Re: IETF seeking feedback on proposed "Token Binding" Working Group

I suggest connecting with staff and soliciting their input
for starters.
On Feb 11, 2015 4:03 AM, "Arthur Barstow" <> wrote:

> [ Bcc: WebApps, WebAppSec, Web Security IG; Reply-to: unbearable @
> ]
> Hi All,
> Below is an e-mail from Stephen Farrell regarding a proposed "Token
> Binding" Working Group at the IETF. Stephen is interested in feedback
> regarding the proposed group:
> * Home: <>
> * Draft spec: <
> binding>
> * List archive: <
> current/maillist.html>
> The Draft charter includes:
> [[
> Web services generate various security tokens (e.g. HTTP cookies, OAuth
> tokens, etc.) for web applications to access protected resources. Currently
> these are bearer tokens, i.e. any party in possession of such token gains
> access to the protected resource. Attackers export bearer tokens from
> client machines or from compromised network connections, present these
> bearer tokens to Web services, and impersonate authenticated users. Token
> Binding enables defense against such attacks by cryptographically binding
> security tokens to a secret held by the client.
> The tasks of this working group are as follows:
> 1. Specify the Token Binding protocol v1.0.
> 2. Specify the use of the Token Binding protocol in combination with HTTPS.
> ...
> ]]
> WebAppSec, Web Security IG - this is mainly an FYI for you.
> WebApps - please note the draft spec includes a new XHR property
> "withRefererTokenBindingID" <
> draft-balfanz-https-token-binding-00#section-3.4>.
> If anyone has feedback about the proposal, please send it to the
> unbearable @ list. However, comments related to the XHR aspect
> should be Cc/Bcc to public-webapps.
> -Thanks, AB
>  On 6 Feb 2015, at 8:40 am, Stephen Farrell<>
>> wrote:
>> Hi Mark & W3C folks,
>> (I'm cc'ing various W3C folks I know in case one of you just know
>> the answer and can save us some iterations, apologies to the others
>> of you:-)
>> We're starting the chartering process for a WG aiming to do better
>> than bearer tokens. [1] As of now, it looks like that has a good
>> chance of getting into some or all browsers which is great. We'll
>> see what else turns up during the chartering process as usual, and
>> please do comment on that also as usual.
>> One thing I noted is that the current draft [2] for part of this
>> work proposes (in section 3.4 [3]) a small change to XHR, so I
>> wanted to bring that up with you and see if you think that's a
>> thing that'll need to be addressed during chartering or if it's
>> ok to handle later (in whatever is the right manner) after we've
>> chartered an IETF WG. Or maybe it's something that's already done
>> or bring done in W3C.
>> The informal IESG evaluation of this charter is set for Feb 19th,
>> so if we could figure it out by then that'd be great. If not,
>> we've another couple of weeks of external review when we can get
>> it done, but I'd prefer be quick if we can.
>> And in case it helps, I think the simplest way to handle this if
>> the change turns out to be needed in the end, would be for the
>> relevant folks to just keep chatting and ideally get that XHR
>> change tee'd up in W3C. In the meantime, the IETF spec could say
>> something like "if you did change XHR in such-and-such a way then..."
>> just so's we don't get in one another's way. Or maybe some other
>> plan is better.
>> Anyway, please let me know who's the right W3C person to keep
>> in the loop on this and hopefully let's sort it out in the next
>> week or so.
>> Cheers,
>> Stephen.
>> [1]
>> [2]
>> [3]
>> binding-00#section-3.4

Received on Thursday, 12 February 2015 02:44:53 UTC