| draft-ietf-tokbind-ttrp-02.txt | draft-ietf-tokbind-ttrp-03.txt | |||
|---|---|---|---|---|
| Internet Engineering Task Force B. Campbell | Internet Engineering Task Force B. Campbell | |||
| Internet-Draft Ping Identity | Internet-Draft Ping Identity | |||
| Intended status: Standards Track January 29, 2018 | Intended status: Standards Track February 25, 2018 | |||
| Expires: August 2, 2018 | Expires: August 29, 2018 | |||
| HTTPS Token Binding with TLS Terminating Reverse Proxies | HTTPS Token Binding with TLS Terminating Reverse Proxies | |||
| draft-ietf-tokbind-ttrp-02 | draft-ietf-tokbind-ttrp-03 | |||
| Abstract | Abstract | |||
| This document defines common HTTP header fields that enable a TLS | This document defines HTTP header fields that enable a TLS | |||
| terminating reverse proxy to convey information about the validated | terminating reverse proxy to convey information to a backend server | |||
| Token Binding Message sent by the client to a backend server, which | about the validated Token Binding Message received from a client, | |||
| enables that backend server to bind, or verify the binding of, | which enables that backend server to bind, or verify the binding of, | |||
| cookies and other security tokens to the client's Token Binding key. | cookies and other security tokens to the client's Token Binding key. | |||
| Status of This Memo | Status of This Memo | |||
| This Internet-Draft is submitted in full conformance with the | This Internet-Draft is submitted in full conformance with the | |||
| provisions of BCP 78 and BCP 79. | provisions of BCP 78 and BCP 79. | |||
| Internet-Drafts are working documents of the Internet Engineering | Internet-Drafts are working documents of the Internet Engineering | |||
| Task Force (IETF). Note that other groups may also distribute | Task Force (IETF). Note that other groups may also distribute | |||
| working documents as Internet-Drafts. The list of current Internet- | working documents as Internet-Drafts. The list of current Internet- | |||
| Drafts is at https://datatracker.ietf.org/drafts/current/. | Drafts is at https://datatracker.ietf.org/drafts/current/. | |||
| Internet-Drafts are draft documents valid for a maximum of six months | Internet-Drafts are draft documents valid for a maximum of six months | |||
| and may be updated, replaced, or obsoleted by other documents at any | and may be updated, replaced, or obsoleted by other documents at any | |||
| time. It is inappropriate to use Internet-Drafts as reference | time. It is inappropriate to use Internet-Drafts as reference | |||
| material or to cite them other than as "work in progress." | material or to cite them other than as "work in progress." | |||
| This Internet-Draft will expire on August 2, 2018. | This Internet-Draft will expire on August 29, 2018. | |||
| Copyright Notice | Copyright Notice | |||
| Copyright (c) 2018 IETF Trust and the persons identified as the | Copyright (c) 2018 IETF Trust and the persons identified as the | |||
| document authors. All rights reserved. | document authors. All rights reserved. | |||
| This document is subject to BCP 78 and the IETF Trust's Legal | This document is subject to BCP 78 and the IETF Trust's Legal | |||
| Provisions Relating to IETF Documents | Provisions Relating to IETF Documents | |||
| (https://trustee.ietf.org/license-info) in effect on the date of | (https://trustee.ietf.org/license-info) in effect on the date of | |||
| publication of this document. Please review these documents | publication of this document. Please review these documents | |||
| skipping to change at page 2, line 11 ¶ | skipping to change at page 2, line 11 ¶ | |||
| include Simplified BSD License text as described in Section 4.e of | include Simplified BSD License text as described in Section 4.e of | |||
| the Trust Legal Provisions and are provided without warranty as | the Trust Legal Provisions and are provided without warranty as | |||
| described in the Simplified BSD License. | described in the Simplified BSD License. | |||
| Table of Contents | Table of Contents | |||
| 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 | 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 | |||
| 1.1. Requirements Notation and Conventions . . . . . . . . . . 3 | 1.1. Requirements Notation and Conventions . . . . . . . . . . 3 | |||
| 2. HTTP Header Fields and Processing Rules . . . . . . . . . . . 3 | 2. HTTP Header Fields and Processing Rules . . . . . . . . . . . 3 | |||
| 2.1. Encoding . . . . . . . . . . . . . . . . . . . . . . . . 3 | 2.1. Encoding . . . . . . . . . . . . . . . . . . . . . . . . 3 | |||
| 2.1.1. Token Binding ID . . . . . . . . . . . . . . . . . . 4 | ||||
| 2.1.2. Token Binding Type . . . . . . . . . . . . . . . . . 4 | ||||
| 2.2. Token Binding ID HTTP Header Fields . . . . . . . . . . . 4 | 2.2. Token Binding ID HTTP Header Fields . . . . . . . . . . . 4 | |||
| 2.3. Processing Rules . . . . . . . . . . . . . . . . . . . . 4 | 2.3. Processing Rules . . . . . . . . . . . . . . . . . . . . 5 | |||
| 2.4. Examples . . . . . . . . . . . . . . . . . . . . . . . . 5 | 2.4. Examples . . . . . . . . . . . . . . . . . . . . . . . . 6 | |||
| 2.4.1. Provided Token Binding ID . . . . . . . . . . . . . . 6 | 2.4.1. Provided Token Binding ID . . . . . . . . . . . . . . 6 | |||
| 2.4.2. Provided and Referred Token Binding IDs . . . . . . . 6 | 2.4.2. Provided and Referred Token Binding IDs . . . . . . . 7 | |||
| 3. Security Considerations . . . . . . . . . . . . . . . . . . . 7 | 3. Security Considerations . . . . . . . . . . . . . . . . . . . 8 | |||
| 4. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 8 | 4. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 8 | |||
| 4.1. HTTP Message Header Field Names Registration . . . . . . 8 | 4.1. HTTP Message Header Field Names Registration . . . . . . 9 | |||
| 5. References . . . . . . . . . . . . . . . . . . . . . . . . . 8 | 5. References . . . . . . . . . . . . . . . . . . . . . . . . . 9 | |||
| 5.1. Normative References . . . . . . . . . . . . . . . . . . 8 | 5.1. Normative References . . . . . . . . . . . . . . . . . . 9 | |||
| 5.2. Informative References . . . . . . . . . . . . . . . . . 9 | 5.2. Informative References . . . . . . . . . . . . . . . . . 10 | |||
| Appendix A. Acknowledgements . . . . . . . . . . . . . . . . . . 9 | Appendix A. Acknowledgements . . . . . . . . . . . . . . . . . . 10 | |||
| Appendix B. Document History . . . . . . . . . . . . . . . . . . 10 | Appendix B. Document History . . . . . . . . . . . . . . . . . . 11 | |||
| Author's Address . . . . . . . . . . . . . . . . . . . . . . . . 11 | Author's Address . . . . . . . . . . . . . . . . . . . . . . . . 12 | |||
| 1. Introduction | 1. Introduction | |||
| Token Binding over HTTP [I-D.ietf-tokbind-https] provides a mechanism | Token Binding over HTTP [I-D.ietf-tokbind-https] provides a mechanism | |||
| that enables HTTP servers to cryptographically bind cookies and other | that enables HTTP servers to cryptographically bind cookies and other | |||
| security tokens to a key held by the browser or other HTTP client, | security tokens to a key held by the browser or other HTTP client, | |||
| possession of which is proven on the TLS [RFC5246] connections over | possession of which is proven on the TLS [RFC5246] connections over | |||
| which the tokens are used. When Token Binding is negotiated in the | which the tokens are used. When Token Binding is negotiated in the | |||
| TLS handshake [I-D.ietf-tokbind-negotiation] the client sends an | TLS handshake [I-D.ietf-tokbind-negotiation] the client sends an | |||
| encoded Token Binding Message [I-D.ietf-tokbind-protocol] as a header | encoded Token Binding Message [I-D.ietf-tokbind-protocol] as a header | |||
| skipping to change at page 3, line 13 ¶ | skipping to change at page 3, line 15 ¶ | |||
| opaque to clients who make requests to the proxy server and see | opaque to clients who make requests to the proxy server and see | |||
| responses as though they originated from the proxy server itself. | responses as though they originated from the proxy server itself. | |||
| TLS connections for HTTPS are established between each client and the | TLS connections for HTTPS are established between each client and the | |||
| reverse proxy server. | reverse proxy server. | |||
| Token Binding facilitates a binding of security tokens to a key held | Token Binding facilitates a binding of security tokens to a key held | |||
| by the client by way of the TLS connection between that client and | by the client by way of the TLS connection between that client and | |||
| the server. In a deployment where TLS is terminated by a reverse | the server. In a deployment where TLS is terminated by a reverse | |||
| proxy, however, the TLS connection is between the client and the | proxy, however, the TLS connection is between the client and the | |||
| proxy while the backend server is likely the system that will issue | proxy while the backend server is likely the system that will issue | |||
| cookies or other security tokens. Additional steps are therefore | and validate cookies or other security tokens. Additional steps are | |||
| needed to enable the use of Token Binding in such deployment | therefore needed to enable the use of Token Binding in such | |||
| architectures. In the absence of a standardized approach, different | deployment architectures. In the absence of a standardized approach, | |||
| implementations will address it differently, which will make | different implementations will address it differently, which will | |||
| interoperability between such implementations difficult or impossible | make interoperability between such implementations difficult or | |||
| without complex configurations or custom integrations. | impossible without complex configurations or custom integrations. | |||
| This document standardizes HTTP header field names that a TLS | This document standardizes HTTP header field names that a TLS | |||
| terminating reverse proxy (TTRP) adds to requests that it sends to | terminating reverse proxy (TTRP) adds to requests that it sends to | |||
| the backend servers. The headers contain the information from the | the backend servers. The headers contain information from the | |||
| validated Token Binding Message sent by the client to the proxy with | validated Token Binding Message sent by the client to the proxy, thus | |||
| the "Sec-Token-Binding" header, thus enabling the backend server to | enabling the backend server to bind, or verify the binding of, | |||
| bind, or verify the binding of, cookies and other security tokens to | cookies and other security tokens to the client's Token Binding key. | |||
| the client's Token Binding key. The usage of the headers, both the | The usage of the headers, both the reverse proxy adding it and the | |||
| reverse proxy adding it and the application server using them to bind | application server using them to bind cookies or other tokens, are to | |||
| cookies or other tokens, are to be configuration options of the | be configuration options of the respective systems as they will not | |||
| respective systems as they will not always be applicable. | always be applicable. | |||
| 1.1. Requirements Notation and Conventions | 1.1. Requirements Notation and Conventions | |||
| The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", | The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", | |||
| "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and | "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and | |||
| "OPTIONAL" in this document are to be interpreted as described in BCP | "OPTIONAL" in this document are to be interpreted as described in BCP | |||
| 14 [RFC2119] [RFC8174] when, and only when, they appear in all | 14 [RFC2119] [RFC8174] when, and only when, they appear in all | |||
| capitals, as shown here. | capitals, as shown here. | |||
| 2. HTTP Header Fields and Processing Rules | 2. HTTP Header Fields and Processing Rules | |||
| 2.1. Encoding | 2.1. Encoding | |||
| The field-values of the HTTP headers defined herein utilize the | The field-values of the HTTP headers defined herein utilize the | |||
| following encoded forms. | following encoded forms. | |||
| A Token Binding ID is represented as an "EncodedTokenBindingID", for | 2.1.1. Token Binding ID | |||
| which the ABNF [RFC5234] syntax is shown in Figure 1 below. | ||||
| EncodedTokenBindingID = *( DIGIT / ALPHA / "-" / "_" ) | A Token Binding ID is represented as an "EncodedTokenBindingID", | |||
| which is thea base64url encoding of the TokenBindingID byte sequence | ||||
| (see section 3 of [I-D.ietf-tokbind-protocol]) using the URL and | ||||
| filename safe alphabet described in Section 5 of [RFC4648], with all | ||||
| trailing pad characters '=' omitted and without the inclusion of any | ||||
| line breaks, whitespace, or other additional characters. ABNF | ||||
| [RFC5234] syntax for "EncodedTokenBindingID" is shown in Figure 1 | ||||
| below. | ||||
| DIGIT = <Defined in Section B.1 of [RFC5234]> | EncodedTokenBindingID = *( DIGIT / ALPHA / "-" / "_" ) | |||
| ALPHA = <Defined in Section B.1 of [RFC5234]> | ||||
| Figure 1: Encoded Token Binding ID Header ABNF | DIGIT = <Defined in Section B.1 of [RFC5234]> | |||
| ALPHA = <Defined in Section B.1 of [RFC5234]> | ||||
| The value of an "EncodedTokenBindingID" is a base64url encoding of | Figure 1: Encoded Token Binding ID ABNF | |||
| the TokenBindingID byte sequence (see section 3 of | ||||
| [I-D.ietf-tokbind-protocol]) using the URL and filename safe alphabet | 2.1.2. Token Binding Type | |||
| described in Section 5 of [RFC4648], with all trailing pad characters | ||||
| '=' omitted and without the inclusion of any line breaks, whitespace, | A Token Binding type can be represented as an | |||
| or other additional characters. | "EncodedTokenBindingType", which is the base16 encoding (Section 8 of | |||
| [RFC4648]) of the single TokenBindingType byte. ABNF [RFC5234] | ||||
| syntax for "EncodedTokenBindingType" is shown in Figure 2 below. | ||||
| EncodedTokenBindingType = 1*2( DIGIT / | ||||
| "A" / "B" / "C" / "D" / "E" / "F" / | ||||
| "a" / "b" / "c" / "d" / "e" / "f" ) | ||||
| Figure 2: Encoded Token Binding Type ABNF | ||||
| 2.2. Token Binding ID HTTP Header Fields | 2.2. Token Binding ID HTTP Header Fields | |||
| The Token Binding Protocol [I-D.ietf-tokbind-protocol] recommends | The Token Binding Protocol [I-D.ietf-tokbind-protocol] recommends | |||
| that implementations make Token Binding IDs available to the | that implementations make Token Binding IDs available to the | |||
| application as opaque byte sequences, enabling those applications to | application as opaque byte sequences, enabling those applications to | |||
| use the Token Binding IDs when generating and verifying bound tokens. | use the Token Binding IDs when generating and verifying bound tokens. | |||
| In the context of a TLS terminating reverse proxy (TTRP) deployment, | In the context of a TLS terminating reverse proxy (TTRP) deployment, | |||
| the TTRP makes the Token Binding ID(s) available to the backend | the TTRP makes the Token Binding ID(s) available to the backend | |||
| application, when applicable, with the following header fields. | application with the following header fields. | |||
| Sec-Provided-Token-Binding-ID | Sec-Provided-Token-Binding-ID | |||
| The Token Binding ID of the provided Token Binding represented as | The Token Binding ID of the provided Token Binding represented as | |||
| an "EncodedTokenBindingID" as defined in Section 2.1. | an "EncodedTokenBindingID". | |||
| Sec-Referred-Token-Binding-ID | Sec-Referred-Token-Binding-ID | |||
| The Token Binding ID of the referred Token Binding represented as | The Token Binding ID of the referred Token Binding represented as | |||
| an "EncodedTokenBindingID" as defined in Section 2.1. | an "EncodedTokenBindingID". | |||
| Sec-Other-Token-Binding-ID | ||||
| Additional Token Bindings, other than provided and referred, that | ||||
| are sent by the client and validated by the TTRP are represented | ||||
| as a comma-separated list of the concatenation of the | ||||
| "EncodedTokenBindingType", a period (".") character, and the | ||||
| "EncodedTokenBindingID" of each. | ||||
| Both "Sec-Provided-Token-Binding-ID" and "Sec-Referred-Token-Binding- | Both "Sec-Provided-Token-Binding-ID" and "Sec-Referred-Token-Binding- | |||
| ID" are single HTTP header field-valued as defined in Section 3.2 of | ID" are single HTTP header field-valued as defined in Section 3.2 of | |||
| [RFC7230], which MUST NOT have a list of values or occur multiple | [RFC7230], which MUST NOT have a list of values or occur multiple | |||
| times in a request. An "EncodedTokenBindingID" is only for use in | times in a request. | |||
| HTTP requests and MUST NOT to be used in HTTP responses. | ||||
| All header fields defined herein are only for use in HTTP requests | ||||
| and MUST NOT to be used in HTTP responses. | ||||
| 2.3. Processing Rules | 2.3. Processing Rules | |||
| This section defines the applicable processing rules for a TLS | This section defines the applicable processing rules for a TLS | |||
| terminating reverse proxy (TTRP) and backend server(s) to provide | terminating reverse proxy (TTRP) and backend server(s) to provide | |||
| server side support of Token Binding over HTTP | server side support of Token Binding over HTTP | |||
| [I-D.ietf-tokbind-https] using the HTTP headers described in | [I-D.ietf-tokbind-https] using the HTTP headers described in | |||
| Section 2.2. Use of the technique is to be a configuration or | Section 2.2. Use of the technique is to be a configuration or | |||
| deployments option and the processing rules described herein are for | deployment option and the processing rules described herein are for | |||
| servers operating with that option enabled. | servers operating with that option enabled. | |||
| A TTRP negotiates the use of Token Binding with the client per | A TTRP negotiates the use of Token Binding with the client per | |||
| [I-D.ietf-tokbind-negotiation] and validates the Token Binding | [I-D.ietf-tokbind-negotiation] and validates the Token Binding | |||
| Message as defined in The Token Binding Protocol | Message as defined in The Token Binding Protocol | |||
| [I-D.ietf-tokbind-protocol] and Token Binding over HTTP | [I-D.ietf-tokbind-protocol] and Token Binding over HTTP | |||
| [I-D.ietf-tokbind-https] for each HTTP request on the underlying TLS | [I-D.ietf-tokbind-https] for each HTTP request on the underlying TLS | |||
| connection. Requests with a valid Token Binding Message (and meeting | connection. Requests with a valid Token Binding Message (and meeting | |||
| any other authorization or policy requirements of the TTRP) are | any other authorization or policy requirements of the TTRP) are | |||
| dispatched to the backend server with the following modifications. | dispatched to the backend server with the following modifications. | |||
| skipping to change at page 5, line 30 ¶ | skipping to change at page 6, line 7 ¶ | |||
| Binding-ID" header field of the dispatched request using the | Binding-ID" header field of the dispatched request using the | |||
| format defined in Section 2.2. | format defined in Section 2.2. | |||
| 3. If the Token Binding Message contains a referred Token Binding, | 3. If the Token Binding Message contains a referred Token Binding, | |||
| the referred Token Binding ID MUST be placed in the "Sec- | the referred Token Binding ID MUST be placed in the "Sec- | |||
| Referred-Token-Binding-ID" header field of the dispatched request | Referred-Token-Binding-ID" header field of the dispatched request | |||
| using the format defined in Section 2.2. Otherwise, the "Sec- | using the format defined in Section 2.2. Otherwise, the "Sec- | |||
| Referred-Token-Binding-ID" header field MUST NOT be present in | Referred-Token-Binding-ID" header field MUST NOT be present in | |||
| the dispatched request. | the dispatched request. | |||
| 4. Any occurrence of the "Sec-Provided-Token-Binding-ID" or "Sec- | 4. If the Token Binding Message contains any additional validated | |||
| Referred-Token-Binding-ID" header in the original incoming | Token Bindings, they are placed in the "Sec-Other-Token-Binding- | |||
| request MUST be removed or overwritten before forwarding the | ID" header field using the format defined in Section 2.2. If the | |||
| request. | Token Binding Message contains no additional valid Token | |||
| Bindings, the "Sec-Referred-Token-Binding-ID" header field MUST | ||||
| NOT be present in the dispatched request. | ||||
| Requests made over a TLS connection where the use of Token Binding | 5. Any occurrence of the "Sec-Provided-Token-Binding-ID", "Sec- | |||
| was not negotiated MUST be sanitized by removing any occurrences of | Referred-Token-Binding-ID", and "Sec-Other-Token-Binding-ID" | |||
| the "Sec-Provided-Token-Binding-ID" and "Sec-Referred-Token-Binding- | headers in the original incoming request MUST be removed or | |||
| ID" header fields prior to dispatching the request to the backend | overwritten before forwarding the request. | |||
| server. | ||||
| Requests made over a connection where the use of Token Binding was | ||||
| not negotiated MUST be sanitized by removing any occurrences of the | ||||
| "Sec-Provided-Token-Binding-ID", "Sec-Referred-Token-Binding-ID", and | ||||
| "Sec-Other-Token-Binding-ID" header fields prior to dispatching the | ||||
| request to the backend server. | ||||
| Forward proxies and other intermediaries MUST NOT add the "Sec- | Forward proxies and other intermediaries MUST NOT add the "Sec- | |||
| Provided-Token-Binding-ID" or "Sec-Referred-Token-Binding-ID" header | Provided-Token-Binding-ID" "Sec-Referred-Token-Binding-ID", or "Sec- | |||
| to requests. | Other-Token-Binding-ID" header to requests. | |||
| 2.4. Examples | 2.4. Examples | |||
| Extra line breaks and whitespace have been added to the following | Extra line breaks and whitespace have been added to the following | |||
| examples for display and formatting purposes only. | examples for display and formatting purposes only. | |||
| 2.4.1. Provided Token Binding ID | 2.4.1. Provided Token Binding ID | |||
| The following "Sec-Token-Binding" header is from an HTTP request made | The following "Sec-Token-Binding" header is from an HTTP request made | |||
| over a TLS connection between the client and the TTRP where the use | over a TLS connection between the client and the TTRP where the use | |||
| skipping to change at page 6, line 21 ¶ | skipping to change at page 6, line 50 ¶ | |||
| validate the Token Binding Message, for that connection is | validate the Token Binding Message, for that connection is | |||
| "AYVUayPTP9RmELNpGjFl6Ykm2CUx7pUMxe35yb11dgU"). The encoded Token | "AYVUayPTP9RmELNpGjFl6Ykm2CUx7pUMxe35yb11dgU"). The encoded Token | |||
| Binding Message has the provided Token Binding the client uses with | Binding Message has the provided Token Binding the client uses with | |||
| the server. | the server. | |||
| Sec-Token-Binding: AIkAAgBBQKzyIrmcY_YCtHVoSHBut69vrGfFdy1_YKTZfFJv | Sec-Token-Binding: AIkAAgBBQKzyIrmcY_YCtHVoSHBut69vrGfFdy1_YKTZfFJv | |||
| 6BjrZsKD9b9FRzSBxDs1twTqnAS71M1RBumuihhI9xqxXKkAQEtxe4jeUJU0WezxlQ | 6BjrZsKD9b9FRzSBxDs1twTqnAS71M1RBumuihhI9xqxXKkAQEtxe4jeUJU0WezxlQ | |||
| XWVSBFeHxFMdXRBIH_LKOSAuSMOJ0XEw1Q8DE248qkOiRKzw3KdSNYukYEPmO21bQi | XWVSBFeHxFMdXRBIH_LKOSAuSMOJ0XEw1Q8DE248qkOiRKzw3KdSNYukYEPmO21bQi | |||
| 3YYAAA | 3YYAAA | |||
| Figure 2: Header in HTTP Request to TTRP | Figure 3: Header in HTTP Request to TTRP | |||
| After validating the Token Binding Message, the TTRP removes the | After validating the Token Binding Message, the TTRP removes the | |||
| "Sec-Token-Binding" header and adds the following "Sec-Provided- | "Sec-Token-Binding" header and adds the following "Sec-Provided- | |||
| Token-Binding-ID" header with the provided Token Binding ID to the | Token-Binding-ID" header with the provided Token Binding ID to the | |||
| request that is dispatched to the backend server. | request that is dispatched to the backend server. | |||
| Sec-Provided-Token-Binding-ID: AgBBQKzyIrmcY_YCtHVoSHBut69vrGfFdy1_ | Sec-Provided-Token-Binding-ID: AgBBQKzyIrmcY_YCtHVoSHBut69vrGfFdy1_ | |||
| YKTZfFJv6BjrZsKD9b9FRzSBxDs1twTqnAS71M1RBumuihhI9xqxXKk | YKTZfFJv6BjrZsKD9b9FRzSBxDs1twTqnAS71M1RBumuihhI9xqxXKk | |||
| Figure 3: Header in HTTP Request to Backend Server | Figure 4: Header in HTTP Request to Backend Server | |||
| 2.4.2. Provided and Referred Token Binding IDs | 2.4.2. Provided and Referred Token Binding IDs | |||
| The following "Sec-Token-Binding" header is from an HTTP request made | The following "Sec-Token-Binding" header is from an HTTP request made | |||
| over a TLS connection between the client and the TTRP where the use | over a TLS connection between the client and the TTRP where the use | |||
| of Token Binding has been negotiated (The base64url-encoded | of Token Binding has been negotiated (The base64url-encoded | |||
| representation of the exported keying material, which can be used to | representation of the exported keying material, which can be used to | |||
| validate the Token Binding Message, for that connection is | validate the Token Binding Message, for that connection is | |||
| "wEWWCP1KPxfq-QL4NxYII_P4ti_9YYqrTpGs28BZEqE"). The encoded Token | "wEWWCP1KPxfq-QL4NxYII_P4ti_9YYqrTpGs28BZEqE"). The encoded Token | |||
| Binding Message has the provided Token Binding the client uses with | Binding Message has the provided Token Binding the client uses with | |||
| the server as well as the referred Token Binding that it uses with a | the server as well as the referred Token Binding that it uses with a | |||
| different server. | different server. | |||
| Sec-Token-Binding: ARIAAgBBQCfsI1D1sTq5mvT_2H_dihNIvuHJCHGjHPJchPav | Sec-Token-Binding: ARIAAgBBQCfsI1D1sTq5mvT_2H_dihNIvuHJCHGjHPJchPav | |||
| NbGrOo26-2JgT_IsbvZd4daDFbirYBIwJ-TK1rh8FzrC-psAQMyYIqXj7djGPev1dk | NbGrOo26-2JgT_IsbvZd4daDFbirYBIwJ-TK1rh8FzrC-psAQMyYIqXj7djGPev1dk | |||
| jV9XxLYGCyqOrBVEtBHrMUCeo22ymLg3OiFcl_fmOPxJbjxI6lKcF0lyfy-dSQmPIe | jV9XxLYGCyqOrBVEtBHrMUCeo22ymLg3OiFcl_fmOPxJbjxI6lKcF0lyfy-dSQmPIe | |||
| zQ0AAAECAEFArPIiuZxj9gK0dWhIcG63r2-sZ8V3LX9gpNl8Um_oGOtmwoP1v0VHNI | zQ0AAAECAEFArPIiuZxj9gK0dWhIcG63r2-sZ8V3LX9gpNl8Um_oGOtmwoP1v0VHNI | |||
| HEOzW3BOqcBLvUzVEG6a6KGEj3GrFcqQBAHQm0pzgUTXKLRamuKE1pmmP9I3UBVpoe | HEOzW3BOqcBLvUzVEG6a6KGEj3GrFcqQBAHQm0pzgUTXKLRamuKE1pmmP9I3UBVpoe | |||
| 1DBCe9H2l1VPpsImakUa6crAqZ-0CGBmji7bYzQogpKcyxTTFk5zdwAA | 1DBCe9H2l1VPpsImakUa6crAqZ-0CGBmji7bYzQogpKcyxTTFk5zdwAA | |||
| Figure 4: Header in HTTP Request to TTRP | Figure 5: Header in HTTP Request to TTRP | |||
| After validating the Token Binding Message, the TTRP removes the | After validating the Token Binding Message, the TTRP removes the | |||
| "Sec-Token-Binding" header and adds the following "Sec-Provided- | "Sec-Token-Binding" header and adds the following "Sec-Provided- | |||
| Token-Binding-ID" and "Sec-Referred-Token-Binding-ID" headers, with | Token-Binding-ID" and "Sec-Referred-Token-Binding-ID" headers, with | |||
| the provided and referred Token Binding IDs respectively, to the | the provided and referred Token Binding IDs respectively, to the | |||
| request that is dispatched to the backend server. | request that is dispatched to the backend server. | |||
| Sec-Provided-Token-Binding-ID: AgBBQCfsI1D1sTq5mvT_2H_dihNIvuHJCHGj | Sec-Provided-Token-Binding-ID: AgBBQCfsI1D1sTq5mvT_2H_dihNIvuHJCHGj | |||
| HPJchPavNbGrOo26-2JgT_IsbvZd4daDFbirYBIwJ-TK1rh8FzrC-ps | HPJchPavNbGrOo26-2JgT_IsbvZd4daDFbirYBIwJ-TK1rh8FzrC-ps | |||
| Sec-Referred-Token-Binding-ID: AgBBQKzyIrmcY_YCtHVoSHBut69vrGfFdy1_ | Sec-Referred-Token-Binding-ID: AgBBQKzyIrmcY_YCtHVoSHBut69vrGfFdy1_ | |||
| YKTZfFJv6BjrZsKD9b9FRzSBxDs1twTqnAS71M1RBumuihhI9xqxXKk | YKTZfFJv6BjrZsKD9b9FRzSBxDs1twTqnAS71M1RBumuihhI9xqxXKk | |||
| Figure 5: Headers in HTTP Request to Backend Server | Figure 6: Headers in HTTP Request to Backend Server | |||
| 3. Security Considerations | 3. Security Considerations | |||
| The headers described herein enable a reverse proxy and backend | The headers described herein enable a reverse proxy and backend | |||
| server to function together as though they are single logical server | server to function together as though they are single logical server | |||
| side deployment of HTTPS Token Binding. Use of the headers outside | side deployment of HTTPS Token Binding. Use of the headers outside | |||
| that intended use case, however, may undermine the protections | that intended use case, however, may undermine the protections | |||
| afforded by Token Binding. Therefore steps MUST be taken to prevent | afforded by Token Binding. Therefore steps MUST be taken to prevent | |||
| unintended use, both in sending the headers and in relying on their | unintended use, both in sending the headers and in relying on their | |||
| value. | value. | |||
| skipping to change at page 8, line 32 ¶ | skipping to change at page 9, line 22 ¶ | |||
| o Status: standard | o Status: standard | |||
| o Author/change Controller: IETF | o Author/change Controller: IETF | |||
| o Specification Document(s): [[ this specification ]] | o Specification Document(s): [[ this specification ]] | |||
| o Header Field Name: "Sec-Referred-Token-Binding-ID" | o Header Field Name: "Sec-Referred-Token-Binding-ID" | |||
| o Applicable protocol: HTTP | o Applicable protocol: HTTP | |||
| o Status: standard | o Status: standard | |||
| o Author/change Controller: IETF | o Author/change Controller: IETF | |||
| o Specification Document(s): [[ this specification ]] | o Specification Document(s): [[ this specification ]] | |||
| o Header Field Name: "Sec-Other-Token-Binding-ID" | ||||
| o Applicable protocol: HTTP | ||||
| o Status: standard | ||||
| o Author/change Controller: IETF | ||||
| o Specification Document(s): [[ this specification ]] | ||||
| 5. References | 5. References | |||
| 5.1. Normative References | 5.1. Normative References | |||
| [I-D.ietf-tokbind-https] | [I-D.ietf-tokbind-https] | |||
| Popov, A., Nystrom, M., Balfanz, D., Langley, A., Harper, | Popov, A., Nystrom, M., Balfanz, D., Langley, A., Harper, | |||
| N., and J. Hodges, "Token Binding over HTTP", draft-ietf- | N., and J. Hodges, "Token Binding over HTTP", draft-ietf- | |||
| tokbind-https-12 (work in progress), January 2018. | tokbind-https-12 (work in progress), January 2018. | |||
| [I-D.ietf-tokbind-negotiation] | [I-D.ietf-tokbind-negotiation] | |||
| skipping to change at page 10, line 4 ¶ | skipping to change at page 10, line 48 ¶ | |||
| [RFC3864] Klyne, G., Nottingham, M., and J. Mogul, "Registration | [RFC3864] Klyne, G., Nottingham, M., and J. Mogul, "Registration | |||
| Procedures for Message Header Fields", BCP 90, RFC 3864, | Procedures for Message Header Fields", BCP 90, RFC 3864, | |||
| DOI 10.17487/RFC3864, September 2004, | DOI 10.17487/RFC3864, September 2004, | |||
| <https://www.rfc-editor.org/info/rfc3864>. | <https://www.rfc-editor.org/info/rfc3864>. | |||
| Appendix A. Acknowledgements | Appendix A. Acknowledgements | |||
| The author would like to thank the following people for their various | The author would like to thank the following people for their various | |||
| contributions to the specification: Vinod Anupam, Dirk Balfanz, John | contributions to the specification: Vinod Anupam, Dirk Balfanz, John | |||
| Bradley, William Denniss, Nick Harper, Jeff Hodges, Subodh Iyengar, | Bradley, William Denniss, Nick Harper, Jeff Hodges, Subodh Iyengar, | |||
| Leif Johansson, Yoav Nir, Andrei Popov, Eric Rescorla, Piotr Sikora, | Leif Johansson, Michael B. Jones, Yoav Nir, Andrei Popov, Eric | |||
| Martin Thomson, Hans Zandbelt and others (please let me know, if | Rescorla, Piotr Sikora, Martin Thomson, Hans Zandbelt and others | |||
| you've contributed and I've forgotten you). | (please let me know, if you've contributed and I've forgotten you). | |||
| Appendix B. Document History | Appendix B. Document History | |||
| [[ to be removed by the RFC Editor before publication as an RFC ]] | [[ to be removed by the RFC Editor before publication as an RFC ]] | |||
| draft-ietf-tokbind-ttrp-03 | ||||
| o Add a header to allow for additional token binding types other | ||||
| than provided and referred to be conveyed. | ||||
| o Reword the Abstract somewhat for (hopefully) improved readability. | ||||
| o Minor editorial and formatting updates. | ||||
| draft-ietf-tokbind-ttrp-02 | draft-ietf-tokbind-ttrp-02 | |||
| o Add to the Acknowledgements. | o Add to the Acknowledgements. | |||
| o Update references for Token Binding negotiation, protocol, and | o Update references for Token Binding negotiation, protocol, and | |||
| https. | https. | |||
| o Use the boilerplate from RFC 8174. | o Use the boilerplate from RFC 8174. | |||
| o Reformat the "HTTP Header Fields and Processing Rules" section to | o Reformat the "HTTP Header Fields and Processing Rules" section to | |||
| skipping to change at page 10, line 47 ¶ | skipping to change at page 12, line 5 ¶ | |||
| draft-ietf-tokbind-ttrp-00 | draft-ietf-tokbind-ttrp-00 | |||
| o Initial WG draft from draft-campbell-tokbind-ttrp. | o Initial WG draft from draft-campbell-tokbind-ttrp. | |||
| draft-campbell-tokbind-ttrp-01 | draft-campbell-tokbind-ttrp-01 | |||
| o Minor editorial fixes. | o Minor editorial fixes. | |||
| o Add to the Acknowledgements. | o Add to the Acknowledgements. | |||
| draft-campbell-tokbind-ttrp-00 | ||||
| o Initial draft based on 'consensus to work on the problem' from the | o Initial draft based on 'consensus to work on the problem' from the | |||
| Seoul meeting [1][2] and reflecting the consensus approach from | Seoul meeting [1][2] and reflecting the consensus approach from | |||
| discussions at the Chicago meeting [3]. | discussions at the Chicago meeting [3]. | |||
| [1] https://www.ietf.org/proceedings/97/minutes/minutes-97- | [1] https://www.ietf.org/proceedings/97/minutes/minutes-97- | |||
| tokbind-01.txt (minutes from Seoul) | tokbind-01.txt (minutes from Seoul) | |||
| [2] https://www.ietf.org/proceedings/97/slides/slides-97-tokbind- | [2] https://www.ietf.org/proceedings/97/slides/slides-97-tokbind- | |||
| reverse-proxies-00.pdf (slides from Seoul) | reverse-proxies-00.pdf (slides from Seoul) | |||
| [3] https://mailarchive.ietf.org/arch/msg/ | [3] https://mailarchive.ietf.org/arch/msg/ | |||
| unbearable/_ZHI8y2Vs5WMP8VMRr7zroo_sNU (summary of discussion) | unbearable/_ZHI8y2Vs5WMP8VMRr7zroo_sNU (summary of discussion) | |||
| End of changes. 31 change blocks. | ||||
| 71 lines changed or deleted | 116 lines changed or added | |||
This html diff was produced by rfcdiff 1.46. The latest version is available from http://tools.ietf.org/tools/rfcdiff/ | ||||