Re: IETF seeking feedback on proposed "Token Binding" Working Group

Ah, oops. I meant, connect with staff. Solicit their
input. Sorry for misspelling in prior email.
On Feb 11, 2015 6:42 PM, "Colin Gallagher" <>

> I suggest connecting with staff and soliciting their input
> for starters.
> On Feb 11, 2015 4:03 AM, "Arthur Barstow" <> wrote:
>> [ Bcc: WebApps, WebAppSec, Web Security IG; Reply-to: unbearable @
>> ]
>> Hi All,
>> Below is an e-mail from Stephen Farrell regarding a proposed "Token
>> Binding" Working Group at the IETF. Stephen is interested in feedback
>> regarding the proposed group:
>> * Home: <>
>> * Draft spec: <
>> binding>
>> * List archive: <
>> current/maillist.html>
>> The Draft charter includes:
>> [[
>> Web services generate various security tokens (e.g. HTTP cookies, OAuth
>> tokens, etc.) for web applications to access protected resources. Currently
>> these are bearer tokens, i.e. any party in possession of such token gains
>> access to the protected resource. Attackers export bearer tokens from
>> client machines or from compromised network connections, present these
>> bearer tokens to Web services, and impersonate authenticated users. Token
>> Binding enables defense against such attacks by cryptographically binding
>> security tokens to a secret held by the client.
>> The tasks of this working group are as follows:
>> 1. Specify the Token Binding protocol v1.0.
>> 2. Specify the use of the Token Binding protocol in combination with
>> ...
>> ]]
>> WebAppSec, Web Security IG - this is mainly an FYI for you.
>> WebApps - please note the draft spec includes a new XHR property
>> "withRefererTokenBindingID" <
>> draft-balfanz-https-token-binding-00#section-3.4>.
>> If anyone has feedback about the proposal, please send it to the
>> unbearable @ list. However, comments related to the XHR aspect
>> should be Cc/Bcc to public-webapps.
>> -Thanks, AB
>>  On 6 Feb 2015, at 8:40 am, Stephen Farrell<>
>>> wrote:
>>> Hi Mark & W3C folks,
>>> (I'm cc'ing various W3C folks I know in case one of you just know
>>> the answer and can save us some iterations, apologies to the others
>>> of you:-)
>>> We're starting the chartering process for a WG aiming to do better
>>> than bearer tokens. [1] As of now, it looks like that has a good
>>> chance of getting into some or all browsers which is great. We'll
>>> see what else turns up during the chartering process as usual, and
>>> please do comment on that also as usual.
>>> One thing I noted is that the current draft [2] for part of this
>>> work proposes (in section 3.4 [3]) a small change to XHR, so I
>>> wanted to bring that up with you and see if you think that's a
>>> thing that'll need to be addressed during chartering or if it's
>>> ok to handle later (in whatever is the right manner) after we've
>>> chartered an IETF WG. Or maybe it's something that's already done
>>> or bring done in W3C.
>>> The informal IESG evaluation of this charter is set for Feb 19th,
>>> so if we could figure it out by then that'd be great. If not,
>>> we've another couple of weeks of external review when we can get
>>> it done, but I'd prefer be quick if we can.
>>> And in case it helps, I think the simplest way to handle this if
>>> the change turns out to be needed in the end, would be for the
>>> relevant folks to just keep chatting and ideally get that XHR
>>> change tee'd up in W3C. In the meantime, the IETF spec could say
>>> something like "if you did change XHR in such-and-such a way then..."
>>> just so's we don't get in one another's way. Or maybe some other
>>> plan is better.
>>> Anyway, please let me know who's the right W3C person to keep
>>> in the loop on this and hopefully let's sort it out in the next
>>> week or so.
>>> Cheers,
>>> Stephen.
>>> [1]
>>> [2]
>>> [3]
>>> binding-00#section-3.4

Received on Thursday, 12 February 2015 04:13:36 UTC