Re: [Unbearable] FWD: Status of draft-ietf-tokbind-https
=JeffH <Jeff.Hodges@KingsMountain.com> Thu, 16 November 2017 02:52 UTC
To: IETF TokBind WG <unbearable@ietf.org>
From: =JeffH <Jeff.Hodges@KingsMountain.com>
Message-ID: <15f89604-8327-b43e-e788-00d18180b234@KingsMountain.com>
Date: Thu, 16 Nov 2017 10:51:21 +0800
Archived-At: <https://mailarchive.ietf.org/arch/msg/unbearable/XMuAumDhLOn2w2_0JF_IBPYuPyc>
From: Andrei Popov <Andrei.Popov@microsoft.com>
Date: Monday, November 13, 2017 at 10:50 PM
To: Eric Rescorla <ekr@rtfm.com>, Leif Johansson <leifj@sunet.se>, Vinod Anupam <vanupam@google.com>
Cc: "draft-ietf-tokbind-https@tools.ietf.org" <draft-ietf-tokbind-https@tools.ietf.org>, "tokbind-chairs@ietf.org" <tokbind-chairs@ietf.org>
Subject: RE: Status of draft-ietf-tokbind-https
Resent-From: <alias-bounces@ietf.org>, Andrei Popov <Andrei.Popov@microsoft.com>
Resent-To: <andreipo@microsoft.com>, <mnystrom@microsoft.com>, Dirk Balfanz <balfanz@google.com>, Adam Langley <agl@google.com>, <nharper@google.com>, Jeff Hodges <Jeff.Hodges@PayPal.com>, <draft-ietf-tokbind-https@ietf.org>
Resent-Date: Tuesday, November 14, 2017 at 12:23 AM

I’m available in the morning; unfortunately, Dirk is not here, but Anupam can represent him.

Regarding the attack, it is not quite clear to me: Even assuming the TP is willing to issue a token for Alice to connect to the Attacker (which probably means the Attacker is a server known to the TP), this token will be bound to the TB key Alice has created for use with the attacker. So the attacker cannot use this token to impersonate Alice to another server (without also stealing the corresponding private key). Or am I missing something?

What time should we meet tomorrow?

Cheers,

Andrei
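The argument in the message above, modelled as an added example (not code from the thread or from the draft): a server accepts a token only when the connection's Token Binding key proves possession and is the key the token is bound to. The function names, the SHA-256-of-public-key ID and the random value standing in for the TLS exported keying material (EKM) are assumptions; the TP's own signature over the token is not modelled.

```javascript
// Added illustration: simplified model of a bound token, not the Token Binding wire format.
const crypto = require("node:crypto");

// One TB key pair per server (constructed helper).
function newTbKey() {
  return crypto.generateKeyPairSync("ec", { namedCurve: "prime256v1" });
}

// Token Binding ID stand-in: SHA-256 over the DER-encoded public key.
function tbId(publicKey) {
  const der = publicKey.export({ type: "spki", format: "der" });
  return crypto.createHash("sha256").update(der).digest("hex");
}

// TP issues a token bound to the TB ID the client uses with the target server.
// Token integrity (the TP's signature) is assumed and not modelled here.
function issueToken(subject, referredPublicKey) {
  return { sub: subject, boundTo: tbId(referredPublicKey) };
}

// Client side: prove possession by signing a per-connection value (EKM stand-in).
function proveTb(privateKey, ekm) {
  return crypto.sign("sha256", ekm, privateKey);
}

// Server side: accept the token only if the connection's TB key signed this
// connection's EKM and that key is the one the token is bound to.
function acceptToken(token, ekm, presentedPublicKey, signature) {
  const possession = crypto.verify("sha256", ekm, presentedPublicKey, signature);
  return possession && token.boundTo === tbId(presentedPublicKey);
}

function demo() {
  const aliceForAttacker = newTbKey(); // key Alice uses with the attacker's server
  const attackerOwn = newTbKey();      // key the attacker controls
  const token = issueToken("alice", aliceForAttacker.publicKey);
  // Alice presents the token on her own connection: accepted.
  const ekm1 = crypto.randomBytes(32);
  const sig1 = proveTb(aliceForAttacker.privateKey, ekm1);
  const atAttacker = acceptToken(token, ekm1, aliceForAttacker.publicKey, sig1);
  // The same token on a different connection to another server (new EKM).
  const ekm2 = crypto.randomBytes(32);
  // (a) Alice's old signature does not cover the new EKM.
  const replaySig = acceptToken(token, ekm2, aliceForAttacker.publicKey, sig1);
  // (b) A different key proves possession, but the token is bound to another TB ID.
  const sig2 = proveTb(attackerOwn.privateKey, ekm2);
  const ownKey = acceptToken(token, ekm2, attackerOwn.publicKey, sig2);
  return { atAttacker, replaySig, ownKey };
}
```

Both rejected cases fail for the reason the message gives: without the private key behind the bound TB ID, no valid proof exists for the new connection.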