Minutes IETF101: tokbind
minutes-101-tokbind-00

Meeting Minutes: Token Binding (tokbind) WG
Date and time: 2018-03-21 15:20
Title: Minutes IETF101: tokbind
State: Active
Last updated: 2018-03-21

Unbearable notes 21-Mar-18

The chairs reported that the three core Token Binding specs are scheduled for
the IESG telechat on May 10th
              No IESG feedback or area reviews have been received so far

====

Brian Campbell presented on HTTPS Token Binding with TLS Terminating Reverse
Proxies - draft-ietf-tokbind-ttrp-03
              He added the Sec-Other-Token-Binding-ID header, per working group
              requests
              He thinks it's probably time for WGLC

Vinod Anupam: Trust between proxy and back end
              Do we want a mechanism to validate this?
              Brian: No

Chris Newman: Asked about relationship to the "Proxy" Protocol
              The "Proxy" protocol is not an RFC
              Brian: I am very much trying to solve for the HTTP use case

Andrei Popov: Asked about Sec-Other-Token-Binding-ID
              Why not combine all Token Binding IDs into this one header?
              Brian: I think that having names for Provided and Referred
              simplifies the common cases

Kyle Nekritz: What guidance would you give developers?
              Brian: Not sure what additional guidance I'd give developers

Leif Johansson: How many people have implemented this?
              Several

Leif: Asked for additional reviewers
              William Denniss and Nick Harper agreed to review within the next
              month

Tony Nadalin: Have any interop problems been seen?
              Brian: None that I'm aware of

Kyle Nekritz: We have implemented this
William Denniss and Vinod Anupam spoke in favor of the draft

====

Nick Harper presented on 0RTT and 1RTT
              1RTT is implemented in Chrome
              0RTT is not implemented in Chrome
              Facebook has also implemented 1RTT

Tony Nadalin: It looks simple but I'm not sure if there will be interop
problems or not
              Kyle: Facebook implemented 1RTT and it works fine
Leif: We will ask for an early SecDir review

Nick: 0RTT is expired - he hasn't had time lately to work on it
              It needs more implementation experience

John Bradley: Is there a danger of people using TLS 1.3 0RTT with Token Binding
and getting no security?
              Nick: There is guidance in the specs about this
              Andrei Popov: The keys are different so there's no danger

====

Vinod Anupam discussed Token Binding support in Fetch
              The PR https://github.com/whatwg/fetch/pull/325 has existed for a
              while
              The Fetch WG requires Web platform tests for new features
                           Problematic because Python does not implement Token
                           Binding yet and the Fetch tests are in Python
                           They plan to create alternate tests for Fetch Token
                           Binding
              Fetch describes how to use HTTP to fetch resources in a browser
                           Most of the text is about how browsers use Token
                           Binding in the contexts where they fetch data

Brian Campbell asked for clarification about what the fetch support is trying
to do
              Jeff Hodges said that the Fetch spec specifies algorithms used
              inside browsers
              Vinod: The Fetch spec does have a JavaScript fetch API
              There are additions to this API in the PR

====

Giridhar Mandyam presented on Attested TLS Token Binding -
draft-mandyam-tokbind-attest-03
              Proposes an extension to communicate attestation information for
              token bindings
              Looking for co-editors
              Trying to understand what attestation types should be supported

Andrei: Attestation is very important
              The previous drafts lacked information about the formats of the
              attestation statements
              This has interoperability considerations
              The draft is missing critical information
              Microsoft is considering implementing attestations for Windows

Giri: I agree. We went through this with the WebAuthn spec.
              I would take a similar approach to WebAuthn

Andrei: Having one well-defined method would be a good start
Tony: Microsoft has needs for TPM and Packed attestation formats
              Microsoft would work with Giri to flesh out his draft
Vinod: I will look into what formats Google would want

Leif: Want to see an updated individual draft that's fleshed out with
additional editors