[Unbearable] Alissa Cooper's Discuss on draft-ietf-tokbind-https-14: (with DISCUSS and COMMENT)

Alissa Cooper <alissa@cooperw.in> Wed, 09 May 2018 17:54 UTC

Return-Path: <alissa@cooperw.in>
X-Original-To: unbearable@ietf.org
Delivered-To: unbearable@ietfa.amsl.com
Received: from ietfa.amsl.com (localhost [IPv6:::1]) by ietfa.amsl.com (Postfix) with ESMTP id 85273126E64; Wed, 9 May 2018 10:54:03 -0700 (PDT)
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
From: Alissa Cooper <alissa@cooperw.in>
To: "The IESG" <iesg@ietf.org>
Cc: draft-ietf-tokbind-https@ietf.org, John Bradley <ve7jtb@ve7jtb.com>, tokbind-chairs@ietf.org, ve7jtb@ve7jtb.com, unbearable@ietf.org
X-Test-IDTracker: no
X-IETF-IDTracker: 6.80.0
Auto-Submitted: auto-generated
Precedence: bulk
Message-ID: <152588844353.3985.1790443621473802523.idtracker@ietfa.amsl.com>
Date: Wed, 09 May 2018 10:54:03 -0700
Archived-At: <https://mailarchive.ietf.org/arch/msg/unbearable/RjVM940nl1Av1ZwJLAqyGKf9t6E>
Subject: [Unbearable] Alissa Cooper's Discuss on draft-ietf-tokbind-https-14: (with DISCUSS and COMMENT)
X-BeenThere: unbearable@ietf.org
X-Mailman-Version: 2.1.22
List-Id: "\"This list is for discussion of proposals for doing better than bearer tokens \(e.g. HTTP cookies, OAuth tokens etc.\) for web applications. The specific goal is chartering a WG focused on preventing security token export and replay attacks.\"" <unbearable.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/unbearable>, <mailto:unbearable-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/unbearable/>
List-Post: <mailto:unbearable@ietf.org>
List-Help: <mailto:unbearable-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/unbearable>, <mailto:unbearable-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 09 May 2018 17:54:03 -0000

Alissa Cooper has entered the following ballot position for
draft-ietf-tokbind-https-14: Discuss

When responding, please keep the subject line intact and reply to all
email addresses included in the To and CC lines. (Feel free to cut this
introductory paragraph, however.)


Please refer to https://www.ietf.org/iesg/statement/discuss-criteria.html
for more information about IESG DISCUSS and COMMENT positions.


The document, along with other ballot positions, can be found here:
https://datatracker.ietf.org/doc/draft-ietf-tokbind-https/



----------------------------------------------------------------------
DISCUSS:
----------------------------------------------------------------------

Section 2.1 says:

"The scoping of Token Binding key pairs generated by Web browsers for
   use in first-party and federation use cases defined in this
   specification (Section 5), and intended for binding HTTP cookies,
   MUST be no wider than the granularity of "effective top-level domain
   (public suffix) + 1" (eTLD+1).  I.e., the scope of Token Binding key
   pairs is no wider than the scope at which cookies can be set (see
   [RFC6265]), but MAY be more narrow if cookies are scoped more
   narrowly."

My reading of RFC 6265 is that it does not actually forbid cookie setting at a
scope wider than eTLD+1, although I could be reading Section 5.3 of that
document wrong. That section says that if the user agent is configured to
reject public suffixes, then there is a case where a set-cookie request should
be ignored. If the intent here is to normatively restrict the scope of Token
Binding key pairs to eTLD+1 regardless of whether the user agent restricts
cookies to that scope, that needs to be stated clearly.

I kind of hate to say this but with the way this is phrased I also think you
need a normative reference for the concept of "effective top-level domain." (I
suspect this would be considered a downref and may not already be in the
downref registry, but I'm not one to make a fuss about that.)


----------------------------------------------------------------------
COMMENT:
----------------------------------------------------------------------

I would also suggest s/but/and/ in the last sentence quoted from 2.1 above.