Re: [Unbearable] tokbind - New Meeting Session Request for IETF 102

Andrei Popov <Andrei.Popov@microsoft.com> Thu, 07 June 2018 21:58 UTC

Return-Path: <Andrei.Popov@microsoft.com>
X-Original-To: unbearable@ietfa.amsl.com
Delivered-To: unbearable@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 394CE130DDB for <unbearable@ietfa.amsl.com>; Thu, 7 Jun 2018 14:58:37 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.02
X-Spam-Level:
X-Spam-Status: No, score=-0.02 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, HTTPS_HTTP_MISMATCH=1.989, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, T_DKIMWL_WL_HIGH=-0.01, URIBL_BLOCKED=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=microsoft.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id vhhE6SbrcoOx for <unbearable@ietfa.amsl.com>; Thu, 7 Jun 2018 14:58:29 -0700 (PDT)
Received: from NAM01-SN1-obe.outbound.protection.outlook.com (mail-sn1nam01on0118.outbound.protection.outlook.com [104.47.32.118]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 12F4C130DD7 for <unbearable@ietf.org>; Thu, 7 Jun 2018 14:58:29 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=qKbSzkp0fFOuAI0FViOPM3eECNLn2McCT5wKvuWZt2U=; b=SVQIK717NZyEqT7thYuW9BkhrPryIhgpndAFKgjZ/MZQXUXHpoCXxJqb3GkgS6Ew6iwjYXMYbgLUYtOBkKbHkit7Lue6qdo7erfTmR8kt1YanJO1tbdoyFaDj7AHlA5aqWS2B0vGkgLCAUR6zQDy+aMGUegXJyzwXvv9uq7/NXo=
Received: from DM5PR21MB0507.namprd21.prod.outlook.com (10.172.91.141) by DM5PR21MB0138.namprd21.prod.outlook.com (10.173.173.13) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.863.2; Thu, 7 Jun 2018 21:58:27 +0000
Received: from DM5PR21MB0507.namprd21.prod.outlook.com ([fe80::7cac:8247:7a46:1bfd]) by DM5PR21MB0507.namprd21.prod.outlook.com ([fe80::7cac:8247:7a46:1bfd%16]) with mapi id 15.20.0863.004; Thu, 7 Jun 2018 21:58:27 +0000
From: Andrei Popov <Andrei.Popov@microsoft.com>
To: Brian Campbell <bcampbell=40pingidentity.com@dmarc.ietf.org>
CC: Leif Johansson <leifj@mnt.se>, IETF Tokbind WG <unbearable@ietf.org>
Thread-Topic: [Unbearable] tokbind - New Meeting Session Request for IETF 102
Thread-Index: AQHT+KcSOfkm5RG+C024j4aQmtNOyqRJXiAAgAETswCAAQehAIAAGkEAgAVCOXCABF61AIAAKsKg
Date: Thu, 7 Jun 2018 21:58:26 +0000
Message-ID: <DM5PR21MB0507D809A381912B03CDEB3C8C640@DM5PR21MB0507.namprd21.prod.outlook.com>
References: <152774743559.22620.13488651600482711493.idtracker@ietfa.amsl.com> <5ab325d2-4227-5ef0-747b-94a556f0acb5@mnt.se> <CA+k3eCSwmO=6gYKg=LBH5KxYgzwuobJRMrKiCiP4kuvVO3wJhQ@mail.gmail.com> <c8f83d1a-ca5a-a7b1-aefd-a86944bb58e5@mnt.se> <CA+k3eCQkwKbAgDB7Wd7Dt0ztdccnU6kkvEQkFcQzZr3+SGm37w@mail.gmail.com> <DM5PR21MB050756924C75D2A4CB31826C8C650@DM5PR21MB0507.namprd21.prod.outlook.com> <CA+k3eCS-vU_cCqgJ-fkoDyyvkqHgJp8yd_c7vLWJJa=Xw_hmOQ@mail.gmail.com>
In-Reply-To: <CA+k3eCS-vU_cCqgJ-fkoDyyvkqHgJp8yd_c7vLWJJa=Xw_hmOQ@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [2001:4898:80e8:9:28b4:a023:971b:e42c]
x-ms-publictraffictype: Email
x-microsoft-exchange-diagnostics: 1; DM5PR21MB0138; 7:JqfFq10SaZAMMGKvT0XX2wlvCzLMMJgXbfWvpMLcc9by3Xr9WP/+dMK2iUvXqhIJcdiOhco1zZcA8hXsBSQWAMNeMFw+xlM4gxc5+z453IIie2oojoiMaA1qI2e030EKKO/fmyJz98kG8oktXG6kIWiFmsFRPN/BkkNoMEyLUpFDXYCd2DdGrK7ZEzuvkVaZikBSG07dG8aSBjcZ2wfhTXgyjm4aA9EAMwV4evdcBh+ZF2qeyyXZe1O7BpugWu5u
x-ms-exchange-antispam-srfa-diagnostics: SOS;
x-ms-office365-filtering-ht: Tenant
x-microsoft-antispam: UriScan:; BCL:0; PCL:0; RULEID:(7020095)(4652020)(48565401081)(5600026)(4534165)(4627221)(201703031133081)(201702281549075)(2017052603328)(7193020); SRVR:DM5PR21MB0138;
x-ms-traffictypediagnostic: DM5PR21MB0138:
authentication-results: spf=none (sender IP is ) smtp.mailfrom=Andrei.Popov@microsoft.com;
x-microsoft-antispam-prvs: <DM5PR21MB0138DAA399672E7BFFC90D598C640@DM5PR21MB0138.namprd21.prod.outlook.com>
x-exchange-antispam-report-test: UriScan:(28532068793085)(158342451672863)(89211679590171)(192374486261705)(189930954265078)(100405760836317)(219752817060721)(21748063052155);
x-ms-exchange-senderadcheck: 1
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(8211001083)(6040522)(2401047)(5005006)(8121501046)(3231254)(2018427008)(944501410)(52105095)(10201501046)(93006095)(93001095)(3002001)(6055026)(149027)(150027)(6041310)(20161123564045)(20161123562045)(20161123558120)(20161123560045)(201703131423095)(201702281528075)(20161123555045)(201703061421075)(201703061406153)(6072148)(201708071742011)(7699016); SRVR:DM5PR21MB0138; BCL:0; PCL:0; RULEID:; SRVR:DM5PR21MB0138;
x-forefront-prvs: 06968FD8C4
x-forefront-antispam-report: SFV:NSPM; SFS:(10019020)(346002)(396003)(39860400002)(366004)(39380400002)(376002)(199004)(189003)(51914003)(8676002)(10290500003)(8936002)(476003)(54906003)(7736002)(606006)(99286004)(74316002)(1600100001)(6246003)(316002)(22452003)(97736004)(81156014)(2900100001)(790700001)(6116002)(93886005)(81166006)(9686003)(5250100002)(236005)(53936002)(6306002)(5660300001)(59450400001)(186003)(55016002)(6436002)(10090500001)(102836004)(54896002)(86612001)(53546011)(6506007)(7696005)(76176011)(33656002)(11346002)(446003)(3280700002)(229853002)(486006)(5890100001)(966005)(14454004)(4326008)(68736007)(106356001)(8990500004)(105586002)(2906002)(3660700001)(478600001)(46003)(86362001)(25786009)(72206003); DIR:OUT; SFP:1102; SCL:1; SRVR:DM5PR21MB0138; H:DM5PR21MB0507.namprd21.prod.outlook.com; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; A:1; MX:1;
received-spf: None (protection.outlook.com: microsoft.com does not designate permitted sender hosts)
x-microsoft-antispam-message-info: ry+kmTsZOb7ICebnq8OLfBlppA4s2hwWo2YuOt2uCkuXCWSZuIUjPbePOReDMDqVktI54owCxztsGETOuFIddshvo3tTxgdKUPIww6jzPJ5gW21sCoQCBoQBW4FjhkRV0GRykgb9qNw8AKsd/hZebXQfx/3I50zkfWxCQKgzwSijj4HLKZU9PAGGDNetq3Xy
spamdiagnosticoutput: 1:99
spamdiagnosticmetadata: NSPM
Content-Type: multipart/alternative; boundary="_000_DM5PR21MB0507D809A381912B03CDEB3C8C640DM5PR21MB0507namp_"
MIME-Version: 1.0
X-MS-Office365-Filtering-Correlation-Id: 2194c627-77b9-4b17-a268-08d5ccc1cc55
X-OriginatorOrg: microsoft.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 2194c627-77b9-4b17-a268-08d5ccc1cc55
X-MS-Exchange-CrossTenant-originalarrivaltime: 07 Jun 2018 21:58:27.0230 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 72f988bf-86f1-41af-91ab-2d7cd011db47
X-MS-Exchange-Transport-CrossTenantHeadersStamped: DM5PR21MB0138
Archived-At: <https://mailarchive.ietf.org/arch/msg/unbearable/_JVK_kTJgvyyXka0YD3ZWXsmCsc>
Subject: Re: [Unbearable] tokbind - New Meeting Session Request for IETF 102
X-BeenThere: unbearable@ietf.org
X-Mailman-Version: 2.1.26
Precedence: list
List-Id: "\"This list is for discussion of proposals for doing better than bearer tokens \(e.g. HTTP cookies, OAuth tokens etc.\) for web applications. The specific goal is chartering a WG focused on preventing security token export and replay attacks.\"" <unbearable.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/unbearable>, <mailto:unbearable-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/unbearable/>
List-Post: <mailto:unbearable@ietf.org>
List-Help: <mailto:unbearable-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/unbearable>, <mailto:unbearable-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 07 Jun 2018 21:58:38 -0000

  *   Gauging WG consensus isn't particularity easy in this WG at this stage but in my mind consensus is there.
Our awesome Chairs can probably help confirm one way or the other.


  *   Nothing is future proof.
  *   Saying TTRP will work only with a specific version may or may not prove true.
Sure. Just trying to understand what the thinking is: if TTRP is not supportable with TB X, we’ll just say “don’t use TTRP with TB X, use TTRPbis instead”?
And TTRPbis will probably define some new headers?

From: Brian Campbell <bcampbell=40pingidentity.com@dmarc.ietf.org>
Sent: Thursday, June 7, 2018 12:09 PM
To: Andrei Popov <Andrei.Popov@microsoft.com>
Cc: Leif Johansson <leifj@mnt.se>se>; IETF Tokbind WG <unbearable@ietf.org>
Subject: Re: [Unbearable] tokbind - New Meeting Session Request for IETF 102

Thanks for the review, Andrei.

I'll incorporate the editorial suggestions.

The design choice of having distinct Sec-Provided and Sec-Referred headers was intentional and aimed at making the most common cases simple at the application layer dealing with HTTP. The vast majority of the time there's going to be only the Provided and a single header that carries that value unadorned makes accessing that very straightforward.  Referred is the other defined type with defined usage in HTTPSTB so TTRP has Sec-Referred for that. Then there are 254 other undefined types and there was a request from the WG (or a portion thereof) to allow for them somehow. A separate header for every one of them seemed prohibitive to say the least. That's where the Sec-Other catch-all comes from. There are trade-offs any design choice and this is a bit of a hybrid but I feel it strikes a good balance of simplicity for the common defined cases while still accommodating others. Gauging WG consensus isn't particularity easy in this WG at this stage but in my mind consensus is there. This would, of course, be a good time for the WG to speak up to indicate otherwise, if that's not the case.

Nothing is future proof. TTRP is intended to facilitate deployments of HTTPSTB. HTTPSTB isn't future proof or versioned and would need to change to allow for more than one referred TB ID. Saying TTRP will work only with a specific version may or may not prove true. And passing along the negotiated TB protocol version may or may not accommodate future changes. Future TB protocol versions may or may not even happen.

The single HTTP header field-valued text was largely put in there with the hope/expectation that it would ease the registration process (after Jeff suggested something similar for the Sec-Token-Binding header, IIRC). But also because it was inline with the "exactly one" restriction in HTTPSTB. But that text could easily be removed, I think.



On Wed, Jun 6, 2018 at 12:51 PM, Andrei Popov <Andrei.Popov=40microsoft.com@dmarc.ietf.org<mailto:Andrei.Popov=40microsoft.com@dmarc.ietf.org>> wrote:
The document is well-written and clear, overall. I have a few editorial comments and some design comments:

  “Token Binding over HTTP [I-D.ietf-tokbind-https] provides a mechanism
   that enables HTTP servers to cryptographically bind cookies and other
   security tokens to a key held by the browser or other HTTP client,
   possession of which is proven on the TLS [RFC5246] connections over
   which the tokens are used.”

Editorial suggestion: “…to a key generated by the client.” Whether the browser, HTTP client, or underlying platform hold the TB key is implementation-specific and probably unnecessary detail here. Proof of possession is discussed in the next sentence.

  “The usage of the headers, both the reverse proxy adding _it_ and the
   application server using _them_ to bind cookies or other tokens, are to
   be configuration options of the respective systems as they will not
   always be applicable.”

Editorial: this sentence confuses me, esp. around “it” and “them”; perhaps it’s possible to simplify.

Section 2.2: Having three separate headers: Sec-Provided, Sec-Referred and Sec-Other catch-all would not be my design choice. I’d suggest either one header with a list of all TB IDs, or a separate header for each TB ID. Of course, if WG consensus exists on the current design, then that’s what it is.

   “Both "Sec-Provided-Token-Binding-ID" and "Sec-Referred-Token-Binding-
   ID" are single HTTP header field-valued…”

Somewhat related to the previous comment: this seems to be saying that there cannot be more than one referred TB ID, which is fine now, but not necessarily future proof.
TTRP seems to not be versioned; if, say, TB 2.0 uses multiple referred bindings per request, will we need TTRP 2.0 with all new headers?

It seems that TTRP needs to be either TB version-specific, i.e. explicitly say “this is for TB 1.0 only, and future TB versions will require new TTRP specs”, or be designed as a pipeline, passing whatever bindings the proxy was able to verify, possibly along with the negotiated TB protocol version.

Security and IANA considerations look good to me.

Cheers,

Andrei

From: Unbearable <unbearable-bounces@ietf.org<mailto:unbearable-bounces@ietf.org>> On Behalf Of Brian Campbell
Sent: Friday, June 1, 2018 9:07 AM
To: Leif Johansson <leifj@mnt.se<mailto:leifj@mnt.se>>
Cc: IETF Tokbind WG <unbearable@ietf.org<mailto:unbearable@ietf.org>>
Subject: Re: [Unbearable] tokbind - New Meeting Session Request for IETF 102

It's pretty short! https://tools.ietf.org/html/draft-ietf-tokbind-ttrp-03<https://na01.safelinks.protection.outlook.com/?url=https%3A%2F%2Ftools.ietf.org%2Fhtml%2Fdraft-ietf-tokbind-ttrp-03&data=02%7C01%7CAndrei.Popov%40microsoft.com%7Cbe9b45e5942241330d0908d5c7d9bbd2%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C636634660334123449&sdata=mfl4DReC846OoQSdyJvXQ0UjMYY9zeT8Hnp2jbXviis%3D&reserved=0>

On Fri, Jun 1, 2018 at 8:32 AM, Leif Johansson <leifj@mnt.se<mailto:leifj@mnt.se>> wrote:


On 2018-06-01 00:49, Brian Campbell wrote:
> I'd like to request some agenda time to cover the TTRP draft, which will
> likely consist of an overview and status update (with some gratuitous
> photos of recent IETF meeting locations) and a plea to move towards
> WGLC. Thanks!

In order to facilitate that... could we get some folks to review
the TTRP draft before 102?

Maybe... please... ??

        Cheers Leif


CONFIDENTIALITY NOTICE: This email may contain confidential and privileged material for the sole use of the intended recipient(s). Any review, use, distribution or disclosure by others is strictly prohibited..  If you have received this communication in error, please notify the sender immediately by e-mail and delete the message and any file attachments from your computer. Thank you.


CONFIDENTIALITY NOTICE: This email may contain confidential and privileged material for the sole use of the intended recipient(s). Any review, use, distribution or disclosure by others is strictly prohibited..  If you have received this communication in error, please notify the sender immediately by e-mail and delete the message and any file attachments from your computer. Thank you.