Re: [Unbearable] Artart telechat review of draft-ietf-tokbind-negotiation-12
"Matthew A. Miller" <linuxwolf+ietf@outer-planes.net> Tue, 08 May 2018 23:13 UTC
Sender: Matthew Miller <linuxwolf@outer-planes.net>
To: Andrei Popov <Andrei.Popov@microsoft.com>, "art@ietf.org" <art@ietf.org>
Cc: "unbearable@ietf.org" <unbearable@ietf.org>,
"draft-ietf-tokbind-negotiation.all@ietf.org"
<draft-ietf-tokbind-negotiation.all@ietf.org>, "ietf@ietf.org"
<ietf@ietf.org>
References: <152581170538.16247.326421324193541615@ietfa.amsl.com>
<DM5PR21MB05073538E86E74EE3373B6268C9A0@DM5PR21MB0507.namprd21.prod.outlook.com>
From: "Matthew A. Miller" <linuxwolf+ietf@outer-planes.net>
Message-ID: <e76c1d2a-6d90-e62b-341e-5af12c493a0f@outer-planes.net>
Date: Tue, 8 May 2018 17:13:03 -0600
Archived-At: <https://mailarchive.ietf.org/arch/msg/unbearable/zDUvtGbLVQ8bwDZCoODm11szdtI>
On 18/05/08 15:49, Andrei Popov wrote:
> Hi Matthew,
>
> Thanks for the review and feedback.
>
> The idea is that:
> - It is an error for the server to respond with a TB protocol version higher than the one advertised by the client. Since the client advertises its highest supported version, it makes no sense for the server to offer a higher version. If this happens, the client MUST terminate the TLS handshake.
> - On the other hand, the server is allowed to offer a lower TB protocol version; if the client happens to support this lower TB version, the connection proceeds with TB. Otherwise, the connection proceeds without TB.
>

Does that mean clients can never require TB, or that such a requirement is enforced somehow at the application layer, or something else?

From my experience, clients will do what clients will do -- with no guidance on what to do when the client really needs TB but the negotiated support leads to "no TB", there will be several ways clients will implement TB enforcement, which can lead to interoperability problems. I think we'd rather have some up-front guidance if at all possible.

I'm happy to suggest some text, but it may take me a bit.

- m&m
Matthew A. Miller

>
> -----Original Message-----
> From: Matthew Miller <linuxwolf+ietf@outer-planes.net>
> Sent: Tuesday, May 8, 2018 1:35 PM
> To: art@ietf.org
> Cc: unbearable@ietf.org; draft-ietf-tokbind-negotiation.all@ietf.org; ietf@ietf.org
> Subject: Artart telechat review of draft-ietf-tokbind-negotiation-12
>
> Reviewer: Matthew Miller
> Review result: Ready with Issues
>
> IETF LC End Date: N/A
> IESG Telechat date: 2018-05-10
>
> Summary: Ready with a potential issue.
>
> Major issues: N/A
>
> Minor issues:
>
> In reading the client's processing of the server's "token_binding"
> extension, there seems to be the potential for falling through the cracks with regards to version:
>
> * client MUST terminate the TLS handshake if the server's
>   TB_version is greater than the client's highest supported
> * client (MUST? SHOULD? MAY?) continue the TLS handshake **without
>   Token Binding** if the server's TB_version is not one the client
>   is willing to use (e.g., lower than the client's minimum
>   acceptable version)
>
> As written, it seems that a client that requires token binding has to finish TLS negotiation, then reject further interactions at the application level, but it's not clear this is the expected or best approach. I think it's worth adding at least some language about this scenario.
>
> Nits/editorial comments: N/A
>
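The client-side decision the thread is discussing, written out as an added illustration (this is not code from the draft or from either correspondent). Versions are modelled as constructed (major, minor) tuples, and `require_tb` is a hypothetical policy flag standing in for the guidance the reviewer is asking for; the draft itself defines no such knob.

```python
from enum import Enum


class Outcome(Enum):
    TERMINATE = "terminate TLS handshake"          # fatal: bad server choice
    WITH_TB = "proceed with Token Binding"          # negotiated version usable
    WITHOUT_TB = "proceed without Token Binding"    # the "fall through" case


def client_check(client_supported, server_version, require_tb=False):
    """Client processing of the server's token_binding extension.

    client_supported: set of (major, minor) versions the client implements;
        the client advertises max(client_supported) in its ClientHello.
    server_version: (major, minor) selected by the server, or None when the
        server did not send the extension at all.
    require_tb: hypothetical local policy (not in the draft) for a client that
        cannot operate without Token Binding.
    """
    highest = max(client_supported)

    if server_version is None:
        # No extension from the server: plain TLS. A TB-requiring client has
        # no protocol-level signal here, only local policy.
        return Outcome.TERMINATE if require_tb else Outcome.WITHOUT_TB

    if server_version > highest:
        # The server offered a version the client never advertised; the
        # draft says the client MUST terminate the handshake.
        return Outcome.TERMINATE

    if server_version in client_supported:
        # Lower (or equal) version the client implements: TB is used.
        return Outcome.WITH_TB

    # Lower version the client does not implement: the draft proceeds
    # without TB. This is the gap the reviewer points at; a client that
    # requires TB currently has to enforce it at the application layer.
    return Outcome.TERMINATE if require_tb else Outcome.WITHOUT_TB


if __name__ == "__main__":
    # Constructed sample negotiation: client speaks 1.0 and 0.13.
    client = {(1, 0), (0, 13)}
    for offered in [(1, 0), (1, 1), (0, 13), (0, 10), None]:
        print(offered, "->", client_check(client, offered).value)
```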