Re: IETF seeking feedback on proposed "Token Binding" Working Group from Colin Gallagher on 2015-02-12 (public-web-security@w3.org from February 2015)

From: Colin Gallagher <colingallagher.rpcv@gmail.com>
Date: Wed, 11 Feb 2015 20:10:32 -0800
To: unbearable@ietf.org
Cc: public-web-security@w3.org, Stephen Farrell <stephen.farrell@cs.tcd.ie>
Message-ID: <CABghAMiUw8s=PieDdcrMmsgA6pgGbKGFXot1-D73JX7sWwwkKA@mail.gmail.com>
Ah, oops. I meant, connect with https://cryptostorm.is staff. Solicit their
input. Sorry for misspelling in prior email.
On Feb 11, 2015 6:42 PM, "Colin Gallagher" <colingallagher.rpcv@gmail.com>
wrote:

> I suggest connecting with crypostorm.is staff and soliciting their input
> for starters.
> On Feb 11, 2015 4:03 AM, "Arthur Barstow" <art.barstow@gmail.com> wrote:
>
>> [ Bcc: WebApps, WebAppSec, Web Security IG; Reply-to: unbearable @
>> ietf.org ]
>>
>> Hi All,
>>
>> Below is an e-mail from Stephen Farrell regarding a proposed "Token
>> Binding" Working Group at the IETF. Stephen is interested in feedback
>> regarding the proposed group:
>>
>> * Home: <https://datatracker.ietf.org/wg/tokbind/charter/>
>> * Draft spec: <https://tools.ietf.org/html/draft-balfanz-https-token-
>> binding>
>> * List archive: <http://www.ietf.org/mail-archive/web/unbearable/
>> current/maillist.html>
>>
>> The Draft charter includes:
>>
>> [[
>> Web services generate various security tokens (e.g. HTTP cookies, OAuth
>> tokens, etc.) for web applications to access protected resources. Currently
>> these are bearer tokens, i.e. any party in possession of such token gains
>> access to the protected resource. Attackers export bearer tokens from
>> client machines or from compromised network connections, present these
>> bearer tokens to Web services, and impersonate authenticated users. Token
>> Binding enables defense against such attacks by cryptographically binding
>> security tokens to a secret held by the client.
>>
>> The tasks of this working group are as follows:
>>
>> 1. Specify the Token Binding protocol v1.0.
>> 2. Specify the use of the Token Binding protocol in combination with
>> HTTPS.
>>
>> ...
>> ]]
>>
>> WebAppSec, Web Security IG - this is mainly an FYI for you.
>>
>> WebApps - please note the draft spec includes a new XHR property
>> "withRefererTokenBindingID" <https://tools.ietf.org/html/
>> draft-balfanz-https-token-binding-00#section-3.4>.
>>
>> If anyone has feedback about the proposal, please send it to the
>> unbearable @ ietf.org list. However, comments related to the XHR aspect
>> should be Cc/Bcc to public-webapps.
>>
>> -Thanks, AB
>>
>>  On 6 Feb 2015, at 8:40 am, Stephen Farrell<stephen.farrell@cs.tcd.ie>
>>> wrote:
>>>
>>>
>>> Hi Mark & W3C folks,
>>>
>>> (I'm cc'ing various W3C folks I know in case one of you just know
>>> the answer and can save us some iterations, apologies to the others
>>> of you:-)
>>>
>>> We're starting the chartering process for a WG aiming to do better
>>> than bearer tokens. [1] As of now, it looks like that has a good
>>> chance of getting into some or all browsers which is great. We'll
>>> see what else turns up during the chartering process as usual, and
>>> please do comment on that also as usual.
>>>
>>> One thing I noted is that the current draft [2] for part of this
>>> work proposes (in section 3.4 [3]) a small change to XHR, so I
>>> wanted to bring that up with you and see if you think that's a
>>> thing that'll need to be addressed during chartering or if it's
>>> ok to handle later (in whatever is the right manner) after we've
>>> chartered an IETF WG. Or maybe it's something that's already done
>>> or bring done in W3C.
>>>
>>> The informal IESG evaluation of this charter is set for Feb 19th,
>>> so if we could figure it out by then that'd be great. If not,
>>> we've another couple of weeks of external review when we can get
>>> it done, but I'd prefer be quick if we can.
>>>
>>> And in case it helps, I think the simplest way to handle this if
>>> the change turns out to be needed in the end, would be for the
>>> relevant folks to just keep chatting and ideally get that XHR
>>> change tee'd up in W3C. In the meantime, the IETF spec could say
>>> something like "if you did change XHR in such-and-such a way then..."
>>> just so's we don't get in one another's way. Or maybe some other
>>> plan is better.
>>>
>>> Anyway, please let me know who's the right W3C person to keep
>>> in the loop on this and hopefully let's sort it out in the next
>>> week or so.
>>>
>>> Cheers,
>>> Stephen.
>>>
>>>
>>>
>>> [1]https://datatracker.ietf.org/wg/tokbind/charter/
>>> [2]https://tools.ietf.org/html/draft-balfanz-https-token-binding
>>> [3]
>>> https://tools.ietf.org/html/draft-balfanz-https-token-
>>> binding-00#section-3.4
>>>
>>>
>>
>>
Received on Thursday, 12 February 2015 04:13:36 UTC