[Unbearable] IETF-96 tokbind raw minutes
jeff.hodges@kingsmountain.com Tue, 19 July 2016 14:49 UTC
Return-Path: <jeff.hodges@kingsmountain.com>
X-Original-To: unbearable@ietfa.amsl.com
Delivered-To: unbearable@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 963B312D87F for <unbearable@ietfa.amsl.com>; Tue, 19 Jul 2016 07:49:18 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.001
X-Spam-Level:
X-Spam-Status: No, score=-2.001 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H2=-0.001, SPF_PASS=-0.001, WEIRD_PORT=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (768-bit key) header.d=kingsmountain.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Xz3JzGCn6wFe for <unbearable@ietfa.amsl.com>; Tue, 19 Jul 2016 07:49:15 -0700 (PDT)
Received: from gproxy5-pub.mail.unifiedlayer.com (gproxy5-pub.mail.unifiedlayer.com [67.222.38.55]) by ietfa.amsl.com (Postfix) with SMTP id 3E1A912E055 for <unbearable@ietf.org>; Tue, 19 Jul 2016 07:24:11 -0700 (PDT)
Received: (qmail 11299 invoked by uid 0); 19 Jul 2016 14:24:08 -0000
Received: from unknown (HELO cmgw2) (10.0.90.83) by gproxy5.mail.unifiedlayer.com with SMTP; 19 Jul 2016 14:24:08 -0000
Received: from box514.bluehost.com ([74.220.219.114]) by cmgw2 with id LeQ31t00k2UhLwi01eQ6FJ; Tue, 19 Jul 2016 08:24:06 -0600
X-Authority-Analysis: v=2.1 cv=KaJB72oD c=1 sm=1 tr=0 a=9W6Fsu4pMcyimqnCr1W0/w==:117 a=9W6Fsu4pMcyimqnCr1W0/w==:17 a=L9H7d07YOLsA:10 a=9cW_t1CCXrUA:10 a=s5jvgZ67dGcA:10 a=IkcTkHD0fZMA:10 a=XYUc-DgfXtMA:10 a=cAmyUtKerLwA:10 a=48vgC7mUAAAA:8 a=FQjh2a8AAAAA:8 a=NEAV23lmAAAA:8 a=KWay_7z4eITffF70wFcA:9 a=QEXdDO2ut3YA:10 a=w1C3t2QeGrPiZgrLijVG:22 a=PuV6PcL1-KkOzm2SamYU:22 a=Bn2pgwyD2vrAyMmN8A2t:22
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=kingsmountain.com; s=default; h=MIME-Version:Content-Type:Subject:To:From: Message-ID:Date; bh=ejZhcEN39KvFIKPk/r+B+vL3Hx1iqyU3hrDCGubAljM=; b=v5GtGvYln ED3UgvHfrKQ0NbjPmiii/Hxj171CIe46asWRJgTBcJX+GxNqxW7va0XAF23N6iwXzPKB5ccYoTKNF btru/ZTyo7mu90dHmzHaaI+JNL940wi/LO5ED6JeIq;
Received: from [127.0.0.1] (port=37388 helo=box514.bluehost.com) by box514.bluehost.com with esmtpsa (TLSv1:ECDHE-RSA-AES256-SHA:256) (Exim 4.86_2) (envelope-from <jeff.hodges@kingsmountain.com>) id 1bPVwL-0002BM-8d for unbearable@ietf.org; Tue, 19 Jul 2016 08:24:05 -0600
Received: from 31.133.180.173 ([31.133.180.173]) by box514.bluehost.com (Horde Framework) with HTTP; Tue, 19 Jul 2016 08:24:02 -0600
Date: Tue, 19 Jul 2016 08:24:02 -0600
Message-ID: <20160719082402.Horde.OTgOzEdC032jxwU0_oRUoC8@box514.bluehost.com>
From: jeff.hodges@kingsmountain.com
To: Tokbind WG <unbearable@ietf.org>
User-Agent: Horde Application Framework 5
Content-Type: text/plain; charset="utf-8"; format="flowed"; DelSp="Yes"
MIME-Version: 1.0
Content-Disposition: inline
X-Identified-User: {:box514.bluehost.com:kingsmou:kingsmountain.com} {sentby:program running on server}
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - box514.bluehost.com
X-AntiAbuse: Original Domain - ietf.org
X-AntiAbuse: Originator/Caller UID/GID - [47 12] / [47 12]
X-AntiAbuse: Sender Address Domain - kingsmountain.com
X-Source-IP: 127.0.0.1
X-Exim-ID: 1bPVwL-0002BM-8d
X-Source:
X-Source-Args:
X-Source-Dir:
X-Source-Sender: (box514.bluehost.com) [127.0.0.1]:37388
X-Source-Auth: jeff.hodges@kingsmountain.com
X-Email-Count: 0
X-Source-Cap: a2luZ3Ntb3U7a2luZ3Ntb3U7Ym94NTE0LmJsdWVob3N0LmNvbQ==
Archived-At: <https://mailarchive.ietf.org/arch/msg/unbearable/TrT_FI68lurDojWRYazCzUaOpRs>
Subject: [Unbearable] IETF-96 tokbind raw minutes
X-BeenThere: unbearable@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "\"This list is for discussion of proposals for doing better than bearer tokens \(e.g. HTTP cookies, OAuth tokens etc.\) for web applications. The specific goal is chartering a WG focused on preventing security token export and replay attacks.\"" <unbearable.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/unbearable>, <mailto:unbearable-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/unbearable/>
List-Post: <mailto:unbearable@ietf.org>
List-Help: <mailto:unbearable-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/unbearable>, <mailto:unbearable-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 19 Jul 2016 14:49:19 -0000
########## Token Binding WG - IETF96 Berlin ============= http://etherpad.tools.ietf.org:9000/p/notes-ietf-96-tokbind > * Note Well and Agenda Bashing (5 min) https://www.ietf.org/proceedings/96/slides/slides-96-tokbind-2.pdf let's jump straight to presos... > * Core Documents (55 min) > - draft-ietf-tokbind-protocol-08 -- Andrei Popov https://www.ietf.org/proceedings/96/slides/slides-96-tokbind-0.pdf > - draft-ietf-tokbind-negotiation-03 mostly all editorial changes since ietf-95 -- see slides > - draft-ietf-tokbind-https-05 -- dirk balfanz https://www.ietf.org/proceedings/96/slides/slides-96-tokbind-4.pdf dirk gives demo using canary chrome and google frontend (at a particular endpoint which is an alpha/canary TLS frontend... https://tokbindrptest.appspot.com echo -n <base 64 tokbind msg> | base64 -D | od -Ax -tx1 Update Fetch to support Token Binding -- vinod working on this https://github.com/whatwg/fetch/pull/325 william denis: what about the 302 redirect req -- is that the only way to do things? what about other patterns? dirk(db): we need diff triggers for diff patterns, for patterns that utilize redirects, the response header field in spec is the trigger -- for other patterns, need to write other profiles and define diff patterns -- that's somthing that'll happen in other WGs -- i imagine will work with XHR like: when create XHR obj, have a flag that's 'include-referred-tb' -- in saml world, have an auto-submit form, could have a boolean attr on the page that signals inclusion of the referred TB --- wrt whatwg/w3c, once stuff in fetch, the stuff passed down from higher layer ought to Just Work -- each of these have in comman that there's an origin from which the req is made and one to which the provided and referred TBIDs are sent subodh: what about priv implications of including this referred header field? db: browsers have notions of whether to send 3d party cookies or not, if bwsr is sending out a req in which it is not ok to send 3d party cookies, it will not send TB header wseltzer: when bring this up in webappsec WG ? db: onece Anne gives ok to the PR#325 <https://github.com/whatwg/fetch/pull/325> vinod: probably just weeks until done leif: can these 3 specs goto WGLC? mike jones(mj): maybe you shud ask that question again after my oauth preso, i'll raise an open issue with the core specs... john bradley(jb): hans has a version of mod_ssl that does TB -- any other impls? andrei (ap): have impl in IE & Edge (both use same http engine) subodh: have started working on impl > * Related work: Token Binding for OAUTH (30 min) > - draft-jones-oauth-token-binding-00 --- Mike JOnes https://www.ietf.org/proceedings/96/slides/slides-96-tokbind-3.pdf see slides wrt slide 3 tony nadalin(tn): notes that if connection had gone away might get a lot of reauthns db: notes that TBID lifetime can be long and span multiple tls sessions slide 4: TB ID Tokens defined in: openid-connect-token-bound-authentication-1_0 3-party use case, this seems to work out well given the present tbind specs slide 5: representation in openid connect ID Token they put hast of TBID in ID Token -- saves bytes. an open issue of how to have crypto agility for the hash function b campbell(bc): how bout just define names for hashes algs... slide 6: Tokenbound access tokens see slides... slide 7: issue for TB access tokens this is not using redirects, cross-domain comms is by expicit connection the prob: two channesl not crypto'y bound when using the explicit param method proposed soln: req TB impls to provide APIs for clients to explicitly provide TB info to be sent as referred TB Andrei(ap): pushes back on this notion: "don't need to write any api reqs in a protocol spec" JeffH: well, rfc5929 tls channel bindings does have a section "7. Required Application Programming Interfaces" <https://tools.ietf.org/html/rfc5929#section-7> that is along these lines and serves as a reasonable precedent torsten l.: can see need for such language in the spec, and without it, eg if such api isn't made availaBLE, then TB isn't useful [ tony nadalin, dirk and andrei push back] tn: you put your api reqs into the oauth TB profile spec... mjb: well, ought to be in tb-protocol spec because there's other apps than oauth who'll want to do this johnbradly(jb): thinks such broad language is fine subodh: what does it mean to be a token binding impl -- so does this apply to whom and where and in what context? dick hardt: agree with JeffH and Mike wrt general api guidance justin richer(jabber): This is all about non-browser-based HTTP communication. You *can* do it with the current spec, but there ought to be functional guidance so non-browser apps can all do this the same way. there's no reason for OAuth to be a special snowflake here. william d: either way there's apis to add to tls stack and such guidance makes sense tony(tn): stacks are going to look at their resources to writing api, they can make decisions on their own... jb: unclear whether app on top of stack will have access to the referredTBID, if we pass it as extra param, there's sec issues maybe; if we have an agreement TB will be available to native apps, it'll be easier to developers to have access to this martin thomson(mt): what is this api ? jb: its a native api mt: why is this not simply looking at this "we have simple api, enrich it a BIT" and mike's happy? william d(wd): paramater or header need tls stack cooperation... chair: leif: can someone provide actual text -- this is only a couple lines yes? can do this during WGLC? ?: notes that if we are writing app on top of tls stack and we can't rely on there being an API providing this then life is difficult.... leif: hum on whether we need such api guidance/reqs in the spec ? result: was roughly 50/50 on support and no support for the notion leif: who believes having non-norm guidance is ok? fair hum who believes it is evil? no hum MT: hm, there's possible sec issues here if an app can tell the tls stack to send the TB to some other arbitrary host....? mjb: we're trying to secure existing app comms patterns.... MT: <some example where there's privacy leakage and belives it is a problem> db: so whoever crafts this please include to not violate privacy... bc: MT is getting to convcerns wrt key scoping -- perhaps some guidance wrt scoping in APIs will be necessary... sf: not clear to me that you can craft the sec cons for the full generality of these such API guidance... leif: if we have text, we can actually dicuss more concretely leif: are these specs ready for last call? (various hands go up) lucy lynch(LL): advises that priv review occur before WGLC MT: has priv concerns with this stuff... leif: will you MT do a priv review? LL and WendyS ? u have a month approx before we go into WGLC > - draft-campbell-oauth-tbpkce-00 -- biran campbell https://www.ietf.org/proceedings/96/slides/slides-96-tokbind-1.pdf a TB method for OAuth proof key token exchange... pronounced pixy rfc7636 final slide "what are next steps?" -- questn is more for oauth WG db: one what to think about pkce is it is assym operation, having TB protects against MITM, so yes we should bother jb: it does improve sec, perhaps gets around some impl issues am playing around with TB client IDs... subodh: does this prevent against atks in android & ios where u can register req URLs? jb: pkce does that now Kaoru Maeda: PKCE is to differenciate two apps residing on one device. TBID is associated to TLS connection, that is device to server. Since HTTP/2 requests may coalsce on a single TLS connection, context separation may not be what is desired. end
- [Unbearable] IETF-96 tokbind raw minutes jeff.hodges