Re: [Unbearable] 0-RTT Token Binding: When to switch exporters?

Andrei Popov <Andrei.Popov@microsoft.com> Wed, 01 March 2017 01:31 UTC

From: Andrei Popov <Andrei.Popov@microsoft.com>
To: Nick Harper <nharper@google.com>
Date: Wed, 01 Mar 2017 01:31:34 +0000
Message-ID: <DM2PR21MB00914BA07BA984E931B88FEB8C290@DM2PR21MB0091.namprd21.prod.outlook.com>
In-Reply-To: <CACdeXiKuzNh0fP9b-jEF82m-6mX+i04To96GMa_tFNcuznGn+A@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/unbearable/tXzNx-smLRzi_p-bqTsAg9hA_zA>
Cc: IETF Tokbind WG <unbearable@ietf.org>
Subject: Re: [Unbearable] 0-RTT Token Binding: When to switch exporters?

> For HTTP, that option would mean a client resuming a connection and sending 0-RTT data can only send in 0-RTT data requests that have no cookies (or other potentially bound tokens), which is a very limited use case.

Agreed, this is indeed a limited use case. But so is 0-RTT application data, if one attempts to use it securely.
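As an added illustration, not part of the thread, the following models the option quoted above on the client side: a resumed connection offers as 0-RTT data only requests that carry no cookies or other potentially Token-Bound headers (and, as is usual for replayable early data, only idempotent methods). The header list, method list and sample requests are assumptions made for the example.

```python
"""Client-side gate deciding which requests may be sent as 0-RTT early data.

Models the 'no bound tokens in 0-RTT' option from the thread. Everything
below (header names, method list, sample requests) is constructed for the
example and is not taken from any Token Binding implementation.
"""

# Headers whose values are bearer-style or may be Token-Bound (assumed list).
BOUND_TOKEN_HEADERS = frozenset({"cookie", "authorization", "sec-token-binding"})
# Methods considered safe to replay; anything else waits for the full handshake.
SAFE_METHODS = frozenset({"GET", "HEAD", "OPTIONS"})


def eligible_for_early_data(method, headers):
    """Return (ok, reason). ok is True only when the request carries no
    potentially bound token and uses a replay-safe method."""
    if method.upper() not in SAFE_METHODS:
        return False, "method %s is not safe to replay" % method
    for name in headers:
        if name.lower() in BOUND_TOKEN_HEADERS:
            return False, "header %s may carry a bound token" % name
    return True, "ok"


def split_requests(requests):
    """Partition (method, headers) pairs into those that may go in 0-RTT data
    and those that must be deferred until the 1-RTT handshake completes."""
    early, deferred = [], []
    for method, headers in requests:
        ok, _ = eligible_for_early_data(method, headers)
        (early if ok else deferred).append((method, headers))
    return early, deferred


# Constructed sample requests queued on a resumed connection.
SAMPLE_REQUESTS = [
    ("GET", {"Host": "example.test", "Accept": "*/*"}),
    ("GET", {"Host": "example.test", "Cookie": "sid=<placeholder>"}),
    ("POST", {"Host": "example.test"}),
    ("GET", {"Host": "example.test", "Sec-Token-Binding": "<placeholder>"}),
]

if __name__ == "__main__":
    early, deferred = split_requests(SAMPLE_REQUESTS)
    print("0-RTT:", early)
    print("deferred:", deferred)
```

Only the bare GET survives as early data; the other three are held back, which is the limited use case the reply refers to.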