Re: [Unbearable] Warren Kumari's No Objection on draft-ietf-tokbind-negotiation-12: (with COMMENT)

Andrei Popov <Andrei.Popov@microsoft.com> Wed, 09 May 2018 18:07 UTC

From: Andrei Popov <Andrei.Popov@microsoft.com>
To: Warren Kumari <warren@kumari.net>, The IESG <iesg@ietf.org>
CC: "draft-ietf-tokbind-negotiation@ietf.org" <draft-ietf-tokbind-negotiation@ietf.org>, John Bradley <ve7jtb@ve7jtb.com>, "tokbind-chairs@ietf.org" <tokbind-chairs@ietf.org>, "ve7jtb@ve7jtb.com" <ve7jtb@ve7jtb.com>, "unbearable@ietf.org" <unbearable@ietf.org>, "liushucheng@huawei.com" <liushucheng@huawei.com>
Date: Wed, 09 May 2018 18:07:48 +0000
Message-ID: <DM5PR21MB05070A1DC04DC37E7D8EF5AA8C990@DM5PR21MB0507.namprd21.prod.outlook.com>
References: <152587829673.3921.15943204349783206766.idtracker@ietfa.amsl.com>
In-Reply-To: <152587829673.3921.15943204349783206766.idtracker@ietfa.amsl.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/unbearable/4JksAhPb_BSKKKplerBmvfIEKTw>
Subject: Re: [Unbearable] Warren Kumari's No Objection on draft-ietf-tokbind-negotiation-12: (with COMMENT)

Hi Warren,

Thanks for the review. Will make the change suggested by Will Liu in the next revision.

TLS 1.3 is sufficiently different that the TB WG decided to specify the use of TB with TLS 1.3 in a separate document.

Cheers,

Andrei

-----Original Message-----
From: Warren Kumari <warren@kumari.net>
Sent: Wednesday, May 9, 2018 8:05 AM
To: The IESG <iesg@ietf.org>
Cc: draft-ietf-tokbind-negotiation@ietf.org; John Bradley <ve7jtb@ve7jtb.com>; tokbind-chairs@ietf.org; ve7jtb@ve7jtb.com; unbearable@ietf.org; liushucheng@huawei.com
Subject: Warren Kumari's No Objection on draft-ietf-tokbind-negotiation-12: (with COMMENT)

Warren Kumari has entered the following ballot position for
draft-ietf-tokbind-negotiation-12: No Objection

When responding, please keep the subject line intact and reply to all email addresses included in the To and CC lines. (Feel free to cut this introductory paragraph, however.)


Please refer to https://www.ietf.org/iesg/statement/discuss-criteria.html
for more information about IESG DISCUSS and COMMENT positions.


The document, along with other ballot positions, can be found here:
https://datatracker.ietf.org/doc/draft-ietf-tokbind-negotiation/



----------------------------------------------------------------------
COMMENT:
----------------------------------------------------------------------

Please also see Will LIU's OpsDir review here:
https://datatracker.ietf.org/doc/review-ietf-tokbind-negotiation-10-opsdir-lc-liu-2017-12-04/
It suggests a simple change which will remove confusion/ambiguity.

The document says (in the Introduction):
"The negotiation of the Token Binding protocol and key parameters in combination with TLS 1.3 and later versions is beyond the scope of this document."

How hard would it be to make it work with TLS 1.3? Actually, what part of it doesn't already? (I'm guessing I'm missing something super-obvious)...