Transport Layer Security (TLS) Extension for Token Binding Protocol Negotiation
RFC 8472

Document Type RFC - Proposed Standard (October 2018; No errata)
Last updated 2018-10-08
Replaces draft-popov-tokbind-negotiation
Stream IETF
Formats plain text pdf html bibtex
Reviews
Stream WG state Submitted to IESG for Publication
Document shepherd John Bradley
Shepherd write-up Show (last changed 2018-07-20)
IESG IESG state RFC 8472 (Proposed Standard)
Consensus Boilerplate Yes
Telechat date
Responsible AD Eric Rescorla
Send notices to John Bradley <ve7jtb@ve7jtb.com>
IANA IANA review state IANA OK - Actions Needed
IANA action state RFC-Ed-Ack
Internet Engineering Task Force (IETF)                     A. Popov, Ed.
Request for Comments: 8472                                   M. Nystroem
Category: Standards Track                                Microsoft Corp.
ISSN: 2070-1721                                               D. Balfanz
                                                             Google Inc.
                                                            October 2018

              Transport Layer Security (TLS) Extension for
                   Token Binding Protocol Negotiation

Abstract

   This document specifies a Transport Layer Security (TLS) extension
   for the negotiation of Token Binding protocol version and key
   parameters.  Negotiation of Token Binding in TLS 1.3 and later
   versions is beyond the scope of this document.

Status of This Memo

   This is an Internet Standards Track document.

   This document is a product of the Internet Engineering Task Force
   (IETF).  It represents the consensus of the IETF community.  It has
   received public review and has been approved for publication by the
   Internet Engineering Steering Group (IESG).  Further information on
   Internet Standards is available in Section 2 of RFC 7841.

   Information about the current status of this document, any errata,
   and how to provide feedback on it may be obtained at
   https://www.rfc-editor.org/info/rfc8472.

Copyright Notice

   Copyright (c) 2018 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (https://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Popov, et al.                Standards Track                    [Page 1]
RFC 8472         Token Binding Negotiation TLS Extension    October 2018

Table of Contents

   1.  Introduction  . . . . . . . . . . . . . . . . . . . . . . . .   2
     1.1.  Requirements Language . . . . . . . . . . . . . . . . . .   2
   2.  Token Binding Negotiation ClientHello Extension . . . . . . .   2
   3.  Token Binding Negotiation ServerHello Extension . . . . . . .   3
   4.  Negotiating Token Binding Protocol Version and Key Parameters   4
   5.  IANA Considerations . . . . . . . . . . . . . . . . . . . . .   6
   6.  Security Considerations . . . . . . . . . . . . . . . . . . .   6
     6.1.  Downgrade Attacks . . . . . . . . . . . . . . . . . . . .   6
     6.2.  Triple Handshake Vulnerability in TLS 1.2 and Older TLS
           Versions  . . . . . . . . . . . . . . . . . . . . . . . .   6
   7.  References  . . . . . . . . . . . . . . . . . . . . . . . . .   7
     7.1.  Normative References  . . . . . . . . . . . . . . . . . .   7
     7.2.  Informative References  . . . . . . . . . . . . . . . . .   7
   Acknowledgements  . . . . . . . . . . . . . . . . . . . . . . . .   8
   Authors' Addresses  . . . . . . . . . . . . . . . . . . . . . . .   8

1.  Introduction

   In order to use the Token Binding protocol [RFC8471], the client and
   server need to agree on the Token Binding protocol version and the
   parameters (signature algorithm and length) of the Token Binding key.
   This document specifies a new TLS [RFC5246] extension to accomplish
   this negotiation without introducing additional network round trips
   in TLS 1.2 and earlier versions.  [TOKENBIND-TLS13] addresses Token
   Binding in TLS 1.3.  The negotiation of the Token Binding protocol
   and key parameters in combination with TLS 1.3 and later versions is
   beyond the scope of this document.  (Note: This document deals with
   TLS 1.2 and therefore refers to RFC 5246 (which has been obsoleted by
   RFC 8446).  [TOKENBIND-TLS13] addresses Token Binding in TLS 1.3).

1.1.  Requirements Language

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
   "OPTIONAL" in this document are to be interpreted as described in
   BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all
   capitals, as shown here.

2.  Token Binding Negotiation ClientHello Extension

   The client uses the "token_binding" TLS extension to indicate the
   highest supported Token Binding protocol version and key parameters.

   enum {
       token_binding(24), (65535)
   } ExtensionType;

Popov, et al.                Standards Track                    [Page 2]
RFC 8472         Token Binding Negotiation TLS Extension    October 2018

   The "extension_data" field of this extension contains a
   "TokenBindingParameters" value.
Show full document text