Unbearable notes 21-Mar-18

The chairs reported that the three core Token Binding specs are scheduled for the IESG telechat on May 10th
No IESG feedback or area reviews have been received so far

====

Brian Campbell presented on HTTPS Token Binding with TLS Terminating Reverse Proxies - draft-ietf-tokbind-ttrp-03
He added the Sec-Other-Token-Binding-ID header, per working group requests
He thinks it's probably time for WGLC
Vinod Anupam: Trust between proxy and back end
Do we want a mechanism to validate this?
Brian: No
Chris Newman: Asked about relationship to the "Proxy" Protocol
The "Proxy" protocol is not an RFC
Brian: I am very much trying to solve for the HTTP use case
Andrei Popov: Asked about Sec-Other-Token-Binding-ID
Why not combine all Token Binding IDs into this one header?
Brian: I think that having names for Provided and Referred simplifies the common cases
Kyle Kekritz: What guidance would you give developers?
Brian: Not sure what additional guidance I'd give developers
Leif Johansson: How many people have implemented this?
Several
Leif: Asked for additional reviewers
William Denniss and Nick Harper agreed to review within the next month
Tony Nadalin: Have any interop problems been seen?
Brian: None that I'm aware of
Kyle Kekritz: We have implemented this
William Denniss, Vinod Anupam spoke in favor of the draft

====

Nick Harper presented on 0RTT and 1RTT
1RTT is implemented in Chrome
0RTT is not implemented in Chrome
Facebook has also implemented 1RTT
Tony Nadalin: It looks simple but I'm not sure if there will be interop problems or not
Kyle: Facebook implemented 1RTT and it works fine
Leif: We will ask for an early SecDir review
Nick: 0RTT is expired - he hasn't had time lately to work on it
It needs more implementation experience
John Bradley: Is there a danger of people using TLS 1.3 0RTT with Token Binding and getting no security?
Nick: There is guidance in the specs about this
Andrei Popov: The keys are different so there's no danger

====

Vinod Anupam discussed Token Binding support in Fetch
The PR https://github.com/whatwg/fetch/pull/325 has existed for a while
The Fetch WG requires Web platform tests for new features
Problematic because Python does not implement Token Binding yet and the Fetch tests are in Python
They plan to create alternate tests for Fetch Token Binding
Fetch describes how to use HTTP to fetch resources in a browser
Most of the text is about how browsers use Token Binding in the contexts where they fetch data
Brian Campbell asked for clarification about what the fetch support is trying to do
Jeff Hodges said that the Fetch spec specifies algorithms used inside browsers
Vinod: The Fetch spec does have a JavaScript fetch API
There are additions to this API in the PR

====

Giridhar Mandyam presented on Attested TLS Token Binding - draft-mandyam-tokbind-attest-03
Proposes an extension to communicate attestation information for token bindings
Looking for co-editors
Trying to understand what attestation types should be supported
Andrei: Attestation is very important
The previous drafts lacked information about the formats of the attestation statements
This has interoperability considerations
The draft is missing critical information
Microsoft is considering implementing attestations for Windows
Giri: I agree. We went through this with the WebAuthn spec. I would take a similar approach to WebAuthn
Andrei: Having one well-defined method would be a good start
Tony: Microsoft has needs for TPM and Packed attestation formats
Microsoft would work with Giri to flesh out his draft
Vinod: I will look into what formats Google would want
Leif: Want to see an updated individual draft that's fleshed out with additional editors