idnits 2.17.1 draft-ietf-tokbind-tls13-01.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- ** The document seems to lack an IANA Considerations section. (See Section 2.2 of https://www.ietf.org/id-info/checklist for how to handle the case when there are no actions for IANA.) Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the IETF Trust and authors Copyright Line does not match the current year -- The document date (May 21, 2018) is 2165 days in the past. Is this intentional? Checking references for intended status: Proposed Standard ---------------------------------------------------------------------------- (See RFCs 3967 and 4897 for information about using normative references to lower-maturity documents in RFCs) == Outdated reference: A later version (-14) exists of draft-ietf-tokbind-negotiation-13 == Outdated reference: A later version (-19) exists of draft-ietf-tokbind-protocol-18 Summary: 1 error (**), 0 flaws (~~), 3 warnings (==), 1 comment (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 Network Working Group N. Harper 3 Internet-Draft Google Inc. 4 Updates: TBNEGO (if approved) May 21, 2018 5 Intended status: Standards Track 6 Expires: November 22, 2018 8 Token Binding for Transport Layer Security (TLS) Version 1.3 Connections 9 draft-ietf-tokbind-tls13-01 11 Abstract 13 Negotiation of the Token Binding protocol is only defined for 14 Transport Layer Security (TLS) versions 1.2 and earlier. Token 15 Binding users may wish to use it with TLS 1.3; this document defines 16 a backwards compatible way to negotiate Token Binding on TLS 1.3 17 connections. 19 Status of This Memo 21 This Internet-Draft is submitted in full conformance with the 22 provisions of BCP 78 and BCP 79. 24 Internet-Drafts are working documents of the Internet Engineering 25 Task Force (IETF). Note that other groups may also distribute 26 working documents as Internet-Drafts. The list of current Internet- 27 Drafts is at http://datatracker.ietf.org/drafts/current/. 29 Internet-Drafts are draft documents valid for a maximum of six months 30 and may be updated, replaced, or obsoleted by other documents at any 31 time. It is inappropriate to use Internet-Drafts as reference 32 material or to cite them other than as "work in progress." 34 This Internet-Draft will expire on November 22, 2018. 36 Copyright Notice 38 Copyright (c) 2018 IETF Trust and the persons identified as the 39 document authors. All rights reserved. 41 This document is subject to BCP 78 and the IETF Trust's Legal 42 Provisions Relating to IETF Documents 43 (http://trustee.ietf.org/license-info) in effect on the date of 44 publication of this document. Please review these documents 45 carefully, as they describe your rights and restrictions with respect 46 to this document. Code Components extracted from this document must 47 include Simplified BSD License text as described in Section 4.e of 48 the Trust Legal Provisions and are provided without warranty as 49 described in the Simplified BSD License. 51 1. Introduction 53 Negotiating Token Binding using a TLS [I-D.ietf-tls-tls13] extension 54 as described in [I-D.ietf-tokbind-negotiation] is fairly 55 straightforward, but is restricted to TLS 1.2 and earlier. Only one 56 minor change is needed to use this extension to negotiate Token 57 Binding on connections using TLS 1.3 and later. Instead of the 58 server putting the "token_binding" extension in the ServerHello like 59 in TLS 1.2, in TLS 1.3 the server puts it in EncryptedExtensions 60 instead. 62 This document also non-normatively provides a clarification for the 63 definition of the TokenBinding.signature field from 64 [I-D.ietf-tokbind-protocol], since TLS 1.3 defines an alternate (but 65 API-compatible) exporter mechanism to the one in [RFC5705] used in 66 [I-D.ietf-tokbind-protocol]. 68 1.1. Requirements Language 70 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", 71 "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and 72 "OPTIONAL" in this document are to be interpreted as described in BCP 73 14 [RFC2119] [RFC8174] when, and only when, they appear in all 74 capitals, as shown here. 76 2. Token Binding TLS Extension 78 In TLS 1.3, the "token_binding" TLS extension may be present only in 79 ClientHello and EncryptedExtensions handshake messages. The format 80 of the "token_binding" TLS extension remains the same as defined in 81 [I-D.ietf-tokbind-negotiation]. 83 A client puts the "token_binding" TLS extension in its ClientHello to 84 indicate its support for the Token Binding protocol. The client 85 should follow the same rules for when to send this extension and the 86 contents of its data as in section 2 of 87 [I-D.ietf-tokbind-negotiation]. Since the "token_binding" extension 88 remains unchanged from TLS 1.2 to TLS 1.3 in the ClientHello, a 89 client sending the "token_binding" extension in a TLS 1.3 ClientHello 90 is backwards compatible with a server that only supports TLS 1.2. 92 A server puts the "token_binding" TLS extension in the 93 EncryptedExtensions message following its ServerHello to indicate 94 support for the Token Binding protocol and to select protocol version 95 and key parameters. The server includes the extension following the 96 same rules as section 3 of [I-D.ietf-tokbind-negotiation], with the 97 following changes: 99 o The "token_binding" TLS extension is in EncryptedExtensions 100 instead of ServerHello. 102 o The server MUST NOT include both the "token_binding" extension and 103 the "early_data" extension on the same connection. 105 3. Interaction with 0-RTT Data 107 [I-D.ietf-tls-tls13] requires that extensions define their 108 interaction with 0-RTT. The "token_binding" extension MUST NOT be 109 used with 0-RTT unless otherwise specified in another draft. A 110 client MAY include both "early_data" and "token_binding" extensions 111 in its ClientHello - this indicates that the client is willing to 112 resume a connection and send early data (without Token Binding), or 113 negotiate Token Binding on the connection and have early data 114 rejected. 116 4. Clarification of TokenBinding.signature 118 This non-normative section provides a clarification on the definition 119 of the TokenBinding.signature field when used on a TLS 1.3 120 connection. 122 [I-D.ietf-tokbind-protocol] defines the TokenBinding.signature field 123 in terms of an exported keying material (EKM) value as defined in 124 [RFC5705]. [I-D.ietf-tls-tls13] provides an equivalent interface in 125 section 7.5. For clarity, using the terminology from 126 [I-D.ietf-tls-tls13], the EKM used in section 3.3 of 127 [I-D.ietf-tokbind-protocol] in TLS 1.3 is the exporter value (section 128 7.5 of [I-D.ietf-tls-tls13]) computed with the following parameters: 130 o Secret: exporter_master_secret. 132 o label: The ASCII string "EXPORTER-Token-Binding" with no 133 terminating NUL. 135 o context_value: No context value is supplied. 137 o key_length: 32 bytes. 139 These are the same input values as specified in section 3.3 of 140 [I-D.ietf-tokbind-protocol]. 142 5. Security Considerations 144 The consideration regarding downgrade attacks in 145 [I-D.ietf-tokbind-negotiation] still apply here: The parameters 146 negotiated in the "token_binding" extension are protected by the TLS 147 handshake. An active network attacker cannot modify or remove the 148 "token_binding" extension without also breaking the TLS connection. 150 This extension cannot be used with 0-RTT data, so the concerns in 151 [I-D.ietf-tls-tls13] about replay do not apply here. 153 6. References 155 6.1. Normative References 157 [I-D.ietf-tls-tls13] 158 Rescorla, E., "The Transport Layer Security (TLS) Protocol 159 Version 1.3", draft-ietf-tls-tls13-28 (work in progress), 160 March 2018. 162 [I-D.ietf-tokbind-negotiation] 163 Popov, A., Nystrom, M., Balfanz, D., and A. Langley, 164 "Transport Layer Security (TLS) Extension for Token 165 Binding Protocol Negotiation", draft-ietf-tokbind- 166 negotiation-13 (work in progress), May 2018. 168 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate 169 Requirement Levels", BCP 14, RFC 2119, 170 DOI 10.17487/RFC2119, March 1997, . 173 [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC 174 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, 175 May 2017, . 177 6.2. Informative References 179 [I-D.ietf-tokbind-protocol] 180 Popov, A., Nystrom, M., Balfanz, D., Langley, A., and J. 181 Hodges, "The Token Binding Protocol Version 1.0", draft- 182 ietf-tokbind-protocol-18 (work in progress), May 2018. 184 [RFC5705] Rescorla, E., "Keying Material Exporters for Transport 185 Layer Security (TLS)", RFC 5705, DOI 10.17487/RFC5705, 186 March 2010, . 188 Author's Address 190 Nick Harper 191 Google Inc. 193 Email: nharper@google.com