* WGs marked with an * asterisk has had at least one new draft made available during the last 5 days

Tokbind Status Pages

Token Binding (Active WG)
Sec Area: Eric Rescorla, Kathleen Moriarty | 2015-Mar-24 —  
Chairs
 
 


IETF-99 tokbind minutes

Session 2017-07-17 1550-1720: Berlin/Brussels - Audio stream - tokbind chatroom

Minutes

minutes-99-tokbind-00 minutes



          Token Bindings IETF 99
          ===
          
          0RTT and 1RTT
          ---
          
          - Nick presents 0RTT and 1RTT discussion
            * Lucy & Martin expresses support for multiple drafts
          - Nick presents changes from -01
            * Martin asks question about DHE KEX - may need to open issue to
            ensure uniqueness
            * Nick clarifies the threat-model in play for DHE KEX
          - Nick presents overview of 0-RTT TB initial handshake
          - Nick presents exporters requirements for 0-RTT
            * Martin: protocols should specify a profile both for 0RTT and 0RTT-TB
            * Martin: include section that contains the profile for 0RTT-TB for HTTP
            * Martin: include advice for other protocols
          - Nick presents options for switching exporters
            * Consensus around using normal exporter
            * Discussion at mic on the value of the client certificate analogy
          
          Proxies and Terminators
          ---
          
          - Brian intro to TTRP draft based on feedback from IETF98
            * MikeJones: have usecases that require > 2 token bindings, pls specify
            syntax that allows multiple TBs
            * StefanSantesson: have you considered AJP?
            * Brian: no
            * EKR: sanitization seems sketchy
            * Brian: aware of feedback
            * Brian and EKR discussion the header security / sanitization issue
            * Dirk: based on google experience support the current proposal
            * ERK: why not establish a shared key and MAC the header
            * Brian: security considerations support that notion
            * EKR: risk of misconfiguration is signifficant - if the orig headers
            are passed thourough => major issue
            * Brian: worried about key mgmt for one specific application - need
            broader applicability
            * JohnBradley: what wg would be appropriate for a general solution?
            * MikeJones: ...
            * JoeSaloway: sanitization is a problem - needs a solution
            * WilliamDennis: not fully understand the problem.. more complexity
            adds risk that TB doesn't get deployed
            * (?)Google: passing EKM is better than new shared key mech
            * RichSaltz: assumption of trust in TTRP is not valid
            * MartinT: its simple to implement MAC using TLS exporter on the
            inside leg
            * EKR clarifies as AD that this is a WG decision
            * Discussion around the assumptions - is TLS used
            * LJ: how can we produce a document based on MartinThomsons ideas?
            * Brian: TTRP is important for getting deployment of TB
            * various folks involved in a discussion on where and when to create
            a MAC spec
            * WilliamDennis: complexity should be at the operator/data center level
            * LucyLynch: appreciate draft for exposing important issues:
            sanitization etc
          
            * Brian contiues preso
            * MartinT: don't provide information to backend that the backend
            can't use
            * MartinT: MikeJones request for > 2 TB IDs is fine
            * MartinT: make these Sec-* headers
            * StefanSantesson asks clarification on the sanitization issue
            * Vinnod: why not provide both TB ID and EKM for more complex
            applications?
            * Nick & Brian & MikeJ discuss requirements for > 2 TBs
          
            * Brian shows example of running code
          
          - Open Mic:
            * StefanSantesson: TB for SAML?
            * MikeJones: should use confirmation method (borrowed from SAML)
            based on the work in OpenIDC
            * MikeJones: no opinion as to where it gets done
            * JeffH: agree with Mike -
            * There seems to be support...
          
            * Lucy: Nick - please include a problem statement
          
          



Generated from PyHt script /wg/tokbind/minutes.pyht Latest update: 24 Oct 2012 16:51 GMT -