IETF Logo Mail Archive

Re: [Unbearable] HTTPSTB: distinct header for the referred Token Binding (issue #35)

Brian Campbell <bcampbell@pingidentity.com> Wed, 18 May 2016 18:30 UTC

Return-Path: <bcampbell@pingidentity.com>
X-Original-To: unbearable@ietfa.amsl.com
Delivered-To: unbearable@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 967E412D630 for <unbearable@ietfa.amsl.com>; Wed, 18 May 2016 11:30:26 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.7
X-Spam-Level:
X-Spam-Status: No, score=-2.7 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=pingidentity.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id doXR3tYIxesc for <unbearable@ietfa.amsl.com>; Wed, 18 May 2016 11:30:24 -0700 (PDT)
Received: from mail-io0-x22f.google.com (mail-io0-x22f.google.com [IPv6:2607:f8b0:4001:c06::22f]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C28A012D607 for <unbearable@ietf.org>; Wed, 18 May 2016 11:30:23 -0700 (PDT)
Received: by mail-io0-x22f.google.com with SMTP id i75so76716396ioa.3 for <unbearable@ietf.org>; Wed, 18 May 2016 11:30:23 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=pingidentity.com; s=gmail; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=cNtip8s4F480tawqrUmf5mKujcfxXxYYKuTg4kxF4zo=; b=VvWmQNtcYlgktLEiNkrNYvB6kzu6Y7uQzkAJJdH3ywQy7bES8r+jKYX68mmGe9wjek E8r4T1BuXLtSsnMTA7va/Gv4BMqzOedD+58WiB3pj3EDzLoi5Fm3uUMUdYi89o9uxJfp ogO5SN3L+rXjqw/oxpKScDbclZPiQ/rZGva1Q=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=cNtip8s4F480tawqrUmf5mKujcfxXxYYKuTg4kxF4zo=; b=OI384xPf6b72EWAY6gP8xzQQLbiMIpjoKURNRCnM78RqhA1TGn8+C2wDE0hKihaz05 5uRSkdQmIkFZJMT6ivT3YhEn0uGP6K929WrbvkL06yPrksGDFTIz70TbRu78gkssNM96 YcjRQYqaGP6cERsZ6wcpiGZ6ei7IP8h6NaNuxc25KHTK+crnXfr3+tOTJEHGStms3Q5P oOmVxhJUYd7dKAMvuAevmDYgaeIxHPLyfk5laIjPmeZoOGwcZj9ykRf8OBl7N6JghYu6 TXpkR3MZDcA8yT9FY3EbNXx576AalNJNn6eTUPLaeIzRo4AM1Hw58NchciERAmXfodeC ks1Q==
X-Gm-Message-State: AOPr4FU6zr+n7/zT+zMXwEEXd0SEROcFFTVfoDXdHiKNKQzefJwxVfRY7hN/WOcYmTa4AhMUfPNVMLoecOu3dM13
X-Received: by 10.107.8.141 with SMTP id h13mr6632118ioi.95.1463596223002; Wed, 18 May 2016 11:30:23 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.79.105.129 with HTTP; Wed, 18 May 2016 11:29:53 -0700 (PDT)
In-Reply-To: <BN3PR03MB1445B30EF30B69B5F51564078C480@BN3PR03MB1445.namprd03.prod.outlook.com>
References: <CA+k3eCSwTXMwSiLbggaPZx33B9atkvN6VD5Q7H9j67MANufZ-Q@mail.gmail.com> <BN3PR03MB144522E21E8685A853DAB17E8C480@BN3PR03MB1445.namprd03.prod.outlook.com> <CA+k3eCSNqu4DMxwcZuuRg_CayrZKEgoK_y205gM3D2SYBfwQ0A@mail.gmail.com> <BN3PR03MB1445B30EF30B69B5F51564078C480@BN3PR03MB1445.namprd03.prod.outlook.com>
From: Brian Campbell <bcampbell@pingidentity.com>
Date: Wed, 18 May 2016 12:29:53 -0600
Message-ID: <CA+k3eCR5KJKGoqLRi2ztJwGLkFCHpq=o8X=P+Zb=QbU0QhNSPw@mail.gmail.com>
To: Andrei Popov <Andrei.Popov@microsoft.com>
Content-Type: multipart/alternative; boundary="001a113f9ab0f7ad530533220cd6"
Archived-At: <http://mailarchive.ietf.org/arch/msg/unbearable/ybIwRqdNrv8gsoq5H21s4aKDhmo>
Cc: IETF Tokbind WG <unbearable@ietf.org>
Subject: Re: [Unbearable] HTTPSTB: distinct header for the referred Token Binding (issue #35)
X-BeenThere: unbearable@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "\"This list is for discussion of proposals for doing better than bearer tokens \(e.g. HTTP cookies, OAuth tokens etc.\) for web applications. The specific goal is chartering a WG focused on preventing security token export and replay attacks.\"" <unbearable.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/unbearable>, <mailto:unbearable-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/unbearable/>
List-Post: <mailto:unbearable@ietf.org>
List-Help: <mailto:unbearable-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/unbearable>, <mailto:unbearable-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 18 May 2016 18:30:26 -0000

Arguing on the internet is usually about this effective in swaying one
viewpoint or the other.

I appreciate the discourse though and, short of a mad rush of support, I
concede on the proposal.

On Tue, May 17, 2016 at 4:35 PM, Andrei Popov <Andrei.Popov@microsoft.com>
wrote:

> Ø  The HTTP layer does need to know about TB for TB to be of any value -
> that's where the signature(s) get verified and where cookies and other
> tokens are actually bound.
>
> With the current TB message structure, the HTTP layer can simply pass the
> contents of the header to the TB library, get back verified bindings and
> act on the ones that the HTTP layer understands. And I like the fact that
> currently the TB library gets all available TB information at one time and
> in one piece.
>
>
>
> Ø  But my point isn't that it can't be done. It's that it's really useful
> to be able to look at HTTP and tell whats going on without having to use a
> protocol analyzer or TB parser.
>
> Understood. I’m merely pointing out that e.g. when debugging an issue,
> it’s usually not enough to see what types of bindings were sent, so
> generally one can’t avoid parsing TokenBinding messages anyway, and parsing
> tools will likely become available.
>
>
>
> Ø  It's not an optimization but rather just a simplification where the
> provided TB is always sent the same way no matter what and the
> referrer/referred is processed independently
>
> Provided and referred bindings can’t be processed entirely independently:
> e.g. referred binding cannot be used if the provided one fails
> verification. A TB library can only ensure this if it has access to all
> available bindings.
>
>
>
> Ø  But I was looking the share the viewpoint of what seems simpler at the
> HTTP layer from someone who works primarily at the HTTP layer.
>
> To be clear, I highly value your viewpoint, although I disagree with it.
> Bringing it up on the mailing list is certainly the right thing to do.
>
>
>
> Cheers,
>
>
>
> Andrei
>
>
>
> *From:* Brian Campbell [mailto:bcampbell@pingidentity.com]
> *Sent:* Tuesday, May 17, 2016 1:57 PM
> *To:* Andrei Popov <Andrei.Popov@microsoft.com>
> *Cc:* IETF Tokbind WG <unbearable@ietf.org>
> *Subject:* Re: [Unbearable] HTTPSTB: distinct header for the referred
> Token Binding (issue #35)
>
>
>
> Despite my lack of agreement, Andrei, I appreciate the reply. My replies
> inline below...
>
>
>
> On Tue, May 17, 2016 at 11:21 AM, Andrei Popov <Andrei.Popov@microsoft.com>
> wrote:
>
> Hi Brian,
>
>
>
> The current format, where all Token Bindings are contained in one Token
> Binding message, provides useful encapsulation. The HTTP layer does not
> need to know the details of the Token Binding protocol, which can be
> implemented in a separate library. If tomorrow we define a new Token
> Binding type, an existing HTTP implementation can carry it in the
> Sec-Token-Binding header without modification. Only the Token Binding
> library would need to be updated.
>
>
>
> The HTTP layer does need to know about TB for TB to be of any value -
> that's where the signature(s) get verified and where cookies and other
> tokens are actually bound.  If a new Token Binding type is defined (which
> honestly seems unlikely), yes it could be carried in the current format but
> the HTTP layer would also need to be updated to do anything useful with it.
> I don't see the benefit of this encapsulation.
>
> Ø  At the HTTP layer separate headers will make it much more clear what
> is going on. Just looking for the presence or absence of the
> Sec-Referred-Token-Binding header will indicate if a referred TB was sent,
> which is very easy.
>
> This can be solved by including a TB parser in the protocol analyzer.
> Which would also provide further useful insights into TB key parameters,
> etc.
>
>
>
> But my point isn't that it can't be done. It's that it's really useful to
> be able to look at HTTP and tell whats going on without having to use a
> protocol analyzer or TB parser.
>
>
> Ø  Having a separate header for the referred TB allows the client/user
> agent to always send the provided TB via Sec-Token-Binding and not have to
> build a new TB message on the redirect request and then go back to the
> provided TB on subsequent requests.
>
> I don’t think there’s an optimization an HTTP stack can do WRT building TB
> messages that a Token Binding library can’t, and the Token Binding library
> is where such optimizations belong.
>
>
>
> It's not an optimization but rather just a simplification where the
> provided TB is always sent the same way no matter what and the
> referrer/referred is processed independently. To my eye, that's better
> cohesion and less coupling.
>
> HTTP/2 header compression, however, is an optimization in the HTTP layer
> that would be helped by having the provided TB header not change.
>
>
>
>
>
> For the above reasons, I would prefer to keep all Token Bindings in one
> Token Binding message.
>
>
>
>
> I got a pretty good idea of your preference when I first mentioned
> separate headers in BA :) My preference is obviously different and I wanted
> to voice that on the list/github. But I guess ultimately it's an aesthetics
> or eye of the beholder kind of thing. I won't fight about it too hard. And
> I'm just a guy, not an editor. But I was looking the share the viewpoint of
> what seems simpler at the HTTP layer from someone who works primarily at
> the HTTP layer. I hope that viewpoint can be considered even though two
> headers is different than what's already done.
>
> I'd also be interested in knowing if others in the WG have opinions here
> or if I'm the outlier?
>
>
>
>
> Cheers,
>
>
>
> Andrei
>
>
>
> *From:* Unbearable [mailto:unbearable-bounces@ietf.org] *On Behalf Of *Brian
> Campbell
> *Sent:* Monday, May 16, 2016 1:22 PM
> *To:* IETF Tokbind WG <unbearable@ietf.org>
> *Subject:* [Unbearable] HTTPSTB: distinct header for the referred Token
> Binding (issue #35)
>
>
>
> It seems like github recently started sending some notifications to the WG
> list but it's not clear how reliable that is so I'm gonna double post
> anyway. The text from
> https://github.com/TokenBinding/Internet-Drafts/issues/35 follows.
>
> As mentioned at IETF 95
> <https://datatracker.ietf.org/doc/minutes-95-tokbind/> I propose that the
> referred Token Binding be sent via a separate header (say
> Sec-Referred-Token-Binding) rather than as part of the Sec-Token-Binding
> header.
>
> At the HTTP layer separate headers will make it much more clear what is
> going on. Just looking for the presence or absence of the
> Sec-Referred-Token-Binding header will indicate if a referred TB was sent,
> which is very easy. Rather than having to decode the Sec-Token-Binding
> header value and process the binary content, which is possible but much
> more involved.
>
> Having a separate header for the referred TB allows the client/user agent
> to always send the provided TB via Sec-Token-Binding and not have to build
> a new TB message on the redirect request and then go back to the provided
> TB on subsequent requests. Also not having the value of Sec-Token-Binding
> change (other then a new TLS session with new EKM) should make it nicely
> efficient with HTTP/2 header compression.
>
> I also believe it will be easier to covey the concepts in the text of the
> spec. Talking about when the Sec-Referred-Token-Binding is sent or not sent
> rather than talking about when the referred TB is included as part of the
> TB message that is sent with Sec-Token-Binding seems much more
> straightforward.
>
> Anecdotally, there's been some discussion about using TB in OpenID Connect
> and and in talking about it people often say "the referred token binding
> header", which isn't accurate relative to HTTPSTB-03 but belies the fact
> that federation folks already think about it as separate header. And I
> think that's a natural way think about it so it's not terribly surprising.
> I won't name any names but one of the chairs of the WG is among those who
> said "the referred token binding header."
>
> I realize this is not an insignificant change but I strongly believe it'd
> be a simplification and improvement for HTTPS TB. There's not yet (that I'm
> aware of anyway) any profiling of TB for federation like protocols such
> OpenID Connect, OAuth or SAML so this would be an opportune time to change
> how the referred Token Binding is conveyed.
>
>
>
>
>

v2.23.0 | Report a Bug | By Email