| draft-ietf-tokbind-https-05.txt | draft-ietf-tokbind-https-06.txt | |||
|---|---|---|---|---|
| Internet Engineering Task Force A. Popov | Internet Engineering Task Force A. Popov | |||
| Internet-Draft M. Nystroem | Internet-Draft M. Nystroem | |||
| Intended status: Standards Track Microsoft Corp. | Intended status: Standards Track Microsoft Corp. | |||
| Expires: January 8, 2017 D. Balfanz, Ed. | Expires: February 27, 2017 D. Balfanz, Ed. | |||
| A. Langley | A. Langley | |||
| Google Inc. | Google Inc. | |||
| J. Hodges | J. Hodges | |||
| Paypal | Paypal | |||
| July 7, 2016 | August 26, 2016 | |||
| Token Binding over HTTP | Token Binding over HTTP | |||
| draft-ietf-tokbind-https-05 | draft-ietf-tokbind-https-06 | |||
| Abstract | Abstract | |||
| This document describes a collection of mechanisms that allow HTTP | This document describes a collection of mechanisms that allow HTTP | |||
| servers to cryptographically bind authentication tokens (such as | servers to cryptographically bind authentication tokens (such as | |||
| cookies and OAuth tokens) to TLS [RFC5246] connections. | cookies and OAuth tokens) to TLS [RFC5246] connections. | |||
| We describe both _first-party_ and _federated_ scenarios. In a | We describe both _first-party_ and _federated_ scenarios. In a | |||
| first-party scenario, an HTTP server is able to cryptographically | first-party scenario, an HTTP server is able to cryptographically | |||
| bind the security tokens it issues to a client, and which the client | bind the security tokens it issues to a client, and which the client | |||
| skipping to change at page 2, line 7 ¶ | skipping to change at page 2, line 7 ¶ | |||
| Internet-Drafts are working documents of the Internet Engineering | Internet-Drafts are working documents of the Internet Engineering | |||
| Task Force (IETF). Note that other groups may also distribute | Task Force (IETF). Note that other groups may also distribute | |||
| working documents as Internet-Drafts. The list of current Internet- | working documents as Internet-Drafts. The list of current Internet- | |||
| Drafts is at http://datatracker.ietf.org/drafts/current/. | Drafts is at http://datatracker.ietf.org/drafts/current/. | |||
| Internet-Drafts are draft documents valid for a maximum of six months | Internet-Drafts are draft documents valid for a maximum of six months | |||
| and may be updated, replaced, or obsoleted by other documents at any | and may be updated, replaced, or obsoleted by other documents at any | |||
| time. It is inappropriate to use Internet-Drafts as reference | time. It is inappropriate to use Internet-Drafts as reference | |||
| material or to cite them other than as "work in progress." | material or to cite them other than as "work in progress." | |||
| This Internet-Draft will expire on January 8, 2017. | This Internet-Draft will expire on February 27, 2017. | |||
| Copyright Notice | Copyright Notice | |||
| Copyright (c) 2016 IETF Trust and the persons identified as the | Copyright (c) 2016 IETF Trust and the persons identified as the | |||
| document authors. All rights reserved. | document authors. All rights reserved. | |||
| This document is subject to BCP 78 and the IETF Trust's Legal | This document is subject to BCP 78 and the IETF Trust's Legal | |||
| Provisions Relating to IETF Documents | Provisions Relating to IETF Documents | |||
| (http://trustee.ietf.org/license-info) in effect on the date of | (http://trustee.ietf.org/license-info) in effect on the date of | |||
| publication of this document. Please review these documents | publication of this document. Please review these documents | |||
| skipping to change at page 2, line 36 ¶ | skipping to change at page 2, line 36 ¶ | |||
| 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3 | 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3 | |||
| 1.1. Requirements Language . . . . . . . . . . . . . . . . . . 3 | 1.1. Requirements Language . . . . . . . . . . . . . . . . . . 3 | |||
| 2. The Sec-Token-Binding Header Field . . . . . . . . . . . . . 4 | 2. The Sec-Token-Binding Header Field . . . . . . . . . . . . . 4 | |||
| 2.1. HTTPS Token Binding Key Pair Scoping . . . . . . . . . . 4 | 2.1. HTTPS Token Binding Key Pair Scoping . . . . . . . . . . 4 | |||
| 3. First-party Use Cases . . . . . . . . . . . . . . . . . . . . 5 | 3. First-party Use Cases . . . . . . . . . . . . . . . . . . . . 5 | |||
| 4. Federation Use Cases . . . . . . . . . . . . . . . . . . . . 5 | 4. Federation Use Cases . . . . . . . . . . . . . . . . . . . . 5 | |||
| 4.1. Introduction . . . . . . . . . . . . . . . . . . . . . . 5 | 4.1. Introduction . . . . . . . . . . . . . . . . . . . . . . 5 | |||
| 4.2. Overview . . . . . . . . . . . . . . . . . . . . . . . . 6 | 4.2. Overview . . . . . . . . . . . . . . . . . . . . . . . . 6 | |||
| 4.3. HTTP Redirects . . . . . . . . . . . . . . . . . . . . . 7 | 4.3. HTTP Redirects . . . . . . . . . . . . . . . . . . . . . 7 | |||
| 4.4. Negotiated Key Parameters . . . . . . . . . . . . . . . . 9 | 4.4. Negotiated Key Parameters . . . . . . . . . . . . . . . . 9 | |||
| 4.5. Federation Example . . . . . . . . . . . . . . . . . . . 9 | 4.5. Federation Example . . . . . . . . . . . . . . . . . . . 10 | |||
| 5. Security Considerations . . . . . . . . . . . . . . . . . . . 12 | 5. Implementation Considerations . . . . . . . . . . . . . . . . 12 | |||
| 5.1. Security Token Replay . . . . . . . . . . . . . . . . . . 12 | 6. Security Considerations . . . . . . . . . . . . . . . . . . . 12 | |||
| 5.2. Triple Handshake Vulnerability in TLS 1.2 and Older TLS | 6.1. Security Token Replay . . . . . . . . . . . . . . . . . . 12 | |||
| Versions . . . . . . . . . . . . . . . . . . . . . . . . 12 | 6.2. Triple Handshake Vulnerability in TLS 1.2 and Older TLS | |||
| 5.3. Sensitivity of the Sec-Token-Binding Header . . . . . . . 12 | Versions . . . . . . . . . . . . . . . . . . . . . . . . 13 | |||
| 5.4. Securing Federated Sign-On Protocols . . . . . . . . . . 13 | 6.3. Sensitivity of the Sec-Token-Binding Header . . . . . . . 13 | |||
| 6. Privacy Considerations . . . . . . . . . . . . . . . . . . . 15 | 6.4. Securing Federated Sign-On Protocols . . . . . . . . . . 14 | |||
| 6.1. Scoping of Token Binding Keys . . . . . . . . . . . . . . 15 | 7. Privacy Considerations . . . . . . . . . . . . . . . . . . . 16 | |||
| 6.2. Life Time of Token Binding Keys . . . . . . . . . . . . . 16 | 7.1. Scoping of Token Binding Keys . . . . . . . . . . . . . . 16 | |||
| 7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 16 | 7.2. Life Time of Token Binding Keys . . . . . . . . . . . . . 16 | |||
| 8. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 16 | 7.3. Correlation . . . . . . . . . . . . . . . . . . . . . . . 17 | |||
| 9. References . . . . . . . . . . . . . . . . . . . . . . . . . 17 | 8. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 17 | |||
| 9.1. Normative References . . . . . . . . . . . . . . . . . . 17 | 9. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 18 | |||
| 9.2. Informative References . . . . . . . . . . . . . . . . . 18 | 10. References . . . . . . . . . . . . . . . . . . . . . . . . . 18 | |||
| Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 19 | 10.1. Normative References . . . . . . . . . . . . . . . . . . 18 | |||
| 10.2. Informative References . . . . . . . . . . . . . . . . . 19 | ||||
| Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 20 | ||||
| 1. Introduction | 1. Introduction | |||
| The Token Binding Protocol [I-D.ietf-tokbind-protocol] defines a | The Token Binding Protocol [I-D.ietf-tokbind-protocol] defines a | |||
| Token Binding ID for a TLS connection between a client and a server. | Token Binding ID for a TLS connection between a client and a server. | |||
| The Token Binding ID of a TLS connection is related to a private key, | The Token Binding ID of a TLS connection is related to a private key, | |||
| that the client proves possession of to the server, and is long-lived | that the client proves possession of to the server, and is long-lived | |||
| (i.e., subsequent TLS connections between the same client and server | (i.e., subsequent TLS connections between the same client and server | |||
| have the same Token Binding ID). When issuing a security token (e.g. | have the same Token Binding ID). When issuing a security token (e.g. | |||
| an HTTP cookie or an OAuth token) to a client, the server can include | an HTTP cookie or an OAuth token) to a client, the server can include | |||
| skipping to change at page 4, line 16 ¶ | skipping to change at page 4, line 16 ¶ | |||
| Once a client and server have negotiated the Token Binding Protocol | Once a client and server have negotiated the Token Binding Protocol | |||
| with HTTP/1.1 or HTTP/2 (see [I-D.ietf-tokbind-protocol] and | with HTTP/1.1 or HTTP/2 (see [I-D.ietf-tokbind-protocol] and | |||
| [I-D.ietf-tokbind-negotiation]), clients MUST include the Sec-Token- | [I-D.ietf-tokbind-negotiation]), clients MUST include the Sec-Token- | |||
| Binding header field in their HTTP requests. The ABNF of the Sec- | Binding header field in their HTTP requests. The ABNF of the Sec- | |||
| Token-Binding header field is (in [RFC7230] style, see also [RFC7231] | Token-Binding header field is (in [RFC7230] style, see also [RFC7231] | |||
| Section 8.3): | Section 8.3): | |||
| Sec-Token-Binding = EncodedTokenBindingMessage | Sec-Token-Binding = EncodedTokenBindingMessage | |||
| The header field name is "Sec-Token-Binding", and | The header field name is "Sec-Token-Binding" and its value is a | |||
| EncodedTokenBindingMessage is a base64url encoding (see [RFC4648] | base64url encoding of the TokenBindingMessage defined in | |||
| Section 5) of the TokenBindingMessage as defined in | [I-D.ietf-tokbind-protocol] using the URL- and filename-safe | |||
| [I-D.ietf-tokbind-protocol]. | character set described in Section 5 of [RFC4648], with all trailing | |||
| pad characters '=' omitted and without the inclusion of any line | ||||
| breaks, whitespace, or other additional characters. | ||||
| For example: | For example: | |||
| Sec-Token-Binding: <base64url-encoded TokenBindingMessage> | Sec-Token-Binding: <base64url-encoded TokenBindingMessage> | |||
| The TokenBindingMessage MUST contain one TokenBinding structure with | The TokenBindingMessage MUST contain one TokenBinding structure with | |||
| TokenBindingType of provided_token_binding, which MUST be signed with | TokenBindingType of provided_token_binding, which MUST be signed with | |||
| the Token Binding private key used by the client for connections | the Token Binding private key used by the client for connections | |||
| between itself and the server that the HTTP request is sent to | between itself and the server that the HTTP request is sent to | |||
| (clients use different Token Binding keys for different servers, see | (clients use different Token Binding keys for different servers, see | |||
| skipping to change at page 5, line 19 ¶ | skipping to change at page 5, line 21 ¶ | |||
| The Token Binding key pair scoping for those key pairs generated in | The Token Binding key pair scoping for those key pairs generated in | |||
| the context of the first-party and federation use cases defined in | the context of the first-party and federation use cases defined in | |||
| this specification (below), and to be used for binding HTTP cookies | this specification (below), and to be used for binding HTTP cookies | |||
| MUST be at the granularity of "effective top-level domain (public | MUST be at the granularity of "effective top-level domain (public | |||
| suffix) + 1" (eTLD+1), i.e., at the same granularity at which cookies | suffix) + 1" (eTLD+1), i.e., at the same granularity at which cookies | |||
| can be set (see [RFC6265]). Key pairs used to bind other application | can be set (see [RFC6265]). Key pairs used to bind other application | |||
| tokens, such as OAuth tokens, SHOULD adhere to the above eTLD+1 | tokens, such as OAuth tokens, SHOULD adhere to the above eTLD+1 | |||
| scoping requirement for those tokens being employed in first-party or | scoping requirement for those tokens being employed in first-party or | |||
| federation scenarios as described below, e.g., OAuth refresh tokens | federation scenarios as described below, e.g., OAuth refresh tokens | |||
| or Open ID Connect "ID Tokens". See also Section 6.1, below. | or Open ID Connect "ID Tokens". See also Section 7.1, below. | |||
| Scoping rules for other HTTP-based application contexts are outside | Scoping rules for other HTTP-based application contexts are outside | |||
| the scope of this specification. | the scope of this specification. | |||
| 3. First-party Use Cases | 3. First-party Use Cases | |||
| In a first-party use case, an HTTP server issues a security token | In a first-party use case, an HTTP server issues a security token | |||
| such as a cookie (or similar) to a client, and expects the client to | such as a cookie (or similar) to a client, and expects the client to | |||
| return the security token at a later time, e.g., in order to | return the security token at a later time, e.g., in order to | |||
| authenticate. Binding the security token to the TLS connection | authenticate. Binding the security token to the TLS connection | |||
| skipping to change at page 8, line 15 ¶ | skipping to change at page 8, line 15 ¶ | |||
| about the Token Binding used between the client and the Token | about the Token Binding used between the client and the Token | |||
| Consumer to the Token Provider. | Consumer to the Token Provider. | |||
| As illustrated in Section 4.5, when a client receives this header | As illustrated in Section 4.5, when a client receives this header | |||
| field, it should take the TokenBindingID of the provided TokenBinding | field, it should take the TokenBindingID of the provided TokenBinding | |||
| from the referrer and create a referred TokenBinding with it to | from the referrer and create a referred TokenBinding with it to | |||
| include in the TokenBindingMessage on the redirect request. In other | include in the TokenBindingMessage on the redirect request. In other | |||
| words, the Token Binding message in the redirect request to the Token | words, the Token Binding message in the redirect request to the Token | |||
| Provider now includes one provided binding and one referred binding, | Provider now includes one provided binding and one referred binding, | |||
| the latter constructed from the binding between the client and the | the latter constructed from the binding between the client and the | |||
| Token Consumer. Note that that the referred token binding is sent | Token Consumer. | |||
| only on the request resulting from the redirect and not on any | ||||
| subsequent requests to the Token Provider | When a client receives the Include-Referred-Token-Binding-ID header, | |||
| it includes the referred token binding even if both the Token | ||||
| Provider and the Token Consumer fall under the same eTLD+1 and the | ||||
| provided and referred token binding IDs are the same. Note that the | ||||
| referred token binding is sent only on the request resulting from the | ||||
| redirect and not on any subsequent requests to the Token Provider. | ||||
| If the Include-Referred-Token-Binding-ID header field is received in | If the Include-Referred-Token-Binding-ID header field is received in | |||
| response to a request that did not include the Token-Binding header | response to a request that did not include the Token-Binding header | |||
| field, the client MUST ignore the Include-Referred-Token-Binding-ID | field, the client MUST ignore the Include-Referred-Token-Binding-ID | |||
| header field. | header field. | |||
| This header field has only meaning if the HTTP status code is 301, | This header field has only meaning if the HTTP status code is 301, | |||
| 302, 303, 307 or 308, and MUST be ignored by the client for any other | 302, 303, 307 or 308, and MUST be ignored by the client for any other | |||
| status codes. If the client supports the Token Binding Protocol, and | status codes. If the client supports the Token Binding Protocol, and | |||
| has negotiated the Token Binding Protocol with both the Token | has negotiated the Token Binding Protocol with both the Token | |||
| skipping to change at page 9, line 44 ¶ | skipping to change at page 9, line 50 ¶ | |||
| between the client and Token Provider, use different key parameters. | between the client and Token Provider, use different key parameters. | |||
| The client MUST use the key parameters negotiated with the Token | The client MUST use the key parameters negotiated with the Token | |||
| Consumer in the referred_token_binding TokenBinding of the | Consumer in the referred_token_binding TokenBinding of the | |||
| TokenBindingMessage, even if those key parameters are different from | TokenBindingMessage, even if those key parameters are different from | |||
| the ones negotiated with the origin that the header field is sent to. | the ones negotiated with the origin that the header field is sent to. | |||
| Token Providers SHOULD support all the Token Binding key parameters | Token Providers SHOULD support all the Token Binding key parameters | |||
| specified in the [I-D.ietf-tokbind-protocol]. If a token provider | specified in the [I-D.ietf-tokbind-protocol]. If a token provider | |||
| does not support the key parameters specified in the | does not support the key parameters specified in the | |||
| referred_token_binding TokenBinding in the TokenBindingMessage, it | referred_token_binding TokenBinding in the TokenBindingMessage, it | |||
| MUST issue an unbound token. | MUST NOT issue a bound token. | |||
| 4.5. Federation Example | 4.5. Federation Example | |||
| The diagram below shows a typical HTTP Redirect-based Web Browser SSO | The diagram below shows a typical HTTP Redirect-based Web Browser SSO | |||
| Profile (no artifact, no callbacks), featuring binding of, e.g., a | Profile (no artifact, no callbacks), featuring binding of, e.g., a | |||
| TLS Token Binding ID into an OpenID Connect "ID Token". | TLS Token Binding ID into an OpenID Connect "ID Token". | |||
| Legend: | Legend: | |||
| +------------+------------------------------------------------------+ | +------------+------------------------------------------------------+ | |||
| skipping to change at page 12, line 5 ¶ | skipping to change at page 12, line 10 ¶ | |||
| | ID Token w/TBID1, issued for TC | | | ID Token w/TBID1, issued for TC | | |||
| | | | | | | | | |||
| | | | | | | | | |||
| | | | | | | | | |||
| | 4. user is signed-on, any security-relevant cookie(s)| | | 4. user is signed-on, any security-relevant cookie(s)| | |||
| | that are set SHOULD contain TBID1 | | | that are set SHOULD contain TBID1 | | |||
| |<------------------------------| | | |<------------------------------| | | |||
| | | | | | | | | |||
| | | | | | | | | |||
| 5. Security Considerations | 5. Implementation Considerations | |||
| 5.1. Security Token Replay | HTTPS-based applications may have multi-party use cases other than, | |||
| or in addition to, the HTTP redirect-based signaling-and-conveyance | ||||
| of referred token bindings, as presented above in Section 4.3. | ||||
| Thus, generic Token Binding implementations intended to support any | ||||
| HTTPS-based client-side application (e.g., so-called "native | ||||
| applications"), should provide means for applications to have Token | ||||
| Binding messages, containing Token Binding IDs of various | ||||
| application-specified Token Binding types and for application- | ||||
| specified TLS connections, conveyed over an application-specified | ||||
| HTTPS connection, i.e., within the TokenBindingMessage conveyed by | ||||
| the Sec-Token-Binding header field. | ||||
| However, such applications MUST only convey Token Binding IDs to | ||||
| other servers if the server associated with a Token Binding ID | ||||
| explicitly signals to do so, e.g., by returning an Include-Referred- | ||||
| Token-Binding-ID HTTP response header field. | ||||
| NOTE: See Section 7 "Privacy Considerations", for privacy guidance | ||||
| regarding the use of this functionality. | ||||
| 6. Security Considerations | ||||
| 6.1. Security Token Replay | ||||
| The goal of the Federated Token Binding mechanisms is to prevent | The goal of the Federated Token Binding mechanisms is to prevent | |||
| attackers from exporting and replaying tokens used in protocols | attackers from exporting and replaying tokens used in protocols | |||
| between the client and Token Consumer, thereby impersonating | between the client and Token Consumer, thereby impersonating | |||
| legitimate users and gaining access to protected resources. Bound | legitimate users and gaining access to protected resources. Bound | |||
| tokens can still be replayed by malware present in the client. In | tokens can still be replayed by malware present in the client. In | |||
| order to export the token to another machine and successfully replay | order to export the token to another machine and successfully replay | |||
| it, the attacker also needs to export the corresponding private key. | it, the attacker also needs to export the corresponding private key. | |||
| The Token Binding private key is therefore a high-value asset and | The Token Binding private key is therefore a high-value asset and | |||
| MUST be strongly protected, ideally by generating it in a hardware | MUST be strongly protected, ideally by generating it in a hardware | |||
| security module that prevents key export. | security module that prevents key export. | |||
| 5.2. Triple Handshake Vulnerability in TLS 1.2 and Older TLS Versions | 6.2. Triple Handshake Vulnerability in TLS 1.2 and Older TLS Versions | |||
| The Token Binding protocol relies on the exported key material (EKM) | The Token Binding protocol relies on the exported key material (EKM) | |||
| value [RFC5705] to associate a TLS connection with a TLS Token | value [RFC5705] to associate a TLS connection with a TLS Token | |||
| Binding. The triple handshake attack [TRIPLE-HS] is a known | Binding. The triple handshake attack [TRIPLE-HS] is a known | |||
| vulnerability in TLS 1.2 and older TLS versions, allowing the | vulnerability in TLS 1.2 and older TLS versions, allowing the | |||
| attacker to synchronize keying material between TLS connections. The | attacker to synchronize keying material between TLS connections. The | |||
| attacker can then successfully replay bound tokens. For this reason, | attacker can then successfully replay bound tokens. For this reason, | |||
| the Token Binding protocol MUST NOT be negotiated with these TLS | the Token Binding protocol MUST NOT be negotiated with these TLS | |||
| versions, unless the Extended Master Secret [RFC7627] and | versions, unless the Extended Master Secret [RFC7627] TLS extension | |||
| Renegotiation Indication [RFC5746] TLS extensions have also been | has also been negotiated. In addition, TLS renegotiation MUST NOT be | |||
| negotiated. | initiated or allowed, unless the Renegotiation Indication [RFC5746] | |||
| TLS extension has been negotiated. | ||||
| 5.3. Sensitivity of the Sec-Token-Binding Header | 6.3. Sensitivity of the Sec-Token-Binding Header | |||
| The purpose of the Token Binding protocol is to convince the server | The purpose of the Token Binding protocol is to convince the server | |||
| that the client that initiated the TLS connection controls a certain | that the client that initiated the TLS connection controls a certain | |||
| key pair. For the server to correctly draw this conclusion after | key pair. For the server to correctly draw this conclusion after | |||
| processing the Sec-Token-Binding header field, certain secrecy and | processing the Sec-Token-Binding header field, certain secrecy and | |||
| integrity requirements must be met. | integrity requirements must be met. | |||
| For example, the client's private Token Binding key must be kept | For example, the client's private Token Binding key must be kept | |||
| secret by the client. If the private key is not secret, then another | secret by the client. If the private key is not secret, then another | |||
| actor in the system could create a valid Token Binding header field, | actor in the system could create a valid Token Binding header field, | |||
| skipping to change at page 13, line 47 ¶ | skipping to change at page 14, line 33 ¶ | |||
| example, if S has a feature that lets account holders see their | example, if S has a feature that lets account holders see their | |||
| activity history on S). | activity history on S). | |||
| Therefore, we need to protect the integrity of the Sec-Token-Binding | Therefore, we need to protect the integrity of the Sec-Token-Binding | |||
| header field. One origin should not be able to set the Sec-Token- | header field. One origin should not be able to set the Sec-Token- | |||
| Binding header field (through a DOM API or otherwise) that the User | Binding header field (through a DOM API or otherwise) that the User | |||
| Agent uses with another origin. Employing the "Sec-" header field | Agent uses with another origin. Employing the "Sec-" header field | |||
| prefix helps to meet this requirement by denoting the header field | prefix helps to meet this requirement by denoting the header field | |||
| name to be a "forbidden header name", see [fetch-spec]. | name to be a "forbidden header name", see [fetch-spec]. | |||
| 5.4. Securing Federated Sign-On Protocols | 6.4. Securing Federated Sign-On Protocols | |||
| As explained above, in a federated sign-in scenario a client will | As explained above, in a federated sign-in scenario a client will | |||
| prove possession of two different key pairs to a Token Provider: One | prove possession of two different key pairs to a Token Provider: One | |||
| key pair is the "provided" Token Binding key pair (which the client | key pair is the "provided" Token Binding key pair (which the client | |||
| normally uses with the Token Provider), and the other is the | normally uses with the Token Provider), and the other is the | |||
| "referred" Token Binding key pair (which the client normally uses | "referred" Token Binding key pair (which the client normally uses | |||
| with the Token Consumer). The Token Provider is expected to issue a | with the Token Consumer). The Token Provider is expected to issue a | |||
| token that is bound to the referred Token Binding key. | token that is bound to the referred Token Binding key. | |||
| Both proofs (that of the provided Token Binding key and that of the | Both proofs (that of the provided Token Binding key and that of the | |||
| skipping to change at page 15, line 34 ¶ | skipping to change at page 16, line 20 ¶ | |||
| referred Token Binding key in an application-level message as part of | referred Token Binding key in an application-level message as part of | |||
| the redirect URL) is one way to assure that the man-in-the-middle | the redirect URL) is one way to assure that the man-in-the-middle | |||
| between client and Token Consumer cannot affect the communication of | between client and Token Consumer cannot affect the communication of | |||
| the referred Token Binding key to the Token Provider. | the referred Token Binding key to the Token Provider. | |||
| Therefore, the Sec-Token-Binding header field in the federated sign- | Therefore, the Sec-Token-Binding header field in the federated sign- | |||
| on use case contains both, a proof of possession of the provided | on use case contains both, a proof of possession of the provided | |||
| Token Binding key, as well as a proof of possession of the referred | Token Binding key, as well as a proof of possession of the referred | |||
| Token Binding key. | Token Binding key. | |||
| 6. Privacy Considerations | 7. Privacy Considerations | |||
| 6.1. Scoping of Token Binding Keys | 7.1. Scoping of Token Binding Keys | |||
| Clients use different Token Binding key pairs for different servers, | Clients use different Token Binding key pairs for different servers, | |||
| so as to not allow Token Binding to become a tracking tool across | so as to not allow Token Binding to become a tracking tool across | |||
| different servers. However, the scoping of the Token Binding key | different servers. However, the scoping of the Token Binding key | |||
| pairs to servers varies according to the scoping rules of the | pairs to servers varies according to the scoping rules of the | |||
| application protocol ([I-D.ietf-tokbind-protocol] section 4.1). | application protocol ([I-D.ietf-tokbind-protocol] section 4.1). | |||
| In the case of HTTP cookies, servers may use Token Binding to secure | In the case of HTTP cookies, servers may use Token Binding to secure | |||
| their cookies. These cookies can be attached to any sub-domain of | their cookies. These cookies can be attached to any sub-domain of | |||
| effective top-level domains, and clients therefore should use the | effective top-level domains, and clients therefore should use the | |||
| same Token Binding key across such subdomains. This will ensure that | same Token Binding key across such subdomains. This will ensure that | |||
| any server capable of receiving the cookie will see the same Token | any server capable of receiving the cookie will see the same Token | |||
| Binding ID from the client, and thus be able to verify the token | Binding ID from the client, and thus be able to verify the token | |||
| binding of the cookie. See Section 2.1, above. | binding of the cookie. See Section 2.1, above. | |||
| 6.2. Life Time of Token Binding Keys | 7.2. Life Time of Token Binding Keys | |||
| Token Binding keys do not have an expiration time. This means that | Token Binding keys do not have an expiration time. This means that | |||
| they can potentially be used by a server to track a user across an | they can potentially be used by a server to track a user across an | |||
| extended period of time (similar to a long-lived cookie). HTTPS | extended period of time (similar to a long-lived cookie). HTTPS | |||
| clients such as web user agents should therefore provide a user | clients such as web user agents should therefore provide a user | |||
| interface for discarding Token Binding keys (similar to the | interface for discarding Token Binding keys (similar to the | |||
| affordances provided to delete cookies). | affordances provided to delete cookies). | |||
| If a user agent provides modes such as private browsing mode in which | If a user agent provides modes such as private browsing mode in which | |||
| the user is promised that browsing state such as cookies are | the user is promised that browsing state such as cookies are | |||
| discarded after the session is over, the user agent should also | discarded after the session is over, the user agent should also | |||
| discard Token Binding keys from such modes after the session is over. | discard Token Binding keys from such modes after the session is over. | |||
| Generally speaking, users should be given the same level of control | Generally speaking, users should be given the same level of control | |||
| over life time of Token Binding keys as they have over cookies or | over life time of Token Binding keys as they have over cookies or | |||
| other potential tracking mechanisms. | other potential tracking mechanisms. | |||
| 7. IANA Considerations | 7.3. Correlation | |||
| An application's various communicating endpoints, that receive Token | ||||
| Binding IDs for TLS connections other than their own, obtain | ||||
| information about the application's other TLS connections (in this | ||||
| context, "an application" is a combination of client-side and server- | ||||
| side components, communicating over HTTPS, where the client side may | ||||
| be either or both web browser-based or native application-based). | ||||
| These other Token Binding IDs can serve as correlation handles for | ||||
| the endpoints of the other connections. If the receiving endpoints | ||||
| are otherwise aware of these other connections, then no additional | ||||
| information is being exposed. For instance, if in a redirect-based | ||||
| federation protocol, the Identity Provider and Relying Party already | ||||
| possess URLs for one another, also having Token Binding IDs for these | ||||
| connections does not provide additional correlation information. If | ||||
| not, then, by providing the other Token Binding IDs, additional | ||||
| information is exposed that can be used to correlate the other | ||||
| endpoints. In such cases, a privacy analysis of enabled correlations | ||||
| and their potential privacy impacts should be performed as part of | ||||
| the application design decisions of how, and whether, to utilize | ||||
| Token Binding. | ||||
| Also, applications must take care to only reveal Token Binding IDs to | ||||
| other endpoints if the server associated with a Token Binding ID | ||||
| explicitly signals to do so, see Section 5 | ||||
| "Implementation Considerations". | ||||
| Finally, care should be taken to ensure that unrelated applications | ||||
| do not obtain information about each other's Token Bindings. For | ||||
| instance, a Token Binding implementation shared between multiple | ||||
| applications on a given system should prevent unrelated applications | ||||
| from obtaining each other's Token Binding information. This may be | ||||
| accomplished by using techniques such as application isolation and | ||||
| key segregation, depending upon system capabilities. | ||||
| 8. IANA Considerations | ||||
| Below are the Internet Assigned Numbers Authority (IANA) Permanent | Below are the Internet Assigned Numbers Authority (IANA) Permanent | |||
| Message Header Field registration information per [RFC3864]. | Message Header Field registration information per [RFC3864]. | |||
| Header field name: Sec-Token-Binding | Header field name: Sec-Token-Binding | |||
| Applicable protocol: HTTP | Applicable protocol: HTTP | |||
| Status: standard | Status: standard | |||
| Author/Change controller: IETF | Author/Change controller: IETF | |||
| Specification document(s): this one | Specification document(s): this one | |||
| Header field name: Include-Referred-Token-Binding-ID | Header field name: Include-Referred-Token-Binding-ID | |||
| Applicable protocol: HTTP | Applicable protocol: HTTP | |||
| Status: standard | Status: standard | |||
| Author/Change controller: IETF | Author/Change controller: IETF | |||
| Specification document(s): this one | Specification document(s): this one | |||
| [[TODO: possibly add further considerations wrt the behavior of the | [[TODO: possibly add further considerations wrt the behavior of the | |||
| above header fields, per <https://tools.ietf.org/html/ | above header fields, per <https://tools.ietf.org/html/ | |||
| rfc7231#section-8.3>]] | rfc7231#section-8.3>]] | |||
| skipping to change at page 16, line 43 ¶ | skipping to change at page 18, line 14 ¶ | |||
| Header field name: Include-Referred-Token-Binding-ID | Header field name: Include-Referred-Token-Binding-ID | |||
| Applicable protocol: HTTP | Applicable protocol: HTTP | |||
| Status: standard | Status: standard | |||
| Author/Change controller: IETF | Author/Change controller: IETF | |||
| Specification document(s): this one | Specification document(s): this one | |||
| [[TODO: possibly add further considerations wrt the behavior of the | [[TODO: possibly add further considerations wrt the behavior of the | |||
| above header fields, per <https://tools.ietf.org/html/ | above header fields, per <https://tools.ietf.org/html/ | |||
| rfc7231#section-8.3>]] | rfc7231#section-8.3>]] | |||
| 8. Acknowledgements | 9. Acknowledgements | |||
| This document incorporates comments and suggestions offered by Eric | This document incorporates comments and suggestions offered by Eric | |||
| Rescorla, Gabriel Montenegro, Martin Thomson, Vinod Anupam, Anthony | Rescorla, Gabriel Montenegro, Martin Thomson, Vinod Anupam, Anthony | |||
| Nadalin, Michael Jones, Bill Cox, Nick Harper, Brian Campbell and | Nadalin, Michael B. Jones, Bill Cox, Nick Harper, Brian Campbell, | |||
| others. | and others. | |||
| 9. References | 10. References | |||
| 9.1. Normative References | 10.1. Normative References | |||
| [fetch-spec] | [fetch-spec] | |||
| WhatWG, "Fetch", Living Standard , | WhatWG, "Fetch", Living Standard , | |||
| <https://fetch.spec.whatwg.org/>. | <https://fetch.spec.whatwg.org/>. | |||
| [I-D.ietf-tokbind-negotiation] | [I-D.ietf-tokbind-negotiation] | |||
| Popov, A., Nystrom, M., Balfanz, D., and A. Langley, | Popov, A., Nystrom, M., Balfanz, D., and A. Langley, | |||
| "Transport Layer Security (TLS) Extension for Token | "Transport Layer Security (TLS) Extension for Token | |||
| Binding Protocol Negotiation", draft-ietf-tokbind- | Binding Protocol Negotiation", draft-ietf-tokbind- | |||
| negotiation-03 (work in progress), July 2016. | negotiation-03 (work in progress), July 2016. | |||
| [I-D.ietf-tokbind-protocol] | [I-D.ietf-tokbind-protocol] | |||
| Popov, A., Nystrom, M., Balfanz, D., Langley, A., and J. | Popov, A., Nystrom, M., Balfanz, D., Langley, A., and J. | |||
| Hodges, "The Token Binding Protocol Version 1.0", draft- | Hodges, "The Token Binding Protocol Version 1.0", draft- | |||
| ietf-tokbind-protocol-07 (work in progress), July 2016. | ietf-tokbind-protocol-08 (work in progress), July 2016. | |||
| [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate | [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate | |||
| Requirement Levels", BCP 14, RFC 2119, | Requirement Levels", BCP 14, RFC 2119, | |||
| DOI 10.17487/RFC2119, March 1997, | DOI 10.17487/RFC2119, March 1997, | |||
| <http://www.rfc-editor.org/info/rfc2119>. | <http://www.rfc-editor.org/info/rfc2119>. | |||
| [RFC3864] Klyne, G., Nottingham, M., and J. Mogul, "Registration | [RFC3864] Klyne, G., Nottingham, M., and J. Mogul, "Registration | |||
| Procedures for Message Header Fields", BCP 90, RFC 3864, | Procedures for Message Header Fields", BCP 90, RFC 3864, | |||
| DOI 10.17487/RFC3864, September 2004, | DOI 10.17487/RFC3864, September 2004, | |||
| <http://www.rfc-editor.org/info/rfc3864>. | <http://www.rfc-editor.org/info/rfc3864>. | |||
| skipping to change at page 18, line 19 ¶ | skipping to change at page 19, line 36 ¶ | |||
| [RFC7231] Fielding, R., Ed. and J. Reschke, Ed., "Hypertext Transfer | [RFC7231] Fielding, R., Ed. and J. Reschke, Ed., "Hypertext Transfer | |||
| Protocol (HTTP/1.1): Semantics and Content", RFC 7231, | Protocol (HTTP/1.1): Semantics and Content", RFC 7231, | |||
| DOI 10.17487/RFC7231, June 2014, | DOI 10.17487/RFC7231, June 2014, | |||
| <http://www.rfc-editor.org/info/rfc7231>. | <http://www.rfc-editor.org/info/rfc7231>. | |||
| [RFC7541] Peon, R. and H. Ruellan, "HPACK: Header Compression for | [RFC7541] Peon, R. and H. Ruellan, "HPACK: Header Compression for | |||
| HTTP/2", RFC 7541, DOI 10.17487/RFC7541, May 2015, | HTTP/2", RFC 7541, DOI 10.17487/RFC7541, May 2015, | |||
| <http://www.rfc-editor.org/info/rfc7541>. | <http://www.rfc-editor.org/info/rfc7541>. | |||
| 9.2. Informative References | 10.2. Informative References | |||
| [RFC5746] Rescorla, E., Ray, M., Dispensa, S., and N. Oskov, | [RFC5746] Rescorla, E., Ray, M., Dispensa, S., and N. Oskov, | |||
| "Transport Layer Security (TLS) Renegotiation Indication | "Transport Layer Security (TLS) Renegotiation Indication | |||
| Extension", RFC 5746, DOI 10.17487/RFC5746, February 2010, | Extension", RFC 5746, DOI 10.17487/RFC5746, February 2010, | |||
| <http://www.rfc-editor.org/info/rfc5746>. | <http://www.rfc-editor.org/info/rfc5746>. | |||
| [RFC6749] Hardt, D., Ed., "The OAuth 2.0 Authorization Framework", | [RFC6749] Hardt, D., Ed., "The OAuth 2.0 Authorization Framework", | |||
| RFC 6749, DOI 10.17487/RFC6749, October 2012, | RFC 6749, DOI 10.17487/RFC6749, October 2012, | |||
| <http://www.rfc-editor.org/info/rfc6749>. | <http://www.rfc-editor.org/info/rfc6749>. | |||
| End of changes. 26 change blocks. | ||||
| 49 lines changed or deleted | 116 lines changed or added | |||
This html diff was produced by rfcdiff 1.45. The latest version is available from http://tools.ietf.org/tools/rfcdiff/ | ||||