Re: [Unbearable] tokbind - New Meeting Session Request for IETF 102

Brian Campbell <bcampbell@pingidentity.com> Thu, 07 June 2018 19:09 UTC

Return-Path: <bcampbell@pingidentity.com>
X-Original-To: unbearable@ietfa.amsl.com
Delivered-To: unbearable@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0D7FF131158 for <unbearable@ietfa.amsl.com>; Thu, 7 Jun 2018 12:09:32 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.71
X-Spam-Level:
X-Spam-Status: No, score=-0.71 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, HTTPS_HTTP_MISMATCH=1.989, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=pingidentity.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id I9tjSqyF_RCA for <unbearable@ietfa.amsl.com>; Thu, 7 Jun 2018 12:09:24 -0700 (PDT)
Received: from mail-it0-x230.google.com (mail-it0-x230.google.com [IPv6:2607:f8b0:4001:c0b::230]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 995DD130FCB for <unbearable@ietf.org>; Thu, 7 Jun 2018 12:09:24 -0700 (PDT)
Received: by mail-it0-x230.google.com with SMTP id j186-v6so13997213ita.5 for <unbearable@ietf.org>; Thu, 07 Jun 2018 12:09:24 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=pingidentity.com; s=gmail; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=IV3kopxHp3DunCf+br6osShF3LOg63udpSyaRx0Uds0=; b=L/Ubq6Pa1X6J+Fp5t7krj7R4MsnO2kfpV6G0AXuPFelyN3YbP2c41vJxyFK/kEo5eM moUF8TLK8/aQV2E17cwmwPUf4n8/Et90qrMfBDeB8gZBatuuEey+Y9Lxs4aU4C335mLP Wv8VkYoTtKh7MtkISqMD7YbQy0W1A0ZkQuZyI=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=IV3kopxHp3DunCf+br6osShF3LOg63udpSyaRx0Uds0=; b=SfxjCt3O8fm11kiqEHvrU9EGum9KlOzi2uCddr31grw1DRemrtlNeMbD2SohtNTO7S LRdsTiG43Y2nb2Ef1Z0a9PzhMAGXAj4hhtwVzjh0oSz3sVeeFgiSN+QKAQUbgwb4BJpc +946lws6AqbkmXcRp3QxRASJFAjJ9cA5c7n/OOZ3Bz1RG8Ld0Ad8jT6898HzevuJiSCX xfNu9j7yELsydh2LnhUttdFIRl7tFXlHg3Kc09X1txPn7hjwPrJgf1Lc+q/Se+iRyTQ4 HvQJMOg39M56eQm93lLs0O3WjRGNltnLvtk0cM1cFaPxY4Yqt1HldKzp2nETvrsb8OWW mM9g==
X-Gm-Message-State: APt69E1UGr7ZwcsDbNEbIBTNlFWbIsspZ97eCcipE2GXkCMAEenxamfh m9Ly+QGnjH91g5ZWHkeUqMVZzQIjga20AvQbeKvGuFjrd1H1/j0hjw8xFQ1tPIaLGKoDMSDNW8/ 02HtFJkiEchJObmkRXPYU
X-Google-Smtp-Source: ADUXVKJ6j1TXNuHu7M+Xv56dQFQVwyQ71zWaa+JjeEpae06Rg0mC6ZJA6HWKobV2h/v5x5yzaZsQPhV2UBHImzPep4c=
X-Received: by 2002:a24:641:: with SMTP id 62-v6mr2894206itv.89.1528398563583; Thu, 07 Jun 2018 12:09:23 -0700 (PDT)
MIME-Version: 1.0
Received: by 2002:a02:144a:0:0:0:0:0 with HTTP; Thu, 7 Jun 2018 12:08:52 -0700 (PDT)
In-Reply-To: <DM5PR21MB050756924C75D2A4CB31826C8C650@DM5PR21MB0507.namprd21.prod.outlook.com>
References: <152774743559.22620.13488651600482711493.idtracker@ietfa.amsl.com> <5ab325d2-4227-5ef0-747b-94a556f0acb5@mnt.se> <CA+k3eCSwmO=6gYKg=LBH5KxYgzwuobJRMrKiCiP4kuvVO3wJhQ@mail.gmail.com> <c8f83d1a-ca5a-a7b1-aefd-a86944bb58e5@mnt.se> <CA+k3eCQkwKbAgDB7Wd7Dt0ztdccnU6kkvEQkFcQzZr3+SGm37w@mail.gmail.com> <DM5PR21MB050756924C75D2A4CB31826C8C650@DM5PR21MB0507.namprd21.prod.outlook.com>
From: Brian Campbell <bcampbell@pingidentity.com>
Date: Thu, 7 Jun 2018 13:08:52 -0600
Message-ID: <CA+k3eCS-vU_cCqgJ-fkoDyyvkqHgJp8yd_c7vLWJJa=Xw_hmOQ@mail.gmail.com>
To: Andrei Popov <Andrei.Popov=40microsoft.com@dmarc.ietf.org>
Cc: Leif Johansson <leifj@mnt.se>, IETF Tokbind WG <unbearable@ietf.org>
Content-Type: multipart/alternative; boundary="0000000000007548cb056e1205a8"
Archived-At: <https://mailarchive.ietf.org/arch/msg/unbearable/qi8pVq22TzQWv70rMXq77VTArII>
Subject: Re: [Unbearable] tokbind - New Meeting Session Request for IETF 102
X-BeenThere: unbearable@ietf.org
X-Mailman-Version: 2.1.26
Precedence: list
List-Id: "\"This list is for discussion of proposals for doing better than bearer tokens \(e.g. HTTP cookies, OAuth tokens etc.\) for web applications. The specific goal is chartering a WG focused on preventing security token export and replay attacks.\"" <unbearable.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/unbearable>, <mailto:unbearable-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/unbearable/>
List-Post: <mailto:unbearable@ietf.org>
List-Help: <mailto:unbearable-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/unbearable>, <mailto:unbearable-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 07 Jun 2018 19:09:32 -0000

Thanks for the review, Andrei.

I'll incorporate the editorial suggestions.

The design choice of having distinct Sec-Provided and Sec-Referred headers
was intentional and aimed at making the most common cases simple at the
application layer dealing with HTTP. The vast majority of the time there's
going to be only the Provided and a single header that carries that value
unadorned makes accessing that very straightforward.  Referred is the other
defined type with defined usage in HTTPSTB so TTRP has Sec-Referred for
that. Then there are 254 other undefined types and there was a request from
the WG (or a portion thereof) to allow for them somehow. A separate header
for every one of them seemed prohibitive to say the least. That's where the
Sec-Other catch-all comes from. There are trade-offs any design choice and
this is a bit of a hybrid but I feel it strikes a good balance of
simplicity for the common defined cases while still accommodating others.
Gauging WG consensus isn't particularity easy in this WG at this stage but
in my mind consensus is there. This would, of course, be a good time for
the WG to speak up to indicate otherwise, if that's not the case.

Nothing is future proof. TTRP is intended to facilitate deployments of
HTTPSTB. HTTPSTB isn't future proof or versioned and would need to change
to allow for more than one referred TB ID. Saying TTRP will work only with
a specific version may or may not prove true. And passing along the
negotiated TB protocol version may or may not accommodate future changes.
Future TB protocol versions may or may not even happen.

The single HTTP header field-valued text was largely put in there with the
hope/expectation that it would ease the registration process (after Jeff
suggested something similar for the Sec-Token-Binding header, IIRC). But
also because it was inline with the "exactly one" restriction in HTTPSTB.
But that text could easily be removed, I think.



On Wed, Jun 6, 2018 at 12:51 PM, Andrei Popov <
Andrei.Popov=40microsoft.com@dmarc.ietf.org> wrote:

> The document is well-written and clear, overall. I have a few editorial
> comments and some design comments:
>
>
>
>   “Token Binding over HTTP [I-D.ietf-tokbind-https] provides a mechanism
>
>    that enables HTTP servers to cryptographically bind cookies and other
>
>    security tokens to a key held by the browser or other HTTP client,
>
>    possession of which is proven on the TLS [RFC5246] connections over
>
>    which the tokens are used.”
>
>
>
> Editorial suggestion: “…to a key generated by the client.” Whether the
> browser, HTTP client, or underlying platform hold the TB key is
> implementation-specific and probably unnecessary detail here. Proof of
> possession is discussed in the next sentence.
>
>
>
>   “The usage of the headers, both the reverse proxy adding _*it*_ and the
>
>    application server using _*them*_ to bind cookies or other tokens, are
> to
>
>    be configuration options of the respective systems as they will not
>
>    always be applicable.”
>
>
>
> Editorial: this sentence confuses me, esp. around “it” and “them”; perhaps
> it’s possible to simplify.
>
>
>
> Section 2.2: Having three separate headers: Sec-Provided, Sec-Referred and
> Sec-Other catch-all would not be my design choice. I’d suggest either one
> header with a list of all TB IDs, or a separate header for each TB ID. Of
> course, if WG consensus exists on the current design, then that’s what it
> is.
>
>
>
>    “Both "Sec-Provided-Token-Binding-ID" and "Sec-Referred-Token-Binding-
>
>    ID" are single HTTP header field-valued…”
>
>
>
> Somewhat related to the previous comment: this seems to be saying that
> there cannot be more than one referred TB ID, which is fine now, but not
> necessarily future proof.
>
> TTRP seems to not be versioned; if, say, TB 2.0 uses multiple referred
> bindings per request, will we need TTRP 2.0 with all new headers?
>
>
>
> It seems that TTRP needs to be either TB version-specific, i.e. explicitly
> say “this is for TB 1.0 only, and future TB versions will require new TTRP
> specs”, or be designed as a pipeline, passing whatever bindings the proxy
> was able to verify, possibly along with the negotiated TB protocol version.
>
>
>
> Security and IANA considerations look good to me.
>
>
>
> Cheers,
>
>
>
> Andrei
>
>
>
> *From:* Unbearable <unbearable-bounces@ietf.org> *On Behalf Of *Brian
> Campbell
> *Sent:* Friday, June 1, 2018 9:07 AM
> *To:* Leif Johansson <leifj@mnt.se>
> *Cc:* IETF Tokbind WG <unbearable@ietf.org>
> *Subject:* Re: [Unbearable] tokbind - New Meeting Session Request for
> IETF 102
>
>
>
> It's pretty short! https://tools.ietf.org/html/draft-ietf-tokbind-ttrp-03
> <https://na01.safelinks.protection.outlook.com/?url=https%3A%2F%2Ftools.ietf.org%2Fhtml%2Fdraft-ietf-tokbind-ttrp-03&data=02%7C01%7CAndrei.Popov%40microsoft.com%7Cbe9b45e5942241330d0908d5c7d9bbd2%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C636634660334123449&sdata=mfl4DReC846OoQSdyJvXQ0UjMYY9zeT8Hnp2jbXviis%3D&reserved=0>
>
>
>
> On Fri, Jun 1, 2018 at 8:32 AM, Leif Johansson <leifj@mnt.se> wrote:
>
>
>
> On 2018-06-01 00:49, Brian Campbell wrote:
> > I'd like to request some agenda time to cover the TTRP draft, which will
> > likely consist of an overview and status update (with some gratuitous
> > photos of recent IETF meeting locations) and a plea to move towards
> > WGLC. Thanks!
>
> In order to facilitate that... could we get some folks to review
> the TTRP draft before 102?
>
> Maybe... please... ??
>
>         Cheers Leif
>
>
>
>
> *CONFIDENTIALITY NOTICE: This email may contain confidential and
> privileged material for the sole use of the intended recipient(s). Any
> review, use, distribution or disclosure by others is strictly prohibited..
> If you have received this communication in error, please notify the sender
> immediately by e-mail and delete the message and any file attachments from
> your computer. Thank you.*
>

-- 
_CONFIDENTIALITY NOTICE: This email may contain confidential and privileged 
material for the sole use of the intended recipient(s). Any review, use, 
distribution or disclosure by others is strictly prohibited.  If you have 
received this communication in error, please notify the sender immediately 
by e-mail and delete the message and any file attachments from your 
computer. Thank you._