.1 [2]..
6.1. Connection
The "Connection" header field allows the sender to indicate desired
control options for the current connection. In order to avoid
confusing downstream recipients, a proxy or gateway MUST remove or
replace any received connection options before forwarding the
message.
When a header field aside from Connection is used to supply control
information for or about the current connection, the sender MUST list
the corresponding field-name within the Connection header field. A
proxy or gateway MUST parse a received Connection header field before
a message is forwarded and, for each connection-option in this field,
remove any header field(s) from the message with the same name as the
connection-option, and then remove the Connection header field itself
(or replace it with the intermediary's own connection options for the
forwarded message).
Hence, the Connection header field provides a declarative way of
distinguishing header fields that are only intended for the immediate
recipient ("hop-by-hop") from those fields that are intended for all
recipients on the chain ("end-to-end"), enabling the message to be
self-descriptive and allowing future connection-specific extensions
to be deployed without fear that they will be blindly forwarded by
older intermediaries.
..it offhand seems that one would want to list "Sec-Token-Binding" in
the Connection header field because Sec-Token-Binding is ostensibly
about the connection and is hop-by-hop because TLS is hop-by-hop.
However, given our current thinking wrt TB and TLS Terminating Reverse
Proxies [3], where we are contemplating one approach where such "TTRPs"
pass-through the Sec-Token-Binding header field and add a corresponding
Token-Binding-Context header, one would not want to list
Sec-Token-Binding in the Connection header (because a TTRP would then
strip it off). However there are implementation and security
considerations with this.
As one proposal, we could say in HTTPSTB something along the lines of..
[...]
Clients SHOULD NOT list the Sec-Token-Binding header field as
a connection option in the Connection header field (Section 6.1
of [RFC7230]) in order to generally enable Sec-Token-Binding
header field pass-through by intermediaries, e.g., by TLS
terminating reverse proxies (TTRP). Intermediaries MUST NOT
modify the Sec-Token-Binding header field's value. See also the
security considerations section.
[...]
Security Considerations
[...]
Not listing Sec-Token-Binding in the Connection header: this
enables TTRPs to transparently convey the Sec-Token-Binding header
field, containing a Token Binding Message, to the next tier ("backend
servers"), e.g., where security tokens containing Token Binding IDs
may be minted and validated. The communication between a TTRP and
backend servers needs to be secured against eavesdropping and
modification by unintended parties. The Token Binding Message itself
may be validated by the TTRP or by a backend server. Though, in the
latter case, the data necessary to perform such validation (i.e., the
EKM, etc.) needs to be conveyed to the entity performing it. Such
conveyance is out of scope for this specification.
Listing Sec-Token-Binding in the Connection header: if done, this
may help in ensuring that Token Binding IDs are not inadvertently
revealed to unintended parties, though may cause difficulties with
web sites employing TTRPs.
[...]
Or, we could just say "clients SHOULD list the Sec-Token-Binding header
field as a connection option in the Connection header field", but that
will create problems for TTRPs [3].
Or, we can just not mention the Connection header and see if anyone
raises questions about it during further WG and IETF-wide review.
thoughts?
[1] <https://tools.ietf.org/html/rfc7231#section-8.3.1>
[2] <https://tools.ietf.org/html/rfc7230#section-6.1>
[3] <https://tools.ietf.org/html/draft-campbell-tokbind-tls-term>
- [Unbearable] on not listing 'Sec-Token-Binding' i… =JeffH
- Re: [Unbearable] on not listing 'Sec-Token-Bindin… Andrei Popov
- Re: [Unbearable] on not listing 'Sec-Token-Bindin… John Bradley
- Re: [Unbearable] on not listing 'Sec-Token-Bindin… John Bradley
- Re: [Unbearable] on not listing 'Sec-Token-Bindin… Dirk Balfanz
- Re: [Unbearable] on not listing 'Sec-Token-Bindin… John Bradley
- Re: [Unbearable] on not listing 'Sec-Token-Bindin… Andrei Popov
- Re: [Unbearable] on not listing 'Sec-Token-Bindin… =JeffH
- Re: [Unbearable] on not listing 'Sec-Token-Bindin… Brian Campbell
- Re: [Unbearable] on not listing 'Sec-Token-Bindin… =JeffH
- Re: [Unbearable] on not listing 'Sec-Token-Bindin… Andrei Popov
- Re: [Unbearable] on not listing 'Sec-Token-Bindin… Andrei Popov
- Re: [Unbearable] on not listing 'Sec-Token-Bindin… John Bradley
- Re: [Unbearable] on not listing 'Sec-Token-Bindin… Andrei Popov
- Re: [Unbearable] on not listing 'Sec-Token-Bindin… Amos Jeffries
- Re: [Unbearable] on not listing 'Sec-Token-Bindin… John Bradley
- Re: [Unbearable] on not listing 'Sec-Token-Bindin… Andrei Popov
- Re: [Unbearable] on not listing 'Sec-Token-Bindin… Amos Jeffries
- Re: [Unbearable] on not listing 'Sec-Token-Bindin… John Bradley
- Re: [Unbearable] on not listing 'Sec-Token-Bindin… Amos Jeffries
- Re: [Unbearable] on not listing 'Sec-Token-Bindin… Andrei Popov
- Re: [Unbearable] on not listing 'Sec-Token-Bindin… =JeffH