| draft-ietf-tokbind-https-10.txt | draft-ietf-tokbind-https-11.txt | |||
|---|---|---|---|---|
| Internet Engineering Task Force A. Popov | Internet Engineering Task Force A. Popov | |||
| Internet-Draft M. Nystroem | Internet-Draft M. Nystroem | |||
| Intended status: Standards Track Microsoft Corp. | Intended status: Standards Track Microsoft Corp. | |||
| Expires: January 22, 2018 D. Balfanz, Ed. | Expires: May 19, 2018 D. Balfanz, Ed. | |||
| A. Langley | A. Langley | |||
| N. Harper | N. Harper | |||
| Google Inc. | Google Inc. | |||
| J. Hodges | J. Hodges | |||
| PayPal | PayPal | |||
| July 21, 2017 | November 15, 2017 | |||
| Token Binding over HTTP | Token Binding over HTTP | |||
| draft-ietf-tokbind-https-10 | draft-ietf-tokbind-https-11 | |||
| Abstract | Abstract | |||
| This document describes a collection of mechanisms that allow HTTP | This document describes a collection of mechanisms that allow HTTP | |||
| servers to cryptographically bind security tokens (such as cookies | servers to cryptographically bind security tokens (such as cookies | |||
| and OAuth tokens) to TLS connections. | and OAuth tokens) to TLS connections. | |||
| We describe both first-party and federated scenarios. In a first- | We describe both first-party and federated scenarios. In a first- | |||
| party scenario, an HTTP server is able to cryptographically bind the | party scenario, an HTTP server is able to cryptographically bind the | |||
| security tokens it issues to a client, and which the client | security tokens it issues to a client, and which the client | |||
| skipping to change at page 1, line 46 ¶ | skipping to change at page 1, line 46 ¶ | |||
| Protocol. | Protocol. | |||
| Status of This Memo | Status of This Memo | |||
| This Internet-Draft is submitted in full conformance with the | This Internet-Draft is submitted in full conformance with the | |||
| provisions of BCP 78 and BCP 79. | provisions of BCP 78 and BCP 79. | |||
| Internet-Drafts are working documents of the Internet Engineering | Internet-Drafts are working documents of the Internet Engineering | |||
| Task Force (IETF). Note that other groups may also distribute | Task Force (IETF). Note that other groups may also distribute | |||
| working documents as Internet-Drafts. The list of current Internet- | working documents as Internet-Drafts. The list of current Internet- | |||
| Drafts is at http://datatracker.ietf.org/drafts/current/. | Drafts is at https://datatracker.ietf.org/drafts/current/. | |||
| Internet-Drafts are draft documents valid for a maximum of six months | Internet-Drafts are draft documents valid for a maximum of six months | |||
| and may be updated, replaced, or obsoleted by other documents at any | and may be updated, replaced, or obsoleted by other documents at any | |||
| time. It is inappropriate to use Internet-Drafts as reference | time. It is inappropriate to use Internet-Drafts as reference | |||
| material or to cite them other than as "work in progress." | material or to cite them other than as "work in progress." | |||
| This Internet-Draft will expire on January 22, 2018. | This Internet-Draft will expire on May 19, 2018. | |||
| Copyright Notice | Copyright Notice | |||
| Copyright (c) 2017 IETF Trust and the persons identified as the | Copyright (c) 2017 IETF Trust and the persons identified as the | |||
| document authors. All rights reserved. | document authors. All rights reserved. | |||
| This document is subject to BCP 78 and the IETF Trust's Legal | This document is subject to BCP 78 and the IETF Trust's Legal | |||
| Provisions Relating to IETF Documents | Provisions Relating to IETF Documents | |||
| (http://trustee.ietf.org/license-info) in effect on the date of | (https://trustee.ietf.org/license-info) in effect on the date of | |||
| publication of this document. Please review these documents | publication of this document. Please review these documents | |||
| carefully, as they describe your rights and restrictions with respect | carefully, as they describe your rights and restrictions with respect | |||
| to this document. Code Components extracted from this document must | to this document. Code Components extracted from this document must | |||
| include Simplified BSD License text as described in Section 4.e of | include Simplified BSD License text as described in Section 4.e of | |||
| the Trust Legal Provisions and are provided without warranty as | the Trust Legal Provisions and are provided without warranty as | |||
| described in the Simplified BSD License. | described in the Simplified BSD License. | |||
| Table of Contents | Table of Contents | |||
| 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3 | 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3 | |||
| skipping to change at page 2, line 45 ¶ | skipping to change at page 2, line 45 ¶ | |||
| 5.3. HTTP Redirects . . . . . . . . . . . . . . . . . . . . . 8 | 5.3. HTTP Redirects . . . . . . . . . . . . . . . . . . . . . 8 | |||
| 5.4. Negotiated Key Parameters . . . . . . . . . . . . . . . . 10 | 5.4. Negotiated Key Parameters . . . . . . . . . . . . . . . . 10 | |||
| 5.5. Federation Example . . . . . . . . . . . . . . . . . . . 11 | 5.5. Federation Example . . . . . . . . . . . . . . . . . . . 11 | |||
| 6. Implementation Considerations . . . . . . . . . . . . . . . . 13 | 6. Implementation Considerations . . . . . . . . . . . . . . . . 13 | |||
| 7. Security Considerations . . . . . . . . . . . . . . . . . . . 13 | 7. Security Considerations . . . . . . . . . . . . . . . . . . . 13 | |||
| 7.1. Security Token Replay . . . . . . . . . . . . . . . . . . 13 | 7.1. Security Token Replay . . . . . . . . . . . . . . . . . . 13 | |||
| 7.2. Triple Handshake Vulnerability in TLS 1.2 and Older TLS | 7.2. Triple Handshake Vulnerability in TLS 1.2 and Older TLS | |||
| Versions . . . . . . . . . . . . . . . . . . . . . . . . 14 | Versions . . . . . . . . . . . . . . . . . . . . . . . . 14 | |||
| 7.3. Sensitivity of the Sec-Token-Binding Header . . . . . . . 14 | 7.3. Sensitivity of the Sec-Token-Binding Header . . . . . . . 14 | |||
| 7.4. Securing Federated Sign-On Protocols . . . . . . . . . . 15 | 7.4. Securing Federated Sign-On Protocols . . . . . . . . . . 15 | |||
| 8. Privacy Considerations . . . . . . . . . . . . . . . . . . . 17 | 8. Privacy Considerations . . . . . . . . . . . . . . . . . . . 18 | |||
| 8.1. Scoping of Token Binding Key Pairs . . . . . . . . . . . 17 | 8.1. Scoping of Token Binding Key Pairs . . . . . . . . . . . 18 | |||
| 8.2. Lifetime of Token Binding Key Pairs . . . . . . . . . . . 18 | 8.2. Lifetime of Token Binding Key Pairs . . . . . . . . . . . 18 | |||
| 8.3. Correlation . . . . . . . . . . . . . . . . . . . . . . . 18 | 8.3. Correlation . . . . . . . . . . . . . . . . . . . . . . . 19 | |||
| 9. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 19 | 9. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 19 | |||
| 10. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 19 | 10. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 20 | |||
| 11. References . . . . . . . . . . . . . . . . . . . . . . . . . 19 | 11. References . . . . . . . . . . . . . . . . . . . . . . . . . 20 | |||
| 11.1. Normative References . . . . . . . . . . . . . . . . . . 19 | 11.1. Normative References . . . . . . . . . . . . . . . . . . 20 | |||
| 11.2. Informative References . . . . . . . . . . . . . . . . . 21 | 11.2. Informative References . . . . . . . . . . . . . . . . . 21 | |||
| Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 21 | Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 22 | |||
| 1. Introduction | 1. Introduction | |||
| The Token Binding Protocol [I-D.ietf-tokbind-protocol] defines a | The Token Binding Protocol [I-D.ietf-tokbind-protocol] defines a | |||
| Token Binding ID for a TLS connection between a client and a server. | Token Binding ID for a TLS connection between a client and a server. | |||
| The Token Binding ID of a TLS connection is constructed using the | The Token Binding ID of a TLS connection is constructed using the | |||
| public key of a private-public key pair. The client proves | public key of a private-public key pair. The client proves | |||
| possession of the corresponding private key. This Token Binding key | possession of the corresponding private key. This Token Binding key | |||
| pair is long-lived. I.e., subsequent TLS connections between the | pair is long-lived. I.e., subsequent TLS connections between the | |||
| same client and server have the same Token Binding ID, unless | same client and server have the same Token Binding ID, unless | |||
| skipping to change at page 17, line 31 ¶ | skipping to change at page 17, line 31 ¶ | |||
| referred Token Binding ID in an application-level message as part of | referred Token Binding ID in an application-level message as part of | |||
| the redirect URL) is one way to assure that the man-in-the-middle | the redirect URL) is one way to assure that the man-in-the-middle | |||
| between client and Token Consumer cannot affect the communication of | between client and Token Consumer cannot affect the communication of | |||
| the referred Token Binding ID to the Token Provider. | the referred Token Binding ID to the Token Provider. | |||
| Therefore, the Sec-Token-Binding header field in the federated sign- | Therefore, the Sec-Token-Binding header field in the federated sign- | |||
| on use case contains both: a proof of possession of the provided | on use case contains both: a proof of possession of the provided | |||
| Token Binding key, as well as a proof of possession of the referred | Token Binding key, as well as a proof of possession of the referred | |||
| Token Binding key. | Token Binding key. | |||
| Note that the presence of Token Binding does not relieve the Token | ||||
| Provider and Token Consumer from performing various checks to ensure | ||||
| the security of clients during federated sign-on protocols. These | ||||
| include the following: | ||||
| o The Token Provider should not issue tokens to Token Consumers that | ||||
| have been shown to act maliciously. To aid in this, the | ||||
| federation protocol should identify the Token Consumer to the | ||||
| Token Provider (e.g., through OAuth client IDs or similar | ||||
| mechanisms), and the Token Provider should ensure that tokens are | ||||
| indeed issued to the Token Consumer identified in the token | ||||
| request (e.g., by verifying that the redirect URI is associated | ||||
| with the OAuth client ID.) | ||||
| o The Token Consumer should verify that the tokens were issued for | ||||
| it, and not some other token consumer. To aid in this, the | ||||
| federation protocol should include an audience parameter in the | ||||
| token response, or apply equivalent mechanisms (the implicit OAuth | ||||
| flow requires Token Consumers to identify themselves when they | ||||
| exchange OAuth authorization codes for OAuth refresh tokens, | ||||
| leaving it up to the Token Provider to verify that the OAuth | ||||
| authorization was delivered to the correct Token Consumer). | ||||
| 8. Privacy Considerations | 8. Privacy Considerations | |||
| 8.1. Scoping of Token Binding Key Pairs | 8.1. Scoping of Token Binding Key Pairs | |||
| Clients use different Token Binding key pairs for different servers, | Clients use different Token Binding key pairs for different servers, | |||
| so as to not allow Token Binding to become a tracking tool across | so as to not allow Token Binding to become a tracking tool across | |||
| different servers. However, the scoping of the Token Binding key | different servers. However, the scoping of the Token Binding key | |||
| pairs to servers varies according to the scoping rules of the | pairs to servers varies according to the scoping rules of the | |||
| application protocol (Section 4.1 of [I-D.ietf-tokbind-protocol]). | application protocol (Section 4.1 of [I-D.ietf-tokbind-protocol]). | |||
| skipping to change at page 20, line 9 ¶ | skipping to change at page 20, line 29 ¶ | |||
| 11.1. Normative References | 11.1. Normative References | |||
| [fetch-spec] | [fetch-spec] | |||
| WhatWG, "Fetch", Living Standard , | WhatWG, "Fetch", Living Standard , | |||
| <https://fetch.spec.whatwg.org/>. | <https://fetch.spec.whatwg.org/>. | |||
| [I-D.ietf-tokbind-negotiation] | [I-D.ietf-tokbind-negotiation] | |||
| Popov, A., Nystrom, M., Balfanz, D., and A. Langley, | Popov, A., Nystrom, M., Balfanz, D., and A. Langley, | |||
| "Transport Layer Security (TLS) Extension for Token | "Transport Layer Security (TLS) Extension for Token | |||
| Binding Protocol Negotiation", draft-ietf-tokbind- | Binding Protocol Negotiation", draft-ietf-tokbind- | |||
| negotiation-09 (work in progress), July 2017. | negotiation-10 (work in progress), October 2017. | |||
| [I-D.ietf-tokbind-protocol] | [I-D.ietf-tokbind-protocol] | |||
| Popov, A., Nystrom, M., Balfanz, D., Langley, A., and J. | Popov, A., Nystrom, M., Balfanz, D., Langley, A., and J. | |||
| Hodges, "The Token Binding Protocol Version 1.0", draft- | Hodges, "The Token Binding Protocol Version 1.0", draft- | |||
| ietf-tokbind-protocol-15 (work in progress), July 2017. | ietf-tokbind-protocol-16 (work in progress), October 2017. | |||
| [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate | [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate | |||
| Requirement Levels", BCP 14, RFC 2119, | Requirement Levels", BCP 14, RFC 2119, | |||
| DOI 10.17487/RFC2119, March 1997, | DOI 10.17487/RFC2119, March 1997, | |||
| <http://www.rfc-editor.org/info/rfc2119>. | <https://www.rfc-editor.org/info/rfc2119>. | |||
| [RFC3864] Klyne, G., Nottingham, M., and J. Mogul, "Registration | [RFC3864] Klyne, G., Nottingham, M., and J. Mogul, "Registration | |||
| Procedures for Message Header Fields", BCP 90, RFC 3864, | Procedures for Message Header Fields", BCP 90, RFC 3864, | |||
| DOI 10.17487/RFC3864, September 2004, | DOI 10.17487/RFC3864, September 2004, | |||
| <http://www.rfc-editor.org/info/rfc3864>. | <https://www.rfc-editor.org/info/rfc3864>. | |||
| [RFC4648] Josefsson, S., "The Base16, Base32, and Base64 Data | [RFC4648] Josefsson, S., "The Base16, Base32, and Base64 Data | |||
| Encodings", RFC 4648, DOI 10.17487/RFC4648, October 2006, | Encodings", RFC 4648, DOI 10.17487/RFC4648, October 2006, | |||
| <http://www.rfc-editor.org/info/rfc4648>. | <https://www.rfc-editor.org/info/rfc4648>. | |||
| [RFC5246] Dierks, T. and E. Rescorla, "The Transport Layer Security | [RFC5246] Dierks, T. and E. Rescorla, "The Transport Layer Security | |||
| (TLS) Protocol Version 1.2", RFC 5246, | (TLS) Protocol Version 1.2", RFC 5246, | |||
| DOI 10.17487/RFC5246, August 2008, | DOI 10.17487/RFC5246, August 2008, | |||
| <http://www.rfc-editor.org/info/rfc5246>. | <https://www.rfc-editor.org/info/rfc5246>. | |||
| [RFC5705] Rescorla, E., "Keying Material Exporters for Transport | [RFC5705] Rescorla, E., "Keying Material Exporters for Transport | |||
| Layer Security (TLS)", RFC 5705, DOI 10.17487/RFC5705, | Layer Security (TLS)", RFC 5705, DOI 10.17487/RFC5705, | |||
| March 2010, <http://www.rfc-editor.org/info/rfc5705>. | March 2010, <https://www.rfc-editor.org/info/rfc5705>. | |||
| [RFC6265] Barth, A., "HTTP State Management Mechanism", RFC 6265, | [RFC6265] Barth, A., "HTTP State Management Mechanism", RFC 6265, | |||
| DOI 10.17487/RFC6265, April 2011, | DOI 10.17487/RFC6265, April 2011, | |||
| <http://www.rfc-editor.org/info/rfc6265>. | <https://www.rfc-editor.org/info/rfc6265>. | |||
| [RFC7230] Fielding, R., Ed. and J. Reschke, Ed., "Hypertext Transfer | [RFC7230] Fielding, R., Ed. and J. Reschke, Ed., "Hypertext Transfer | |||
| Protocol (HTTP/1.1): Message Syntax and Routing", | Protocol (HTTP/1.1): Message Syntax and Routing", | |||
| RFC 7230, DOI 10.17487/RFC7230, June 2014, | RFC 7230, DOI 10.17487/RFC7230, June 2014, | |||
| <http://www.rfc-editor.org/info/rfc7230>. | <https://www.rfc-editor.org/info/rfc7230>. | |||
| [RFC7231] Fielding, R., Ed. and J. Reschke, Ed., "Hypertext Transfer | [RFC7231] Fielding, R., Ed. and J. Reschke, Ed., "Hypertext Transfer | |||
| Protocol (HTTP/1.1): Semantics and Content", RFC 7231, | Protocol (HTTP/1.1): Semantics and Content", RFC 7231, | |||
| DOI 10.17487/RFC7231, June 2014, | DOI 10.17487/RFC7231, June 2014, | |||
| <http://www.rfc-editor.org/info/rfc7231>. | <https://www.rfc-editor.org/info/rfc7231>. | |||
| [RFC7541] Peon, R. and H. Ruellan, "HPACK: Header Compression for | [RFC7541] Peon, R. and H. Ruellan, "HPACK: Header Compression for | |||
| HTTP/2", RFC 7541, DOI 10.17487/RFC7541, May 2015, | HTTP/2", RFC 7541, DOI 10.17487/RFC7541, May 2015, | |||
| <http://www.rfc-editor.org/info/rfc7541>. | <https://www.rfc-editor.org/info/rfc7541>. | |||
| 11.2. Informative References | 11.2. Informative References | |||
| [OpenID.Core] | [OpenID.Core] | |||
| Sakimura, N., Bradley, J., Jones, M., de Medeiros, B., and | Sakimura, N., Bradley, J., Jones, M., de Medeiros, B., and | |||
| C. Mortimore, "OpenID Connect Core 1.0", August 2015, | C. Mortimore, "OpenID Connect Core 1.0", August 2015, | |||
| <http://openid.net/specs/openid-connect-core-1_0.html>. | <http://openid.net/specs/openid-connect-core-1_0.html>. | |||
| [RFC5746] Rescorla, E., Ray, M., Dispensa, S., and N. Oskov, | [RFC5746] Rescorla, E., Ray, M., Dispensa, S., and N. Oskov, | |||
| "Transport Layer Security (TLS) Renegotiation Indication | "Transport Layer Security (TLS) Renegotiation Indication | |||
| Extension", RFC 5746, DOI 10.17487/RFC5746, February 2010, | Extension", RFC 5746, DOI 10.17487/RFC5746, February 2010, | |||
| <http://www.rfc-editor.org/info/rfc5746>. | <https://www.rfc-editor.org/info/rfc5746>. | |||
| [RFC6749] Hardt, D., Ed., "The OAuth 2.0 Authorization Framework", | [RFC6749] Hardt, D., Ed., "The OAuth 2.0 Authorization Framework", | |||
| RFC 6749, DOI 10.17487/RFC6749, October 2012, | RFC 6749, DOI 10.17487/RFC6749, October 2012, | |||
| <http://www.rfc-editor.org/info/rfc6749>. | <https://www.rfc-editor.org/info/rfc6749>. | |||
| [RFC7540] Belshe, M., Peon, R., and M. Thomson, Ed., "Hypertext | [RFC7540] Belshe, M., Peon, R., and M. Thomson, Ed., "Hypertext | |||
| Transfer Protocol Version 2 (HTTP/2)", RFC 7540, | Transfer Protocol Version 2 (HTTP/2)", RFC 7540, | |||
| DOI 10.17487/RFC7540, May 2015, | DOI 10.17487/RFC7540, May 2015, | |||
| <http://www.rfc-editor.org/info/rfc7540>. | <https://www.rfc-editor.org/info/rfc7540>. | |||
| [RFC7627] Bhargavan, K., Ed., Delignat-Lavaud, A., Pironti, A., | [RFC7627] Bhargavan, K., Ed., Delignat-Lavaud, A., Pironti, A., | |||
| Langley, A., and M. Ray, "Transport Layer Security (TLS) | Langley, A., and M. Ray, "Transport Layer Security (TLS) | |||
| Session Hash and Extended Master Secret Extension", | Session Hash and Extended Master Secret Extension", | |||
| RFC 7627, DOI 10.17487/RFC7627, September 2015, | RFC 7627, DOI 10.17487/RFC7627, September 2015, | |||
| <http://www.rfc-editor.org/info/rfc7627>. | <https://www.rfc-editor.org/info/rfc7627>. | |||
| [TRIPLE-HS] | [TRIPLE-HS] | |||
| Bhargavan, K., Delignat-Lavaud, A., Fournet, C., Pironti, | Bhargavan, K., Delignat-Lavaud, A., Fournet, C., Pironti, | |||
| A., and P. Strub, "Triple Handshakes and Cookie Cutters: | A., and P. Strub, "Triple Handshakes and Cookie Cutters: | |||
| Breaking and Fixing Authentication over TLS. IEEE | Breaking and Fixing Authentication over TLS. IEEE | |||
| Symposium on Security and Privacy", 2014. | Symposium on Security and Privacy", 2014. | |||
| Authors' Addresses | Authors' Addresses | |||
| Andrei Popov | Andrei Popov | |||
| End of changes. 26 change blocks. | ||||
| 28 lines changed or deleted | 51 lines changed or added | |||
This html diff was produced by rfcdiff 1.46. The latest version is available from http://tools.ietf.org/tools/rfcdiff/ | ||||