Re: [Unbearable] Fwd: I-D Action: draft-ietf-tokbind-ttrp-01.txt

John Bradley <> Thu, 03 August 2017 15:50 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 070101320D3 for <>; Thu, 3 Aug 2017 08:50:07 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (2048-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id ahirIC9pXTT7 for <>; Thu, 3 Aug 2017 08:50:05 -0700 (PDT)
Received: from ( [IPv6:2a00:1450:4010:c07::229]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id AED761320D6 for <>; Thu, 3 Aug 2017 08:50:04 -0700 (PDT)
Received: by with SMTP id y15so7788184lfd.5 for <>; Thu, 03 Aug 2017 08:50:04 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20150623; h=from:message-id:mime-version:subject:date:in-reply-to:cc:to :references; bh=pEbubMC4wL7A6dK8dkYDfrTechrTo4k86vcaYqWRIBU=; b=VoJDOTsbQkdwQq4mNabacteT9VrhXFWHnyZaxTYQHwIcPYwt4SEoOwEOLv2nqJ7Whj L+2E4o4vDsr5abCzLGMc9czyDX82Ec5IzZB0UWEKu4BSjGbao3/rikS/uM6Bwq8YPNTK 8bZx9FCeroMq7XKyVz+CMKHlim1zDLxeo0JJmO3wR/iMYlmWf7e86U8ifokcPBY+drHb B/dIoHw9LglrPzgWK3TqHvw3N5t28X8CQS2oL/vqJjTMr5TkIKhAEtt2ZGLeWM7tq2Uv QYe9wOuKXXLMjfUqL8BcRVlLvcEESAW0ugOIINFAIgkauQFzTHIrwB6e5gj1kqlbRp9W OwoQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=x-gm-message-state:from:message-id:mime-version:subject:date :in-reply-to:cc:to:references; bh=pEbubMC4wL7A6dK8dkYDfrTechrTo4k86vcaYqWRIBU=; b=pf0CszzOenEfaSQKRh3mPFdkwbEXTazDYEHsx2XfTqHzf3F6DeFzMZ8HDIdeQfaR1B be6+1bBDKYfPDb1LClTeXLugsUBcbtmjVubzE3+bOvaVh6SihGz2nCz6k+UGpOJHEY0t UJ5jBfQSATFCiAyDCUlmlYgXtMjrhIYLk1haBXVlE/+n3GAgQ8dOVSQ5syfJhYHxuWyG EoJG3NK+Ym4HeYys39/Hbr9NjUcWqXP1+vlAeYqyUpE8ICNgc11WfDZe8xZianfoR+Nk mC1oWA2KLMDALKXAjeyiuui6XBqRmNlkk+ZnMCKp7sEsRr8LXQHF1te2SCRYFSFJclEP 6JkA==
X-Gm-Message-State: AHYfb5iFGJZmxqvY3kXd6khTesJHDEXd7JsVg4WFF7pPuZlGTaYB/izp UHl3GbgluYY6IG27at1AlQ==
X-Received: by with SMTP id k200mr827970lfe.132.1501775402759; Thu, 03 Aug 2017 08:50:02 -0700 (PDT)
Received: from [] ([]) by with ESMTPSA id h11sm458122ljb.55.2017. (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Thu, 03 Aug 2017 08:50:02 -0700 (PDT)
From: John Bradley <>
Message-Id: <>
Mime-Version: 1.0 (Mac OS X Mail 10.3 \(3273\))
Date: Thu, 3 Aug 2017 11:49:52 -0400
In-Reply-To: <>
Cc: Vladimir Dzhuvinov <>, Tokbind WG <>
To: Bill Cox <>
References: <> <> <> <>
X-Mailer: Apple Mail (2.3273)
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg=sha-256; boundary="001a11403c44701a520555db5517"
Archived-At: <>
Subject: Re: [Unbearable] Fwd: I-D Action: draft-ietf-tokbind-ttrp-01.txt
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "\"This list is for discussion of proposals for doing better than bearer tokens \(e.g. HTTP cookies, OAuth tokens etc.\) for web applications. The specific goal is chartering a WG focused on preventing security token export and replay attacks.\"" <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Thu, 03 Aug 2017 15:50:07 -0000

I think the main concern is sanitizing the Referred-Token-Binding-ID and Sec-Provided-Token-Binding-ID headers rather than the original Sec-Token-Binding header.

The concern is if the TTP is not properly configured an attacker could send the 
Referred-Token-Binding-ID and Sec-Provided-Token-Binding-ID headers directly to bypass security.

At the F2F a number of suggestions were made around how to prevent/detect misconfiguration of one of a set of TTP that is not configured to sanitize those headders.

John B

> On Aug 3, 2017, at 11:31 AM, Bill Cox <> wrote:
> On Thu, Aug 3, 2017 at 6:32 AM, Vladimir Dzhuvinov < <>> wrote:
> The downside of having set header names is that attacks on badly configured TLS proxies become much easier to carry out. This is my concern about the TTRP spec in this form.
> Thanks,
> Vladimir
> I think most coders adding the standard header will the RFC, and will be more likely to remember to scrub the header.
> One question about the spec: Why must the "sec-token-binding" header be removed?  I did that originally in an implementation, and was asked to stop "molesting the headers".
> Bill
> _______________________________________________
> Unbearable mailing list