Token Binding WG Note - IETF98 Chicago
Venue: Zurich A @ Swisshotel Chicago
Time: 3:20pm, March 27, 2017

* Note Well and Agenda Bashing

# WGLC issues

First, Denis's suggestion to rename a subsection of the security considerations (ABC collusion) was dealt with. The chairs asked for support for Denis's change. There was no support. There was strong support in the WG room to keep the text as is.

Then the WG moved to Martin's list:

* Q1. Is the use of TLS extensions justified?
  The chairs asked for a hum on keeping the text as is. There was a strong hum in favor.

* Q3. Do we need signatures for referred token bindings?
  Dirk explained the reasons behind having a signature. It was decided that more explanation is to be put in the text. Dirk has created a ticket for it. There was a scoping question but ...

* Q2. Is eTLD+1 necessary?
  The question on the table is whether to:
  * Keep the text as is (eTLD+1)
  * Move to scheme + origin + port
  The reason for eTLD+1 is that it is a MUST maximum scope for the web browser (cookie scope). Martin and Jeff will work on the language of the rationale for eTLD+1 and make a pull request.

* Q4. Longer EKM?
  Currently it is 32 bytes. Martin suggested that the TLS terminator send the EKM and the EKM length. Then there was a series of statements of support for the simpler solution: a 32-byte EKM for this version.
  Hums:
  1. Go back to 32-byte EKM
  2. Current text + clarification
  3. Variable-length EKM + length
  Strong consensus on going back to a 32-byte EKM.

## 0RTT (Nick)

draft-ietf-tokbind-tls13-0rtt-01

* New language added to the security considerations for PoP.
* Client switches from the 0-RTT exporter to the normal exporter during the connection.
* Client indicates that the 0-RTT exporter is in use with an extension in the TokenBinding struct.
* Token binding with 0-RTT creates a replayable token.
* A TLS extension signaling that the client is willing to use 0-RTT token binding seems to be needed.
* Slide 8 will be removed.
* Further conversation on switching the exporters should take place.

### Other issues

* none.
## Proxies & TLS terminators (Brian Campbell)

draft-campbell-tokbind-tls-term

Brian explained the rationale for having a spec and presented two options:
* Provide enough material in the HTTP header to the backend
* Provide the information that Token Binding was validated

There were supporters on both sides. Tony Nadalin argued that interoperability is not necessary at this level. More discussion is needed.

## Attestation TB

draft-mandyam-tokbind-attest

Not to be dealt with at this time.

The meeting was adjourned at 4:51pm.