Re: [Unbearable] Ben Campbell's Discuss on draft-ietf-tokbind-https-14: (with DISCUSS and COMMENT)
Dirk Balfanz <balfanz@google.com> Mon, 04 June 2018 20:27 UTC
Return-Path: <balfanz@google.com>
X-Original-To: unbearable@ietfa.amsl.com
Delivered-To: unbearable@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4CE11130DE6 for <unbearable@ietfa.amsl.com>; Mon, 4 Jun 2018 13:27:12 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -17.51
X-Spam-Level:
X-Spam-Status: No, score=-17.51 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, ENV_AND_HDR_SPF_MATCH=-0.5, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, T_DKIMWL_WL_MED=-0.01, USER_IN_DEF_DKIM_WL=-7.5, USER_IN_DEF_SPF_WL=-7.5] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=google.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id WLNT9VgiLQ9F for <unbearable@ietfa.amsl.com>; Mon, 4 Jun 2018 13:27:10 -0700 (PDT)
Received: from mail-wr0-x236.google.com (mail-wr0-x236.google.com [IPv6:2a00:1450:400c:c0c::236]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id BF51D130DC0 for <unbearable@ietf.org>; Mon, 4 Jun 2018 13:27:05 -0700 (PDT)
Received: by mail-wr0-x236.google.com with SMTP id w7-v6so33576902wrn.6 for <unbearable@ietf.org>; Mon, 04 Jun 2018 13:27:05 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=zdO3RtFASYHyQ7Q+HSD7IGZQlUAPjkkd7RorJfSGULE=; b=JLCpy1sHdF0MQ2Nury2sVW2gENI6b2qXW844YJ4AvJRWY2RukbB7NVu4vhb9oItADL pJwdMvAfV1B2OG2oqjafMu2232v397xKXQ4ST5E+J8Wnz77OZC6h2SMwI/3GQVj3/lTc Jl3ZFHLF4U3cIJNjcgEqrN3CouLXRpUfJnh6euUjr0paXjH7nYHaGmBWupNA6vwf7hzH +PQft6ydTvGbbKlwXCHbDRHfrYiWcIJHI3VEvqbZu2BevB+klgTYzpVJy59+pvQ2UhPK Y0Q+yh4ThIHbiRBkOfqBgBwovap5/O70davCDT/yfAOcYe8k1ur26RBQsXPe25DJGQRS Lk+g==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=zdO3RtFASYHyQ7Q+HSD7IGZQlUAPjkkd7RorJfSGULE=; b=ANwSbx2sikzYYU3U+q8Xes82hgqLcDuF8y4ON5Kj9l17AHYLqMNLqaOLP4Bj6rRKEY zCs5Rzt3KnKYpAuWl+chwWCEDTrlYSqm2DzN6VcQy2UAr19MARvWs+PYmkaPArP5CeiD tr5AkUVp1hvMiTbdPBDRWGiyr9KkRatJgW9hE3zkXTFOTmAYQxZ2H6UclqbanU4AHX73 0FX6AjzP+vd3CSa0fR3XFNu3SOlygPbbeyH47M2zWCayxlcUM90Ullh7i5N8ORbujUDB N+R9OBu0sEmT3khiSIaTf3ArfaYCFpCvobgVjCPhhNTztc2KV8qKMh8ji5fThCsICnx1 //iA==
X-Gm-Message-State: ALKqPwdZdutYENilOMmYiYyn6WoaPsTQm5u17vhu1shqRd2A/oKpQcnY FKPie4TVwBQ2CYTlBWpQ7/6nu8bEv9SqD1mxJ2CgxA==
X-Google-Smtp-Source: ADUXVKK+0mVsVr2FSPTD1yKIEuM/gyrALzIk/3wue7dUCtZHh++BGosDuUH2YNiu5lFceJ8Kjes0AZfezxWETh/BIzM=
X-Received: by 2002:adf:8e30:: with SMTP id n45-v6mr16316821wrb.27.1528144023518; Mon, 04 Jun 2018 13:27:03 -0700 (PDT)
MIME-Version: 1.0
References: <152589833077.4037.7403393365772291429.idtracker@ietfa.amsl.com>
In-Reply-To: <152589833077.4037.7403393365772291429.idtracker@ietfa.amsl.com>
From: Dirk Balfanz <balfanz@google.com>
Date: Mon, 04 Jun 2018 13:26:51 -0700
Message-ID: <CADHfa2Aj9_-X-rtPR7OU-_cEXC=MnHpv88O_HTmB0-Yd-X_LLA@mail.gmail.com>
To: ben@nostrum.com
Cc: The IESG <iesg@ietf.org>, draft-ietf-tokbind-https@ietf.org, John Bradley <ve7jtb@ve7jtb.com>, tokbind-chairs@ietf.org, Tokbind WG <unbearable@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000b08927056dd6c161"
Archived-At: <https://mailarchive.ietf.org/arch/msg/unbearable/qUqlJ_vLuJqlGhXNgOdAKhQr6xQ>
Subject: Re: [Unbearable] Ben Campbell's Discuss on draft-ietf-tokbind-https-14: (with DISCUSS and COMMENT)
X-BeenThere: unbearable@ietf.org
X-Mailman-Version: 2.1.26
Precedence: list
List-Id: "\"This list is for discussion of proposals for doing better than bearer tokens \(e.g. HTTP cookies, OAuth tokens etc.\) for web applications. The specific goal is chartering a WG focused on preventing security token export and replay attacks.\"" <unbearable.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/unbearable>, <mailto:unbearable-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/unbearable/>
List-Post: <mailto:unbearable@ietf.org>
List-Help: <mailto:unbearable-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/unbearable>, <mailto:unbearable-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 04 Jun 2018 20:27:13 -0000
Hi Ben, thanks for the feedback. Most of it is addressed in the new draft ( https://tools.ietf.org/html/draft-ietf-tokbind-https-16). See below (inline) for details. On Wed, May 9, 2018 at 1:38 PM Ben Campbell <ben@nostrum.com> wrote: > Ben Campbell has entered the following ballot position for > draft-ietf-tokbind-https-14: Discuss > > When responding, please keep the subject line intact and reply to all > email addresses included in the To and CC lines. (Feel free to cut this > introductory paragraph, however.) > > > Please refer to https://www.ietf.org/iesg/statement/discuss-criteria.html > for more information about IESG DISCUSS and COMMENT positions. > > > The document, along with other ballot positions, can be found here: > https://datatracker.ietf.org/doc/draft-ietf-tokbind-https/ > > > > ---------------------------------------------------------------------- > DISCUSS: > ---------------------------------------------------------------------- > > I plan to ballot "YES", but I want to clear up once concern first: > > After reading section 6 several times, I don't know what it means. I think > it's [...] > Addressed in new draft. > > ---------------------------------------------------------------------- > COMMENT: > ---------------------------------------------------------------------- > > Substantive Comments: > > §1.1: Please consider using the boilerplate from 8174 across the cluster. > Both > this and the protocol draft have lower case keyword instances. > Addressed in new draft. > > §8.2: > - Does it really make sense to wait for a user to request the keys be > expired? > I suspect the average user does this about never. Did the working group > discuss > possibly making the keys default to expiring after some period of time? Yes, we did discuss it. This was chosen consciously to be in sync with cookies and their expirations / manual user-initiated purges. - Why > is the SHOULD in paragraph 2 not a MUST? > Addressed in new draft. > > Editorial Comments: > > §2: > - Paragraph 1: "The ABNF of the Sec-Token-Binding header field is (in > [RFC7230] > style, see also Section 8.3 of [RFC7231]):" The open parenthesis before > "in" > seems misplaced. Also, as written the comma after "style" creates a comma > splice. (Note that this pattern occurs elsewhere in the document.) > > - Paragraph 3: The paragraph is a single hard-to-parse sentence. Please > consider breaking into simpler sentences. > Addressed in new draft. > > - example: Am I correct to assume the backslashes are just for print > purposes > and are not in the actual message? If so, please mention that. > Addressed in new draft. > > § 2.1: > - first paragraph, "Within the latter context...": There was no former > context. > I suggest "Within that context..." Addressed in new draft. > - 2nd paragraph: The first sentence is hard > to parse. I suggest breaking it into separate paragraphs, or restructure > without the center-imbedding. Addressed in new draft. > - 2nd to last paragraph: Does "SHOULD generally" > mean the same as just "SHOULD"? > Addressed in new draft. > > §5.1: 2nd paragraph: Unneeded comma in "... itself, to another server..." > Addressed in new draft. > > §5.2, > - last bullet: " (between client and Token Consumer)" seems more than > parenthetical. Please consider removing the parentheses. Addressed in new draft. > - paragraph after last > bullet: The parenthetical phrase starting with "(proving possession...) is > quite long and makes the sentence hard to parse. Given that the concept is > covered in the immediately preceding paragraph, can it be removed? > Addressed in new draft. > > §7.1 and §7.2: These sections seem to be copied from (or restate > requirements > in) the protocol and negotiation drafts. Can they be included by reference > instead, or at least attributed? > Addressed in new draft. > > §7.2, 2nd paragraph: This seams like a restatement of §7.1. > Addressed in new draft. > §8.3: Unneeded comma in first sentence. > Addressed in new draft. Thanks again for the thoughtful comments! Dirk.
- Re: [Unbearable] Ben Campbell's Discuss on draft-… Eric Rescorla
- Re: [Unbearable] Ben Campbell's Discuss on draft-… Andrei Popov
- Re: [Unbearable] Ben Campbell's Discuss on draft-… John Bradley
- Re: [Unbearable] Ben Campbell's Discuss on draft-… John Bradley
- Re: [Unbearable] Ben Campbell's Discuss on draft-… Ben Campbell
- Re: [Unbearable] Ben Campbell's Discuss on draft-… Andrei Popov
- Re: [Unbearable] Ben Campbell's Discuss on draft-… Ben Campbell
- Re: [Unbearable] Ben Campbell's Discuss on draft-… Eric Rescorla
- [Unbearable] Ben Campbell's Discuss on draft-ietf… Ben Campbell
- Re: [Unbearable] Ben Campbell's Discuss on draft-… Dirk Balfanz