Token Binding over HTTP
draft-ietf-tokbind-https-18
Revision differences
Document history
Date | Rev. | By | Action |
---|---|---|---|
2018-10-04
|
18 | (System) | RFC Editor state changed to AUTH48-DONE from AUTH48 |
2018-09-17
|
18 | (System) | RFC Editor state changed to AUTH48 from RFC-EDITOR |
2018-09-12
|
18 | (System) | RFC Editor state changed to RFC-EDITOR from REF |
2018-09-10
|
18 | (System) | RFC Editor state changed to REF from EDIT |
2018-07-20
|
18 | (System) | RFC Editor state changed to EDIT from MISSREF |
2018-07-20
|
18 | John Bradley | Shepherd Write-Up for "Token Binding over HTTP” (1) What type of RFC is being requested (BCP, Proposed Standard, Internet Standard, Informational, Experimental, or Historic)? Why … Shepherd Write-Up for "Token Binding over HTTP” (1) What type of RFC is being requested (BCP, Proposed Standard, Internet Standard, Informational, Experimental, or Historic)? Why is this the proper type of RFC? Is this type of RFC indicated in the title page header? This specification is proposed as a 'Proposed Standard' document. The type of RFC is indicated. This document describes a collection of mechanisms that allow HTTP servers to cryptographically bind security tokens (such as cookies and OAuth tokens) to TLS connections using The Token Binding Protocol. (2) The IESG approval announcement includes a Document Announcement Write-Up. Please provide such a Document Announcement Write-Up. Recent examples can be found in the "Action" announcements for approved documents. The approval announcement contains the following sections: Technical Summary This document describes a collection of mechanisms that allow HTTP servers to cryptographically bind security tokens (such as cookies and OAuth tokens) to TLS connections. We describe both first-party and federated scenarios. In a first- party scenario, an HTTP server is able to cryptographically bind the security tokens it issues to a client, and which the client subsequently returns to the server, to the TLS connection between the client and server. Such bound security tokens are protected from misuse since the server can generally detect if they are replayed inappropriately, e.g., over other TLS connections. Federated token bindings, on the other hand, allow servers to cryptographically bind security tokens to a TLS connection that the client has with a different server than the one issuing the token. This Internet-Draft is a companion document to The Token Binding Protocol. Working Group Summary This document achieved WG consensus and had no objections. Document Quality Multiple Implementations of Token Binding exist and have undergone informal interoperability testing. Google has token binding behind a feature flag in Chrome that is currently defaulted off. They have also implemented it in their reverse proxy infrastructure. They have also added support to the boringssl open source project. Microsoft added support in Windows 10 RS2 at the beginning of 2017 (later back ported to RS1) . Edge and IE use that platform support. It is also available to other applications via system API. There is also support in ADFS. https://docs.microsoft.com/en-us/windows-server/security/token-binding/introducing-token-binding NGINX has an open source module https://github.com/google/ngx_token_binding Token Binding support for Apache https://github.com/zmartzone/mod_token_binding Openssl patches in opensource https://github.com/google/token_bind Ping Identity has tested patches to Java and set up a test environment. https://www.ietf.org/mail-archive/web/unbearable/current/msg01332.html A useful slide share overview https://www.slideshare.net/Identiverse/beyond-bearer-token-binding-as-the-foundation-for-a-more-secure-web-cis-2017 Drafts using token binding exist in the OAuth work group and for OpenID Connect. Personnel John Bradley is the document shepherd and the responsible area director is Eric Rescorla. (3) Briefly describe the review of this document that was performed by the Document Shepherd. If this version of the document is not ready for publication, please explain why the document is being forwarded to the IESG. The document shepherd was involved in the working group review process and verified the document for correctness. (4) Does the document Shepherd have any concerns about the depth or breadth of the reviews that have been performed? There are no concerns regarding the document reviews. (5) Do portions of the document need review from a particular or from broader perspective, e.g., security, operational complexity, AAA, DNS, DHCP, XML, or internationalization? If so, describe the review that took place. No (6) Describe any specific concerns or issues that the Document Shepherd has with this document that the Responsible Area Director and/or the IESG should be aware of? For example, perhaps he or she is uncomfortable with certain parts of the document, or has concerns whether there really is a need for it. In any event, if the WG has discussed those issues and has indicated that it still wishes to advance the document, detail those concerns here. The document shepherd has no concerns with the document. (7) Has each author confirmed that any and all appropriate IPR disclosures required for full conformance with the provisions of BCP 78 and BCP 79 have already been filed. If not, explain why. The authors have confirmed full conformance with the provisions of BCP 78 and BCP 79: A. Popov: https://mailarchive.ietf.org/arch/msg/unbearable/-PNkkvofwM6i2FZx0S8U8gpxT4U M. Nystroem: https://mailarchive.ietf.org/arch/msg/unbearable/3JmCYYUFW3GsQeQg09uVg8AyGGU D. Balfanz: https://mailarchive.ietf.org/arch/msg/unbearable/dn_tob6yiFjT5CQiTVhBb6tSVuI A. Langley: https://mailarchive.ietf.org/arch/msg/unbearable/kSKP5wUvL7VyxRO5u9hmRf8WYw8 J. Hodges: https://mailarchive.ietf.org/arch/msg/unbearable/DE1dvfbYVDv3gVmepXM9sOeAKhQ Nick Harper (8) Has an IPR disclosure been filed that references this document? If so, summarize any WG discussion and conclusion regarding the IPR disclosures. No IPR disclosures have been filed for this document. (9) How solid is the WG consensus behind this document? Does it represent the strong concurrence of a few individuals, with others being silent, or does the WG as a whole understand and agree with it? There is solid consensus in the working group for publishing this document. (10) Has anyone threatened an appeal or otherwise indicated extreme discontent? If so, please summarise the areas of conflict in separate email messages to the Responsible Area Director. (It should be in a separate email because this questionnaire is publicly available.) Nobody threatened an appeal or expressed extreme discontent. (11) Identify any ID nits the Document Shepherd has found in this document. (See http://www.ietf.org/tools/idnits/ and the Internet-Drafts Checklist). Boilerplate checks are not enough; this check needs to be thorough. The shepherd checked the document. (12) Describe how the document meets any required formal review criteria, such as the MIB Doctor, media type, and URI type reviews. No formal review is needed. (13) Have all references within this document been identified as either normative or informative? Yes. The references are split into normative and informative references. (14) Are there normative references to documents that are not ready for advancement or are otherwise in an unclear state? If such normative references exist, what is the plan for their completion? All normative references are published RFCs. (15) Are there downward normative references references (see RFC 3967)? If so, list these downward references to support the Area Director in the Last Call procedure. There are no downward normative references. (16) Will publication of this document change the status of any existing RFCs? Are those RFCs listed on the title page header, listed in the abstract, and discussed in the introduction? If the RFCs are not listed in the Abstract and Introduction, explain why, and point to the part of the document where the relationship of this document to the other RFCs is discussed. If this information is not in the document, explain why the WG considers it unnecessary. This document does not change the status of an existing RFC. (17) Describe the Document Shepherd's review of the IANA considerations section, especially with regard to its consistency with the body of the document. Confirm that all protocol extensions that the document makes are associated with the appropriate reservations in IANA registries. Confirm that any referenced IANA registries have been clearly identified. Confirm that newly created IANA registries include a detailed specification of the initial contents for the registry, that allocations procedures for future registrations are defined, and a reasonable name for the new registry has been suggested (see RFC 5226). This document registers two new Message Header Fields. Below are the Internet Assigned Numbers Authority (IANA) Permanent Message Header Field registration information per [RFC3864]. Header field name: Sec-Token-Binding Applicable protocol: HTTP Status: standard Author/Change controller: IETF Specification document(s): this one Header field name: Include-Referred-Token-Binding-ID Applicable protocol: HTTP Status: standard Author/Change controller: IETF Specification document(s): this one (18) List any new IANA registries that require Expert Review for future allocations. Provide any public guidance that the IESG would find useful in selecting the IANA Experts for these new registries. None. (19) Describe reviews and automated checks performed by the Document Shepherd to validate sections of the document written in a formal language, such as XML code, BNF rules, MIB definitions, etc. There is no text in formal languages in the document. |
2018-07-17
|
18 | (System) | IANA Action state changed to RFC-Ed-Ack from Waiting on RFC Editor |
2018-07-16
|
18 | (System) | IANA Action state changed to Waiting on RFC Editor from Waiting on Authors |
2018-07-13
|
18 | (System) | IANA Action state changed to Waiting on Authors from In Progress |
2018-07-11
|
18 | (System) | RFC Editor state changed to MISSREF |
2018-07-11
|
18 | (System) | IESG state changed to RFC Ed Queue from Approved-announcement sent |
2018-07-11
|
18 | (System) | Announcement was received by RFC Editor |
2018-07-11
|
18 | (System) | IANA Action state changed to In Progress |
2018-07-11
|
18 | Amy Vezza | IESG state changed to Approved-announcement sent from Approved-announcement to be sent |
2018-07-11
|
18 | Amy Vezza | IESG has approved the document |
2018-07-11
|
18 | Amy Vezza | Closed "Approve" ballot |
2018-07-11
|
18 | Amy Vezza | Ballot approval text was generated |
2018-07-11
|
18 | Amy Vezza | Ballot writeup was changed |
2018-07-11
|
18 | Eric Rescorla | IESG state changed to Approved-announcement to be sent from IESG Evaluation::AD Followup |
2018-07-11
|
18 | Alissa Cooper | [Ballot comment] Thank you for addressing my DISCUSS. |
2018-07-11
|
18 | Alissa Cooper | [Ballot Position Update] Position for Alissa Cooper has been changed to No Objection from Discuss |
2018-06-26
|
18 | Andrei Popov | New version available: draft-ietf-tokbind-https-18.txt |
2018-06-26
|
18 | (System) | New version approved |
2018-06-26
|
18 | (System) | Request for posting confirmation emailed to previous authors: Andrey Popov , Dirk Balfanz , Magnus Nystrom , Adam Langley , Nick Harper , tokbind-chairs@ietf.org, … Request for posting confirmation emailed to previous authors: Andrey Popov , Dirk Balfanz , Magnus Nystrom , Adam Langley , Nick Harper , tokbind-chairs@ietf.org, Jeff Hodges |
2018-06-26
|
18 | Andrei Popov | Uploaded new revision |
2018-06-26
|
17 | Ben Campbell | [Ballot comment] Thanks for addressing my DISCUSS and substantive comments in pre-submission text. I did not check editorial comments. I have one remaining (non-blocking) question … [Ballot comment] Thanks for addressing my DISCUSS and substantive comments in pre-submission text. I did not check editorial comments. I have one remaining (non-blocking) question on section 6: Are the “applications” from paragraph 3 the same as those from paragraph 2? It seems like paragraph 2 is talking more about local APIs (at least, I see that was mentioned in the text in version 17 but not in 18), but paragraph 3 uses an example of a signal from a server. (I can accept that the difference in control may be weak enough for web applications that the distinction does not matter.) |
2018-06-26
|
17 | Ben Campbell | [Ballot Position Update] Position for Ben Campbell has been changed to Yes from Discuss |
2018-06-05
|
17 | Dirk Balfanz | New version available: draft-ietf-tokbind-https-17.txt |
2018-06-05
|
17 | (System) | New version approved |
2018-06-05
|
17 | (System) | Request for posting confirmation emailed to previous authors: Andrey Popov , Dirk Balfanz , Magnus Nystrom , Adam Langley , Nick Harper , tokbind-chairs@ietf.org, … Request for posting confirmation emailed to previous authors: Andrey Popov , Dirk Balfanz , Magnus Nystrom , Adam Langley , Nick Harper , tokbind-chairs@ietf.org, Jeff Hodges |
2018-06-05
|
17 | Dirk Balfanz | Uploaded new revision |
2018-06-03
|
16 | (System) | Sub state has been changed to AD Followup from Revised ID Needed |
2018-06-03
|
16 | (System) | IANA Review state changed to Version Changed - Review Needed from IANA OK - Actions Needed |
2018-06-03
|
16 | Dirk Balfanz | New version available: draft-ietf-tokbind-https-16.txt |
2018-06-03
|
16 | (System) | New version approved |
2018-06-03
|
16 | (System) | Request for posting confirmation emailed to previous authors: Andrey Popov , Dirk Balfanz , Magnus Nystrom , Adam Langley , Nick Harper , tokbind-chairs@ietf.org, … Request for posting confirmation emailed to previous authors: Andrey Popov , Dirk Balfanz , Magnus Nystrom , Adam Langley , Nick Harper , tokbind-chairs@ietf.org, Jeff Hodges |
2018-06-03
|
16 | Dirk Balfanz | Uploaded new revision |
2018-05-14
|
15 | Tero Kivinen | Request for Last Call review by SECDIR Completed: Ready. Reviewer: Tobias Gondrom. |
2018-05-10
|
15 | Cindy Morgan | IESG state changed to IESG Evaluation::Revised I-D Needed from IESG Evaluation |
2018-05-10
|
15 | Eric Rescorla | EKR's notes on the DISCUSS discussion from today's call: - John Bradley described the meaning of S 6 and Ben is satisfied with it. John … EKR's notes on the DISCUSS discussion from today's call: - John Bradley described the meaning of S 6 and Ben is satisfied with it. John will work with the authors to produce new text. - The PSL thing is a bit of a mess. EKR agreed to reach out to the HTTPBIS WG and get their recommendation for the right citations. |
2018-05-10
|
15 | Martin Vigoureux | [Ballot Position Update] New position, No Objection, has been recorded for Martin Vigoureux |
2018-05-10
|
15 | Benjamin Kaduk | [Ballot comment] I agree with Alexey about clarifying that backslashes are only for readability. I'm curious why Section 2 limits to at most one referred_token_binding. … [Ballot comment] I agree with Alexey about clarifying that backslashes are only for readability. I'm curious why Section 2 limits to at most one referred_token_binding. Section 2 A TokenBindingMessage is validated by the server as described in Section 4.2. ("Server Processing Rules") of [I-D.ietf-tokbind-protocol]. Nit: no period after "4.2". [...] If validation fails and a Token Binding is rejected, any associated bound tokens MUST also be rejected by the server. I repeat my remark about "associated" from tokbind-protocol. Section 2.1 It seems a little unusual to see "Applications other than Web browsers MAY [...]", though I do not object. Section 3 To be clear, this means that the EKM used is the one from before the renegotiation, corresponding in the somewhat-common use case of renegotiation for optional client authentication to the unauthenticated-client state, right? Section 5.3 As illustrated in Section 5.5, when a client receives this header field, it should take the TokenBindingID of the provided TokenBinding from the referrer and create a referred TokenBinding with it to include in the TokenBindingMessage on the redirect request. In other words, the Token Binding message in the redirect request to the Token Provider now includes one provided binding and one referred binding, the latter constructed from the binding between the client and the Token Consumer. I'm not really an HTTP expert, but is "redirect request" the right term (as opposed to, say, "redirected request" or "post-redirect request")? The TokenBindingMessage SHOULD contain a TokenBinding with TokenBindingType referred_token_binding. At this point we may have lost track of what "The TokenBindingMessage" refers to -- some explicit scope (the message sent to the Token Provider after following the redirect) could be helpful. Section 7.1 The goal of the Federated Token Binding mechanisms is to prevent attackers from exporting and replaying tokens used in protocols between the client and Token Consumer, [...] Do we actually need to limit the scope to Token Consumer? The Token Provider may also issue tokens that we want to protect, after all. Section 7.2 Do we need to repeat the normative statements already made in [TBPROTO]? Maybe we can just say that [TBPROTO] requires these things to be used, to protect against [TRIPLE-HS]. |
2018-05-10
|
15 | Benjamin Kaduk | [Ballot Position Update] New position, No Objection, has been recorded for Benjamin Kaduk |
2018-05-09
|
15 | Amanda Baber | IANA Review state changed to IANA OK - Actions Needed from Version Changed - Review Needed |
2018-05-09
|
15 | Terry Manderson | [Ballot Position Update] New position, No Objection, has been recorded for Terry Manderson |
2018-05-09
|
15 | (System) | IANA Review state changed to Version Changed - Review Needed from IANA OK - Actions Needed |
2018-05-09
|
15 | Andrei Popov | New version available: draft-ietf-tokbind-https-15.txt |
2018-05-09
|
15 | (System) | New version approved |
2018-05-09
|
15 | (System) | Request for posting confirmation emailed to previous authors: Andrey Popov , Dirk Balfanz , Magnus Nystrom , Adam Langley , Nick Harper , tokbind-chairs@ietf.org, … Request for posting confirmation emailed to previous authors: Andrey Popov , Dirk Balfanz , Magnus Nystrom , Adam Langley , Nick Harper , tokbind-chairs@ietf.org, Jeff Hodges |
2018-05-09
|
15 | Andrei Popov | Uploaded new revision |
2018-05-09
|
14 | Amanda Baber | IANA Review state changed to IANA OK - Actions Needed from Version Changed - Review Needed |
2018-05-09
|
14 | Spencer Dawkins | [Ballot Position Update] New position, No Objection, has been recorded for Spencer Dawkins |
2018-05-09
|
14 | Ben Campbell | [Ballot discuss] I plan to ballot "YES", but I want to clear up once concern first: After reading section 6 several times, I don't know … [Ballot discuss] I plan to ballot "YES", but I want to clear up once concern first: After reading section 6 several times, I don't know what it means. I think it's hard enough to understand that implementers will not interpret it in a consistent way. It's entirely possibly this is "just me", but I want to discuss it before progressing. I think this can be fixed easily with either some clarification text, or an argument that the issue is, in fact, "just me". In particular, the 2nd paragraph is pretty convoluted, but even after several readings the best I can get out of it is "Servers that use token-binding with native clients should let them use token-binding", which I suspect is not the (entire) point. Since these "native applications" are described as using HTTP, it's not obvious to me what is different for them. Additionally, I assumed "native applications" to mean non-browser, yet the third paragraph talks about "such implementations" but uses a browser-based example. Is there a different meaning intended? |
2018-05-09
|
14 | Ben Campbell | [Ballot comment] Substantive Comments: §1.1: Please consider using the boilerplate from 8174 across the cluster. Both this and the protocol draft have lower case keyword … [Ballot comment] Substantive Comments: §1.1: Please consider using the boilerplate from 8174 across the cluster. Both this and the protocol draft have lower case keyword instances. §8.2: - Does it really make sense to wait for a user to request the keys be expired? I suspect the average user does this about never. Did the working group discuss possibly making the keys default to expiring after some period of time? - Why is the SHOULD in paragraph 2 not a MUST? Editorial Comments: §2: - Paragraph 1: "The ABNF of the Sec-Token-Binding header field is (in [RFC7230] style, see also Section 8.3 of [RFC7231]):" The open parenthesis before "in" seems misplaced. Also, as written the comma after "style" creates a comma splice. (Note that this pattern occurs elsewhere in the document.) - Paragraph 3: The paragraph is a single hard-to-parse sentence. Please consider breaking into simpler sentences. - example: Am I correct to assume the backslashes are just for print purposes and are not in the actual message? If so, please mention that. § 2.1: - first paragraph, "Within the latter context...": There was no former context. I suggest "Within that context..." - 2nd paragraph: The first sentence is hard to parse. I suggest breaking it into separate paragraphs, or restructure without the center-imbedding. - 2nd to last paragraph: Does "SHOULD generally" mean the same as just "SHOULD"? §5.1: 2nd paragraph: Unneeded comma in "... itself, to another server..." §5.2, - last bullet: " (between client and Token Consumer)" seems more than parenthetical. Please consider removing the parentheses. - paragraph after last bullet: The parenthetical phrase starting with "(proving possession...) is quite long and makes the sentence hard to parse. Given that the concept is covered in the immediately preceding paragraph, can it be removed? §7.1 and §7.2: These sections seem to be copied from (or restate requirements in) the protocol and negotiation drafts. Can they be included by reference instead, or at least attributed? §7.2, 2nd paragraph: This seams like a restatement of §7.1. §8.3: Unneeded comma in first sentence. |
2018-05-09
|
14 | Ben Campbell | [Ballot Position Update] New position, Discuss, has been recorded for Ben Campbell |
2018-05-09
|
14 | Alvaro Retana | [Ballot Position Update] New position, No Objection, has been recorded for Alvaro Retana |
2018-05-09
|
14 | Deborah Brungard | [Ballot Position Update] New position, No Objection, has been recorded for Deborah Brungard |
2018-05-09
|
14 | Alissa Cooper | [Ballot discuss] Section 2.1 says: "The scoping of Token Binding key pairs generated by Web browsers for use in first-party and federation use cases … [Ballot discuss] Section 2.1 says: "The scoping of Token Binding key pairs generated by Web browsers for use in first-party and federation use cases defined in this specification (Section 5), and intended for binding HTTP cookies, MUST be no wider than the granularity of "effective top-level domain (public suffix) + 1" (eTLD+1). I.e., the scope of Token Binding key pairs is no wider than the scope at which cookies can be set (see [RFC6265]), but MAY be more narrow if cookies are scoped more narrowly." My reading of RFC 6265 is that it does not actually forbid cookie setting at a scope wider than eTLD+1, although I could be reading Section 5.3 of that document wrong. That section says that if the user agent is configured to reject public suffixes, then there is a case where a set-cookie request should be ignored. If the intent here is to normatively restrict the scope of Token Binding key pairs to eTLD+1 regardless of whether the user agent restricts cookies to that scope, that needs to be stated clearly. I kind of hate to say this but with the way this is phrased I also think you need a normative reference for the concept of "effective top-level domain." (I suspect this would be considered a downref and may not already be in the downref registry, but I'm not one to make a fuss about that.) |
2018-05-09
|
14 | Alissa Cooper | [Ballot comment] I would also suggest s/but/and/ in the last sentence quoted from 2.1 above. |
2018-05-09
|
14 | Alissa Cooper | [Ballot Position Update] New position, Discuss, has been recorded for Alissa Cooper |
2018-05-09
|
14 | Warren Kumari | [Ballot comment] Thank you for a well written and easily understood document - it is unusual to be able to cover like this in such … [Ballot comment] Thank you for a well written and easily understood document - it is unusual to be able to cover like this in such an easily understood manner. I'd suggest looking at Tim Chown's excellent OpsDir review: https://datatracker.ietf.org/doc/review-ietf-tokbind-https-14-opsdir-lc-chown-2018-05-08/ , especially the bit about a "diagram of the relationship between the various elements in a federated scenario" Some text about what to do with a (hypothetical) status code 309 might be helpful - this says it MUST be ignored; does this mean a -bis document if / when it is released? Could the document describe how to decide if future 30x codes are acceptible? Or it is clear that there will never be >308?. [ Edit: You probably want RFC 8174 instead of RFC 2119 ] |
2018-05-09
|
14 | Warren Kumari | Ballot comment text updated for Warren Kumari |
2018-05-09
|
14 | Warren Kumari | [Ballot comment] Thank you for a well written and easily understood document - it is unusual to be able to cover like this in such … [Ballot comment] Thank you for a well written and easily understood document - it is unusual to be able to cover like this in such an easily understood manner. I'd suggest looking at Tim Chown's excellent OpsDir review: https://datatracker.ietf.org/doc/review-ietf-tokbind-https-14-opsdir-lc-chown-2018-05-08/ , especially the bit about a "diagram of the relationship between the various elements in a federated scenario" Some text about what to do with a (hypothetical) status code 309 might be helpful - this says it MUST be ignored; does this mean a -bis document if / when it is released? Could the document describe how to decide if future 30x codes are acceptible? Or it is clear that there will never be >308?. |
2018-05-09
|
14 | Warren Kumari | [Ballot Position Update] New position, No Objection, has been recorded for Warren Kumari |
2018-05-08
|
14 | Suresh Krishnan | [Ballot Position Update] Position for Suresh Krishnan has been changed to No Objection from Yes |
2018-05-08
|
14 | Suresh Krishnan | [Ballot Position Update] New position, Yes, has been recorded for Suresh Krishnan |
2018-05-08
|
14 | Tim Chown | Request for Last Call review by OPSDIR Completed: Ready. Reviewer: Tim Chown. Sent review to list. |
2018-05-07
|
14 | Ignas Bagdonas | [Ballot Position Update] New position, No Objection, has been recorded for Ignas Bagdonas |
2018-05-07
|
14 | Adam Roach | [Ballot comment] Thanks to everyone who worked on this document. I am balloting "Yes", but still have a handful of comments, including several that I … [Ballot comment] Thanks to everyone who worked on this document. I am balloting "Yes", but still have a handful of comments, including several that I believe are rather important. --------------------------------------------------------------------------- §2: > Once a client and server have negotiated the Token Binding Protocol > with HTTP/1.1 or HTTP/2 (see [I-D.ietf-tokbind-protocol] and > [I-D.ietf-tokbind-negotiation]) Presuming this document is intended to cover use of TLS 1.3, I believe this list needs to also include [I-D.ietf-tokbind-tls13]. --------------------------------------------------------------------------- §5.3: > When a client receives the Include-Referred-Token-Binding-ID header, > it includes the referred token binding even if both the Token > Provider and the Token Consumer fall under the same eTLD+1 and the > provided and referred token binding IDs are the same. Note that the > referred token binding is sent only on the request resulting from the > redirect and not on any subsequent requests to the Token Provider. I think this needs some clarification about handling of multiple redirections of the transaction. E.g.: Token Consumer sends a 3xx to redirect the user to a Token Provider (using, perhaps, an endpoint that is in the process of being migrated), and then the Token Provider sends an additional 3xx to get the client to the correct server. Presumably, the inclusion of the referred token binding should survive both redirections, but this text might be read as preventing that. --------------------------------------------------------------------------- §5.3: > This header field has only meaning if the HTTP status code is 301, > 302, 303, 307 or 308, and MUST be ignored by the client for any other > status codes. I'm somewhat less sanguine about this than Alexey is: we've had 3xx-class response codes registered as recently as three years ago, and I see no reason to believe that the future won't hold additional development work on HTTP overall. While I understand that 305 and 306 are deprecated, and the use of the header field is nonsensical in 304 and, to a lesser degree, in 300, it seems that there is no harm that results in any of these cases if *this* document doesn't prohibit them. Taken one at a time -- In the case of 300, the presence of the header field would indicate that whichever option was followed by the user agent would receive a copy of the token binding, which is as sensible a thing for a server to ask for as 300 is in the first place. In the case of 304, there is no server to receive the token binding, so no harm could possible be induced. For 305 and 306, to the extent that these are used any more (and they're not), the request will arrive back at the same origin that sent the response; which, again, causes no information to be divulged that should not be. I would strongly recommend changing this to cover all codes in the 300-399 range, for the purpose of forward-compatibility with new redirection codes. --------------------------------------------------------------------------- §5.4: > The TLS Extension for Token Binding Protocol Negotiation > [I-D.ietf-tokbind-negotiation] Same comment as above regarding [I-D.ietf-tokbind-tls13]. --------------------------------------------------------------------------- §5.5: > | {EKMn}Ksm: | EKM for server "n", signed by private key of TBID | > | | "m", where "n" must represent server receiving the | > | | ETBMSG, if a conveyed TB's type is | > | | provided_token_binding, then m = n, else if TB's | > | | type is referred_token_binding, then m != n. E.g., | > | | see step 1b in diagram below. | I was able, with some effort, to muddle through these words and (I think) figure out the intention, but the construction is very difficult to follow. I think you want to swap the comma after "ETBMSG" for a period. --------------------------------------------------------------------------- §11.1: > [fetch-spec] > WhatWG, "Fetch", Living Standard , > . I share Alexey's concern about a normative reference to a living document. I would like to suggest referencing a specific snapshot (e.g., commit hash), but the specific referenced document makes this infeasible by means of an aggressive red-box warning that effectively precludes doing so. I agree that understanding the document is not a prerequisite to understanding or implementing this one, and so agree that (for the time being) moving the document to the informative reference section is advisable. |
2018-05-07
|
14 | Adam Roach | [Ballot Position Update] New position, Yes, has been recorded for Adam Roach |
2018-05-06
|
14 | Alexey Melnikov | [Ballot comment] I have mostly nits and questions for this document, but see further down, there might be some minor bugs. In Section 2: 2. … [Ballot comment] I have mostly nits and questions for this document, but see further down, there might be some minor bugs. In Section 2: 2. The Sec-Token-Binding HTTP Request Header Field Sec-Token-Binding = EncodedTokenBindingMessage The header field name is Sec-Token-Binding and its single value, EncodedTokenBindingMessage, is a base64url encoding of a single TokenBindingMessage, as defined in [I-D.ietf-tokbind-protocol], using the URL- and filename-safe character set described in Section 5 of [RFC4648], with all trailing padding characters '=' omitted and without the inclusion of any line breaks, whitespace, or other additional characters. For example: Sec-Token-Binding: AIkAAgBBQFzK4_bhAqLDwRQxqJWte33d7hZ0hZWHwk-miKPg4E\ 9fcgs7gBPoz-9RfuDfN9WCw6keHEw1ZPQMGs9CxpuHm-YAQM_j\ aOwwej6a-cQBGU7CJpUHOvXG4VvjNq8jDsvta9Y8_bPEPj25Gg\ mKiPjhJEtZA6mJ_9SNifLvVBTi7fR9wSAAAA I think you should explain here that \ at the end of each line denotes line continuation and that it is not actually a part of the value. Later in the same section: The TokenBindingMessage MAY also contain exactly one TokenBinding structure with TokenBindingType of referred_token_binding, as specified in Section 5.3. In addition to the latter, or rather than the latter, the TokenBindingMessage MAY contain other TokenBinding structures. This sentence made me wonder whether it is Ok for a compliant implementation to only process the first 2 TokenBinding structures and ignore the rest? This is use case-specific, and such use cases are outside the scope of this specification. At the top of page 11 (Section 5.3): This header field has only meaning if the HTTP status code is 301, 302, 303, 307 or 308, and MUST be ignored by the client for any other status codes. I just want to point out to other reviewers that this list is non extensible and will not work with any future 3XX status codes (however unlikely they are). I am still trying to decide how I feel about that ;-). In 7.3, next to the last paragraph: If A has a pre-existing relationship with S (perhaps has an account on S), it now appears to the server S as if A is connecting to it, even though it is really C. (If the server S does not simply use Token Binding IDs to identify clients, but also uses bound authentication cookies, then A would also have to trick C into sending one of A's cookies to S, which it can do through a variety of C's cookies? means - inserting cookies through Javascript APIs, setting cookies through related-domain attacks, etc.) In other words, A tricked C into logging into A's account on S. This could lead to a loss of Not sure whether A is correct here either. privacy for C, since A presumably has some other way to also access the account, and can thus indirectly observe A's behavior (for "C's behaviour"? A can always know A's behaviour. example, if S has a feature that lets account holders see their activity history on S). 11.1. Normative References [fetch-spec] WhatWG, "Fetch", Living Standard , . I am looking forward to having a discussion within IESG to having a normative reference to a non stable document ;-). However, in this case I am not convinced that the reference needs to be normative, as it is only used to explain why "Sec-" header field prefix was used. |
2018-05-06
|
14 | Alexey Melnikov | [Ballot Position Update] New position, No Objection, has been recorded for Alexey Melnikov |
2018-05-03
|
14 | Eric Rescorla | Changed consensus to Yes from Unknown |
2018-05-03
|
14 | Linda Dunbar | Request for Last Call review by GENART Completed: Ready with Nits. Reviewer: Linda Dunbar. Sent review to list. |
2018-05-01
|
14 | Dirk Balfanz | New version available: draft-ietf-tokbind-https-14.txt |
2018-05-01
|
14 | (System) | New version approved |
2018-05-01
|
14 | (System) | Request for posting confirmation emailed to previous authors: Andrey Popov , Dirk Balfanz , Magnus Nystrom , Adam Langley , Nick Harper , tokbind-chairs@ietf.org, … Request for posting confirmation emailed to previous authors: Andrey Popov , Dirk Balfanz , Magnus Nystrom , Adam Langley , Nick Harper , tokbind-chairs@ietf.org, Jeff Hodges |
2018-05-01
|
14 | Dirk Balfanz | Uploaded new revision |
2018-04-26
|
13 | Mirja Kühlewind | [Ballot Position Update] Position for Mirja Kühlewind has been changed to No Objection from No Record |
2018-04-26
|
13 | Mirja Kühlewind | [Ballot comment] Maybe use normative SHOULDs in sec 8.2: "HTTPS clients such as Web user agents should therefore provide a user interface for discarding … [Ballot comment] Maybe use normative SHOULDs in sec 8.2: "HTTPS clients such as Web user agents should therefore provide a user interface for discarding Token Binding key pairs" and "the user agent should also discard Token Binding key pairs from such modes after the session is over" Nit: 1) In abstract: s/This Internet-Draft/This document/ 2) Maybe provide a refernce for SAML |
2018-04-26
|
13 | Mirja Kühlewind | Ballot comment text updated for Mirja Kühlewind |
2018-04-13
|
13 | (System) | IANA Review state changed to Version Changed - Review Needed from IANA - Not OK |
2018-04-13
|
13 | Andrei Popov | New version available: draft-ietf-tokbind-https-13.txt |
2018-04-13
|
13 | (System) | New version approved |
2018-04-13
|
13 | (System) | Request for posting confirmation emailed to previous authors: Andrey Popov , Dirk Balfanz , Magnus Nystrom , Adam Langley , Nick Harper , tokbind-chairs@ietf.org, … Request for posting confirmation emailed to previous authors: Andrey Popov , Dirk Balfanz , Magnus Nystrom , Adam Langley , Nick Harper , tokbind-chairs@ietf.org, Jeff Hodges |
2018-04-13
|
13 | Andrei Popov | Uploaded new revision |
2018-03-28
|
12 | Suhas Nandakumar | Request for Telechat review by ARTART is assigned to Mark Nottingham |
2018-03-28
|
12 | Suhas Nandakumar | Request for Telechat review by ARTART is assigned to Mark Nottingham |
2018-03-19
|
12 | Eric Rescorla | Placed on agenda for telechat - 2018-05-10 |
2018-03-19
|
12 | Eric Rescorla | IESG state changed to IESG Evaluation from Waiting for Writeup |
2018-03-19
|
12 | Eric Rescorla | Ballot has been issued |
2018-03-19
|
12 | Eric Rescorla | [Ballot Position Update] New position, Yes, has been recorded for Eric Rescorla |
2018-03-19
|
12 | Eric Rescorla | Created "Approve" ballot |
2018-03-19
|
12 | Eric Rescorla | Ballot writeup was changed |
2018-03-12
|
12 | (System) | IESG state changed to Waiting for Writeup from In Last Call |
2018-03-09
|
12 | (System) | IANA Review state changed to IANA - Not OK from IANA - Review Needed |
2018-03-09
|
12 | Sabrina Tanamal | (Via drafts-lastcall@iana.org): IESG/Authors/WG Chairs: The IANA Services Operator has completed its review of draft-ietf-tokbind-https-12. If any part of this review is inaccurate, please let … (Via drafts-lastcall@iana.org): IESG/Authors/WG Chairs: The IANA Services Operator has completed its review of draft-ietf-tokbind-https-12. If any part of this review is inaccurate, please let us know. The IANA Services Operator understands that, upon approval of this document, there is a single action which we must complete. In the Permanent Message Header Field Names subregistry of the Message Headers registry located at: https://www.iana.org/assignments/message-headers two new header field names are to be registered as follows: Header Field Name: Sec-Token-Binding Template: Protocol: HTTP Status: standard Reference: [RFC-to-be] Header Field Name: Include-Referred-Token-Binding-ID Template: Protocol: HTTP Status: standard Reference: [RFC-to-be] Because this registry requires Expert Review [RFC8126] for registration, we've contacted the IESG-designated expert in a separate ticket to request approval. Expert review should be completed before your document can be approved for publication as an RFC. The IANA Services Operator understands that this is the only action required to be completed upon approval of this document. Note: The actions requested in this document will not be completed until the document has been approved for publication as an RFC. This message is meant only to confirm the list of actions that will be performed. Thank you, Sabrina Tanamal Senior IANA Services Specialist |
2018-03-02
|
12 | Gunter Van de Velde | Request for Last Call review by OPSDIR is assigned to Tim Chown |
2018-03-02
|
12 | Gunter Van de Velde | Request for Last Call review by OPSDIR is assigned to Tim Chown |
2018-03-01
|
12 | Jean Mahoney | Request for Last Call review by GENART is assigned to Linda Dunbar |
2018-03-01
|
12 | Jean Mahoney | Request for Last Call review by GENART is assigned to Linda Dunbar |
2018-03-01
|
12 | Tero Kivinen | Request for Last Call review by SECDIR is assigned to Tobias Gondrom |
2018-03-01
|
12 | Tero Kivinen | Request for Last Call review by SECDIR is assigned to Tobias Gondrom |
2018-02-26
|
12 | Amy Vezza | IANA Review state changed to IANA - Review Needed |
2018-02-26
|
12 | Amy Vezza | The following Last Call announcement was sent out (ends 2018-03-12): From: The IESG To: IETF-Announce CC: ekr@rtfm.com, John Bradley , draft-ietf-tokbind-https@ietf.org, unbearable@ietf.org, … The following Last Call announcement was sent out (ends 2018-03-12): From: The IESG To: IETF-Announce CC: ekr@rtfm.com, John Bradley , draft-ietf-tokbind-https@ietf.org, unbearable@ietf.org, tokbind-chairs@ietf.org, ve7jtb@ve7jtb.com Reply-To: ietf@ietf.org Sender: Subject: Last Call: (Token Binding over HTTP) to Proposed Standard The IESG has received a request from the Token Binding WG (tokbind) to consider the following document: - 'Token Binding over HTTP' as Proposed Standard The IESG plans to make a decision in the next few weeks, and solicits final comments on this action. Please send substantive comments to the ietf@ietf.org mailing lists by 2018-03-12. Exceptionally, comments may be sent to iesg@ietf.org instead. In either case, please retain the beginning of the Subject line to allow automated sorting. Abstract This document describes a collection of mechanisms that allow HTTP servers to cryptographically bind security tokens (such as cookies and OAuth tokens) to TLS connections. We describe both first-party and federated scenarios. In a first- party scenario, an HTTP server is able to cryptographically bind the security tokens it issues to a client, and which the client subsequently returns to the server, to the TLS connection between the client and server. Such bound security tokens are protected from misuse since the server can generally detect if they are replayed inappropriately, e.g., over other TLS connections. Federated token bindings, on the other hand, allow servers to cryptographically bind security tokens to a TLS connection that the client has with a different server than the one issuing the token. This Internet-Draft is a companion document to The Token Binding Protocol. The file can be obtained via https://datatracker.ietf.org/doc/draft-ietf-tokbind-https/ IESG discussion can be tracked via https://datatracker.ietf.org/doc/draft-ietf-tokbind-https/ballot/ No IPR declarations have been submitted directly on this I-D. |
2018-02-26
|
12 | Amy Vezza | IESG state changed to In Last Call from Last Call Requested |
2018-02-26
|
12 | Amy Vezza | Last call announcement was changed |
2018-02-24
|
12 | Eric Rescorla | Last call was requested |
2018-02-24
|
12 | Eric Rescorla | Last call announcement was generated |
2018-02-24
|
12 | Eric Rescorla | Ballot approval text was generated |
2018-02-24
|
12 | Eric Rescorla | Ballot writeup was generated |
2018-02-24
|
12 | Eric Rescorla | Please issue this last call after IETF has completed. |
2018-02-24
|
12 | Eric Rescorla | IESG state changed to Last Call Requested from AD Evaluation::AD Followup |
2018-01-07
|
12 | (System) | Sub state has been changed to AD Followup from Revised ID Needed |
2018-01-07
|
12 | Dirk Balfanz | New version available: draft-ietf-tokbind-https-12.txt |
2018-01-07
|
12 | (System) | New version approved |
2018-01-07
|
12 | (System) | Request for posting confirmation emailed to previous authors: Andrey Popov , Dirk Balfanz , Magnus Nystrom , Adam Langley , Nick Harper , tokbind-chairs@ietf.org, … Request for posting confirmation emailed to previous authors: Andrey Popov , Dirk Balfanz , Magnus Nystrom , Adam Langley , Nick Harper , tokbind-chairs@ietf.org, Jeff Hodges |
2018-01-07
|
12 | Dirk Balfanz | Uploaded new revision |
2017-11-27
|
11 | Eric Rescorla | IESG state changed to AD Evaluation::Revised I-D Needed from AD Evaluation |
2017-11-15
|
11 | Dirk Balfanz | New version available: draft-ietf-tokbind-https-11.txt |
2017-11-15
|
11 | (System) | New version approved |
2017-11-15
|
11 | (System) | Request for posting confirmation emailed to previous authors: Andrey Popov , Dirk Balfanz , Magnus Nystrom , Adam Langley , Nick Harper , tokbind-chairs@ietf.org, … Request for posting confirmation emailed to previous authors: Andrey Popov , Dirk Balfanz , Magnus Nystrom , Adam Langley , Nick Harper , tokbind-chairs@ietf.org, Jeff Hodges |
2017-11-15
|
11 | Dirk Balfanz | Uploaded new revision |
2017-10-14
|
10 | Eric Rescorla | IESG state changed to AD Evaluation from Publication Requested |
2017-09-29
|
10 | John Bradley | Shepherd Write-Up for "Token Binding over HTTP” (1) What type of RFC is being requested (BCP, Proposed Standard, Internet Standard, Informational, Experimental, or Historic)? Why … Shepherd Write-Up for "Token Binding over HTTP” (1) What type of RFC is being requested (BCP, Proposed Standard, Internet Standard, Informational, Experimental, or Historic)? Why is this the proper type of RFC? Is this type of RFC indicated in the title page header? This specification is proposed as a 'Proposed Standard' document. The type of RFC is indicated. This document describes a collection of mechanisms that allow HTTP servers to cryptographically bind security tokens (such as cookies and OAuth tokens) to TLS connections using The Token Binding Protocol. (2) The IESG approval announcement includes a Document Announcement Write-Up. Please provide such a Document Announcement Write-Up. Recent examples can be found in the "Action" announcements for approved documents. The approval announcement contains the following sections: Technical Summary This document describes a collection of mechanisms that allow HTTP servers to cryptographically bind security tokens (such as cookies and OAuth tokens) to TLS connections. We describe both first-party and federated scenarios. In a first- party scenario, an HTTP server is able to cryptographically bind the security tokens it issues to a client, and which the client subsequently returns to the server, to the TLS connection between the client and server. Such bound security tokens are protected from misuse since the server can generally detect if they are replayed inappropriately, e.g., over other TLS connections. Federated token bindings, on the other hand, allow servers to cryptographically bind security tokens to a TLS connection that the client has with a different server than the one issuing the token. This Internet-Draft is a companion document to The Token Binding Protocol. Working Group Summary This document achieved WG consensus and had no objections. Document Quality Multiple Implementations of Token Binding exist and have undergone informal interoperability testing. Google has token binding behind a feature flag in Chrome that is currently defaulted off. They have also implemented it in their reverse proxy infrastructure. They have also added support to the boringssl open source project. Microsoft added support in Windows 10 RS2 at the beginning of 2017 (later back ported to RS1) . Edge and IE use that platform support. It is also available to other applications via system API. There is also support in ADFS. https://docs.microsoft.com/en-us/windows-server/security/token-binding/introducing-token-binding NGINX has an open source module https://github.com/google/ngx_token_binding Token Binding support for Apache https://github.com/google/ngx_token_binding Openssl patches in opensource https://github.com/google/token_bind Ping Identity has tested patches to Java and set up a test environment. https://www.ietf.org/mail-archive/web/unbearable/current/msg01332.html A useful slide share overview https://www.slideshare.net/Identiverse/beyond-bearer-token-binding-as-the-foundation-for-a-more-secure-web-cis-2017 Drafts using token binding exist in the OAuth work group and for OpenID Connect. Personnel John Bradley is the document shepherd and the responsible area director is Eric Rescorla. (3) Briefly describe the review of this document that was performed by the Document Shepherd. If this version of the document is not ready for publication, please explain why the document is being forwarded to the IESG. The document shepherd was involved in the working group review process and verified the document for correctness. (4) Does the document Shepherd have any concerns about the depth or breadth of the reviews that have been performed? There are no concerns regarding the document reviews. (5) Do portions of the document need review from a particular or from broader perspective, e.g., security, operational complexity, AAA, DNS, DHCP, XML, or internationalization? If so, describe the review that took place. No (6) Describe any specific concerns or issues that the Document Shepherd has with this document that the Responsible Area Director and/or the IESG should be aware of? For example, perhaps he or she is uncomfortable with certain parts of the document, or has concerns whether there really is a need for it. In any event, if the WG has discussed those issues and has indicated that it still wishes to advance the document, detail those concerns here. The document shepherd has no concerns with the document. (7) Has each author confirmed that any and all appropriate IPR disclosures required for full conformance with the provisions of BCP 78 and BCP 79 have already been filed. If not, explain why. The authors have confirmed full conformance with the provisions of BCP 78 and BCP 79: A. Popov: https://mailarchive.ietf.org/arch/msg/unbearable/-PNkkvofwM6i2FZx0S8U8gpxT4U M. Nystroem: https://mailarchive.ietf.org/arch/msg/unbearable/3JmCYYUFW3GsQeQg09uVg8AyGGU D. Balfanz: https://mailarchive.ietf.org/arch/msg/unbearable/dn_tob6yiFjT5CQiTVhBb6tSVuI A. Langley: https://mailarchive.ietf.org/arch/msg/unbearable/kSKP5wUvL7VyxRO5u9hmRf8WYw8 J. Hodges: https://mailarchive.ietf.org/arch/msg/unbearable/DE1dvfbYVDv3gVmepXM9sOeAKhQ Nick Harper (8) Has an IPR disclosure been filed that references this document? If so, summarize any WG discussion and conclusion regarding the IPR disclosures. No IPR disclosures have been filed for this document. (9) How solid is the WG consensus behind this document? Does it represent the strong concurrence of a few individuals, with others being silent, or does the WG as a whole understand and agree with it? There is solid consensus in the working group for publishing this document. (10) Has anyone threatened an appeal or otherwise indicated extreme discontent? If so, please summarise the areas of conflict in separate email messages to the Responsible Area Director. (It should be in a separate email because this questionnaire is publicly available.) Nobody threatened an appeal or expressed extreme discontent. (11) Identify any ID nits the Document Shepherd has found in this document. (See http://www.ietf.org/tools/idnits/ and the Internet-Drafts Checklist). Boilerplate checks are not enough; this check needs to be thorough. The shepherd checked the document. (12) Describe how the document meets any required formal review criteria, such as the MIB Doctor, media type, and URI type reviews. No formal review is needed. (13) Have all references within this document been identified as either normative or informative? Yes. The references are split into normative and informative references. (14) Are there normative references to documents that are not ready for advancement or are otherwise in an unclear state? If such normative references exist, what is the plan for their completion? All normative references are published RFCs. (15) Are there downward normative references references (see RFC 3967)? If so, list these downward references to support the Area Director in the Last Call procedure. There are no downward normative references. (16) Will publication of this document change the status of any existing RFCs? Are those RFCs listed on the title page header, listed in the abstract, and discussed in the introduction? If the RFCs are not listed in the Abstract and Introduction, explain why, and point to the part of the document where the relationship of this document to the other RFCs is discussed. If this information is not in the document, explain why the WG considers it unnecessary. This document does not change the status of an existing RFC. (17) Describe the Document Shepherd's review of the IANA considerations section, especially with regard to its consistency with the body of the document. Confirm that all protocol extensions that the document makes are associated with the appropriate reservations in IANA registries. Confirm that any referenced IANA registries have been clearly identified. Confirm that newly created IANA registries include a detailed specification of the initial contents for the registry, that allocations procedures for future registrations are defined, and a reasonable name for the new registry has been suggested (see RFC 5226). This document registers two new Message Header Fields. Below are the Internet Assigned Numbers Authority (IANA) Permanent Message Header Field registration information per [RFC3864]. Header field name: Sec-Token-Binding Applicable protocol: HTTP Status: standard Author/Change controller: IETF Specification document(s): this one Header field name: Include-Referred-Token-Binding-ID Applicable protocol: HTTP Status: standard Author/Change controller: IETF Specification document(s): this one (18) List any new IANA registries that require Expert Review for future allocations. Provide any public guidance that the IESG would find useful in selecting the IANA Experts for these new registries. None. (19) Describe reviews and automated checks performed by the Document Shepherd to validate sections of the document written in a formal language, such as XML code, BNF rules, MIB definitions, etc. There is no text in formal languages in the document. |
2017-09-29
|
10 | John Bradley | Responsible AD changed to Eric Rescorla |
2017-09-29
|
10 | John Bradley | IETF WG state changed to Submitted to IESG for Publication from WG Consensus: Waiting for Write-Up |
2017-09-29
|
10 | John Bradley | IESG state changed to Publication Requested |
2017-09-29
|
10 | John Bradley | IESG process started in state Publication Requested |
2017-09-28
|
10 | John Bradley | Changed document writeup |
2017-09-25
|
10 | John Bradley | Notification list changed to John Bradley <ve7jtb@ve7jtb.com> |
2017-09-25
|
10 | John Bradley | Document shepherd changed to John Bradley |
2017-09-25
|
10 | John Bradley | IETF WG state changed to WG Consensus: Waiting for Write-Up from Waiting for WG Chair Go-Ahead |
2017-07-21
|
10 | Dirk Balfanz | New version available: draft-ietf-tokbind-https-10.txt |
2017-07-21
|
10 | (System) | New version approved |
2017-07-21
|
10 | (System) | Request for posting confirmation emailed to previous authors: Andrey Popov , Dirk Balfanz , Magnus Nystrom , Adam Langley , tokbind-chairs@ietf.org, Jeff Hodges |
2017-07-21
|
10 | Dirk Balfanz | Uploaded new revision |
2017-04-21
|
09 | Andrei Popov | New version available: draft-ietf-tokbind-https-09.txt |
2017-04-21
|
09 | (System) | New version approved |
2017-04-21
|
09 | (System) | Request for posting confirmation emailed to previous authors: Andrey Popov , Dirk Balfanz , Magnus Nystrom , Adam Langley , tokbind-chairs@ietf.org, Jeff Hodges |
2017-04-21
|
09 | Andrei Popov | Uploaded new revision |
2017-03-27
|
08 | Leif Johansson | IETF WG state changed to Waiting for WG Chair Go-Ahead from In WG Last Call |
2017-02-16
|
08 | Andrei Popov | New version available: draft-ietf-tokbind-https-08.txt |
2017-02-16
|
08 | (System) | New version approved |
2017-02-16
|
08 | (System) | Request for posting confirmation emailed to previous authors: "Magnus Nystrom" , "Adam Langley" , "Dirk Balfanz" , "Andrey Popov" , tokbind-chairs@ietf.org, "Jeff Hodges" |
2017-02-16
|
08 | Andrei Popov | Uploaded new revision |
2016-11-23
|
07 | Andrei Popov | New version available: draft-ietf-tokbind-https-07.txt |
2016-11-23
|
07 | (System) | New version approved |
2016-11-23
|
07 | (System) | Request for posting confirmation emailed to previous authors: "Magnus Nystrom" , "Adam Langley" , "Dirk Balfanz" , "Andrey Popov" , tokbind-chairs@ietf.org, "Jeff Hodges" |
2016-11-23
|
07 | Andrei Popov | Uploaded new revision |
2016-11-16
|
06 | Leif Johansson | IETF WG state changed to In WG Last Call from WG Document |
2016-08-26
|
06 | Andrei Popov | New version available: draft-ietf-tokbind-https-06.txt |
2016-07-07
|
05 | Andrei Popov | New version available: draft-ietf-tokbind-https-05.txt |
2016-07-07
|
04 | Dirk Balfanz | New version available: draft-ietf-tokbind-https-04.txt |
2016-03-21
|
03 | John Bradley | Added to session: IETF-95: tokbind Mon-1000 |
2016-03-21
|
03 | Dirk Balfanz | New version available: draft-ietf-tokbind-https-03.txt |
2015-10-15
|
02 | Dirk Balfanz | New version available: draft-ietf-tokbind-https-02.txt |
2015-06-30
|
01 | Dirk Balfanz | New version available: draft-ietf-tokbind-https-01.txt |
2015-03-27
|
00 | John Bradley | This document now replaces draft-balfanz-https-token-binding instead of None |
2015-03-27
|
00 | John Bradley | Intended Status changed to Proposed Standard from None |
2015-03-27
|
00 | Andrei Popov | New version available: draft-ietf-tokbind-https-00.txt |