[ public-webapps should have been included but was not ]
Forwarded Message
Subject:IETF seeking feedback on proposed Token Binding Working Group
Date: Wed, 11 Feb 2015 07:00:35 -0500
From: Arthur Barstow art.bars...@gmail.com
Reply-To: unbeara...@ietf.org
CC: Stephen Farrell stephen.farr...@cs.tcd.ie
[ Bcc: WebApps, WebAppSec, Web Security IG; Reply-to: unbearable @
ietf.org ]
Hi All,
Below is an e-mail from Stephen Farrell regarding a proposed Token
Binding Working Group at the IETF. Stephen is interested in feedback
regarding the proposed group:
* Home: https://datatracker.ietf.org/wg/tokbind/charter/
* Draft spec:
https://tools.ietf.org/html/draft-balfanz-https-token-binding
* List archive:
http://www.ietf.org/mail-archive/web/unbearable/current/maillist.html
The Draft charter includes:
[[
Web services generate various security tokens (e.g. HTTP cookies, OAuth
tokens, etc.) for web applications to access protected resources.
Currently these are bearer tokens, i.e. any party in possession of such
token gains access to the protected resource. Attackers export bearer
tokens from client machines or from compromised network connections,
present these bearer tokens to Web services, and impersonate
authenticated users. Token Binding enables defense against such attacks
by cryptographically binding security tokens to a secret held by the client.
The tasks of this working group are as follows:
1. Specify the Token Binding protocol v1.0.
2. Specify the use of the Token Binding protocol in combination with HTTPS.
...
]]
WebAppSec, Web Security IG - this is mainly an FYI for you.
WebApps - please note the draft spec includes a new XHR property
withRefererTokenBindingID
https://tools.ietf.org/html/draft-balfanz-https-token-binding-00#section-3.4.
If anyone has feedback about the proposal, please send it to the
unbearable @ ietf.org list. However, comments related to the XHR aspect
should be Cc/Bcc to public-webapps.
-Thanks, AB
On 6 Feb 2015, at 8:40 am, Stephen Farrellstephen.farr...@cs.tcd.ie wrote:
Hi Mark W3C folks,
(I'm cc'ing various W3C folks I know in case one of you just know
the answer and can save us some iterations, apologies to the others
of you:-)
We're starting the chartering process for a WG aiming to do better
than bearer tokens. [1] As of now, it looks like that has a good
chance of getting into some or all browsers which is great. We'll
see what else turns up during the chartering process as usual, and
please do comment on that also as usual.
One thing I noted is that the current draft [2] for part of this
work proposes (in section 3.4 [3]) a small change to XHR, so I
wanted to bring that up with you and see if you think that's a
thing that'll need to be addressed during chartering or if it's
ok to handle later (in whatever is the right manner) after we've
chartered an IETF WG. Or maybe it's something that's already done
or bring done in W3C.
The informal IESG evaluation of this charter is set for Feb 19th,
so if we could figure it out by then that'd be great. If not,
we've another couple of weeks of external review when we can get
it done, but I'd prefer be quick if we can.
And in case it helps, I think the simplest way to handle this if
the change turns out to be needed in the end, would be for the
relevant folks to just keep chatting and ideally get that XHR
change tee'd up in W3C. In the meantime, the IETF spec could say
something like if you did change XHR in such-and-such a way then...
just so's we don't get in one another's way. Or maybe some other
plan is better.
Anyway, please let me know who's the right W3C person to keep
in the loop on this and hopefully let's sort it out in the next
week or so.
Cheers,
Stephen.
[1]https://datatracker.ietf.org/wg/tokbind/charter/
[2]https://tools.ietf.org/html/draft-balfanz-https-token-binding
[3]
https://tools.ietf.org/html/draft-balfanz-https-token-binding-00#section-3.4
