Re: [Unbearable] on not listing 'Sec-Token-Binding' in the Connection header field?
Andrei Popov <Andrei.Popov@microsoft.com> Thu, 09 February 2017 18:25 UTC
From: Andrei Popov <Andrei.Popov@microsoft.com>
To: Brian Campbell <bcampbell@pingidentity.com>, =JeffH <Jeff.Hodges@kingsmountain.com>
Date: Thu, 09 Feb 2017 18:25:40 +0000
Message-ID: <CY1PR0301MB084223E0274288D9B330D16D8C450@CY1PR0301MB0842.namprd03.prod.outlook.com>
References: <074faef6-b425-17f8-ac05-223834a2cc0b@KingsMountain.com> <CA+k3eCSwvcKyN6t+9cTLSAJu9+5Uz27Db5NW_zy9W7Bx71gG4Q@mail.gmail.com>
In-Reply-To: <CA+k3eCSwvcKyN6t+9cTLSAJu9+5Uz27Db5NW_zy9W7Bx71gG4Q@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/unbearable/xeybTz1dzUEtZ7nfg2_3c3qHDRg>
Cc: IETF TokBind WG <unbearable@ietf.org>
Subject: Re: [Unbearable] on not listing 'Sec-Token-Binding' in the Connection header field?
Exactly, I agree with Brian. The proxy/terminator is better positioned to know how/where TB headers are handled in a particular datacenter. And a proxy/terminator that knows nothing about TB headers should forward them on.

From: Unbearable [mailto:unbearable-bounces@ietf.org] On Behalf Of Brian Campbell
Sent: Thursday, February 9, 2017 8:38 AM
To: =JeffH <Jeff.Hodges@kingsmountain.com>
Cc: IETF TokBind WG <unbearable@ietf.org>
Subject: Re: [Unbearable] on not listing 'Sec-Token-Binding' in the Connection header field?

On Thu, Feb 9, 2017 at 9:55 AM, =JeffH <Jeff.Hodges@kingsmountain.com> wrote:

> I agree with this for security considerations reasons -- we want the Sec-Token-Binding header to be hop-by-hop in sync with the underlying TLS connection and not be "leaked" downstream unless it is a conscious decision, e.g., in the tls terminating reverse proxy (TTRP) case.

But the client is only making a connection to a server and client does not know whether it makes sense for that server to forward or not. And it shouldn't know that. Sec-Token-Binding shouldn't be listed in Connection header field by a client.
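The difference the thread is arguing about can be made concrete by modelling the two kinds of intermediary. The following is an added example written for this page; it is not code from the Token Binding drafts or from any participant. The generic handling follows RFC 7230 section 6.1 (an intermediary drops the Connection field and every field it names before forwarding). The TTRP behaviour, the `validate` stand-in, the constructed header values and the internal `X-Example-Token-Binding-ID` header are assumptions for illustration only.

```python
"""Model of what HTTP intermediaries do with Sec-Token-Binding depending
on whether a client lists it in the Connection header field.

Added example, not code from the Token Binding drafts or any participant.
Generic Connection handling follows RFC 7230 section 6.1.  The TTRP
behaviour, validate() and the internal header name are assumptions.
"""


def connection_options(headers):
    """Lower-cased set of field names listed in any Connection header."""
    options = set()
    for name, value in headers:
        if name.lower() == "connection":
            for token in value.split(","):
                token = token.strip().lower()
                if token:
                    options.add(token)
    return options


def tb_unaware_proxy(headers):
    """An intermediary that knows nothing about Token Binding.

    It applies RFC 7230 section 6.1 mechanically: Connection itself and
    every field it names are hop-by-hop and are not forwarded; everything
    else, Sec-Token-Binding included, is passed on untouched.
    """
    hop_by_hop = connection_options(headers) | {"connection"}
    return [(n, v) for n, v in headers if n.lower() not in hop_by_hop]


def tb_aware_ttrp(headers, validate):
    """A TLS-terminating reverse proxy that understands Token Binding.

    It consumes Sec-Token-Binding at the hop where the TLS connection it
    is bound to actually ends, and consciously does not forward it.
    `validate` stands in for the real check of the TokenBindingMessage
    against this connection's exported keying material; the internal
    header carrying the result is an assumed, example-only name.
    """
    out = []
    for name, value in headers:
        if name.lower() == "sec-token-binding":
            tb_id = validate(value)
            if tb_id is not None:
                out.append(("X-Example-Token-Binding-ID", tb_id))
            continue  # the raw header never crosses the TLS boundary
        out.append((name, value))
    return tb_unaware_proxy(out)  # then the ordinary hop-by-hop cleanup


# Constructed sample request; the Sec-Token-Binding value is a placeholder,
# not a real base64url-encoded TokenBindingMessage.
TB_VALUE = "CONSTRUCTED-TOKEN-BINDING-MESSAGE"


def client_request(list_in_connection):
    headers = [
        ("Host", "example.com"),
        ("Sec-Token-Binding", TB_VALUE),
        ("Cookie", "session=constructed"),
    ]
    if list_in_connection:
        headers.append(("Connection", "Sec-Token-Binding"))
    return headers


def has_header(headers, name):
    return any(n.lower() == name.lower() for n, _ in headers)


def example_validate(value):
    """Stand-in validator: accepts only the constructed placeholder."""
    return "tbid-constructed" if value == TB_VALUE else None


if __name__ == "__main__":
    for listed in (False, True):
        req = client_request(listed)
        print("client lists Sec-Token-Binding in Connection:", listed)
        print("  TB-unaware hop forwards the header:",
              has_header(tb_unaware_proxy(req), "Sec-Token-Binding"))
        # A TB-aware element sitting behind that unaware hop.
        fwd = tb_aware_ttrp(tb_unaware_proxy(req), example_validate)
        print("  TB-aware element behind it still gets a binding ID:",
              has_header(fwd, "X-Example-Token-Binding-ID"))
```

Run directly, the script walks both client choices: when the header is not listed in Connection, the TB-unaware hop forwards it and the TB-aware element downstream can still consume it and decide what to pass on; when the client lists it, the first unaware hop discards it before anything that could check it sees it. That is the topology knowledge the client does not have, which is why the decision belongs to the proxy or terminator.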