Re: [Unbearable] tokbind - New Meeting Session Request for IETF 102

"Manger, James" <James.H.Manger@team.telstra.com> Tue, 05 June 2018 00:34 UTC


draft-ietf-tokbind-ttrp-03 looks ok.

There is nothing to distinguish between Token Binding being offered by the TTRP but not accepted by the client vs not being offered at all. I’m not sure if that matters. Perhaps it only makes sense for a server to look for these headers if it is sure all the reverse proxies that serve it support Token Binding and are configured to insert these headers.


Minor typos:
There is no example of Sec-Other-Token-Binding.

2.1.2 ABNF for EncodedTokenBindingType doesn’t strictly need "A" / "a" as “ABNF strings are case insensitive” [RFC5234 section 2.3<https://tools.ietf.org/html/rfc5234#section-2.3>] so just "A" would do. Having both does reinforce that upper and lower case can be used. Re-using the HEXDIG core ABNF rule would be slightly better, with a case-insensitive mention in the text.

   A Token Binding type value (a single byte) can be represented as an
   "EncodedTokenBindingType", which is a case-insensitive hex encoding.

     EncodedTokenBindingType = 1*2HEXDIG

                 Figure 2: Encoded Token Binding Type ABNF

Typo: section 3: “… they are *a* single logical server”


--
James Manger
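An added example, not from the draft or from this message: a validator that implements the `EncodedTokenBindingType = 1*2HEXDIG` rule proposed above, using the RFC 5234 core HEXDIG rule, and a small helper showing why an explicit `"A" / "a"` alternation is redundant because RFC 5234 quoted strings already match case-insensitively. Function names are the example's own.

```python
"""Validator for the EncodedTokenBindingType ABNF suggested in the message.

Implements   EncodedTokenBindingType = 1*2HEXDIG
with HEXDIG taken from the RFC 5234 core rules (appendix B.1), whose
letters are quoted strings and therefore case-insensitive (section 2.3).
"""

# RFC 5234 core rules used by HEXDIG.
DIGIT = "0123456789"
HEXDIG_LETTERS = ("A", "B", "C", "D", "E", "F")


def abnf_string_matches(literal: str, text: str) -> bool:
    """Match a quoted ABNF string as RFC 5234 section 2.3 specifies:
    character by character, ignoring ASCII letter case.
    This is why  "A" / "a"  says nothing that  "A"  alone does not."""
    if len(literal) != len(text):
        return False
    return all(a.lower() == b.lower() for a, b in zip(literal, text))


def is_hexdig(ch: str) -> bool:
    """HEXDIG = DIGIT / "A" / "B" / "C" / "D" / "E" / "F" (either case)."""
    if len(ch) != 1:
        return False
    return ch in DIGIT or any(abnf_string_matches(l, ch) for l in HEXDIG_LETTERS)


def parse_encoded_token_binding_type(value: str):
    """Return the single-byte Token Binding type encoded by `value`, or
    None when `value` does not match 1*2HEXDIG.

    Validating against the ABNF first matters: int(value, 16) on its own
    would also accept "0x1", "+1", " 1" and "f_f", none of which the rule
    permits, so a lenient parser would let non-conforming header values
    through a proxy-to-backend hop unnoticed."""
    if not 1 <= len(value) <= 2:
        return None
    if not all(is_hexdig(ch) for ch in value):
        return None
    return int(value, 16)
```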

From: Unbearable [mailto:unbearable-bounces@ietf.org] On Behalf Of Brian Campbell
Sent: Saturday, 2 June 2018 2:07 AM
To: Leif Johansson <leifj@mnt.se>
Cc: IETF Tokbind WG <unbearable@ietf.org>
Subject: Re: [Unbearable] tokbind - New Meeting Session Request for IETF 102

It's pretty short! https://tools.ietf.org/html/draft-ietf-tokbind-ttrp-03

On Fri, Jun 1, 2018 at 8:32 AM, Leif Johansson <leifj@mnt.se> wrote:


On 2018-06-01 00:49, Brian Campbell wrote:
> I'd like to request some agenda time to cover the TTRP draft, which will
> likely consist of an overview and status update (with some gratuitous
> photos of recent IETF meeting locations) and a plea to move towards
> WGLC. Thanks!

In order to facilitate that... could we get some folks to review
the TTRP draft before 102?

Maybe... please... ??

        Cheers Leif
