IETF Logo Mail Archive

Re: [Unbearable] one proposal for a charter - please dicsuss

Phillip Hallam-Baker <phill@hallambaker.com> Mon, 08 December 2014 23:42 UTC

Return-Path: <hallam@gmail.com>
X-Original-To: unbearable@ietfa.amsl.com
Delivered-To: unbearable@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 593EB1A0222 for <unbearable@ietfa.amsl.com>; Mon, 8 Dec 2014 15:42:04 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.277
X-Spam-Level:
X-Spam-Status: No, score=-1.277 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, FM_FORGED_GMAIL=0.622, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id qwuK2yzC7Ev1 for <unbearable@ietfa.amsl.com>; Mon, 8 Dec 2014 15:42:02 -0800 (PST)
Received: from mail-la0-x232.google.com (mail-la0-x232.google.com [IPv6:2a00:1450:4010:c03::232]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 204F11A00E1 for <unbearable@ietf.org>; Mon, 8 Dec 2014 15:42:02 -0800 (PST)
Received: by mail-la0-f50.google.com with SMTP id pn19so4789322lab.23 for <unbearable@ietf.org>; Mon, 08 Dec 2014 15:42:00 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:sender:in-reply-to:references:date:message-id:subject :from:to:cc:content-type; bh=abFp1KXy3BLnwWNdv9W+RQow1kKZsSSHUudnPdAWiDc=; b=DuEzFlViOR4QPkPabbh31Uwgx6OM8UClImRuNePKkfog5ly1h7cEHQP0PF4FWMl5XK c2sOES0GkGM76gtLaQ9FXD+QvSgDsyOKTSKGT52TT0hp7m9Vos9ymiIAi2tXFAH9g0eo mAjosNI6kIMGCDwkj66AITUJ+hSpwxqBt/BCc6r3hIgduVO1cAUeGHAhhgT7cfx+4xKj fxBMiRNJwdj/+Ti2fEDG4lRjPj8kylOzwFkifa9HqxZ9xI4iXJJhbL2Y7ySkOetCObdP ma6SB172GWyOkvrPBN0oTLgR3OTi2zW9J7RoE0eGOuav8Ar/DPHpyq2lSxDGwv9atOfy oXJw==
MIME-Version: 1.0
X-Received: by 10.152.27.227 with SMTP id w3mr18831113lag.24.1418082120587; Mon, 08 Dec 2014 15:42:00 -0800 (PST)
Sender: hallam@gmail.com
Received: by 10.112.19.42 with HTTP; Mon, 8 Dec 2014 15:42:00 -0800 (PST)
In-Reply-To: <54863200.4030600@cs.tcd.ie>
References: <54863200.4030600@cs.tcd.ie>
Date: Mon, 08 Dec 2014 18:42:00 -0500
X-Google-Sender-Auth: axH2EJCHWgMCaf71fK0OOFzFVJg
Message-ID: <CAMm+LwjsTNc=wK2m4t1K5K6d2dN_v6q9DHzB6vxxG+adXvmrew@mail.gmail.com>
From: Phillip Hallam-Baker <phill@hallambaker.com>
To: Stephen Farrell <stephen.farrell@cs.tcd.ie>
Content-Type: multipart/alternative; boundary="089e0158c2920f607b0509bcf932"
Archived-At: http://mailarchive.ietf.org/arch/msg/unbearable/JsTXUiIMliyYQ2N5bgJqpBJrjRE
Cc: unbearable@ietf.org
Subject: Re: [Unbearable] one proposal for a charter - please dicsuss
X-BeenThere: unbearable@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "\"This list is for discussion of proposals for doing better than bearer tokens \(e.g. HTTP cookies, OAuth tokens etc.\) for web applications. The specific goal is chartering a WG focused on preventing security token export and replay attacks.\"" <unbearable.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/unbearable>, <mailto:unbearable-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/unbearable/>
List-Post: <mailto:unbearable@ietf.org>
List-Help: <mailto:unbearable-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/unbearable>, <mailto:unbearable-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 08 Dec 2014 23:42:04 -0000

On Mon, Dec 8, 2014 at 6:19 PM, Stephen Farrell <stephen.farrell@cs.tcd.ie>
wrote:

>
> Hi all,
>
> There's about 70+ people on the list now so let's kick off.
>
> Andrei sent Kathleen and I the charter proposal below a while
> ago. For myself I don't think its quite right yet but I'd
> rather hear what you all think. So please discuss...
>
> Cheers,
> S.
>
>
> Token Binding (TB)
>
> Charter for Working Group
>
> Web services generate various security tokens (e.g.  HTTP cookies, OAuth
> tokens, etc.) for web applications to access protected resources.
> Currently these are bearer tokens, i.e. any party in possession of such
> token gains access to the protected resource. Attackers export bearer
> tokens from client machines or from compromised network connections,
> present these bearer tokens to Web services, and impersonate
> authenticated users. The idea of Token Binding is to prevent such
> attacks by cryptographically binding security tokens to the TLS layer.
>
> The tasks of this working group are as follows:
> 1.            Specify the Token Binding protocol v1.0.
> 2.            Specify the use of the Token Binding protocol in
> combination with HTTPS.
>
> It is a goal of this working group to prevent security token export and
> replay attacks, but other issues associated with the use of security
> tokens are out of scope. It is a goal of this working group to design
> the Token Binding protocol such that it would be also useable with
> application protocols other than HTTPS, however specifying such uses is
> not a primary goal.
>

Umm, I am still rather fuzzy about what is proposed here Stephen.

In particular I don't think we are getting away from bearer tokens, we are
just hiding them different.

This is a draft I have been working on for a while. It allows a token to be
bound to a HTTP/TLS channel.

http://tools.ietf.org/html/draft-hallambaker-httpsession-03


It might help if we had a definition of bearer token. I don't think that
formulation is helping. The problem is not that we have bearer tokens, it
is that our proofs of possession force them to be disclosed in plaintext to
the party checking them.

Is an RSA private key a bearer token?
How about a kerberos ticket?


Presenting this as a problem with the token puts us off track. The problem
is with the way we use them.

v2.23.0 | Report a Bug | By Email