Re: [Unbearable] 0-RTT Token Binding: When to switch exporters?

Martin Thomson <martin.thomson@gmail.com> Tue, 21 March 2017 02:23 UTC

From: Martin Thomson <martin.thomson@gmail.com>
Date: Tue, 21 Mar 2017 13:23:09 +1100
Message-ID: <CABkgnnXBQEV4w7Zb=C9GE25-wp3oMVauKRZ21mCa+Qoby9XAPg@mail.gmail.com>
To: Nick Harper <nharper@google.com>
Cc: Eric Rescorla <ekr@rtfm.com>, Andrei Popov <Andrei.Popov@microsoft.com>, IETF Tokbind WG <unbearable@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/unbearable/WwGAKih7QGoX18r0-Vt5FfEf6bM>

On 21 March 2017 at 10:32, Nick Harper <nharper@google.com> wrote:
> All HTTP requests which the client starts processing to send after the
> client sends its Finished message MUST use the exporter_secret for
> their token bindings.

How would a server verify this?