Re: [Unbearable] draft-ietf-tokbind-negotiation feedback

Leif Johansson <leifj@sunet.se> Wed, 29 March 2017 22:17 UTC

To: unbearable@ietf.org
References: <CACdeXiKy_CEorSMRBLquY6kV39bzvoyhcR-3Ncm1i+Jsht5sXg@mail.gmail.com>
From: Leif Johansson <leifj@sunet.se>
Message-ID: <302ddafb-6922-9d17-8792-09f617ffe6b5@sunet.se>
Date: Thu, 30 Mar 2017 00:17:54 +0200
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Thunderbird/45.7.0
MIME-Version: 1.0
In-Reply-To: <CACdeXiKy_CEorSMRBLquY6kV39bzvoyhcR-3Ncm1i+Jsht5sXg@mail.gmail.com>
Content-Type: text/plain; charset="windows-1252"
Content-Transfer-Encoding: 7bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/unbearable/X146gw9Ft_SoRpM4eqt9b02yKRg>
Subject: Re: [Unbearable] draft-ietf-tokbind-negotiation feedback


On 2017-03-30 00:03, Nick Harper wrote:
> As far as I can tell, draft-ietf-tokbind-negotiation (TBNEGO) does not
> limit which versions of TLS that the extension can be used with. I'm
> assuming that draft-ietf-tls-tls13 (TLS 1.3) will get published before
> draft-ietf-tokbind-negotiation. Section 4.2.7 (Early Data Indication)
> of TLS 1.3 (draft 19) specifies that "Future extensions MUST define
> their interaction with 0-RTT.".

Since we're post WGLC it's increasingly critical to keep very careful track
of issues that crop up. Can you open an issue for this on GitHub?

Please continue discussion here as usual.

	Cheers Leif

> 
> I see two potential options to reconcile this disagreement:
> 
> 1) Have TBNEGO specify something like "Token Binding and 0-RTT MUST
> NOT both be negotiated on the same connection" and let
> draft-ietf-tokbind-tls13-0rtt update TBNEGO later.
> 2) Specify in TBNEGO a max TLS version of 1.2, and have
> draft-ietf-tokbind-tls13-0rtt or another draft specify the behavior of
> the extension in TLS 1.3 and higher.
> 
> Does this WG think this is something that needs to be addressed? Are
> there other options to consider?
> 
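To make the two options in Nick's message concrete, here is an added example (not from this thread or from either draft) of a server-side negotiation decision that enforces them. It parses a ClientHello extensions vector, the token_binding extension body (version plus key_parameters_list) and supported_versions, then applies either rule: option 1 declines 0-RTT whenever Token Binding is negotiated on the same connection, option 2 never negotiates Token Binding once TLS 1.3 is selected. The extension code points and key-parameter identifiers are the IANA values; the server preference order, the choice to drop 0-RTT rather than Token Binding under option 1, and the sample ClientHello bytes are constructed assumptions for this example.

```python
import struct
from typing import Dict, List, Optional, Tuple

# IANA TLS ExtensionType code points
EXT_TOKEN_BINDING = 24
EXT_EARLY_DATA = 42
EXT_SUPPORTED_VERSIONS = 43
TLS12, TLS13 = 0x0303, 0x0304
# Token Binding key parameters: 0 = rsa2048_pkcs1.5, 1 = rsa2048_pss, 2 = ecdsap256.
# Assumed server preference order for this example.
SERVER_KEY_PARAMS = (2, 1, 0)


def parse_extensions(blob: bytes) -> Dict[int, bytes]:
    """Parse a ClientHello extensions vector: u16 length, then (u16 type, u16 length, body)*."""
    if len(blob) < 2 or struct.unpack("!H", blob[:2])[0] != len(blob) - 2:
        raise ValueError("extensions vector length mismatch")
    exts: Dict[int, bytes] = {}
    pos = 2
    while pos < len(blob):
        if pos + 4 > len(blob):
            raise ValueError("truncated extension header")
        ext_type, ext_len = struct.unpack("!HH", blob[pos:pos + 4])
        pos += 4
        if pos + ext_len > len(blob):
            raise ValueError("truncated extension body")
        if ext_type in exts:  # a ClientHello must not carry the same extension twice
            raise ValueError("duplicate extension %d" % ext_type)
        exts[ext_type] = blob[pos:pos + ext_len]
        pos += ext_len
    return exts


def parse_token_binding(body: bytes) -> Tuple[Tuple[int, int], List[int]]:
    """TokenBindingParameters: u8 major, u8 minor, u8-length-prefixed key_parameters_list (1..255)."""
    if len(body) < 4 or body[2] == 0 or len(body) != 3 + body[2]:
        raise ValueError("malformed token_binding extension")
    return (body[0], body[1]), list(body[3:])


def client_offers_tls13(exts: Dict[int, bytes]) -> bool:
    """supported_versions in a ClientHello: u8 length, then a list of u16 versions."""
    body = exts.get(EXT_SUPPORTED_VERSIONS)
    if body is None:
        return False
    if len(body) < 3 or body[0] % 2 or len(body) != 1 + body[0]:
        raise ValueError("malformed supported_versions extension")
    versions = struct.unpack("!%dH" % (body[0] // 2), body[1:])
    return TLS13 in versions


def negotiate(hello_exts: bytes, policy: str) -> dict:
    """Decide version, Token Binding and 0-RTT acceptance under 'option1' or 'option2'."""
    exts = parse_extensions(hello_exts)
    version = TLS13 if client_offers_tls13(exts) else TLS12
    early_data_offered = EXT_EARLY_DATA in exts
    tb_param: Optional[int] = None
    if EXT_TOKEN_BINDING in exts:
        _tb_version, offered = parse_token_binding(exts[EXT_TOKEN_BINDING])
        tb_param = next((p for p in SERVER_KEY_PARAMS if p in offered), None)
    if policy == "option1":
        # "Token Binding and 0-RTT MUST NOT both be negotiated": keep Token Binding,
        # decline early data (which side to drop is a server choice assumed here).
        token_binding = tb_param is not None
        accept_early = early_data_offered and version == TLS13 and not token_binding
    elif policy == "option2":
        # TBNEGO capped at TLS 1.2: never negotiate Token Binding on a TLS 1.3 connection.
        token_binding = tb_param is not None and version <= TLS12
        accept_early = early_data_offered and version == TLS13
    else:
        raise ValueError("unknown policy")
    return {"version": version, "token_binding": token_binding,
            "key_parameter": tb_param if token_binding else None,
            "accept_early_data": accept_early}


def build_extensions(items: List[Tuple[int, bytes]]) -> bytes:
    """Serialise (type, body) pairs into a ClientHello extensions vector."""
    body = b"".join(struct.pack("!HH", t, len(d)) + d for t, d in items)
    return struct.pack("!H", len(body)) + body


# Constructed sample ClientHello extension blocks
TB_PARAMS = bytes([1, 0, 2, 2, 0])  # Token Binding 1.0, offering ecdsap256 then rsa2048_pkcs1.5
SV_TLS13 = bytes([4]) + struct.pack("!HH", TLS13, TLS12)
HELLO_TLS13_0RTT_TB = build_extensions([(EXT_SUPPORTED_VERSIONS, SV_TLS13),
                                        (EXT_EARLY_DATA, b""),
                                        (EXT_TOKEN_BINDING, TB_PARAMS)])
HELLO_TLS12_TB = build_extensions([(EXT_TOKEN_BINDING, TB_PARAMS)])

if __name__ == "__main__":
    for policy in ("option1", "option2"):
        print(policy, negotiate(HELLO_TLS13_0RTT_TB, policy))
```

Under either policy the invariant the 0-RTT text demands holds: `token_binding` and `accept_early_data` are never both true for one connection. Option 1 keeps Token Binding on TLS 1.3 at the cost of early data; option 2 keeps early data and confines Token Binding to TLS 1.2 until a follow-on draft defines the TLS 1.3 behaviour.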