Only one method to Token Bind AT rather than two?

Comments (23)

1. 

   Sascha Preibisch

   Adoption of FAPI may be hindered due to technical limitations vendors may have. With that I support alternative ways.

   • 2017-04-09T02:28:40+00:00
2. 

   Dave Tonge

   I agree - lets just refer to the token binding spec and accept both options.

   • 2017-04-26T13:50:18+00:00
3. 

   Nat Sakimura reporter

   Should just refer to TB spec and MTLS spec allowing options there.

   • 2017-04-26T14:13:43+00:00
4. 

   Tom Jones

   Has any one any experience with token binding in a production environment? It is my understanding that several large sites have off-loaded the TLS connection to machines that only perform TLS. In that case the TLS information is not available to any end-point.

   I think that token binding is not practical in large installations and needs to be removed.

   • 2017-05-06T16:02:49+00:00
5. 

   Nat Sakimura reporter

   I believe many of Google's cookies are actually token bound. Otherwise, I have not heard too much experience on it. It is for the future. Maybe John B. as the chair of TB WG can chime in.

   What is expected in reality is that those TLS terminating boxes to put the TBIDs in the forwarding http headers in one way or another. The same kind of things happens in the Client TLS authentication, too, which btw is widely supported of course.

   In IETF, I have proposed a purely JWS based one which does not require any intermediation by the middlebox and achieve end-to-end security. However, it has not yet been taken up, although, in the last meeting, I had a support from Tony that he has a use case for it.

   • 2017-05-06T18:45:57+00:00
6. 

   Nat Sakimura reporter

   • changed status to open

   • 2017-05-06T18:56:33+00:00
7. 

   Tom Jones

   I would like to hear more about Google's approach. My fear is you have created an architecture that cannot be decomposed for efficiency.

   • 2017-05-06T21:35:31+00:00
8. 

   John Bradley

   Token binding is as easily decoupled from the app as mutual TLS.

   The working group is working on a standard for communicating between the reverse proxy and the app, this is something that is not standardised for mutual TLS and each vender has a different format.

   Google has added token binding to there front end TLS terminators. NginX has added a module for token binding https://github.com/google/ngx_token_binding

   Facebook and Microsoft are in the process of adding it.

   For server to server mtls is OK but for mobile and browsers token binding is required to scale.

   John B.

   • 2017-05-09T08:37:02+00:00
9. 

   Tom Jones

   I am guessing this solution is for clients running in devices.

   What purpose, ie what threat is mitigated, by token binding for confidential clients?

   • 2017-05-09T15:20:05+00:00
10. 

    John Bradley

    Securing the access tokens.

    • 2017-05-09T15:35:14+00:00
11. 

    Tom Jones

    against what threat?

    • 2017-05-09T15:50:15+00:00
12. 

    John Bradley

    Token interception and replay by the RS.

    There are attacks where a client can be tricked into giving a access token to the wrong RS.

    • 2017-05-09T16:24:57+00:00
13. 

    Tom Jones

    So then what you are looking for is just a mac = message authentication code?

    ..Tom's phone

    • 2017-05-09T18:30:10+00:00
14. 

    Tom Jones

    i have always worried about mixing levels. So I think your approach sounds better. ..tom

    • 2017-05-09T20:20:07+00:00
15. 

    Tom Jones

    I should have added. Client (Mutual) TLS may be supported by browsers, etc. But AFAIK it is not used in general commerce because getting a cert for a user is so cumbersome. ..tom

    • 2017-05-09T20:20:08+00:00
16. 

    Nat Sakimura reporter

    • marked as critical

    • 2017-05-10T09:29:12+00:00
17. 

    Tom Jones

    need to document (or describe where the documentation exists) to rebuild a broken tls session that does not impact operations of a confidential client

    • 2017-05-10T15:00:01+00:00
18. 

    Nat Sakimura reporter

    The introduction of The Token Binding Protocol Version 1.0 draft 13 states:

    Token Bindings are long-lived, i.e., they encompass multiple TLS connections and TLS sessions between a given client and server.

    What happens for TB is:

    1. The client creates a key pair (for RSA or EC) per eTLD+1 and saves it.
    2. The client then creates Token Binding ID (TBID) from the public key.
    3. The client creates Token Binding Message (TBM) by signing EKM using the private key created in step 1 and combining it with TBID.
    4. The client sends TBM in Sec-Token-Binding HTTP header to the server with other HTTP payloads.
    5. The server validates the TBM in the Sec-Token-Binding header by using EKM that it got from the TLS.

    An article by Lepidum documents this well but it is in Japanese.

    • 2017-05-13T10:59:55+00:00
19. 

    Tom Jones

    Right - my question above is confusing. I do not question the value of token binding for a public client. My concern has always been the private client. Is this discussion limited to the removal of the phrase "then later use that key when the TLS connection to the protected resource is established"? That I support.

    • 2017-05-16T22:12:20+00:00
20. 

    Nat Sakimura reporter

    • changed status to closed

    So, as the discussion above, the "later" mode should be allowed and thus we keep the text as is. I am closing the ticket as the reporter.

    • 2017-05-28T15:11:53+00:00
21. 

    Nat Sakimura reporter

    • changed component to Part 2: Advanced

    • 2022-12-14T15:36:06+00:00
22. 

    Nat Sakimura reporter

    • changed component to FAPI 1 – Part 2: Advanced

    • 2022-12-14T15:36:41+00:00
23. 

    Nat Sakimura reporter

    • changed component to FAPI 1: Advanced

    • 2022-12-14T15:38:51+00:00
24. Log in to comment