Minutes IETF103: tokbind
minutes-103-tokbind-00

IETF 103 Bangkok
Tokbind session notes - 5th Nov 2018

- TLS1.3 (Nick Harper)

draft-ietf-tokbind-tls13-02 has been updated to reflect final TLS 1.3 RFCs, and
is ready for WGLC.

- 0RTT and token binding (Nick Harper)
Pros and cons of trying to specify combined 0RTT and Token binding were
discussed, based on expired WG draft.

Chair noted that 0RTT is not required by the WG Charter.

Nick Harper: Google likely to enable 0RTT for a number of cases, but not token
binding - so they do not express a requirement for both to coexist.
Recommendation: do nothing for now, and don’t allow 0RTT and token binding on
the same connection. Reconsider if use cases emerge that require both, or if a
WG member wishes to resurrect the expired draft.

[Ed.: does “not allowing 0RTT and token binding on the same connection” require
any action from the WG? e.g. does it require a prohibition to be added to the
token binding specification?]

Mike Jones suggested the Chair note that “the working group expressed no
interest in continuing this work at present”

- TTRP WGLC/IESG issues (Brian Campbell)

BC noted that:
- “a major browser decided to drop token binding support”
- WGLC provoked a repeat of a previously-aired comment about client collusion -
otherwise nothing new

Dick Hardt: are there any implementations of this?
BC: Apache, Nginx; Facebook rumoured to be doing it internally, but not
confirmed; otherwise, “open source modules for popular web servers”.

John Bradley volunteers to shepherd document through to IETF 104 Prague

Conclusion: meeting in Prague probably not needed, and it appears the WG has
concluded its work.