Re: [Unbearable] Suggestions for TTRP

Brian Campbell <bcampbell@pingidentity.com> Fri, 27 July 2018 15:56 UTC

To: Martin Thomson <martin.thomson@gmail.com>
Cc: IETF Tokbind WG <unbearable@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/unbearable/jfFlKJsCf14Etz1X9YwDkuXmw5k>

Done in the just published -06

On Fri, Jul 20, 2018 at 11:32 AM, Brian Campbell <bcampbell@pingidentity.com> wrote:

> Thanks for the suggestion, Martin, I'll make that change in the next
> revision.
>
> On Fri, Jul 20, 2018, 1:21 PM Martin Thomson <martin.thomson@gmail.com>
> wrote:
>
>> My comments about authentication were misguided because I somehow
>> missed that the section entitled "HTTP Headers" was in fact about
>> authentication.
>>
>> My suggestion: move the TLS versions section to a new top-level
>> section and make the contents of the HTTP Headers section the entirety
>> of the security considerations.  The TLS versions text isn't really a
>> security consideration and having a more targeted security
>> considerations section would be clearer.  (Also, it avoids having an
>> empty top-level section).
