draft-ietf-tokbind-ttrp-05.txt | draft-ietf-tokbind-ttrp-06.txt | |||
---|---|---|---|---|
Internet Engineering Task Force B. Campbell | Internet Engineering Task Force B. Campbell | |||
Internet-Draft Ping Identity | Internet-Draft Ping Identity | |||
Intended status: Standards Track June 21, 2018 | Intended status: Standards Track July 27, 2018 | |||
Expires: December 23, 2018 | Expires: January 28, 2019 | |||
HTTPS Token Binding with TLS Terminating Reverse Proxies | HTTPS Token Binding with TLS Terminating Reverse Proxies | |||
draft-ietf-tokbind-ttrp-05 | draft-ietf-tokbind-ttrp-06 | |||
Abstract | Abstract | |||
This document defines HTTP header fields that enable a TLS | This document defines HTTP header fields that enable a TLS | |||
terminating reverse proxy to convey information to a backend server | terminating reverse proxy to convey information to a backend server | |||
about the validated Token Binding Message received from a client, | about the validated Token Binding Message received from a client, | |||
which enables that backend server to bind, or verify the binding of, | which enables that backend server to bind, or verify the binding of, | |||
cookies and other security tokens to the client's Token Binding key. | cookies and other security tokens to the client's Token Binding key. | |||
This facilitates the reverse proxy and backend server functioning | This facilitates the reverse proxy and backend server functioning | |||
together as though they are a single logical server side deployment | together as though they are a single logical server side deployment | |||
skipping to change at page 1, line 37 | skipping to change at page 1, line 37 | |||
Internet-Drafts are working documents of the Internet Engineering | Internet-Drafts are working documents of the Internet Engineering | |||
Task Force (IETF). Note that other groups may also distribute | Task Force (IETF). Note that other groups may also distribute | |||
working documents as Internet-Drafts. The list of current Internet- | working documents as Internet-Drafts. The list of current Internet- | |||
Drafts is at https://datatracker.ietf.org/drafts/current/. | Drafts is at https://datatracker.ietf.org/drafts/current/. | |||
Internet-Drafts are draft documents valid for a maximum of six months | Internet-Drafts are draft documents valid for a maximum of six months | |||
and may be updated, replaced, or obsoleted by other documents at any | and may be updated, replaced, or obsoleted by other documents at any | |||
time. It is inappropriate to use Internet-Drafts as reference | time. It is inappropriate to use Internet-Drafts as reference | |||
material or to cite them other than as "work in progress." | material or to cite them other than as "work in progress." | |||
This Internet-Draft will expire on December 23, 2018. | This Internet-Draft will expire on January 28, 2019. | |||
Copyright Notice | Copyright Notice | |||
Copyright (c) 2018 IETF Trust and the persons identified as the | Copyright (c) 2018 IETF Trust and the persons identified as the | |||
document authors. All rights reserved. | document authors. All rights reserved. | |||
This document is subject to BCP 78 and the IETF Trust's Legal | This document is subject to BCP 78 and the IETF Trust's Legal | |||
Provisions Relating to IETF Documents | Provisions Relating to IETF Documents | |||
(https://trustee.ietf.org/license-info) in effect on the date of | (https://trustee.ietf.org/license-info) in effect on the date of | |||
publication of this document. Please review these documents | publication of this document. Please review these documents | |||
skipping to change at page 2, line 22 | skipping to change at page 2, line 22 | |||
2. HTTP Header Fields and Processing Rules . . . . . . . . . . . 4 | 2. HTTP Header Fields and Processing Rules . . . . . . . . . . . 4 | |||
2.1. Encoding . . . . . . . . . . . . . . . . . . . . . . . . 4 | 2.1. Encoding . . . . . . . . . . . . . . . . . . . . . . . . 4 | |||
2.1.1. Token Binding ID . . . . . . . . . . . . . . . . . . 4 | 2.1.1. Token Binding ID . . . . . . . . . . . . . . . . . . 4 | |||
2.1.2. Token Binding Type . . . . . . . . . . . . . . . . . 4 | 2.1.2. Token Binding Type . . . . . . . . . . . . . . . . . 4 | |||
2.2. Token Binding ID HTTP Header Fields . . . . . . . . . . . 4 | 2.2. Token Binding ID HTTP Header Fields . . . . . . . . . . . 4 | |||
2.3. Processing Rules . . . . . . . . . . . . . . . . . . . . 5 | 2.3. Processing Rules . . . . . . . . . . . . . . . . . . . . 5 | |||
2.4. Examples . . . . . . . . . . . . . . . . . . . . . . . . 6 | 2.4. Examples . . . . . . . . . . . . . . . . . . . . . . . . 6 | |||
2.4.1. Provided Token Binding ID . . . . . . . . . . . . . . 6 | 2.4.1. Provided Token Binding ID . . . . . . . . . . . . . . 6 | |||
2.4.2. Provided and Referred Token Binding IDs . . . . . . . 7 | 2.4.2. Provided and Referred Token Binding IDs . . . . . . . 7 | |||
2.4.3. Provided and Other Token Binding IDs . . . . . . . . 8 | 2.4.3. Provided and Other Token Binding IDs . . . . . . . . 8 | |||
3. Security Considerations . . . . . . . . . . . . . . . . . . . 8 | 3. TLS Versions and Best Practices . . . . . . . . . . . . . . . 8 | |||
3.1. HTTP Headers . . . . . . . . . . . . . . . . . . . . . . 9 | 4. Security Considerations . . . . . . . . . . . . . . . . . . . 9 | |||
3.2. TLS Versions and Best Practices . . . . . . . . . . . . . 9 | 5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 10 | |||
4. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 10 | 5.1. HTTP Message Header Field Names Registration . . . . . . 10 | |||
4.1. HTTP Message Header Field Names Registration . . . . . . 10 | 6. References . . . . . . . . . . . . . . . . . . . . . . . . . 10 | |||
5. References . . . . . . . . . . . . . . . . . . . . . . . . . 10 | 6.1. Normative References . . . . . . . . . . . . . . . . . . 10 | |||
5.1. Normative References . . . . . . . . . . . . . . . . . . 10 | 6.2. Informative References . . . . . . . . . . . . . . . . . 11 | |||
5.2. Informative References . . . . . . . . . . . . . . . . . 11 | ||||
Appendix A. Acknowledgements . . . . . . . . . . . . . . . . . . 12 | Appendix A. Acknowledgements . . . . . . . . . . . . . . . . . . 12 | |||
Appendix B. Document History . . . . . . . . . . . . . . . . . . 12 | Appendix B. Document History . . . . . . . . . . . . . . . . . . 12 | |||
Author's Address . . . . . . . . . . . . . . . . . . . . . . . . 14 | Author's Address . . . . . . . . . . . . . . . . . . . . . . . . 14 | |||
1. Introduction | 1. Introduction | |||
Token Binding over HTTP [I-D.ietf-tokbind-https] provides a mechanism | Token Binding over HTTP [I-D.ietf-tokbind-https] provides a mechanism | |||
that enables HTTP servers to cryptographically bind cookies and other | that enables HTTP servers to cryptographically bind cookies and other | |||
security tokens to a key generated by the client. When the use of | security tokens to a key generated by the client. When the use of | |||
Token Binding is negotiated in the TLS [RFC5246] handshake | Token Binding is negotiated in the TLS [RFC5246] handshake | |||
skipping to change at page 8, line 48 | skipping to change at page 8, line 48 | |||
Sec-Provided-Token-Binding-ID: AgBBQA35hcCjI5GEHLLAZ0i2l2ZvQe-bSPAP | Sec-Provided-Token-Binding-ID: AgBBQA35hcCjI5GEHLLAZ0i2l2ZvQe-bSPAP | |||
7jovkZJM4wYHgmmXNd1aRpnQmXK9ghUmrdtS6p_e2uSlMXIVKOIwgys | 7jovkZJM4wYHgmmXNd1aRpnQmXK9ghUmrdtS6p_e2uSlMXIVKOIwgys | |||
Sec-Other-Token-Binding-ID: 4d.AgBBQEevBm3SEMqx6pKKyRdLHpGCb3_IldN6 | Sec-Other-Token-Binding-ID: 4d.AgBBQEevBm3SEMqx6pKKyRdLHpGCb3_IldN6 | |||
GxsW2lm6gBCXrbGMaawenNzMeSgxwRmY7BW3hVuV3nPxGsV9B8N0Zic,B.AgBBQIO | GxsW2lm6gBCXrbGMaawenNzMeSgxwRmY7BW3hVuV3nPxGsV9B8N0Zic,B.AgBBQIO | |||
q3qbrcHLxvWW-E36f06xBOGguibMqkyJxJkbBHXrqOmWFuSOsWwfN02rMsUUSEJP2 | q3qbrcHLxvWW-E36f06xBOGguibMqkyJxJkbBHXrqOmWFuSOsWwfN02rMsUUSEJP2 | |||
zSletxuk4exmelFKSaE | zSletxuk4exmelFKSaE | |||
Figure 8: Headers in HTTP Request to Backend Server | Figure 8: Headers in HTTP Request to Backend Server | |||
3. Security Considerations | 3. TLS Versions and Best Practices | |||
3.1. HTTP Headers | ||||
TLS 1.2 [RFC5246] is cited in this document because, at the time of | ||||
writing, it is the latest version that is widely deployed. However, | ||||
this document is applicable with other TLS versions that allow for | ||||
negotiating the use of Token Binding. [I-D.ietf-tokbind-tls13], for | ||||
example, describes Token Binding for TLS 1.3 [I-D.ietf-tls-tls13]. | ||||
Implementation security considerations for TLS, including version | ||||
recommendations, can be found in Recommendations for Secure Use of | ||||
Transport Layer Security (TLS) and Datagram Transport Layer Security | ||||
(DTLS) [BCP195]. | ||||
4. Security Considerations | ||||
The headers described herein enable a reverse proxy and backend | The headers described herein enable a reverse proxy and backend | |||
server to function together as though they are a single logical | server to function together as though they are a single logical | |||
server side deployment of HTTPS Token Binding. Use of the headers | server side deployment of HTTPS Token Binding. Use of the headers | |||
outside that intended use case, however, may undermine the | outside that intended use case, however, may undermine the | |||
protections afforded by Token Binding. Therefore steps MUST be taken | protections afforded by Token Binding. Therefore steps MUST be taken | |||
to prevent unintended use, both in sending the headers and in relying | to prevent unintended use, both in sending the headers and in relying | |||
on their value. | on their value. | |||
Producing and consuming the headers SHOULD be a configurable option, | Producing and consuming the headers SHOULD be a configurable option, | |||
skipping to change at page 9, line 47 | skipping to change at page 10, line 7 | |||
private network such that the backend application is only able to | private network such that the backend application is only able to | |||
accept requests from the reverse proxy and the proxy can only make | accept requests from the reverse proxy and the proxy can only make | |||
requests to that server. Other deployments that meet the | requests to that server. Other deployments that meet the | |||
requirements set forth herein are also possible. | requirements set forth herein are also possible. | |||
Employing the "Sec-" header field prefix for the headers defined | Employing the "Sec-" header field prefix for the headers defined | |||
herein denotes them as forbidden header names (see [fetch-spec]), | herein denotes them as forbidden header names (see [fetch-spec]), | |||
which means they cannot be set or modified programmatically by script | which means they cannot be set or modified programmatically by script | |||
running in-browser. | running in-browser. | |||
3.2. TLS Versions and Best Practices | 5. IANA Considerations | |||
TLS 1.2 [RFC5246] is cited in this document because, at the time of | ||||
writing, it is the latest version that is widely deployed. However, | ||||
this document is applicable with other TLS versions that allow for | ||||
negotiating the use of Token Binding. [I-D.ietf-tokbind-tls13], for | ||||
example, describes Token Binding for TLS 1.3 [I-D.ietf-tls-tls13]. | ||||
Implementation security considerations for TLS, including version | ||||
recommendations, can be found in Recommendations for Secure Use of | ||||
Transport Layer Security (TLS) and Datagram Transport Layer Security | ||||
(DTLS) [BCP195]. | ||||
4. IANA Considerations | ||||
4.1. HTTP Message Header Field Names Registration | 5.1. HTTP Message Header Field Names Registration | |||
This document specifies the following new HTTP header fields, | This document specifies the following new HTTP header fields, | |||
registration of which is requested in the "Permanent Message Header | registration of which is requested in the "Permanent Message Header | |||
Field Names" registry defined in [RFC3864]. | Field Names" registry defined in [RFC3864]. | |||
o Header Field Name: "Sec-Provided-Token-Binding-ID" | o Header Field Name: "Sec-Provided-Token-Binding-ID" | |||
o Applicable protocol: HTTP | o Applicable protocol: HTTP | |||
o Status: standard | o Status: standard | |||
o Author/change Controller: IETF | o Author/change Controller: IETF | |||
o Specification Document(s): [[ this specification ]] | o Specification Document(s): [[ this specification ]] | |||
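Review bot: the moved "TLS Versions and Best Practices" text is verbatim identical to the old Section 3.2 (same TLS 1.2, [I-D.ietf-tokbind-tls13], [I-D.ietf-tls-tls13] and [BCP195] sentences), so this is a pure relocation with no normative change; the one structural side effect is that the old "3.1. HTTP Headers" subheading has no counterpart in -06, and the -06 table of contents accordingly lists no subsection under "4. Security Considerations", which is consistent with the body. The IANA registration entries below are unchanged apart from the 4.x to 5.x renumbering.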
skipping to change at page 10, line 37 | skipping to change at page 10, line 33 | |||
o Status: standard | o Status: standard | |||
o Author/change Controller: IETF | o Author/change Controller: IETF | |||
o Specification Document(s): [[ this specification ]] | o Specification Document(s): [[ this specification ]] | |||
o Header Field Name: "Sec-Other-Token-Binding-ID" | o Header Field Name: "Sec-Other-Token-Binding-ID" | |||
o Applicable protocol: HTTP | o Applicable protocol: HTTP | |||
o Status: standard | o Status: standard | |||
o Author/change Controller: IETF | o Author/change Controller: IETF | |||
o Specification Document(s): [[ this specification ]] | o Specification Document(s): [[ this specification ]] | |||
5. References | 6. References | |||
5.1. Normative References | 6.1. Normative References | |||
[BCP195] Sheffer, Y., Holz, R., and P. Saint-Andre, | [BCP195] Sheffer, Y., Holz, R., and P. Saint-Andre, | |||
"Recommendations for Secure Use of Transport Layer | "Recommendations for Secure Use of Transport Layer | |||
Security (TLS) and Datagram Transport Layer Security | Security (TLS) and Datagram Transport Layer Security | |||
(DTLS)", BCP 195, RFC 7525, DOI 10.17487/RFC7525, May | (DTLS)", BCP 195, RFC 7525, DOI 10.17487/RFC7525, May | |||
2015, <http://www.rfc-editor.org/info/bcp195>. | 2015, <http://www.rfc-editor.org/info/bcp195>. | |||
[I-D.ietf-tokbind-https] | [I-D.ietf-tokbind-https] | |||
Popov, A., Nystrom, M., Balfanz, D., Langley, A., Harper, | Popov, A., Nystrom, M., Balfanz, D., Langley, A., Harper, | |||
N., and J. Hodges, "Token Binding over HTTP", draft-ietf- | N., and J. Hodges, "Token Binding over HTTP", draft-ietf- | |||
skipping to change at page 11, line 48 | skipping to change at page 11, line 48 | |||
[RFC7230] Fielding, R., Ed. and J. Reschke, Ed., "Hypertext Transfer | [RFC7230] Fielding, R., Ed. and J. Reschke, Ed., "Hypertext Transfer | |||
Protocol (HTTP/1.1): Message Syntax and Routing", | Protocol (HTTP/1.1): Message Syntax and Routing", | |||
RFC 7230, DOI 10.17487/RFC7230, June 2014, | RFC 7230, DOI 10.17487/RFC7230, June 2014, | |||
<https://www.rfc-editor.org/info/rfc7230>. | <https://www.rfc-editor.org/info/rfc7230>. | |||
[RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC | [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC | |||
2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, | 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, | |||
May 2017, <https://www.rfc-editor.org/info/rfc8174>. | May 2017, <https://www.rfc-editor.org/info/rfc8174>. | |||
5.2. Informative References | 6.2. Informative References | |||
[fetch-spec] | [fetch-spec] | |||
WhatWG, "Fetch", Living Standard , | WhatWG, "Fetch", Living Standard , | |||
<https://fetch.spec.whatwg.org/>. | <https://fetch.spec.whatwg.org/>. | |||
[I-D.ietf-tls-tls13] | [I-D.ietf-tls-tls13] | |||
Rescorla, E., "The Transport Layer Security (TLS) Protocol | Rescorla, E., "The Transport Layer Security (TLS) Protocol | |||
Version 1.3", draft-ietf-tls-tls13-28 (work in progress), | Version 1.3", draft-ietf-tls-tls13-28 (work in progress), | |||
March 2018. | March 2018. | |||
skipping to change at page 12, line 32 | skipping to change at page 12, line 32 | |||
The author would like to thank the following people for their various | The author would like to thank the following people for their various | |||
contributions to the specification: Vinod Anupam, Dirk Balfanz, John | contributions to the specification: Vinod Anupam, Dirk Balfanz, John | |||
Bradley, William Denniss, Nick Harper, Jeff Hodges, Subodh Iyengar, | Bradley, William Denniss, Nick Harper, Jeff Hodges, Subodh Iyengar, | |||
Leif Johansson, Michael B. Jones, Yoav Nir, James Manger, Andrei | Leif Johansson, Michael B. Jones, Yoav Nir, James Manger, Andrei | |||
Popov, Eric Rescorla, Piotr Sikora, Martin Thomson, and Hans Zandbelt | Popov, Eric Rescorla, Piotr Sikora, Martin Thomson, and Hans Zandbelt | |||
Appendix B. Document History | Appendix B. Document History | |||
[[ to be removed by the RFC Editor before publication as an RFC ]] | [[ to be removed by the RFC Editor before publication as an RFC ]] | |||
draft-ietf-tokbind-ttrp-06 | ||||
o Move TLS Versions and Best Practices out of Security | ||||
Considerations to its own top-level section. | ||||
draft-ietf-tokbind-ttrp-05 | draft-ietf-tokbind-ttrp-05 | |||
o Editorial updates. | o Editorial updates. | |||
o Change one character in the last example to help emphasize the | o Change one character in the last example to help emphasize the | |||
case-insensitivity of hex. | case-insensitivity of hex. | |||
o Add a TLS Versions and Best Practices section with BCP195 and also | o Add a TLS Versions and Best Practices section with BCP195 and also | |||
mention of ietf-tokbind-tls13 and ietf-tls-tls13. | mention of ietf-tokbind-tls13 and ietf-tls-tls13. | |||
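Review bot: the -06 history entry records moving "TLS Versions and Best Practices" to its own top-level section but not the accompanying removal of the "3.1. HTTP Headers" subheading (the -06 table of contents shows "4. Security Considerations" with no subsection, whereas -05 listed "3.1. HTTP Headers"); consider adding a line such as "o Drop the HTTP Headers subsection heading, leaving Security Considerations as a single section." so the Document History matches the structural change.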
skipping to change at page 13, line 5 | skipping to change at page 13, line 9 | |||
o Add an example with Sec-Other-Token-Binding-ID. | o Add an example with Sec-Other-Token-Binding-ID. | |||
o Use the HEXDIG core ABNF rule for EncodedTokenBindingType and | o Use the HEXDIG core ABNF rule for EncodedTokenBindingType and | |||
mention case-insensitive in the text. | mention case-insensitive in the text. | |||
o Minor editorial fixes. | o Minor editorial fixes. | |||
o Add to the Acknowledgements and remove the 'and others' bit. | o Add to the Acknowledgements and remove the 'and others' bit. | |||
draft-ietf-tokbind-ttrp-03 | ||||
o Add a header to allow for additional token binding types other | o Add a header to allow for additional token binding types other | |||
than provided and referred to be conveyed. | than provided and referred to be conveyed. | |||
o Reword the Abstract somewhat for (hopefully) improved readability. | o Reword the Abstract somewhat for (hopefully) improved readability. | |||
o Minor editorial and formatting updates. | o Minor editorial and formatting updates. | |||
draft-ietf-tokbind-ttrp-02 | draft-ietf-tokbind-ttrp-02 | |||
o Add to the Acknowledgements. | o Add to the Acknowledgements. | |||
skipping to change at page 13, line 47 | skipping to change at page 14, line 5 | |||
draft-ietf-tokbind-ttrp-00 | draft-ietf-tokbind-ttrp-00 | |||
o Initial WG draft from draft-campbell-tokbind-ttrp. | o Initial WG draft from draft-campbell-tokbind-ttrp. | |||
draft-campbell-tokbind-ttrp-01 | draft-campbell-tokbind-ttrp-01 | |||
o Minor editorial fixes. | o Minor editorial fixes. | |||
o Add to the Acknowledgements. | o Add to the Acknowledgements. | |||
draft-campbell-tokbind-ttrp-00 | ||||
o Initial draft based on 'consensus to work on the problem' from the | o Initial draft based on 'consensus to work on the problem' from the | |||
Seoul meeting [1][2] and reflecting the consensus approach from | Seoul meeting [1][2] and reflecting the consensus approach from | |||
discussions at the Chicago meeting [3]. | discussions at the Chicago meeting [3]. | |||
[1] https://www.ietf.org/proceedings/97/minutes/minutes-97- | [1] https://www.ietf.org/proceedings/97/minutes/minutes-97- | |||
tokbind-01.txt (minutes from Seoul) | tokbind-01.txt (minutes from Seoul) | |||
[2] https://www.ietf.org/proceedings/97/slides/slides-97-tokbind- | [2] https://www.ietf.org/proceedings/97/slides/slides-97-tokbind- | |||
reverse-proxies-00.pdf (slides from Seoul) | reverse-proxies-00.pdf (slides from Seoul) | |||
[3] https://mailarchive.ietf.org/arch/msg/ | [3] https://mailarchive.ietf.org/arch/msg/ | |||
unbearable/_ZHI8y2Vs5WMP8VMRr7zroo_sNU (summary of discussion) | unbearable/_ZHI8y2Vs5WMP8VMRr7zroo_sNU (summary of discussion) | |||
End of changes. 13 change blocks. | ||||
32 lines changed or deleted | 36 lines changed or added | |||
This html diff was produced by rfcdiff 1.47. The latest version is available from http://tools.ietf.org/tools/rfcdiff/ |