Re: [Unbearable] (belated) WGLC draft-ietf-tokbind-ttrp

Andrei Popov <> Mon, 17 September 2018 17:57 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id A4BA81200D7 for <>; Mon, 17 Sep 2018 10:57:28 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: 1.112
X-Spam-Level: *
X-Spam-Status: No, score=1.112 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, HTTPS_HTTP_MISMATCH=1.989, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, T_DKIMWL_WL_HIGH=-0.01, T_KAM_HTML_FONT_INVALID=0.01, URIBL_BLOCKED=0.001, URI_HEX=1.122] autolearn=no autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (1024-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id jdhMInwod9j9 for <>; Mon, 17 Sep 2018 10:57:26 -0700 (PDT)
Received: from ( []) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 3A2121274D0 for <>; Mon, 17 Sep 2018 10:57:26 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=EgViC/lo4HfrpETfna+GWmcVmva5Jf8JTpBBoMPg4N4=; b=a2bpeZoNGe+Y2Blr8iYsWHNhbhqcfvB0V8+IsyHnVVYU88/e8SS4DlLCpFsAJc08FU1Sm/J5gPJA2NTzIhBOE5Jrs9ziL5LKr6vfMyDL0FfiURAk/5x+zUDGixTmqpkd/er4BP1ofmtsiD640oXKFbNwEgo3jBOtWmcfJ0RoaR8=
Received: from ( by ( with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.1185.6; Mon, 17 Sep 2018 17:57:23 +0000
Received: from ([fe80::290d:3ed5:7a6b:e1cc]) by ([fe80::290d:3ed5:7a6b:e1cc%2]) with mapi id 15.20.1185.003; Mon, 17 Sep 2018 17:57:23 +0000
From: Andrei Popov <>
To: Denis <>, Hans Zandbelt <>
CC: Tokbind WG <>
Thread-Topic: [Unbearable] (belated) WGLC draft-ietf-tokbind-ttrp
Thread-Index: AQHUS64L+Ni1zKXorUWBMu/ZxHbtwqT0O2GAgAAF2wCAAA3vgIAAePjg
Date: Mon, 17 Sep 2018 17:57:23 +0000
Message-ID: <>
References: <> <> <> <>
In-Reply-To: <>
Accept-Language: en-US
Content-Language: en-US
x-originating-ip: [2001:4898:80e8:b:28b2:a023:971b:e42c]
x-ms-publictraffictype: Email
x-microsoft-exchange-diagnostics: 1; CY4PR21MB0168; 6:1LC/FZT1Vki8t84KLbO3eAb3Lp7t/FiClGvYpWrC6oOA6CGeDPA7rP3gLI9P0TsTEG2yXvfw5sLtOWTzGbMcd2wJIkycusFhaqW5yMbokCveutHxv5DuEWib4fOEz3WQ5kas4oJZwVsuZoNenKbdBeMNoygkPo5MBUORo3mmiysGmUx7Poq4uX2DwC7tXVQ67p85/PKZ9I/0RGaIoZtb+qkpwkiR0C7V0r9QcgQmtehCBA1cnx9FyaB+1RDWF8ZEk/qLMDfucETwuIpjgG/LGeOhlSq+VbfryEJYhQeIsgE9vxwHJb26RPUEgER5drIag/e02ZlJGxspG9BTBnPaLtdkvzKAhV0Z6wmM9mjPIRqw5J5eFSKFsQjdtTCRJf60Wjw/Dv6JsRwstLdUXQVaun6DNghMLY8UCbLqSSklsu8wPIQl2JbhN3gBTZ6qW5eJ8SHEJSyqv2pgXjc02W2Eww==; 5:5OwGwNm1L4/pUCwD92llg7RZde5j4UT/7mrD7mS082GdOFYGaBI+a4UePKjSts/yNhJkOGWNfyaMx5PJrhkpxm1WOSUh9otA1HtkMvHNFer7Bia/UcEphMCsf65f9pMAoAFG2pXAsNYWJkBDL5PRHtZC55vq1pZ95/QN4ZrDuew=; 7:Ph/lfvEospz6XC2wcxkqOZg15mR2ygp/DoLnFf5ORDffSVHcuAYzNFKJgs2zniBLFoLobpEP32PpSFYq4rWOgqGRow5EIiznhzkuLnicWLTo7CZaSrsZuWVLy5w+r/evrNsfyjLh3PTurAiKZ0fDXry7kud6gJjbjUft2qGdUq1Lst6mfJ4gAxQ0kgyzJnO+te6QEaDxcu506LWzzlsf3k4dxcMMqkTk+Mjr8oQRhagZkI8ZFVTlsEN7YPrtdw20
x-ms-exchange-antispam-srfa-diagnostics: SOS;
x-ms-office365-filtering-correlation-id: 83726541-1004-4205-126b-08d61cc70594
x-ms-office365-filtering-ht: Tenant
x-microsoft-antispam: BCL:0; PCL:0; RULEID:(7020095)(4652040)(8989137)(4534165)(4627221)(201703031133081)(201702281549075)(8990107)(5600074)(711020)(4618075)(2017052603328)(7193020); SRVR:CY4PR21MB0168;
x-ms-traffictypediagnostic: CY4PR21MB0168:
x-microsoft-antispam-prvs: <>
x-exchange-antispam-report-test: UriScan:(192374486261705)(158342451672863)(191636701735510)(21748063052155)(28532068793085)(219752817060721)(189930954265078);
x-ms-exchange-senderadcheck: 1
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(8211001083)(6040522)(2401047)(5005006)(8121501046)(93006095)(93001095)(3231355)(944501410)(52105095)(2018427008)(10201501046)(3002001)(6055026)(149027)(150027)(6041310)(20161123562045)(201703131423095)(201702281528075)(20161123555045)(201703061421075)(201703061406153)(20161123558120)(20161123560045)(20161123564045)(201708071742011)(7699050)(76991041); SRVR:CY4PR21MB0168; BCL:0; PCL:0; RULEID:; SRVR:CY4PR21MB0168;
x-forefront-prvs: 0798146F16
x-forefront-antispam-report: SFV:NSPM; SFS:(10019020)(346002)(366004)(39860400002)(376002)(136003)(396003)(189003)(199004)(316002)(22452003)(53546011)(54896002)(6306002)(97736004)(93886005)(9686003)(2906002)(236005)(606006)(33656002)(9326002)(53936002)(6506007)(68736007)(25786009)(105586002)(7696005)(106356001)(790700001)(6116002)(76176011)(81156014)(81166006)(8676002)(8990500004)(8936002)(561944003)(74316002)(10290500003)(6246003)(99286004)(7736002)(478600001)(2900100001)(14454004)(5250100002)(11346002)(110136005)(446003)(14444005)(186003)(86362001)(486006)(229853002)(256004)(102836004)(10090500001)(966005)(4326008)(5660300001)(6436002)(6346003)(72206003)(55016002)(86612001)(4000630100001)(476003)(46003)(15866825006); DIR:OUT; SFP:1102; SCL:1; SRVR:CY4PR21MB0168;; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; MX:1; A:1;
received-spf: None ( does not designate permitted sender hosts)
authentication-results: spf=none (sender IP is );
x-microsoft-antispam-message-info: OM+l2XdK1EgAX18tvJw0tueqEOMsOzH7UsKErngEtPkfSMki+a3vDs/usrq+2kHrqsDTnU7N/fVujkHf5y1CA7HDofVX1/wHVGZ/UwMyiOEHrdMzlzgHlCJ9Y88ZoyzdFC3FHiR0QcQxNpNTe5cTiE2Vfs/X9Ccoj+lGpm2aYcVAX+uMHh0aG0wCGxuyjkeNdbOQGW2KPcUD4Drpzgv2NvuGZLHaxlfS8pym+SLffZE6n+IMwJlGXX34XBCU6+KgI6T8rw8c9vIqp/V69Re+0EnsOfsqzGffrKma9EfwNv9h/SZa+sLZH6i9z+jdR3s2z6uY3Jnd4za/ODkgsPws/GFp0iXGIhZMlOEZ/aAisAg=
spamdiagnosticoutput: 1:99
spamdiagnosticmetadata: NSPM
Content-Type: multipart/alternative; boundary="_000_CY4PR21MB0774438584D60A8033A94EF18C1E0CY4PR21MB0774namp_"
MIME-Version: 1.0
X-MS-Exchange-CrossTenant-Network-Message-Id: 83726541-1004-4205-126b-08d61cc70594
X-MS-Exchange-CrossTenant-originalarrivaltime: 17 Sep 2018 17:57:23.6513 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 72f988bf-86f1-41af-91ab-2d7cd011db47
X-MS-Exchange-Transport-CrossTenantHeadersStamped: CY4PR21MB0168
Archived-At: <>
Subject: Re: [Unbearable] (belated) WGLC draft-ietf-tokbind-ttrp
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "\"This list is for discussion of proposals for doing better than bearer tokens \(e.g. HTTP cookies, OAuth tokens etc.\) for web applications. The specific goal is chartering a WG focused on preventing security token export and replay attacks.\"" <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Mon, 17 Sep 2018 17:57:29 -0000

Hi Denis,

IMHO this is already addressed in the security considerations:

“The Token Binding protocol does not prevent cooperating clients from
   sharing a bound token.  A client could intentionally export a bound
   token with the corresponding Token Binding private key, or perform
   signatures using this key on behalf of another client.”



From: Unbearable <> On Behalf Of Denis
Sent: Monday, September 17, 2018 3:43 AM
To: Hans Zandbelt <>
Cc: Tokbind WG <>
Subject: Re: [Unbearable] (belated) WGLC draft-ietf-tokbind-ttrp


This has nothing to do with "private key sharing". Private keys are usually protected by some hardware device which does not allow to export these keys.
However, a legitimate user can use his hardware device which means that he can ask to his device to perform some cryptographic computation with the private keys
that are stored in it.

In the past, when doing a threat analysis, only external attackers were being considered. Collaborative attacks is a different kind of threat that should also be considered.
However, it only applies to some specific contexts:
If the security token contains a sufficient number of attributes that allows to fully identify the bearer, the bearer will probably refuse to collaborate with anybody else,
because that other body could fully impersonate him.

If the security token contains one or more attributes that do not allow to fully identify the bearer, the bearer may accept to collaborate with somebody else, because
he cannot be identified. Typical examples of such an attribute are: "over 18" or "resident of Florida". Such attributes may allow to access to a service.
Any solution using software only is unable to counter collaborative attacks. Any solution using hardware devices that are only protecting the private keys, but not their usage,
are also unable to counter collaborative attacks. The topic has nothing to do with generic PKI principles and guidelines. However, adding some additional explanations into
the security considerations section along those provided above could be useful.

Can we please stop adding text that says "don't share your private key with others" to IETF drafts? That is an inherent part of PKI and does not need to be repeated everywhere IMO, just like text about how verifying TLS server certificate should work is not repeated in drafts where TLS is a requirement. Perhaps a reference to generic PKI principles and guidelines may be included?


On Mon, Sep 17, 2018 at 11:32 AM Denis <<>> wrote:
Comments on draft-ietf-tokbind-ttrp-06: HTTPS Token Binding with TLS Terminating Reverse Proxies

The introduction states:
An HTTP server issuing cookies or other security tokens can associate them with the Token Binding ID, which ensures those tokens
cannot be used successfully over a different TLS connection or by a different client than the one to which they were issued.
When there are only external attackers, the sentence is correct but is incorrect when there is a collusion between a legitimate client and another client.
The sentence should be corrected. Here is a proposal:
An HTTP server issuing cookies or other security tokens can associate them with the Token Binding ID, which ensures those tokens
cannot be used successfully over a different TLS connection or by a different client than the one to which they were issued, as long as
there is no collusion between the legitimate client and another client.
In the "Security Considerations" section (section 4), some explanations should be added. Here is a proposal:
The token binding mechanism is efficient against external attackers, but, in case a legitimate client collaborates with another client,
the mechanism can be defeated since the legitimate client, using the private key which proves possession of the security token, can perform
all the cryptographic computations that the other client needs to demonstrate the possession of that security token.

This message marks the start of a 2 week WGLC on

draft-ietf-tokbind-ttrp-06 as agreed in Montreal but only now effected

by your chair.

Please provide your final comments, voices of support or objections

by COB Fri 28 Sept in any TZ.

 Best R



Unbearable mailing list<><>

Unbearable mailing list<><>

ZmartZone IAM -<>