IETF Logo Mail Archive

Re: [Unbearable] WGLC 3 on core documents

Denis <denis.ietf@free.fr> Mon, 27 February 2017 20:40 UTC

Return-Path: <denis.ietf@free.fr>
X-Original-To: unbearable@ietfa.amsl.com
Delivered-To: unbearable@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 51E871293F8 for <unbearable@ietfa.amsl.com>; Mon, 27 Feb 2017 12:40:01 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.597
X-Spam-Level:
X-Spam-Status: No, score=-2.597 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id vZQwkwW_Q5yp for <unbearable@ietfa.amsl.com>; Mon, 27 Feb 2017 12:39:59 -0800 (PST)
Received: from smtp6-g21.free.fr (smtp6-g21.free.fr [IPv6:2a01:e0c:1:1599::15]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C2F19124281 for <unbearable@ietf.org>; Mon, 27 Feb 2017 12:39:58 -0800 (PST)
Received: from [192.168.0.13] (unknown [88.182.125.39]) by smtp6-g21.free.fr (Postfix) with ESMTP id DC42978039B; Mon, 27 Feb 2017 21:39:55 +0100 (CET)
To: Nick Harper <nharper@google.com>
References: <90198679-4549-2893-6d91-f4415df217ad@sunet.se> <705b00ac-d7dc-6d9d-9c5f-e895f22f300d@free.fr> <CACdeXi+8jrQkSi3iXNE1cu0JMSHc5Kyakc5YXABkuogUijywqg@mail.gmail.com>
From: Denis <denis.ietf@free.fr>
Message-ID: <59f884f8-02a9-1076-6479-87415bfdd8e0@free.fr>
Date: Mon, 27 Feb 2017 21:39:55 +0100
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:45.0) Gecko/20100101 Thunderbird/45.7.1
MIME-Version: 1.0
In-Reply-To: <CACdeXi+8jrQkSi3iXNE1cu0JMSHc5Kyakc5YXABkuogUijywqg@mail.gmail.com>
Content-Type: multipart/alternative; boundary="------------1E0CD1C94B32F1D952F4EB1D"
Archived-At: <https://mailarchive.ietf.org/arch/msg/unbearable/NXvxSpdxZ1hpDxZczZ3kloyTYyE>
Cc: IETF Tokbind WG <unbearable@ietf.org>
Subject: Re: [Unbearable] WGLC 3 on core documents
X-BeenThere: unbearable@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "\"This list is for discussion of proposals for doing better than bearer tokens \(e.g. HTTP cookies, OAuth tokens etc.\) for web applications. The specific goal is chartering a WG focused on preventing security token export and replay attacks.\"" <unbearable.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/unbearable>, <mailto:unbearable-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/unbearable/>
List-Post: <mailto:unbearable@ietf.org>
List-Help: <mailto:unbearable-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/unbearable>, <mailto:unbearable-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 27 Feb 2017 20:40:01 -0000

Nick,

For being able to speak of a "replay", there should first be a "play of 
the token".
But in this case, there is a single"play" of it, and hence no replay.

Denis


> The client collusion scenario is about one client exporting a bound 
> token for another client to use. This bound token is a security token, 
> and reusing the token (whether it is on the same client or another 
> client) is replaying it. Hence, "Security Token Replay" is a perfectly 
> appropriate section for those sentences. They don't need their own 
> section.
>
> On Mon, Feb 27, 2017 at 1:19 AM, Denis <denis.ietf@free.fr 
> <mailto:denis.ietf@free.fr>> wrote:
>
>     Comments on draft-ietf-tokbind-protocol-13 (The Token Binding
>     Protocol Version 1.0)
>
>     On page 14 within the Security Considerations section, I
>     appreciate the fact that the following sentences have been added:
>
>
>     *The Token Binding protocol does not prevent cooperating clients from*
>     *sharing a bound token.A client could intentionally export a bound*
>     *token with the corresponding Token Binding private key, or perform*
>     *signatures using this key on behalf of another client.*
>
>     However, these sentences have been placed inside section 7.1.
>     which is called "Security Token Replay".
>
>     This security consideration has nothing to do with "Security Token
>     Replay" but with "Client collusion".
>
>     Therefore, these sentences should be placed under a new section
>     called: "7.2. Client collusion".
>
>     ======================================================================================
>
>     Comments on draft-ietf-tokbind-https-08 (Token Binding over HTTP)
>
>     On page 14 within the Security Considerations section, the same
>     kind of change as the one requested
>     for draft-ietf-tokbind-protocol-13 (The Token Binding Protocol
>     Version 1.0) should be done, i.e. add a new section
>     called: "7.2. Client collusion" with the following text :
>
>     *Token Binding over HTTP does not prevent cooperating clients from
>     sharing a bound token.A client could intentionally export a bound
>     token with the corresponding Token Binding private key, or perform
>     signatures using this key on behalf of another client.*
>
>
>     Denis
>
>
>     _______________________________________________
>     Unbearable mailing list
>     Unbearable@ietf.org <mailto:Unbearable@ietf.org>
>     https://www.ietf.org/mailman/listinfo/unbearable
>     <https://www.ietf.org/mailman/listinfo/unbearable>
>
>

v2.30.2 | Report a Bug | By Email | System Status