Re: [Unbearable] [art] Artart telechat review of draft-ietf-tokbind-negotiation-12

Andrei Popov <Andrei.Popov@microsoft.com> Wed, 09 May 2018 01:29 UTC

Sure, will add this clarification in the next revision.

Cheers,

Andrei

-----Original Message-----
From: Adam Roach <adam@nostrum.com> 
Sent: Tuesday, May 8, 2018 6:04 PM
To: Andrei Popov <Andrei.Popov@microsoft.com>; Matthew A. Miller <linuxwolf+ietf@outer-planes.net>; art@ietf.org
Cc: unbearable@ietf.org; draft-ietf-tokbind-negotiation.all@ietf.org; ietf@ietf.org
Subject: Re: [art] Artart telechat review of draft-ietf-tokbind-negotiation-12

On 5/8/18 7:17 PM, Andrei Popov wrote:
> Application-specific clients and servers (custom apps) can reject 
> connections without TB, or they can implement a variety of other 
> measures when TB is not negotiated (e.g., issue shorter-lived tokens, 
> require stronger authentication, ...)


If I read Matthew's request correctly, all he is asking is that you add words to the document that say exactly what you say above. Right now, the implication in the document is that the client is required to continue to use the connection as if nothing is wrong.

/a