[Unbearable] Protocol Action: 'Transport Layer Security (TLS) Extension for Token Binding Protocol Negotiation' to Proposed Standard (draft-ietf-tokbind-negotiation-14.txt)

The IESG <iesg-secretary@ietf.org> Fri, 20 July 2018 12:52 UTC

Return-Path: <iesg-secretary@ietf.org>
X-Original-To: unbearable@ietf.org
Delivered-To: unbearable@ietfa.amsl.com
Received: from ietfa.amsl.com (localhost [IPv6:::1]) by ietfa.amsl.com (Postfix) with ESMTP id D6452130E90; Fri, 20 Jul 2018 05:52:23 -0700 (PDT)
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
From: The IESG <iesg-secretary@ietf.org>
To: "IETF-Announce" <ietf-announce@ietf.org>
X-Test-IDTracker: no
X-IETF-IDTracker: 6.82.0
Auto-Submitted: auto-generated
Precedence: bulk
Cc: The IESG <iesg@ietf.org>, ekr@rtfm.com, John Bradley <ve7jtb@ve7jtb.com>, unbearable@ietf.org, tokbind-chairs@ietf.org, ve7jtb@ve7jtb.com, draft-ietf-tokbind-negotiation@ietf.org, rfc-editor@rfc-editor.org
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
Message-ID: <153209114386.4387.8718891452946186976.idtracker@ietfa.amsl.com>
Date: Fri, 20 Jul 2018 05:52:23 -0700
Archived-At: <https://mailarchive.ietf.org/arch/msg/unbearable/dO0cMlQtIjvQSxyKDzIgoP3ByfM>
Subject: [Unbearable] Protocol Action: 'Transport Layer Security (TLS) Extension for Token Binding Protocol Negotiation' to Proposed Standard (draft-ietf-tokbind-negotiation-14.txt)
X-BeenThere: unbearable@ietf.org
X-Mailman-Version: 2.1.27
List-Id: "\"This list is for discussion of proposals for doing better than bearer tokens \(e.g. HTTP cookies, OAuth tokens etc.\) for web applications. The specific goal is chartering a WG focused on preventing security token export and replay attacks.\"" <unbearable.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/unbearable>, <mailto:unbearable-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/unbearable/>
List-Post: <mailto:unbearable@ietf.org>
List-Help: <mailto:unbearable-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/unbearable>, <mailto:unbearable-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 20 Jul 2018 12:52:24 -0000

The IESG has approved the following document:
- 'Transport Layer Security (TLS) Extension for Token Binding Protocol
  (draft-ietf-tokbind-negotiation-14.txt) as Proposed Standard

This document is the product of the Token Binding Working Group.

The IESG contact persons are Benjamin Kaduk and Eric Rescorla.

A URL of this Internet Draft is:

Technical Summary

In order to use the Token Binding protocol [I-D.ietf-tokbind-protocol], the client and server need to agree on the Token Binding protocol version and the parameters (signature algorithm, length) of the Token Binding key.  This document specifies a new TLS [RFC5246] extension to accomplish this negotiation without introducing additional network round-trips in TLS 1.2 and earlier versions.  The negotiation of the Token Binding protocol and key parameters in combination with TLS 1.3 and later versions is beyond the scope of this document.

Working Group Summary

 This document achieved WG consensus and had no objections.

Document Quality

Multiple Implementations of Token Binding exist and have undergone informal interoperability testing.
Google has token binding behind a feature flag in Chrome that is currently defaulted off.  They have also implemented it in their reverse proxy infrastructure. They have also added support to the Boringssl open source project.
Microsoft added support in Windows 10 RS2 at the beginning of 2017 (later back ported to RS1) .  Edge and IE use that platform support.  It is also available to other applications via system API.  There is also support in ADFS. https://docs.microsoft.com/en-us/windows-server/security/token-binding/introducing-token-binding
NGINX has an open source module https://github.com/google/ngx_token_binding
Token Binding support for Apache https://github.com/google/ngx_token_binding
Openssl patches in opensource https://github.com/google/token_bind
Ping Identity has tested patches to Java and set up a test environment. https://www.ietf.org/mail-archive/web/unbearable/current/msg01332.html
A useful slide share overview https://www.slideshare.net/Identiverse/beyond-bearer-token-binding-as-the-foundation-for-a-more-secure-web-cis-2017
Drafts using token binding exist in the OAuth work group and for OpenID Connect.


John Bradley is the document shepherd and the responsible area director is Eric Rescorla.