W3C home > Mailing lists > Public > public-web-security@w3.org > February 2015

Re: IETF seeking feedback on proposed "Token Binding" Working Group

From: Colin Gallagher <colingallagher.rpcv@gmail.com>
Date: Wed, 11 Feb 2015 18:42:01 -0800
Message-ID: <CABghAMg4-kXP6Ez=tkorfvHpx4f5LFxwLNHu+KL5BqR6NS1v1Q@mail.gmail.com>
To: unbearable@ietf.org
Cc: public-web-security@w3.org, Stephen Farrell <stephen.farrell@cs.tcd.ie>
I suggest connecting with crypostorm.is staff and soliciting their input
for starters.
On Feb 11, 2015 4:03 AM, "Arthur Barstow" <art.barstow@gmail.com> wrote:

> [ Bcc: WebApps, WebAppSec, Web Security IG; Reply-to: unbearable @
> ietf.org ]
>
> Hi All,
>
> Below is an e-mail from Stephen Farrell regarding a proposed "Token
> Binding" Working Group at the IETF. Stephen is interested in feedback
> regarding the proposed group:
>
> * Home: <https://datatracker.ietf.org/wg/tokbind/charter/>
> * Draft spec: <https://tools.ietf.org/html/draft-balfanz-https-token-
> binding>
> * List archive: <http://www.ietf.org/mail-archive/web/unbearable/
> current/maillist.html>
>
> The Draft charter includes:
>
> [[
> Web services generate various security tokens (e.g. HTTP cookies, OAuth
> tokens, etc.) for web applications to access protected resources. Currently
> these are bearer tokens, i.e. any party in possession of such token gains
> access to the protected resource. Attackers export bearer tokens from
> client machines or from compromised network connections, present these
> bearer tokens to Web services, and impersonate authenticated users. Token
> Binding enables defense against such attacks by cryptographically binding
> security tokens to a secret held by the client.
>
> The tasks of this working group are as follows:
>
> 1. Specify the Token Binding protocol v1.0.
> 2. Specify the use of the Token Binding protocol in combination with HTTPS.
>
> ...
> ]]
>
> WebAppSec, Web Security IG - this is mainly an FYI for you.
>
> WebApps - please note the draft spec includes a new XHR property
> "withRefererTokenBindingID" <https://tools.ietf.org/html/
> draft-balfanz-https-token-binding-00#section-3.4>.
>
> If anyone has feedback about the proposal, please send it to the
> unbearable @ ietf.org list. However, comments related to the XHR aspect
> should be Cc/Bcc to public-webapps.
>
> -Thanks, AB
>
>  On 6 Feb 2015, at 8:40 am, Stephen Farrell<stephen.farrell@cs.tcd.ie>
>> wrote:
>>
>>
>> Hi Mark & W3C folks,
>>
>> (I'm cc'ing various W3C folks I know in case one of you just know
>> the answer and can save us some iterations, apologies to the others
>> of you:-)
>>
>> We're starting the chartering process for a WG aiming to do better
>> than bearer tokens. [1] As of now, it looks like that has a good
>> chance of getting into some or all browsers which is great. We'll
>> see what else turns up during the chartering process as usual, and
>> please do comment on that also as usual.
>>
>> One thing I noted is that the current draft [2] for part of this
>> work proposes (in section 3.4 [3]) a small change to XHR, so I
>> wanted to bring that up with you and see if you think that's a
>> thing that'll need to be addressed during chartering or if it's
>> ok to handle later (in whatever is the right manner) after we've
>> chartered an IETF WG. Or maybe it's something that's already done
>> or bring done in W3C.
>>
>> The informal IESG evaluation of this charter is set for Feb 19th,
>> so if we could figure it out by then that'd be great. If not,
>> we've another couple of weeks of external review when we can get
>> it done, but I'd prefer be quick if we can.
>>
>> And in case it helps, I think the simplest way to handle this if
>> the change turns out to be needed in the end, would be for the
>> relevant folks to just keep chatting and ideally get that XHR
>> change tee'd up in W3C. In the meantime, the IETF spec could say
>> something like "if you did change XHR in such-and-such a way then..."
>> just so's we don't get in one another's way. Or maybe some other
>> plan is better.
>>
>> Anyway, please let me know who's the right W3C person to keep
>> in the loop on this and hopefully let's sort it out in the next
>> week or so.
>>
>> Cheers,
>> Stephen.
>>
>>
>>
>> [1]https://datatracker.ietf.org/wg/tokbind/charter/
>> [2]https://tools.ietf.org/html/draft-balfanz-https-token-binding
>> [3]
>> https://tools.ietf.org/html/draft-balfanz-https-token-
>> binding-00#section-3.4
>>
>>
>
>
Received on Thursday, 12 February 2015 02:44:53 UTC

This archive was generated by hypermail 2.3.1 : Thursday, 12 February 2015 02:44:54 UTC