[Unbearable] Alissa Cooper's Discuss on draft-ietf-tokbind-https-14: (with DISCUSS and COMMENT)
Alissa Cooper <alissa@cooperw.in> Wed, 09 May 2018 17:54 UTC
Return-Path: <alissa@cooperw.in>
X-Original-To: unbearable@ietf.org
Delivered-To: unbearable@ietfa.amsl.com
Received: from ietfa.amsl.com (localhost [IPv6:::1]) by ietfa.amsl.com (Postfix) with ESMTP id 85273126E64; Wed, 9 May 2018 10:54:03 -0700 (PDT)
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
From: Alissa Cooper <alissa@cooperw.in>
To: The IESG <iesg@ietf.org>
Cc: draft-ietf-tokbind-https@ietf.org, John Bradley <ve7jtb@ve7jtb.com>, tokbind-chairs@ietf.org, ve7jtb@ve7jtb.com, unbearable@ietf.org
X-Test-IDTracker: no
X-IETF-IDTracker: 6.80.0
Auto-Submitted: auto-generated
Precedence: bulk
Message-ID: <152588844353.3985.1790443621473802523.idtracker@ietfa.amsl.com>
Date: Wed, 09 May 2018 10:54:03 -0700
Archived-At: <https://mailarchive.ietf.org/arch/msg/unbearable/RjVM940nl1Av1ZwJLAqyGKf9t6E>
Subject: [Unbearable] Alissa Cooper's Discuss on draft-ietf-tokbind-https-14: (with DISCUSS and COMMENT)
X-BeenThere: unbearable@ietf.org
X-Mailman-Version: 2.1.22
List-Id: "\"This list is for discussion of proposals for doing better than bearer tokens \(e.g. HTTP cookies, OAuth tokens etc.\) for web applications. The specific goal is chartering a WG focused on preventing security token export and replay attacks.\"" <unbearable.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/unbearable>, <mailto:unbearable-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/unbearable/>
List-Post: <mailto:unbearable@ietf.org>
List-Help: <mailto:unbearable-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/unbearable>, <mailto:unbearable-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 09 May 2018 17:54:03 -0000
Alissa Cooper has entered the following ballot position for draft-ietf-tokbind-https-14: Discuss When responding, please keep the subject line intact and reply to all email addresses included in the To and CC lines. (Feel free to cut this introductory paragraph, however.) Please refer to https://www.ietf.org/iesg/statement/discuss-criteria.html for more information about IESG DISCUSS and COMMENT positions. The document, along with other ballot positions, can be found here: https://datatracker.ietf.org/doc/draft-ietf-tokbind-https/ ---------------------------------------------------------------------- DISCUSS: ---------------------------------------------------------------------- Section 2.1 says: "The scoping of Token Binding key pairs generated by Web browsers for use in first-party and federation use cases defined in this specification (Section 5), and intended for binding HTTP cookies, MUST be no wider than the granularity of "effective top-level domain (public suffix) + 1" (eTLD+1). I.e., the scope of Token Binding key pairs is no wider than the scope at which cookies can be set (see [RFC6265]), but MAY be more narrow if cookies are scoped more narrowly." My reading of RFC 6265 is that it does not actually forbid cookie setting at a scope wider than eTLD+1, although I could be reading Section 5.3 of that document wrong. That section says that if the user agent is configured to reject public suffixes, then there is a case where a set-cookie request should be ignored. If the intent here is to normatively restrict the scope of Token Binding key pairs to eTLD+1 regardless of whether the user agent restricts cookies to that scope, that needs to be stated clearly. I kind of hate to say this but with the way this is phrased I also think you need a normative reference for the concept of "effective top-level domain." (I suspect this would be considered a downref and may not already be in the downref registry, but I'm not one to make a fuss about that.) ---------------------------------------------------------------------- COMMENT: ---------------------------------------------------------------------- I would also suggest s/but/and/ in the last sentence quoted from 2.1 above.
- Re: [Unbearable] Alissa Cooper's Discuss on draft… Eric Rescorla
- [Unbearable] Alissa Cooper's Discuss on draft-iet… Alissa Cooper