Re: [Unbearable] Ben Campbell's Yes on draft-ietf-tokbind-negotiation-12: (with COMMENT)

Ben Campbell <ben@nostrum.com> Thu, 10 May 2018 22:23 UTC

From: Ben Campbell <ben@nostrum.com>
Date: Thu, 10 May 2018 17:23:24 -0500
Cc: Eric Rescorla <ekr@rtfm.com>, The IESG <iesg@ietf.org>, John Bradley <ve7jtb@ve7jtb.com>, "draft-ietf-tokbind-negotiation@ietf.org" <draft-ietf-tokbind-negotiation@ietf.org>, IETF Tokbind WG <unbearable@ietf.org>, "tokbind-chairs@ietf.org" <tokbind-chairs@ietf.org>
To: Andrei Popov <Andrei.Popov@microsoft.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/unbearable/owcponRM5reVZA5k99vlOQGVIzk>
Subject: Re: [Unbearable] Ben Campbell's Yes on draft-ietf-tokbind-negotiation-12: (with COMMENT)

> On May 10, 2018, at 12:21 AM, Andrei Popov <Andrei.Popov@microsoft.com> wrote:
> 
>> Just to make sure I understand: If the client selects version N (ignoring the (major, minor) format for a minute), the server might respond with N-1. If the client doesn't like N-1, it aborts and optionally tries again with the highest version it supports that is lower than N-1? Or should it just give up on TB?
> 
> Nothing in the document prevents the client from re-trying in this fashion, but the prototype clients I've seen (Web browsers) proceed without TB in this situation.
> 
> Here's what the spec says about handling TB negotiation failures:
>   "Client and server applications can choose to handle failure to
>   negotiate Token Binding in a variety of ways, e.g.: continue using
>   the connection as usual, shorten the lifetime of tokens issued during
>   this connection, require stronger authentication, terminate the
>   connection, etc."
> 

I note that text does _not_ include "retry the negotiation with a different version number". I guess if you plan to do that, you haven't actually failed yet?


> -----Original Message-----
> From: Ben Campbell <ben@nostrum.com>
> Sent: Wednesday, May 9, 2018 9:40 PM
> To: Eric Rescorla <ekr@rtfm.com>
> Cc: The IESG <iesg@ietf.org>; John Bradley <ve7jtb@ve7jtb.com>; draft-ietf-tokbind-negotiation@ietf.org; IETF Tokbind WG <unbearable@ietf.org>; tokbind-chairs@ietf.org
> Subject: Re: Ben Campbell's Yes on draft-ietf-tokbind-negotiation-12: (with COMMENT)
> 
> 
> 
>> On May 9, 2018, at 4:05 PM, Eric Rescorla <ekr@rtfm.com> wrote:
>> 
>> 
>> 
>> On Wed, May 9, 2018 at 1:05 PM, Ben Campbell <ben@nostrum.com> wrote:
>> Ben Campbell has entered the following ballot position for
>> draft-ietf-tokbind-negotiation-12: Yes
>> 
>> When responding, please keep the subject line intact and reply to all
>> email addresses included in the To and CC lines. (Feel free to cut
>> this introductory paragraph, however.)
>> 
>> 
>> Please refer to
>> https://www.ietf.org/iesg/statement/discuss-criteria.html
>> for more information about IESG DISCUSS and COMMENT positions.
>> 
>> 
>> The document, along with other ballot positions, can be found here:
>> https://datatracker.ietf.org/doc/draft-ietf-tokbind-negotiation/
>> 
>> 
>> 
>> ----------------------------------------------------------------------
>> COMMENT:
>> ----------------------------------------------------------------------
>> 
>> Thanks for this document. I am balloting "yes", but have a few comments:
>> 
>> - I support Alexey's DISCUSS. Additionally, do I understand the
>> version negotiation to require the client to support all previous
>> version from the one it initially advertises? If so, how would you
>> deprecate a version at some time in the future?
>> 
>> You can't do it in the CH. The assumption is that the server will pick
>> the highest common version in the SH and if you don't support that, you abort.
> 
> Just to make sure I understand: If the client selects version N (ignoring the (major, minor) format for a minute), the server might respond with N-1. If the client doesn't like N-1, it aborts and optionally tries again with the highest version it supports that is lower than N-1? Or should it just give up on TB?
> 
> Thanks,
> 
> Ben.
>
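As an added illustration (not code from the draft or from any participant in the thread), here is a small Python model of the version negotiation as the thread describes it: the client advertises only its highest (major, minor) version, the server answers with the highest version it supports that is not above the offer, and the client then has to check whether it actually implements the server's choice. The `retry` flag models the "try again with a lower version" behaviour the thread says the document neither requires nor forbids; the version numbers and supported sets are constructed for the example.

```python
# Constructed model of Token Binding version negotiation (not the draft's code).
# Versions are (major, minor) tuples, so Python's tuple ordering gives the
# "higher/lower" comparison the thread talks about.
from typing import List, Optional, Sequence, Tuple

Version = Tuple[int, int]


def server_select(client_max: Version, server_supported: Sequence[Version]) -> Optional[Version]:
    """Server side: pick the highest version it supports that is <= the client's offer."""
    candidates = [v for v in server_supported if v <= client_max]
    return max(candidates) if candidates else None


def client_accept(chosen: Optional[Version], client_supported: Sequence[Version]) -> bool:
    """Client side: the offer carried only the maximum, so the server may pick a
    version the client dropped (e.g. a deprecated one); it must be checked."""
    return chosen is not None and chosen in client_supported


def negotiate(client_supported: Sequence[Version], server_supported: Sequence[Version],
              retry: bool = False):
    """Return ("tb", version, attempts) on success or ("no_tb", None, attempts).

    retry=False: give up on Token Binding after one failed attempt (what the
    thread says prototype browsers do).  retry=True: re-offer the highest
    version the client supports that is below the server's answer.
    """
    offer = max(client_supported)
    attempts: List[Tuple[Version, Optional[Version]]] = []
    while True:
        chosen = server_select(offer, server_supported)
        attempts.append((offer, chosen))
        if client_accept(chosen, client_supported):
            return "tb", chosen, attempts
        if not retry or chosen is None:
            return "no_tb", None, attempts
        lower = [v for v in client_supported if v < chosen]
        if not lower:
            return "no_tb", None, attempts
        offer = max(lower)


if __name__ == "__main__":
    # Constructed scenario: the client has deprecated 0.11 and 0.12 but still
    # offers 0.13; the server's best common answer is 0.12, which the client
    # no longer implements.
    client, server = [(0, 10), (0, 13)], [(0, 10), (0, 12)]
    print(negotiate(client, server))              # ('no_tb', None, [((0, 13), (0, 12))])
    print(negotiate(client, server, retry=True))  # ('tb', (0, 10), [...])
```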