Re: [Unbearable] Ben Campbell's Yes on draft-ietf-tokbind-negotiation-12: (with COMMENT)

Andrei Popov <Andrei.Popov@microsoft.com> Thu, 10 May 2018 22:33 UTC

From: Andrei Popov <Andrei.Popov@microsoft.com>
To: Ben Campbell <ben@nostrum.com>
CC: The IESG <iesg@ietf.org>, "draft-ietf-tokbind-negotiation@ietf.org" <draft-ietf-tokbind-negotiation@ietf.org>, John Bradley <ve7jtb@ve7jtb.com>, "tokbind-chairs@ietf.org" <tokbind-chairs@ietf.org>, "unbearable@ietf.org" <unbearable@ietf.org>
Date: Thu, 10 May 2018 22:33:18 +0000

Yep, both boilerplate and {1,0} are addressed in the latest uploaded TBPROTO and TBNEGO.

-----Original Message-----
From: Ben Campbell <ben@nostrum.com> 
Sent: Thursday, May 10, 2018 3:26 PM
To: Andrei Popov <Andrei.Popov@microsoft.com>
Cc: The IESG <iesg@ietf.org>; draft-ietf-tokbind-negotiation@ietf.org; John Bradley <ve7jtb@ve7jtb.com>; tokbind-chairs@ietf.org; unbearable@ietf.org
Subject: Re: Ben Campbell's Yes on draft-ietf-tokbind-negotiation-12: (with COMMENT)



> On May 9, 2018, at 4:50 PM, Andrei Popov <Andrei.Popov@microsoft.com> wrote:
> 
> Hi Ben,
> 
> Thanks for the review; some answers below.
>> Additionally, do I understand the version negotiation to require the client to support all previous versions from the one it initially advertises?
> No, the draft says specifically:
> " There is no requirement for the client to support any Token
>   Binding versions other than the one advertised in the client's
>   "token_binding" extension."
> 

We have a separate thread on this point now, so I will respond there.


>> §1.1: Please consider using the 8174 boilerplate across the cluster. While I did not find lower case keywords in this draft, I did in the other two and it would be best to be consistent across all three.
> Will make this change in the next revision.

Thanks!

> 
>> §2: "[I-D.ietf-tokbind-protocol] describes version {1, 0} of the protocol.":
>> While one might infer that version to be {1,0} given the name "Token Binding 1.0", I never saw it explicitly mentioned.
> Sorry, I did not understand the concern. Can you elaborate?

This probably should have been a comment on the protocol draft, not the negotiation draft. That is, the protocol draft never explicitly claims to be {1,0}. But it's not a big deal because I think most implementers would infer that from the title "Token Binding 1.0".

> 
> Thanks,
> 
> Andrei
> 
> -----Original Message-----
> From: Ben Campbell <ben@nostrum.com>
> Sent: Wednesday, May 9, 2018 1:06 PM
> To: The IESG <iesg@ietf.org>
> Cc: draft-ietf-tokbind-negotiation@ietf.org; John Bradley <ve7jtb@ve7jtb.com>; tokbind-chairs@ietf.org; ve7jtb@ve7jtb.com; unbearable@ietf.org
> Subject: Ben Campbell's Yes on draft-ietf-tokbind-negotiation-12: (with COMMENT)
> 
> Ben Campbell has entered the following ballot position for
> draft-ietf-tokbind-negotiation-12: Yes
> 
> When responding, please keep the subject line intact and reply to all email addresses included in the To and CC lines. (Feel free to cut this introductory paragraph, however.)
> 
> 
> Please refer to https://na01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.ietf.org%2Fiesg%2Fstatement%2Fdiscuss-criteria.html&data=02%7C01%7CAndrei.Popov%40microsoft.com%7C3a1591db5ceb4c9f9e3508d5b5e842b3%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C636614931539696277&sdata=tz5MtEsJwqlG7QHQWgLVy6HMgX1xyLTqzmnFA7U9Gmc%3D&reserved=0
> for more information about IESG DISCUSS and COMMENT positions.
> 
> 
> The document, along with other ballot positions, can be found here:
> https://na01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fdatatracker.ietf.org%2Fdoc%2Fdraft-ietf-tokbind-negotiation%2F&data=02%7C01%7CAndrei.Popov%40microsoft.com%7C3a1591db5ceb4c9f9e3508d5b5e842b3%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C636614931539696277&sdata=JMexEpyWjrBwY5V2PvFVHCqaXtPlw7PaBRJK4Qk%2F5lc%3D&reserved=0
> 
> 
> 
> ----------------------------------------------------------------------
> COMMENT:
> ----------------------------------------------------------------------
> 
> Thanks for this document. I am balloting "yes", but have a few comments:
> 
> - I support Alexey's DISCUSS. Additionally, do I understand the version negotiation to require the client to support all previous versions from the one it initially advertises? If so, how would you deprecate a version at some time in the future?
> 
> - I shared some of the confusion about this being limited to TLS 1.2 and earlier. In particular, there is repeated language to the effect of "For TLS 1.2 and earlier...", which seems strange for a draft that only supports 1.2 in the first place.
> 
> §1.1: Please consider using the 8174 boilerplate across the cluster. While I did not find lower case keywords in this draft, I did in the other two and it would be best to be consistent across all three.
> 
> §2: "[I-D.ietf-tokbind-protocol] describes version {1, 0} of the protocol.":
> While one might infer that version to be {1,0} given the name "Token Binding 1.0", I never saw it explicitly mentioned.
> 
> Editorial Comments:
> 
> §2: "Please note that the server MAY select any lower protocol version, see Section 3": comma splice
> 
>
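The version-negotiation behaviour discussed in this thread (the client advertises one version, the server may select any lower one, and the client is not required to support any version other than the one it advertised), as an added example that is not part of the thread or the draft. It assumes the "token_binding" extension wire format as I recall it from draft-ietf-tokbind-negotiation (1-byte major, 1-byte minor, 1-byte-length list of key-parameter ids); the server's "pick the highest version at or below the client's" choice and the client's fall-back-to-no-Token-Binding outcome are my reading of the draft, not text quoted from it.

```python
import struct

# Key parameter ids as I recall them from the Token Binding protocol draft (assumption).
RSA2048_PKCS15, RSA2048_PSS, ECDSAP256 = 0, 1, 2


def encode_params(version, key_params):
    """Serialize TokenBindingParameters: major, minor, then a 1-byte-length list."""
    if not 1 <= len(key_params) <= 255:
        raise ValueError("key_parameters_list must hold 1..255 entries")
    return struct.pack("!BBB", version[0], version[1], len(key_params)) + bytes(key_params)


def decode_params(data):
    """Parse TokenBindingParameters, rejecting truncated or trailing bytes."""
    if len(data) < 4:
        raise ValueError("extension too short")
    major, minor, n = struct.unpack("!BBB", data[:3])
    body = data[3:]
    if n < 1 or len(body) != n:
        raise ValueError("bad key_parameters_list length")
    return (major, minor), list(body)


def server_select(client_ext, server_versions, server_key_params):
    """Server: choose a version at or below the client's advertised one (the draft
    lets the server pick any lower version; this model picks the highest it has)
    and the first client-listed key parameter it supports (client order is
    client preference). Returns the extension to echo, or None to omit it."""
    client_version, client_kps = decode_params(client_ext)
    candidates = [v for v in server_versions if v <= client_version]
    chosen_kp = next((kp for kp in client_kps if kp in server_key_params), None)
    if not candidates or chosen_kp is None:
        return None
    return encode_params(max(candidates), [chosen_kp])


def client_check(supported_versions, client_kps, server_ext):
    """Client: 'fatal' if the server chose a version above the advertised one or a
    key parameter the client never offered; 'disabled' if the server chose a lower
    version this client does not implement (no requirement to support other
    versions, so no alert, just no Token Binding); otherwise 'enabled'."""
    advertised = max(supported_versions)  # the client advertises its highest version
    if server_ext is None:
        return "disabled"
    server_version, kps = decode_params(server_ext)
    if server_version > advertised or len(kps) != 1 or kps[0] not in client_kps:
        return "fatal"
    return "enabled" if server_version in supported_versions else "disabled"
```

A malformed server extension raises ValueError from decode_params; a real implementation would map that to the same fatal alert as the version and key-parameter checks.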