Re: [Unbearable] I-D Action: draft-ietf-tokbind-https-10.txt

Leif Johansson <leifj@mnt.se> Fri, 21 July 2017 11:26 UTC

From: Leif Johansson <leifj@mnt.se>
In-Reply-To: <727870d8-4bb0-b465-9fe5-005073d6c4f1@free.fr>
Date: Fri, 21 Jul 2017 13:26:08 +0200
Cc: unbearable@ietf.org
Message-Id: <EF742323-686D-47FD-A6B2-735DCBF97798@mnt.se>
References: <150062800542.11311.4823917490193775849@ietfa.amsl.com> <6029f39a-ea91-a5ae-60cf-d52d0aeeb718@free.fr> <CACdeXi+gPpAvRuPsTgQte8ugmePUra5QLO2N0gHzkE9MKLjy2A@mail.gmail.com> <733401bb-4204-ebfb-1e4d-49c70eec2604@free.fr> <c132c588-3e5e-9004-8ba3-ebed325c08a5@mnt.se> <727870d8-4bb0-b465-9fe5-005073d6c4f1@free.fr>
To: Denis <denis.ietf@free.fr>
Archived-At: <https://mailarchive.ietf.org/arch/msg/unbearable/_KXEaCpff1NwOk9DFhAwRCUTuKY>
Subject: Re: [Unbearable] I-D Action: draft-ietf-tokbind-https-10.txt


Sent from my iPhone

> On 21 July 2017 at 13:03, Denis <denis.ietf@free.fr> wrote:
> 
> Leif,
> 
> The text that was quoted is in the Security Considerations section under section "7.1.  Security Token Replay" 
> from draft-ietf-tokbind-protocol.

I was not responding to that but to your claim that it is not reasonable to expect implementors to read the full set of specs. It is.

> 
> I already said on the list that the text does not fit under section 7.1 since it is not a security token replay in any sense,
> since the legitimate client is not playing anything, so it can't be a replay.
> 
> It should be under a specific section called, e.g.: Client collusion.
>  
> It is particularly important that readers realize that this protection is not effective under some circumstances.
> 
> Is there any harm in warning the user in both documents?
> 
> Denis
> 
>>> On 2017-07-21 11:40, Denis wrote:
>>> Nick,
>>> 
>>> A person reading draft-ietf-tokbind-https will not necessarily also read
>>> draft-ietf-tokbind-protocol.
>> Since there is text in draft-ietf-tokbind-https with normative
>> references to draft-ietf-tokbind-protocol I don't believe that
>> is a reasonable assumption.
>> 
>> 	Cheers Leif