IETF Logo Mail Archive

Re: [Unbearable] on not listing 'Sec-Token-Binding' in the Connection header field?

John Bradley <ve7jtb@ve7jtb.com> Thu, 09 February 2017 19:25 UTC

Return-Path: <ve7jtb@ve7jtb.com>
X-Original-To: unbearable@ietfa.amsl.com
Delivered-To: unbearable@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 047A6129C59 for <unbearable@ietfa.amsl.com>; Thu, 9 Feb 2017 11:25:29 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.6
X-Spam-Level:
X-Spam-Status: No, score=-2.6 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=ve7jtb-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ERpyzq7zP8rA for <unbearable@ietfa.amsl.com>; Thu, 9 Feb 2017 11:25:27 -0800 (PST)
Received: from mail-qt0-x22f.google.com (mail-qt0-x22f.google.com [IPv6:2607:f8b0:400d:c0d::22f]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 57598129C5A for <unbearable@ietf.org>; Thu, 9 Feb 2017 11:25:27 -0800 (PST)
Received: by mail-qt0-x22f.google.com with SMTP id v23so13976688qtb.0 for <unbearable@ietf.org>; Thu, 09 Feb 2017 11:25:27 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ve7jtb-com.20150623.gappssmtp.com; s=20150623; h=from:message-id:mime-version:subject:date:in-reply-to:cc:to :references; bh=KziFjXTsuhJDs+uxYuPnLNZXkBW5ZtlG4S5vU/s4cds=; b=sxnc+lWj+lbsRa/RMc7X0mQG/mRPUzfIauAAE4mjDMzAjqVSOdW8diaV0FQS7yzmWD onqUnx5t2KSyxpdnHTff7cHGmVfen6ZDMLi+3Xk7iJN55Jqf6DsTFVD37dbzxGy3hg/O sAKERH+iTdHDAU2wrfvHeEUbQHGcnENGe4G3UjHHYH3YlRgdmNWD+Pt3+uO7L9Rmf6fA /uuByN1bj+F5cAgBpsDPviiW55e9yscKCSuE0hMCsHpZ4fJ6RfDkuXM5kwutilAU4z0R dq/rB4AD4O+n8/x73TxqLjJpAgFTJFCKWp+asakVbtNSIlQAGxcZi7POaU8bjrRnh/tw MZ7A==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:message-id:mime-version:subject:date :in-reply-to:cc:to:references; bh=KziFjXTsuhJDs+uxYuPnLNZXkBW5ZtlG4S5vU/s4cds=; b=FWe9DUQhDjKeWgbx2yBO2pEFn6GB95j1/1r0/d542FOQld/xXwxPtLsI0V8sKPI3zp 5zW9qgX1NnpRnJueGjt6Vgm9kM1pd85nyhDZgEdWX9Kiqtiwv53N6hmrK3GBPKVnjwsN ScRF4SMO/P625n+PU4as3F8iwjSZrHRq4B8DaTyIeTC2+q08x3qR0T3mWfcBMGvZFfX7 Cn0ee+zhk8u/LFSn7rS/hfKZ4bgDMYxetUPayRuHSPrhYrDuZm5bi9Tpfps73I2mcZmv hzKnuPcLET8PUHh/2NnQ+EzZyy9zjwopAGdMv2S6hiVdAv6KClivhn9Y68gz2u8w02+G VvoA==
X-Gm-Message-State: AMke39nKMM8UD0Gshn7LiRJBBSGaMmYtoV2rQU+u8KwMvwcvfCmS/4ZSFLXk5sMySsPYC4vi
X-Received: by 10.237.34.250 with SMTP id q55mr4851784qtc.127.1486668326246; Thu, 09 Feb 2017 11:25:26 -0800 (PST)
Received: from [192.168.86.130] ([191.115.108.51]) by smtp.gmail.com with ESMTPSA id t2sm9981614qte.14.2017.02.09.11.25.18 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Thu, 09 Feb 2017 11:25:25 -0800 (PST)
From: John Bradley <ve7jtb@ve7jtb.com>
Message-Id: <AB2B80EF-2726-4C61-837B-17F668064D66@ve7jtb.com>
Content-Type: multipart/signed; boundary="Apple-Mail=_0E06F584-1AC6-417E-BA71-A5993185B08D"; protocol="application/pkcs7-signature"; micalg="sha1"
Mime-Version: 1.0 (Mac OS X Mail 10.2 \(3259\))
Date: Thu, 09 Feb 2017 16:24:42 -0300
In-Reply-To: <d975388a-7a09-4842-89dc-7a2bd94ba0ff@treenet.co.nz>
To: Amos Jeffries <squid3@treenet.co.nz>
References: <e56976df-c7e7-6dde-8f27-9aeb152f66ab@KingsMountain.com> <CY1PR0301MB084254BDDD2E72104D20BE9A8C430@CY1PR0301MB0842.namprd03.prod.outlook.com> <C97FF7A1-5EAB-4117-A9D2-65C9A9993A8F@ve7jtb.com> <CADHfa2A-kpD_swEzMue33eeKj=Xd6_au2KL=XD+AmYq=m6hrdw@mail.gmail.com> <43DD0CF0-4043-448D-BE38-FAFFDE779B57@ve7jtb.com> <CY1PR0301MB08423324E89771A0EEDD72068C420@CY1PR0301MB0842.namprd03.prod.outlook.com> <d975388a-7a09-4842-89dc-7a2bd94ba0ff@treenet.co.nz>
X-Mailer: Apple Mail (2.3259)
Archived-At: <https://mailarchive.ietf.org/arch/msg/unbearable/PanJO3Bv9K_Dvhafm5eYolENSRw>
Cc: unbearable@ietf.org
Subject: Re: [Unbearable] on not listing 'Sec-Token-Binding' in the Connection header field?
X-BeenThere: unbearable@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "\"This list is for discussion of proposals for doing better than bearer tokens \(e.g. HTTP cookies, OAuth tokens etc.\) for web applications. The specific goal is chartering a WG focused on preventing security token export and replay attacks.\"" <unbearable.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/unbearable>, <mailto:unbearable-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/unbearable/>
List-Post: <mailto:unbearable@ietf.org>
List-Help: <mailto:unbearable-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/unbearable>, <mailto:unbearable-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 09 Feb 2017 19:25:29 -0000
X-List-Received-Date: Thu, 09 Feb 2017 19:25:29 -0000

So it is valid in hop by hop for the proxy to pass on the original header information as its own for the next hop if that is the correct thing to do?

I suppose that is largely what happens with keep-alive.

To Andre’s point I understand that existing proxies wouldn't negotiate token binding but we need to cover creative future development.  
If we lever it open for a proxy to negotiate token binding on one side and pall along the header someone will do it and blame the spec as being unclear.

We would clearly never recommend that but won’t have direct control over developers.

John B.

> On Feb 9, 2017, at 4:14 PM, Amos Jeffries <squid3@treenet.co.nz> wrote:
> 
> On 9/02/2017 6:20 a.m., Andrei Popov wrote:
>> Ø  The Connect header is for the client to tell a proxy "this header
>> really doesn't make sense to forward, please drop it on the next
>> hop". …but in the case of the Sec-Token-Binding header, the client
>> does not know whether it makes sense to forward or not. The client,
>> generally, does not know whether the proxy or TLS terminator
>> validates bindings, passes them along for the application server to
>> validate, or strips them altogether.
>> 
> 
> The Connection header is not particularly about proxies. It is simply
> about distinguishing hop-by-hop things from end-to-end so any naive/old
> HTTP recipient can keep the relevant data secure in a fail-closed way.
> 
> Since the TLS is hop-by-hop the preferred behaviour ought to be a
> MUST/SHOULD for listing in Connection header to meet the RFC 7230
> conditions.
> 
> If the recipient happens to be TB-aware and non-validating (for any
> reason, not just TTRPs). Then RFC 7230 grants the ability to forward on
> both the Sec-Token-Binding and Connection:Sec-Token-Binding headers as
> being relevant to the next-hop it is using.
> 
> ie. the "(or replace it with the intermediary's own connection options
> for the forwarded message)" clause is what applies to non-validating
> recipients.
> 
> However the non-validating case should be an exception rather than the
> norm. Specifically called out as such for TTRPs etc.
> 
> 
> HTH
> Amos
> 
> _______________________________________________
> Unbearable mailing list
> Unbearable@ietf.org
> https://www.ietf.org/mailman/listinfo/unbearable

v2.30.2 | Report a Bug | By Email | System Status