Re: [Unbearable] [art] Artart telechat review of draft-ietf-tokbind-negotiation-12

Adam Roach <adam@nostrum.com> Wed, 09 May 2018 01:04 UTC

To: Andrei Popov <Andrei.Popov@microsoft.com>, "Matthew A. Miller" <linuxwolf+ietf@outer-planes.net>, "art@ietf.org" <art@ietf.org>
Cc: "unbearable@ietf.org" <unbearable@ietf.org>, "draft-ietf-tokbind-negotiation.all@ietf.org" <draft-ietf-tokbind-negotiation.all@ietf.org>, "ietf@ietf.org" <ietf@ietf.org>
References: <152581170538.16247.326421324193541615@ietfa.amsl.com> <DM5PR21MB05073538E86E74EE3373B6268C9A0@DM5PR21MB0507.namprd21.prod.outlook.com> <e76c1d2a-6d90-e62b-341e-5af12c493a0f@outer-planes.net> <DM5PR21MB050751117AF4365D48EC88A28C990@DM5PR21MB0507.namprd21.prod.outlook.com>
From: Adam Roach <adam@nostrum.com>
Message-ID: <c0a6b4d2-4833-9da3-dced-7afafd9dfe68@nostrum.com>
Date: Tue, 8 May 2018 20:04:02 -0500
Archived-At: <https://mailarchive.ietf.org/arch/msg/unbearable/nZV1Ao-f-5n_svr2seWoU1B4GNE>

On 5/8/18 7:17 PM, Andrei Popov wrote:
> Application-specific clients and servers (custom apps) can reject connections without TB, or they can implement a variety of other measures when TB is not negotiated (e.g., issue shorter-lived tokens, require stronger authentication, ...)


If I read Matthew's request correctly, all he is asking is that you add 
words to the document that say exactly what you say above. Right now, 
the implication in the document is that the client is required to 
continue to use the connection as if nothing is wrong.

/a
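The exchange this thread is about, as an added example that is not part of the original message or of the draft: a server selecting Token Binding parameters from a client's token_binding TLS extension, a client validating the answer, and an explicit policy for the "not negotiated" outcome Andrei describes (reject, or accept with shorter-lived tokens and step-up authentication). The wire layout (two version bytes followed by a length-prefixed key-parameters list) and the key-parameter identifiers follow RFC 8472, the published form of draft-ietf-tokbind-negotiation; whether they match draft-12 exactly, the token lifetimes, and the handling of a server version below the client's minimum are assumptions made for illustration.

```python
"""Token Binding negotiation (token_binding TLS extension) with an explicit
policy for the not-negotiated case.  Added example, not code from the draft
authors.  Wire format per RFC 8472 (assumed to match draft-12):

    struct { uint8 major; uint8 minor; } TB_ProtocolVersion;
    struct {
        TB_ProtocolVersion        token_binding_version;
        TokenBindingKeyParameters key_parameters_list<1..2^8-1>;
    } TokenBindingParameters;
"""
from dataclasses import dataclass

# Key parameter identifiers from RFC 8472 (assumption: same values in draft-12).
RSA2048_PKCS15 = 0
RSA2048_PSS = 1
ECDSAP256 = 2


@dataclass(frozen=True)
class TokenBindingParameters:
    major: int
    minor: int
    key_params: tuple  # ordered by client preference


def encode(p: TokenBindingParameters) -> bytes:
    """Serialize extension_data: major, minor, u8 length, then the list."""
    if not 1 <= len(p.key_params) <= 255:
        raise ValueError("key_parameters_list must hold 1..255 entries")
    return bytes([p.major, p.minor, len(p.key_params)]) + bytes(p.key_params)


def decode(data: bytes) -> TokenBindingParameters:
    """Parse extension_data; reject truncated or over-long encodings."""
    if len(data) < 4:
        raise ValueError("token_binding extension too short")
    major, minor, n = data[0], data[1], data[2]
    if n == 0 or len(data) != 3 + n:
        raise ValueError("bad key_parameters_list length")
    return TokenBindingParameters(major, minor, tuple(data[3:]))


def server_select(client_ext: bytes, server_version: tuple, server_key_params: set):
    """Server side.  Returns the extension_data to echo in ServerHello, or
    None when Token Binding is not negotiated (no common key parameter).
    The server answers with exactly one parameter, the first one in the
    client's list it supports, and never a version above the client's."""
    client = decode(client_ext)
    chosen = next((kp for kp in client.key_params if kp in server_key_params), None)
    if chosen is None:
        return None
    version = min((client.major, client.minor), server_version)
    return encode(TokenBindingParameters(version[0], version[1], (chosen,)))


def client_check(offered: TokenBindingParameters, server_ext, min_version: tuple):
    """Client side.  Returns the agreed parameters, or None if Token Binding
    is not in use.  A server that answers with something the client never
    offered, or a version above the client's, violates the negotiation and
    the handshake is terminated (RFC 8472 requires a fatal alert here).
    Treating a version below the client's minimum as 'not negotiated'
    rather than as an error is an assumption of this example."""
    if server_ext is None:
        return None
    s = decode(server_ext)
    if (len(s.key_params) != 1
            or s.key_params[0] not in offered.key_params
            or (s.major, s.minor) > (offered.major, offered.minor)):
        raise ValueError("server violated token_binding negotiation; terminate handshake")
    if (s.major, s.minor) < min_version:
        return None
    return s


def session_policy(negotiated, require_tb: bool) -> dict:
    """The point raised in the thread: an application decides what a
    connection without Token Binding means.  Lifetimes are assumptions."""
    if negotiated is not None:
        return {"action": "accept", "bound": True, "token_ttl_s": 8 * 3600,
                "step_up_auth": False}
    if require_tb:
        return {"action": "reject", "bound": False, "token_ttl_s": 0,
                "step_up_auth": False}
    # Fall back to bearer tokens, but shorter-lived and with stronger auth.
    return {"action": "accept", "bound": False, "token_ttl_s": 600,
            "step_up_auth": True}


def run_handshake(client_offer, server_version, server_key_params, min_version, require_tb):
    """Drive both sides over constructed inputs and return the resulting policy."""
    server_ext = server_select(encode(client_offer), server_version, server_key_params)
    agreed = client_check(client_offer, server_ext, min_version)
    return agreed, session_policy(agreed, require_tb)
```

Running `run_handshake` with a client offering `(ECDSAP256, RSA2048_PSS)` against a server that supports only `RSA2048_PKCS15` yields no extension in the ServerHello, and the policy then decides between rejecting the connection and accepting it with a 600-second bearer token, which is the behaviour the thread asks the document to spell out rather than leave implied.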