Re: [Unbearable] on not listing 'Sec-Token-Binding' in the Connection header field?
Andrei Popov <Andrei.Popov@microsoft.com> Thu, 09 February 2017 19:10 UTC
Return-Path: <Andrei.Popov@microsoft.com>
X-Original-To: unbearable@ietfa.amsl.com
Delivered-To: unbearable@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 319B2129C57 for <unbearable@ietfa.amsl.com>; Thu, 9 Feb 2017 11:10:18 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.021
X-Spam-Level:
X-Spam-Status: No, score=-2.021 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H4=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=microsoft.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id SxPiMBaKpbRS for <unbearable@ietfa.amsl.com>; Thu, 9 Feb 2017 11:10:15 -0800 (PST)
Received: from NAM01-SN1-obe.outbound.protection.outlook.com (mail-sn1nam01on0100.outbound.protection.outlook.com [104.47.32.100]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 403F612943C for <unbearable@ietf.org>; Thu, 9 Feb 2017 11:10:12 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version; bh=AspeqM3bP/jclTOxeQYk78Yzrc1TfQvQorRzXq6I2Z0=; b=mmGymcMH8za+sSfWhxXPs6Lc6GLymWIHQ7rnhOckC/QCEJ+BS3xxo8W314Sl3r8EX1Wc2Xlr90U0bUak39AUhUeATuIw0lL7oSERGbBSaoPxCg1/NidB2LSXRv4qMvjM+tHEOpv9west1/AlqcQZVqOkcomn2iIhCsCg6ShfFn8=
Received: from CY1PR0301MB0842.namprd03.prod.outlook.com (10.160.163.148) by CY1PR0301MB0844.namprd03.prod.outlook.com (10.160.163.150) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384) id 15.1.888.16; Thu, 9 Feb 2017 19:10:10 +0000
Received: from CY1PR0301MB0842.namprd03.prod.outlook.com ([10.160.163.148]) by CY1PR0301MB0842.namprd03.prod.outlook.com ([10.160.163.148]) with mapi id 15.01.0888.026; Thu, 9 Feb 2017 19:10:10 +0000
From: Andrei Popov <Andrei.Popov@microsoft.com>
To: John Bradley <ve7jtb@ve7jtb.com>
Thread-Topic: [Unbearable] on not listing 'Sec-Token-Binding' in the Connection header field?
Thread-Index: AQHSguz8oAIXC6BWu0OMPbiyGCJ7xqFg384AgAAczHCAAAWOgIAAAH5ggAAEQwCAAAA/gA==
Date: Thu, 09 Feb 2017 19:10:10 +0000
Message-ID: <CY1PR0301MB0842BA623E540E885D2AD8D28C450@CY1PR0301MB0842.namprd03.prod.outlook.com>
References: <074faef6-b425-17f8-ac05-223834a2cc0b@KingsMountain.com> <CA+k3eCSwvcKyN6t+9cTLSAJu9+5Uz27Db5NW_zy9W7Bx71gG4Q@mail.gmail.com> <CY1PR0301MB084223E0274288D9B330D16D8C450@CY1PR0301MB0842.namprd03.prod.outlook.com> <C9D5F321-CA4F-4359-96E8-AC436E5B2A13@ve7jtb.com> <CY1PR0301MB08423422FB68F197584F31B98C450@CY1PR0301MB0842.namprd03.prod.outlook.com> <3248A381-14C7-48CC-A78B-B9649191A4BA@ve7jtb.com>
In-Reply-To: <3248A381-14C7-48CC-A78B-B9649191A4BA@ve7jtb.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: spf=none (sender IP is ) smtp.mailfrom=Andrei.Popov@microsoft.com;
x-originating-ip: [2001:4898:80e8:9::1d2]
x-ms-office365-filtering-correlation-id: 03ff973f-6cf6-4ac2-0a8b-08d4511f44c6
x-ms-office365-filtering-ht: Tenant
x-microsoft-antispam: UriScan:; BCL:0; PCL:0; RULEID:(22001)(48565401081); SRVR:CY1PR0301MB0844;
x-microsoft-exchange-diagnostics: 1; CY1PR0301MB0844; 7:LqqGx8p1/eFWOYTkHIfjyaR7YFtuUhbWsslS0hwqjhEwv/GAUcP+d9coIAZHf2KVcrSrKP4qQRvNi1WQRWA5UhK5X+VI3h2xvIMqf1Q8Tc12v6WlvEWjTTKQYklaKjO6xFlDqlMHU0IiGlC48Pn9pJnmwk7GHvajnD7RPNRSzi6gZe5olFiJveJJSFJIREuzL02PLU88TpCw8ArEwe4zpVnwxCb493aNGHebeh3iC6eTo9WGH1jOwb+NdqDPvAkHE8Xi5/Jf4gMgZbLB9A+KQFS6WVxTG9x4/OkSjzpUY6ctTCduWdQq+yn9t6Ai+PRVbbc+AaOz3dTYgO98jLG33Ba4SGh5yztaW5xF+qPi3JgYIJSNIdvLIwW4OW+Lf4G6rJVpZPJ/mb60xT4NoZZH3mUIh5oLIdl1UfDHYa1NQcun2Frd4sETBkyrV+X/QT7G1g+WnCR74jJ0bu+lHeZyd2zFClEhSEMAZkc9GXvTvS08tkVQSKz4bsC8QeA/mDUCeZKAaRimfh+HnS1pVO1/dl9EkQSQpvF3hz4eNhqbe9M=
x-microsoft-antispam-prvs: <CY1PR0301MB08442C742BE630E7870F662A8C450@CY1PR0301MB0844.namprd03.prod.outlook.com>
x-exchange-antispam-report-test: UriScan:(158342451672863)(21748063052155);
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(61425038)(6040375)(601004)(2401047)(5005006)(8121501046)(10201501046)(3002001)(6055026)(61426038)(61427038)(6041248)(20161123558025)(20161123564025)(20161123560025)(20161123562025)(20161123555025)(6072148); SRVR:CY1PR0301MB0844; BCL:0; PCL:0; RULEID:; SRVR:CY1PR0301MB0844;
x-forefront-prvs: 02135EB356
x-forefront-antispam-report: SFV:NSPM; SFS:(10019020)(6009001)(7916002)(39410400002)(39850400002)(39840400002)(39860400002)(39450400003)(189002)(199003)(2950100002)(6916009)(8936002)(106356001)(8990500004)(38730400002)(53936002)(81166006)(2900100001)(3280700002)(54906002)(50986999)(92566002)(76176999)(54356999)(8676002)(230783001)(81156014)(101416001)(7696004)(189998001)(5660300001)(10090500001)(110136004)(97736004)(33656002)(2906002)(10290500002)(7736002)(5005710100001)(122556002)(6246003)(4326007)(105586002)(106116001)(77096006)(3660700001)(6436002)(86612001)(93886004)(68736007)(55016002)(25786008)(6506006)(74316002)(86362001)(6306002)(54896002)(9686003)(102836003)(229853002)(99286003)(6116002)(790700001); DIR:OUT; SFP:1102; SCL:1; SRVR:CY1PR0301MB0844; H:CY1PR0301MB0842.namprd03.prod.outlook.com; FPR:; SPF:None; PTR:InfoNoRecords; MX:1; A:1; LANG:en;
received-spf: None (protection.outlook.com: microsoft.com does not designate permitted sender hosts)
spamdiagnosticoutput: 1:99
spamdiagnosticmetadata: NSPM
Content-Type: multipart/alternative; boundary="_000_CY1PR0301MB0842BA623E540E885D2AD8D28C450CY1PR0301MB0842_"
MIME-Version: 1.0
X-OriginatorOrg: microsoft.com
X-MS-Exchange-CrossTenant-originalarrivaltime: 09 Feb 2017 19:10:10.3186 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 72f988bf-86f1-41af-91ab-2d7cd011db47
X-MS-Exchange-Transport-CrossTenantHeadersStamped: CY1PR0301MB0844
Archived-At: <https://mailarchive.ietf.org/arch/msg/unbearable/gCBcRFW7GXaKoYYpO4JdX-V8MZ8>
Cc: IETF TokBind WG <unbearable@ietf.org>, Brian Campbell <bcampbell@pingidentity.com>, =JeffH Hodges <Jeff.Hodges@kingsmountain.com>
Subject: Re: [Unbearable] on not listing 'Sec-Token-Binding' in the Connection header field?
X-BeenThere: unbearable@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "\"This list is for discussion of proposals for doing better than bearer tokens \(e.g. HTTP cookies, OAuth tokens etc.\) for web applications. The specific goal is chartering a WG focused on preventing security token export and replay attacks.\"" <unbearable.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/unbearable>, <mailto:unbearable-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/unbearable/>
List-Post: <mailto:unbearable@ietf.org>
List-Help: <mailto:unbearable-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/unbearable>, <mailto:unbearable-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 09 Feb 2017 19:10:18 -0000
Ø If it is negotiating token binding with the server then it can’t pass along the original token binding in the same header without significant confusion I suspect. My argument is that a TB-aware proxy understands this and does the right thing, which may be validating the client’s TB and generating a new TB for the back-end server, or something else. Ø The bigger short term question is what should a proxy that doesn’t understand token binding do. If token binding is signalled from the user agent as hop by hop then it should drop the header. A proxy that does not understand TB, but terminates TLS, does not negotiate TB with the client and does not receive the TB header. Ø I think it is better for the server to get no token binding header than one from a client that thinks it has negotiated token binding but it cant validate. The client only sends the TB header if TB was negotiated. This means the proxy and/or back-end server are configured by the admin to handle TB. The client does not know whether the proxy or the back-end server handle TB, so can’t make a header forwarding decision for them.
- [Unbearable] on not listing 'Sec-Token-Binding' i… =JeffH
- Re: [Unbearable] on not listing 'Sec-Token-Bindin… Andrei Popov
- Re: [Unbearable] on not listing 'Sec-Token-Bindin… John Bradley
- Re: [Unbearable] on not listing 'Sec-Token-Bindin… John Bradley
- Re: [Unbearable] on not listing 'Sec-Token-Bindin… Dirk Balfanz
- Re: [Unbearable] on not listing 'Sec-Token-Bindin… John Bradley
- Re: [Unbearable] on not listing 'Sec-Token-Bindin… Andrei Popov
- Re: [Unbearable] on not listing 'Sec-Token-Bindin… =JeffH
- Re: [Unbearable] on not listing 'Sec-Token-Bindin… Brian Campbell
- Re: [Unbearable] on not listing 'Sec-Token-Bindin… =JeffH
- Re: [Unbearable] on not listing 'Sec-Token-Bindin… Andrei Popov
- Re: [Unbearable] on not listing 'Sec-Token-Bindin… Andrei Popov
- Re: [Unbearable] on not listing 'Sec-Token-Bindin… John Bradley
- Re: [Unbearable] on not listing 'Sec-Token-Bindin… Andrei Popov
- Re: [Unbearable] on not listing 'Sec-Token-Bindin… Amos Jeffries
- Re: [Unbearable] on not listing 'Sec-Token-Bindin… John Bradley
- Re: [Unbearable] on not listing 'Sec-Token-Bindin… Andrei Popov
- Re: [Unbearable] on not listing 'Sec-Token-Bindin… Amos Jeffries
- Re: [Unbearable] on not listing 'Sec-Token-Bindin… John Bradley
- Re: [Unbearable] on not listing 'Sec-Token-Bindin… Amos Jeffries
- Re: [Unbearable] on not listing 'Sec-Token-Bindin… Andrei Popov
- Re: [Unbearable] on not listing 'Sec-Token-Bindin… =JeffH