Re: [Unbearable] I-D Action: draft-ietf-tokbind-tls13-0rtt-02.txt

Leif Johansson <> Thu, 29 June 2017 09:05 UTC

To: Benjamin Kaduk <>, Nick Harper <>
Cc: IETF Tokbind WG <>,

On 2017-06-29 04:48, Benjamin Kaduk wrote:
> On Wed, Jun 28, 2017 at 03:25:13PM -0700, Nick Harper wrote:
>> Here's a summary of the changes since the last draft:
>> - If TB is accepted in 0-RTT data, keep using the early exporter for
>> the whole connection. There was some discussion on this in Chicago,
>> with more on the mailing list. Chairs, can you confirm whether we
>> reached consensus on the mailing list or whether we should take a hum
>> in Prague?
> I am a WG chair, but not a tokbind chair, but that question does not
> seem to make sense.  Consensus must be reached (or confirmed) on the
> mailing list, so deciding there wasn't enough feedback on the list and
> going to an in-room hum seems backwards, procedurally.

Judging consensus is sometimes tricky. I think what Nick meant was that
we may want to do a hum in Prague /in addition to/ seeking confirmation
on the list.

>> - 0-RTT TB cannot be used with externally provisioned PSKs or with a
>> PSK-only key exchange mode
>> - A new TLS extension is used for negotiating and indicating use of 0-RTT TB
>> - The replay indication TLS extension has been removed
> Some discussion on the httpbis list brought up that this document should
> mandate that 0-RTT token binding is only used in conjunction with
> a TLS stack that provides strong anti-replay protections (i.e., zero
> additional replays possible and one retransmission via DKG attack).  In other
> words, the time-based scheme of (draft-02) section 6.4 should be removed,
> and perhaps 6.3.1 reworded somewhat.
> (It also brought up multiple people's sentiments that 0-RTT token binding
> is a bad idea in general, but this may not be procedurally the right time
> to have that discussion.)
> -Ben
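
The contrast in the quoted point about a time-based scheme versus strong anti-replay, as an added example that is not part of this message or of the draft: a freshness-only gate accepts a captured 0-RTT flight again inside its window, while a gate that also records each PSK binder accepts it once. The class names, the 10-second window, the single-server register and the sample binder are assumptions, and `client_time` stands in for the server's estimate of when the ClientHello was sent.

```python
import hashlib

WINDOW_SECONDS = 10  # assumed freshness window, not a value taken from the draft


class TimeOnlyGate:
    """Time-based scheme: accept early data whenever the ClientHello looks fresh."""

    def accept(self, binder: bytes, client_time: float, now: float) -> bool:
        return abs(now - client_time) <= WINDOW_SECONDS


class StrikeRegisterGate:
    """Freshness check plus a record of every binder accepted inside the window."""

    def __init__(self) -> None:
        self._seen = {}  # sha256(binder) -> time after which freshness rejects it

    def accept(self, binder: bytes, client_time: float, now: float) -> bool:
        if abs(now - client_time) > WINDOW_SECONDS:
            return False  # outside the window the register covers: fall back to 1-RTT
        # Drop entries that the freshness check alone would already reject.
        self._seen = {k: exp for k, exp in self._seen.items() if exp >= now}
        key = hashlib.sha256(binder).digest()
        if key in self._seen:
            return False  # same ClientHello seen before: replay
        self._seen[key] = client_time + WINDOW_SECONDS
        return True


def replay_outcomes(gate) -> list:
    """Feed one constructed ClientHello to the gate three times."""
    binder = b"constructed-psk-binder-01"  # sample value, constructed for this example
    sent_at = 100.0
    arrivals = [100.0, 103.0, 120.0]  # original, replay in window, replay after window
    return [gate.accept(binder, sent_at, now) for now in arrivals]


if __name__ == "__main__":
    print("time-only      :", replay_outcomes(TimeOnlyGate()))
    print("strike register:", replay_outcomes(StrikeRegisterGate()))
```
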