Re: [Unbearable] question about draft-mandyam-tokbin-attest-01

Giridhar Mandyam <mandyam@qti.qualcomm.com> Tue, 04 April 2017 22:55 UTC

From: Giridhar Mandyam <mandyam@qti.qualcomm.com>
To: "unbearable@ietf.org" <unbearable@ietf.org>
Date: Tue, 04 Apr 2017 22:55:30 +0000
Archived-At: <https://mailarchive.ietf.org/arch/msg/unbearable/dlN3q-jKnt7KIq4EXzLGUqw-6vo>

Thank you for your feedback.  This document was not really meant to provide justification for the usefulness of TLS Token binding with respect to MITM - I believe that has already been done in Sec. 7.4 of [1].

Moreover, in [2] the author describes TLS vulnerability to MITM due to attacks such as DROWN [3], and how TLS token binding can be used to address the effects of such an attack (e.g. reuse of auth tokens).

I'll also ask for a clarification from you regarding what you mean by "(modern) TLS".  For instance, do you mean TLS 1.3?  Could this include TLS 1.2 (which allows for NULL cipher suite among other cipher suites with known vulnerabilities)?

-Giri Mandyam

[1] Popov, A. et al.  "Token Binding over HTTP."  draft-ietf-tokbind-https-08.  February 16, 2017.  https://tools.ietf.org/html/draft-ietf-tokbind-https-08#section-7.4.
[2] Balfanz, D.  "FIDO Tech Notes:  Channel Binding and FIDO."  May 23, 2016.  https://fidoalliance.org/fido-technotes-channel-binding-and-fido/.
[3] Aviram, N. et al.  "DROWN:  Breaking TLS using SSLv2."  Proceedings of the 25th USENIX Security Symposium.  August 2016.  https://drownattack.com/drown-attack-paper.pdf.


-----Original Message-----
From: Unbearable [mailto:unbearable-bounces@ietf.org] On Behalf Of Benjamin Kaduk
Sent: Tuesday, March 28, 2017 7:52 PM
To: unbearable@ietf.org
Subject: [Unbearable] question about draft-mandyam-tokbin-attest-01

I only quickly looked at this document before the meeting, but had a question about this line in the introduction that "this is useful for prevention of man-in-the-middle attacks on TLS sessions";
(modern) TLS is supposed to prevent man in the middle attacks all on its own, so I don't understand what this is attempting to say.

-Ben
