[Unbearable] Include-Referred-Token-Binding-ID redirects within a domain
Brian Campbell <bcampbell@pingidentity.com> Wed, 27 July 2016 19:31 UTC
Return-Path: <bcampbell@pingidentity.com>
X-Original-To: unbearable@ietfa.amsl.com
Delivered-To: unbearable@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0526212D8E4 for <unbearable@ietfa.amsl.com>; Wed, 27 Jul 2016 12:31:47 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.7
X-Spam-Level:
X-Spam-Status: No, score=-2.7 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=pingidentity.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id snR1ERwWmxZR for <unbearable@ietfa.amsl.com>; Wed, 27 Jul 2016 12:31:35 -0700 (PDT)
Received: from mail-io0-x22d.google.com (mail-io0-x22d.google.com [IPv6:2607:f8b0:4001:c06::22d]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 24F6F12D8E2 for <unbearable@ietf.org>; Wed, 27 Jul 2016 12:31:35 -0700 (PDT)
Received: by mail-io0-x22d.google.com with SMTP id q83so80170171iod.1 for <unbearable@ietf.org>; Wed, 27 Jul 2016 12:31:35 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=pingidentity.com; s=gmail; h=mime-version:from:date:message-id:subject:to; bh=7ZRD36VBazxTOPxwP1kdhbDYBuHrrziAY8ZECUx06XQ=; b=bofJ+eijwy7vl98m3MYDcKlnjQBU1nCcIROYneUH9u+YU4r2W0w6ngdae3zBYt/hom DZALnTwgwWoeTbzUSjjUZlTbhUuer/cbStm+2Ad0g50omTLpgUnEFUkttUZmhMn0ydBD jClvEl+UEfXP6w8UP1qbo48MQlcicC0V2X0nc=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:from:date:message-id:subject:to; bh=7ZRD36VBazxTOPxwP1kdhbDYBuHrrziAY8ZECUx06XQ=; b=WbLNiQqIw3JDZvPrNPdmmRD159OeZ6aYbUAG3LOXOrEY0RhDqOvU33+DFwoRn5hlrm IdQDBdRTc+6MzezWQqSYTDgKeaTPuWr2PnHVbwDhUc08wrvg96coYlRxxdk4FMd7j7Ma vOvZs7GWYAX9jENAKDIR7F1/NpK5N+qeHIgNmElzeX0UZlXkfbHSSxRB4nxkVsUjjHvG q808bb6yGcu9BbZWRJ271UBRR4VHkF5Wy09cxC5JJzh+Qf+ZIAsVuqNIao+XQFb4B0mj q5UTBgjNOJCHEMMSjU3VrR8oPkQR/H9/lWALC1xHtJz9ICGapaqzHu/1pOO94iqQfhCr nPjQ==
X-Gm-Message-State: AEkoousMqMnSAbYp49wgV8kFMa7erIajax28yqR8yj/4yQyPN7PBCuRiMdB1uOlUsqsbuxMF07n5XzggDhwGzctG
X-Received: by 10.107.8.140 with SMTP id h12mr35625878ioi.95.1469647886967; Wed, 27 Jul 2016 12:31:26 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.79.28.149 with HTTP; Wed, 27 Jul 2016 12:30:57 -0700 (PDT)
From: Brian Campbell <bcampbell@pingidentity.com>
Date: Wed, 27 Jul 2016 13:30:57 -0600
Message-ID: <CA+k3eCQBubC1Cfzo2gtO_7ntw_pOVF7UQAukr-DcACkra-ivLA@mail.gmail.com>
To: IETF Tokbind WG <unbearable@ietf.org>
Content-Type: multipart/alternative; boundary="001a113fb6b03f93820538a3100f"
Archived-At: <https://mailarchive.ietf.org/arch/msg/unbearable/xMDHXYjH8WW2N-hifODLPqAa17w>
Subject: [Unbearable] Include-Referred-Token-Binding-ID redirects within a domain
X-BeenThere: unbearable@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "\"This list is for discussion of proposals for doing better than bearer tokens \(e.g. HTTP cookies, OAuth tokens etc.\) for web applications. The specific goal is chartering a WG focused on preventing security token export and replay attacks.\"" <unbearable.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/unbearable>, <mailto:unbearable-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/unbearable/>
List-Post: <mailto:unbearable@ietf.org>
List-Help: <mailto:unbearable-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/unbearable>, <mailto:unbearable-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 27 Jul 2016 19:31:47 -0000
What is the expected behavior when a browser receives a redirect with the Include-Referred-Token-Binding-ID but is from and to URIs in the same TLD+1 and everyone is able to negotiate Token Binding? I don't think the situation is explicitly covered in HTTPSTB. For example, when a request made to https://application.example.com receives an HTTP 302 that has Include-Referred-Token-Binding-ID:true with https://idp.example.com as the location. Is only the provided token binding sent by the browser to https://idp.example.com? Or are a provided and referred token binding both sent (with the same token binding id)? Or something else? This situation is fairly common in federated SSO deployments today and, depending on how things work from the HTTPSTB perspective, the referred token binding alone might not be enough of a signal to the token provider about what token binding ID to bind into the SSO token. The initial draft of TB for OpenID Connect, <http://self-issued.info/docs/openid-connect-token-bound-authentication-1_0-00.html> for example, relies on the presence of the Referred Token Binding being sent. I guess I'm suggesting, so federated protocols that use HTTPSTB don't have to have special treatment of this situation, that HTTPSTB explicitly say that a redirect with the Include-Referred-Token-Binding-ID header signals to the browser that it is to send a referred token binding on the resulting request even when both resources fall under the same same TLD+1 and the provided and referred token bindings would be the same.
- Re: [Unbearable] Include-Referred-Token-Binding-I… Brian Campbell
- Re: [Unbearable] Include-Referred-Token-Binding-I… Nick Harper
- [Unbearable] Include-Referred-Token-Binding-ID re… Brian Campbell