[Unbearable] Benjamin Kaduk's Yes on draft-ietf-tokbind-negotiation-13: (with COMMENT)

Benjamin Kaduk <kaduk@mit.edu> Thu, 10 May 2018 12:45 UTC

Return-Path: <kaduk@mit.edu>
X-Original-To: unbearable@ietf.org
Delivered-To: unbearable@ietfa.amsl.com
Received: from ietfa.amsl.com (localhost [IPv6:::1]) by ietfa.amsl.com (Postfix) with ESMTP id AED8C120454; Thu, 10 May 2018 05:45:19 -0700 (PDT)
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
From: Benjamin Kaduk <kaduk@mit.edu>
To: The IESG <iesg@ietf.org>
Cc: draft-ietf-tokbind-negotiation@ietf.org, John Bradley <ve7jtb@ve7jtb.com>, tokbind-chairs@ietf.org, ve7jtb@ve7jtb.com, unbearable@ietf.org
X-Test-IDTracker: no
X-IETF-IDTracker: 6.80.0
Auto-Submitted: auto-generated
Precedence: bulk
Message-ID: <152595631970.10267.10188172038443610412.idtracker@ietfa.amsl.com>
Date: Thu, 10 May 2018 05:45:19 -0700
Archived-At: <https://mailarchive.ietf.org/arch/msg/unbearable/QTFMOaAxHNZ4BUbFEixJwUS4fbg>
Subject: [Unbearable] Benjamin Kaduk's Yes on draft-ietf-tokbind-negotiation-13: (with COMMENT)
X-BeenThere: unbearable@ietf.org
X-Mailman-Version: 2.1.22
List-Id: "\"This list is for discussion of proposals for doing better than bearer tokens \(e.g. HTTP cookies, OAuth tokens etc.\) for web applications. The specific goal is chartering a WG focused on preventing security token export and replay attacks.\"" <unbearable.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/unbearable>, <mailto:unbearable-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/unbearable/>
List-Post: <mailto:unbearable@ietf.org>
List-Help: <mailto:unbearable-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/unbearable>, <mailto:unbearable-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 10 May 2018 12:45:20 -0000

Benjamin Kaduk has entered the following ballot position for
draft-ietf-tokbind-negotiation-13: Yes

When responding, please keep the subject line intact and reply to all
email addresses included in the To and CC lines. (Feel free to cut this
introductory paragraph, however.)

Please refer to https://www.ietf.org/iesg/statement/discuss-criteria.html
for more information about IESG DISCUSS and COMMENT positions.

The document, along with other ballot positions, can be found here:


I agree with Adam and Warren's comments.

The point already made about version negotiation has a corollary
that if the client sends a dense list of versions, then the server
will know decisively that a specific version has (or has not) been
negotiated, and can rely on that at the application layer.  When the
client can receive an unsupported version back from the server, the
client will not use token binding and the server has to infer from
the client's application-layer traffic whether token binding is
expected to be in use.  (Whether or not this is a desired or useful
property to have is not necessarily clear.)

Section 4

   the client advertises, then the server MUST NOT include
   "token_binding" extension in the server hello.

Nit: """the "token_binding" extension"""

Section 6.1

   The Token Binding protocol version and key parameters are negotiated
   via "token_binding" extension within the TLS handshake. [...]

Nit: """the "token_binding" extension".  (Also at the end of this

   [...] TLS prevents
   active attackers from modifying the messages of the TLS handshake,
   therefore it is not possible for the attacker to remove or modify the
   "token_binding" extension.

I wonder if we want to explicitly say *successful* TLS handshakes,
but given the context in the main protocol document it's probably
not necessary.