[Unbearable] Fwd: I-D Action: draft-ietf-tokbind-ttrp-03.txt

Brian Campbell <bcampbell@pingidentity.com> Mon, 26 February 2018 19:08 UTC

In-Reply-To: <151966384454.31386.1177711202602130184@ietfa.amsl.com>
References: <151966384454.31386.1177711202602130184@ietfa.amsl.com>
From: Brian Campbell <bcampbell@pingidentity.com>
Date: Mon, 26 Feb 2018 12:08:08 -0700
Message-ID: <CA+k3eCQRX37hoRpQWJmWpF9Fu3JbmfygX5oz3DVY5NFy_DQMMw@mail.gmail.com>
To: IETF Tokbind WG <unbearable@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/unbearable/YcelF2g0X613lD34uepMmqyU5N0>
Subject: [Unbearable] Fwd: I-D Action: draft-ietf-tokbind-ttrp-03.txt

A new draft of "HTTPS Token Binding with TLS Terminating Reverse Proxies"
has been published. The only substantive change is the addition of a header
and encoding/formatting to allow for additional token binding types (other
than provided and referred) to be conveyed from the TTRP to the backend
application(s). That is functionality that had been requested during both
the Singapore and Prague meetings. I'd balked at adding it for a while
because of some skepticism about its usefulness in practice, not wanting to
bloat the document, and lack of clarity around whether or not there is
(rough) consensus for it. I'm still somewhat skeptical but, after making
the addition, I don't think the document bloat is particularly bad. So at
this point I'm looking to better gauge the consensus or lack thereof for
supporting additional token binding types in the TTRP draft.

---------- Forwarded message ----------
From: <internet-drafts@ietf.org>
Date: Mon, Feb 26, 2018 at 9:50 AM
Subject: [Unbearable] I-D Action: draft-ietf-tokbind-ttrp-03.txt
To: i-d-announce@ietf.org
Cc: unbearable@ietf.org

A New Internet-Draft is available from the on-line Internet-Drafts
This draft is a work item of the Token Binding WG of the IETF.

        Title           : HTTPS Token Binding with TLS Terminating Reverse Proxies
        Author          : Brian Campbell
        Filename        : draft-ietf-tokbind-ttrp-03.txt
        Pages           : 12
        Date            : 2018-02-26

   This document defines HTTP header fields that enable a TLS
   terminating reverse proxy to convey information to a backend server
   about the validated Token Binding Message received from a client,
   which enables that backend server to bind, or verify the binding of,
   cookies and other security tokens to the client's Token Binding key.

The IETF datatracker status page for this draft is:

There are also htmlized versions available at:

A diff from the previous version is available at:

Please note that it may take a couple of minutes from the time of submission
until the htmlized version and diff are available at tools.ietf.org.

Internet-Drafts are also available by anonymous FTP at:

Unbearable mailing list

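The mechanism the abstract describes, modelled as an added example that is not part of this mail or of the draft itself: the proxy validates the client's Token Binding Message at the TLS layer, strips any Provided-Token-Binding-ID / Referred-Token-Binding-ID header the client may have sent, and sets those headers from the IDs it validated; the backend then binds a cookie to the conveyed ID and refuses the cookie when it is later presented over a connection bound to a different key. The two header names and the unpadded base64url encoding of their values are the ones the draft defines; the HMAC-based cookie binding scheme, the server secret and the sample Token Binding ID bytes are constructed assumptions for this example only.

```python
import base64
import hashlib
import hmac

# Header field names defined by the TTRP draft; the value is the base64url
# encoding, without '=' padding, of the Token Binding ID the proxy validated.
PROVIDED = "Provided-Token-Binding-ID"
REFERRED = "Referred-Token-Binding-ID"
_TB_HEADERS = {PROVIDED.lower(), REFERRED.lower()}


def b64url(data: bytes) -> str:
    """base64url without trailing '=' padding, as the draft specifies for the header value."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def proxy_forward(client_headers: dict, validated: dict) -> dict:
    """Headers the TTRP sends to the backend.

    `client_headers` is what the client sent; `validated` maps 'provided' and/or
    'referred' to the raw Token Binding ID bytes the proxy itself validated from
    the client's Token Binding Message at the TLS layer. Any client-supplied
    Provided-/Referred-Token-Binding-ID header is dropped first: the backend can
    trust these fields only because the proxy always either sets or removes them.
    """
    out = {k: v for k, v in client_headers.items() if k.lower() not in _TB_HEADERS}
    if "provided" in validated:
        out[PROVIDED] = b64url(validated["provided"])
    if "referred" in validated:
        out[REFERRED] = b64url(validated["referred"])
    return out


class Backend:
    """Backend that binds a session cookie to the conveyed Token Binding ID.

    The binding scheme (HMAC over session id and ID, keyed with a server secret)
    is an assumption for this example; the draft only says the backend can bind,
    or verify the binding of, its tokens to the conveyed ID.
    """

    def __init__(self, secret: bytes):
        self._secret = secret

    def _tag(self, session: str, tb_id: str) -> str:
        msg = f"{session}.{tb_id}".encode("ascii")
        return hmac.new(self._secret, msg, hashlib.sha256).hexdigest()

    def issue_cookie(self, session: str, headers: dict) -> str:
        tb_id = headers.get(PROVIDED)
        if tb_id is None:
            raise ValueError("request arrived without a provided Token Binding ID")
        return f"{session}.{self._tag(session, tb_id)}"

    def verify_cookie(self, cookie: str, headers: dict) -> bool:
        """True only if the cookie was issued to the ID the proxy reports on this request."""
        tb_id = headers.get(PROVIDED)
        if tb_id is None:
            return False
        session, sep, tag = cookie.rpartition(".")
        if not sep:
            return False
        return hmac.compare_digest(tag, self._tag(session, tb_id))


def demo() -> dict:
    """Run the flow on constructed values and return what a defender would check."""
    alice_id = b"\x02\x00\x41" + b"A" * 30    # constructed stand-in for a TokenBindingID
    other_id = b"\x02\x00\x41" + b"M" * 30    # constructed ID of a different client key
    backend = Backend(secret=b"constructed-server-secret")

    # Honest request: the proxy validated Alice's binding and conveys it.
    headers = proxy_forward({"Host": "app.example", "Cookie": ""}, {"provided": alice_id})
    cookie = backend.issue_cookie("sess1", headers)
    same_client = backend.verify_cookie(cookie, headers)

    # The same cookie presented over a connection bound to a different key fails.
    moved = proxy_forward({"Host": "app.example"}, {"provided": other_id})
    moved_ok = backend.verify_cookie(cookie, moved)

    # A client-supplied header asserting Alice's ID is dropped by the proxy, which
    # substitutes the ID it actually validated, so the cookie still fails.
    injected = proxy_forward(
        {"Host": "app.example", "provided-token-binding-id": b64url(alice_id)},
        {"provided": other_id},
    )
    injection_ok = backend.verify_cookie(cookie, injected)

    return {"same_client": same_client, "moved_ok": moved_ok,
            "injection_ok": injection_ok, "forwarded_id": injected[PROVIDED]}


if __name__ == "__main__":
    print(demo())
```

The point the backend relies on is operational rather than cryptographic: it must receive these headers only from the proxy (a private network path or mutually authenticated hop), and the proxy must unconditionally remove any copy that arrives from the client, otherwise a header value is just another bearer token.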