[Unbearable] SECDIR early review of draft-ietf-tokbind-tls13-00

Stephen Kent <stkent@verizon.net> Thu, 22 March 2018 15:01 UTC

Return-Path: <stkent@verizon.net>
X-Original-To: unbearable@ietfa.amsl.com
Delivered-To: unbearable@ietfa.amsl.com
Received: from localhost (localhost []) by ietfa.amsl.com (Postfix) with ESMTP id 6113012D88D for <unbearable@ietfa.amsl.com>; Thu, 22 Mar 2018 08:01:00 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H2=-0.001, SPF_PASS=-0.001] autolearn=unavailable autolearn_force=no
Received: from mail.ietf.org ([]) by localhost (ietfa.amsl.com []) (amavisd-new, port 10024) with ESMTP id s2wyFQyW8fS9 for <unbearable@ietfa.amsl.com>; Thu, 22 Mar 2018 08:00:58 -0700 (PDT)
Received: from omr-m001e.mx.aol.com (omr-m001e.mx.aol.com []) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id BEDB712D88A for <unbearable@ietf.org>; Thu, 22 Mar 2018 08:00:57 -0700 (PDT)
Received: from mtaout-maa01.mx.aol.com (mtaout-maa01.mx.aol.com []) by omr-m001e.mx.aol.com (Outbound Mail Relay) with ESMTP id 9FCA338000B9; Thu, 22 Mar 2018 11:00:56 -0400 (EDT)
Received: from iMac-Study.fios-router.home (0x694d61632d53747564792e66696f732d726f757465722e686f6d65 []) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mtaout-maa01.mx.aol.com (MUA/Third Party Client Interface) with ESMTPSA id 21D1A38000086; Thu, 22 Mar 2018 11:00:56 -0400 (EDT)
To: secdir@ietf.org, nharper@google.com, leifj@sunet.se, uta@ietf.org, unbearable@ietf.org, Eric Rescorla <ekr@rtfm.com>
From: Stephen Kent <stkent@verizon.net>
Message-ID: <7e489950-5f18-9ea8-5c49-d8e175a5606f@verizon.net>
Date: Thu, 22 Mar 2018 11:00:55 -0400
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.13; rv:52.0) Gecko/20100101 Thunderbird/52.6.0
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="------------68289448CC69AA43AF0D7243"
Content-Language: en-US
x-aol-global-disposition: G
x-aol-sid: 3039ac1ade8d5ab3c5283f81
Archived-At: <https://mailarchive.ietf.org/arch/msg/unbearable/smeH2hb8zaFfBa6IoBDX5Jss5tg>
Subject: [Unbearable] SECDIR early review of draft-ietf-tokbind-tls13-00
X-BeenThere: unbearable@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "\"This list is for discussion of proposals for doing better than bearer tokens \(e.g. HTTP cookies, OAuth tokens etc.\) for web applications. The specific goal is chartering a WG focused on preventing security token export and replay attacks.\"" <unbearable.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/unbearable>, <mailto:unbearable-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/unbearable/>
List-Post: <mailto:unbearable@ietf.org>
List-Help: <mailto:unbearable-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/unbearable>, <mailto:unbearable-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 22 Mar 2018 15:01:00 -0000

SECDIR *early* review of draft-ietf-tokbind-tls13-00

I have reviewed this document as part of the security directorate's 
ongoing effort to review all IETF documents being processed by the 
IESG.These comments were written with the intent of improving security 
requirements and considerations in IETF drafts.Comments not addressed in 
last call may be included in AD reviews during the IESG review.Document 
editors and WG chairs should treat these comments just like any other 
last call comments.

This (very brief) document defines how to negotiate Token Binding for 
TLS v1.3. Existing IETF documents (IDs) define this protocol and how to 
negotiate it capability only for earlier versions of TLS.

The first question that comes to mind is why there is a need for a new 
ID, instead of adding text to draft-ietf-tokbind-negotiation-10. I 
realize that draft-ietf-tokbind-negotiation-10 is in last call, but the 
text here is so small that it seems overkill to create a separate RFC. 
I’m guessing that the argument is that this document references TLS 1.3, 
which is not yet an RFC, and thus the author is trying to avoid creating 
a down reference problem with draft-ietf-tokbind-negotiation-10. Right?

Section 2 notes that the format of the extension is the same as defined 
in draft-ietf-tokbind-negotiation-10, so nothing new there. The section 
cites two differences from the behavior in 
draft-ietf-tokbind-negotiation-10, which are described in just two 
sentences. Section 3 adds one paragraph to deal with 0-RTT, a TLS 1.3 
feature not present in earlier versions.Section 4 is non-normative, but, 
presumably useful. The security concerns are asserted to be the same as 
for draft-ietf-tokbind-negotiation-10, plus a sentence discussing why 
the 0-RTT exclusion avoids other potential security concerns.

So, if folks don’t want to delay publication of 
draft-ietf-tokbind-negotiation-10, I guess this is OK as a separate 
document, updating that RFC.