Re: [Unbearable] Suggestions for TTRP

Brian Campbell <> Fri, 20 July 2018 17:32 UTC

From: Brian Campbell <>
Date: Fri, 20 Jul 2018 13:32:22 -0400
Message-ID: <>
To: Martin Thomson <>
Cc: IETF Tokbind WG <>

Thanks for the suggestion, Martin, I'll make that change in the next

On Fri, Jul 20, 2018, 1:21 PM Martin Thomson <>

> My comments about authentication were misguided because I somehow
> missed that the section entitled "HTTP Headers" was in fact about
> authentication.
> My suggestion: move the TLS versions section to a new top-level
> section and make the contents of the HTTP Headers section the entirety
> of the security considerations.  The TLS versions text isn't really a
> security consideration and having a more targeted security
> considerations section would be clearer.  (Also, it avoids having an
> empty top-level section).
