Re: [Unbearable] (late, sorry) WGLC question on establishing the binding or not

Andrei Popov <Andrei.Popov@microsoft.com> Wed, 21 December 2016 02:02 UTC

From: Andrei Popov <Andrei.Popov@microsoft.com>
To: Nick Harper <nharper@google.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/unbearable/fyirnnpCx6n_e_oqOtjOVpU98Wo>
Cc: IETF Tokbind WG <unbearable@ietf.org>, Brian Campbell <bcampbell@pingidentity.com>

> In TBPROTO section 3, there currently is language describing when a client MUST and MUST NOT send a TB message. I'd add a sentence/paragraph after the first paragraph in that section to say something like "A server SHOULD reject an application protocol message that does not contain a Token Binding message if the client and server successfully negotiated the use of the Token Binding protocol.".
This does not work, because TBPROTO does not require that the TB message be included in every application protocol message. TBPROTO only requires the TB message in the client’s first application protocol message (in the connection where TB is negotiated).

The requirement that each HTTP request has a TB message in it is specific to HTTPS. While this is wasteful, we have to do it because HTTP headers are per request, rather than affecting the entire connection (HTTP/2 reduces this waste by compressing headers).
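The two server-side enforcement rules contrasted in this reply (TBPROTO: Token Binding message required only in the client's first application message on the connection; HTTPS: required in every request), as an added illustration that is not code from the Token Binding drafts or any implementation. It assumes a minimal connection model (a negotiated flag from the TLS handshake plus a list of application messages), uses the Sec-Token-Binding header name from the HTTPS Token Binding specification rather than from this thread, and treats the draft's MUST NOT rule as "no Token Binding message when the protocol was not negotiated", which is an assumption.

```python
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class AppMessage:
    # Hypothetical minimal application-protocol message: only what the
    # checks need. tb_message is the opaque Token Binding message, if any
    # (for HTTPS this is the value of the Sec-Token-Binding header).
    payload: str
    tb_message: Optional[bytes] = None


@dataclass
class Connection:
    tb_negotiated: bool                      # negotiated in the TLS handshake
    messages: List[AppMessage] = field(default_factory=list)


def check_tbproto(conn: Connection) -> List[str]:
    """TBPROTO rule as described in the reply: once Token Binding has been
    negotiated, the client's FIRST application message on the connection must
    carry a Token Binding message; later messages may omit it."""
    errors: List[str] = []
    if not conn.tb_negotiated:
        # Assumed reading of the MUST NOT rule: no TB message without negotiation.
        errors += [f"message {i}: Token Binding message sent without negotiation"
                   for i, m in enumerate(conn.messages) if m.tb_message is not None]
        return errors
    if conn.messages and conn.messages[0].tb_message is None:
        errors.append("message 0: first application message lacks Token Binding message")
    return errors


def check_https(conn: Connection) -> List[str]:
    """HTTPS-specific rule: every request must carry the Token Binding
    message, because HTTP headers are per request, not per connection."""
    if not conn.tb_negotiated:
        return check_tbproto(conn)  # same MUST NOT handling as above
    return [f"request {i}: missing Sec-Token-Binding header"
            for i, m in enumerate(conn.messages) if m.tb_message is None]


def run_sample() -> dict:
    # Constructed sample: TB negotiated, only the first request carries the message.
    conn = Connection(True, [AppMessage("GET /", b"tb-msg"),
                             AppMessage("GET /a"), AppMessage("GET /b")])
    return {"tbproto": check_tbproto(conn), "https": check_https(conn)}
```

Running `run_sample()` shows the same connection passing the TBPROTO check while failing the HTTPS check twice, which is exactly the gap the reply points out.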