draft-ietf-tokbind-negotiation-11.txt   draft-ietf-tokbind-negotiation-12.txt 
Internet Engineering Task Force A. Popov, Ed. Internet Engineering Task Force A. Popov, Ed.
Internet-Draft M. Nystroem Internet-Draft M. Nystroem
Intended status: Standards Track Microsoft Corp. Intended status: Standards Track Microsoft Corp.
Expires: October 14, 2018 D. Balfanz Expires: November 1, 2018 D. Balfanz
A. Langley A. Langley
Google Inc. Google Inc.
April 12, 2018 April 30, 2018
Transport Layer Security (TLS) Extension for Token Binding Protocol Transport Layer Security (TLS) Extension for Token Binding Protocol
Negotiation Negotiation
draft-ietf-tokbind-negotiation-11 draft-ietf-tokbind-negotiation-12
Abstract Abstract
This document specifies a Transport Layer Security (TLS) extension This document specifies a Transport Layer Security (TLS) extension
for the negotiation of Token Binding protocol version and key for the negotiation of Token Binding protocol version and key
parameters. parameters.
Status of This Memo Status of This Memo
This Internet-Draft is submitted in full conformance with the This Internet-Draft is submitted in full conformance with the
skipping to change at page 1, line 36 skipping to change at page 1, line 36
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at https://datatracker.ietf.org/drafts/current/. Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on October 14, 2018. This Internet-Draft will expire on November 1, 2018.
Copyright Notice Copyright Notice
Copyright (c) 2018 IETF Trust and the persons identified as the Copyright (c) 2018 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(https://trustee.ietf.org/license-info) in effect on the date of (https://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
skipping to change at page 2, line 20 skipping to change at page 2, line 20
1.1. Requirements Language . . . . . . . . . . . . . . . . . . 2 1.1. Requirements Language . . . . . . . . . . . . . . . . . . 2
2. Token Binding Negotiation Client Hello Extension . . . . . . 2 2. Token Binding Negotiation Client Hello Extension . . . . . . 2
3. Token Binding Negotiation Server Hello Extension . . . . . . 3 3. Token Binding Negotiation Server Hello Extension . . . . . . 3
4. Negotiating Token Binding Protocol Version and Key Parameters 4 4. Negotiating Token Binding Protocol Version and Key Parameters 4
5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 5 5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 5
6. Security Considerations . . . . . . . . . . . . . . . . . . . 6 6. Security Considerations . . . . . . . . . . . . . . . . . . . 6
6.1. Downgrade Attacks . . . . . . . . . . . . . . . . . . . . 6 6.1. Downgrade Attacks . . . . . . . . . . . . . . . . . . . . 6
6.2. Triple Handshake Vulnerability in TLS 1.2 and Older TLS 6.2. Triple Handshake Vulnerability in TLS 1.2 and Older TLS
Versions . . . . . . . . . . . . . . . . . . . . . . . . 6 Versions . . . . . . . . . . . . . . . . . . . . . . . . 6
7. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 6 7. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 6
8. References . . . . . . . . . . . . . . . . . . . . . . . . . 6 8. References . . . . . . . . . . . . . . . . . . . . . . . . . 7
8.1. Normative References . . . . . . . . . . . . . . . . . . 6 8.1. Normative References . . . . . . . . . . . . . . . . . . 7
8.2. Informative References . . . . . . . . . . . . . . . . . 7 8.2. Informative References . . . . . . . . . . . . . . . . . 7
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 7 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 7
1. Introduction 1. Introduction
In order to use the Token Binding protocol In order to use the Token Binding protocol
[I-D.ietf-tokbind-protocol], the client and server need to agree on [I-D.ietf-tokbind-protocol], the client and server need to agree on
the Token Binding protocol version and the parameters (signature the Token Binding protocol version and the parameters (signature
algorithm, length) of the Token Binding key. This document specifies algorithm, length) of the Token Binding key. This document specifies
a new TLS [RFC5246] extension to accomplish this negotiation without a new TLS [RFC5246] extension to accomplish this negotiation without
skipping to change at page 3, line 24 skipping to change at page 3, line 24
} TokenBindingKeyParameters; } TokenBindingKeyParameters;
struct { struct {
TB_ProtocolVersion token_binding_version; TB_ProtocolVersion token_binding_version;
TokenBindingKeyParameters key_parameters_list<1..2^8-1> TokenBindingKeyParameters key_parameters_list<1..2^8-1>
} TokenBindingParameters; } TokenBindingParameters;
"token_binding_version" indicates the version of the Token Binding "token_binding_version" indicates the version of the Token Binding
protocol the client wishes to use during this connection. If the protocol the client wishes to use during this connection. If the
client supports multiple Token Binding protocol versions, it SHOULD client supports multiple Token Binding protocol versions, it SHOULD
indicate the latest (highest valued) version in indicate the latest supported version (the one with the highest
TokenBindingParameters.token_binding_version. TB_ProtocolVersion.major and TB_ProtocolVersion.minor) in
[I-D.ietf-tokbind-protocol] describes version {1, 0} of the protocol. TokenBindingParameters.token_binding_version. E.g. if the client
Please note that the server MAY select any lower protocol version, supports versions {1, 0} and {0, 13} of the Token Binding protocol,
see section Section 4 it SHOULD indicate version {1, 0}. Please note that the server MAY
"Negotiating Token Binding Protocol Version and Key Parameters" for select any lower protocol version, see Section 3
more details. "Token Binding Negotiation Server Hello Extension" for more details.
If the client does not support the Token Binding protocol version
selected by the server, then the connection proceeds without Token
Binding. [I-D.ietf-tokbind-protocol] describes version {1, 0} of the
protocol.
RFC EDITOR: PLEASE REMOVE THE FOLLOWING PARAGRAPH: Prototype RFC EDITOR: PLEASE REMOVE THE FOLLOWING PARAGRAPH: Prototype
implementations of Token Binding drafts can indicate support of a implementations of Token Binding drafts can indicate support of a
specific draft version, e.g. {0, 1} or {0, 2}. specific draft version, e.g. {0, 1} or {0, 2}.
"key_parameters_list" contains the list of identifiers of the Token "key_parameters_list" contains the list of identifiers of the Token
Binding key parameters supported by the client, in descending order Binding key parameters supported by the client, in descending order
of preference. [I-D.ietf-tokbind-protocol] defines an initial set of of preference. [I-D.ietf-tokbind-protocol] defines an initial set of
identifiers for Token Binding key parameters. identifiers for Token Binding key parameters.
skipping to change at page 4, line 14 skipping to change at page 4, line 19
1. The server supports the Token Binding protocol version offered by 1. The server supports the Token Binding protocol version offered by
the client or a lower version. the client or a lower version.
2. The server finds acceptable Token Binding key parameters on the 2. The server finds acceptable Token Binding key parameters on the
client's list. client's list.
3. The server is also negotiating the Extended Master Secret 3. The server is also negotiating the Extended Master Secret
[RFC7627] and Renegotiation Indication [RFC5746] TLS extensions. [RFC7627] and Renegotiation Indication [RFC5746] TLS extensions.
This requirement applies when TLS 1.2 or an older TLS version is This requirement applies when TLS 1.2 or an older TLS version is
used (see section Section 6 "Security Considerations" below for used (see Section 6 "Security Considerations" below for more
more details). details).
The server will ignore any key parameters that it does not recognize. The server will ignore any key parameters that it does not recognize.
The "extension_data" field of the "token_binding" extension is The "extension_data" field of the "token_binding" extension is
structured the same as described above for the client structured the same as described above for the client
"extension_data". "extension_data".
"token_binding_version" contains the lower of: "token_binding_version" contains the lower of:
o the Token Binding protocol version offered by the client in the o the Token Binding protocol version offered by the client in the
"token_binding" extension and "token_binding" extension and
skipping to change at page 5, line 13 skipping to change at page 5, line 19
version advertised by the client. version advertised by the client.
3. "key_parameters_list" includes more than one Token Binding key 3. "key_parameters_list" includes more than one Token Binding key
parameters identifier. parameters identifier.
4. "key_parameters_list" includes an identifier that was not 4. "key_parameters_list" includes an identifier that was not
advertised by the client. advertised by the client.
5. TLS 1.2 or an older TLS version is used, but the Extended Master 5. TLS 1.2 or an older TLS version is used, but the Extended Master
Secret [RFC7627] and TLS Renegotiation Indication [RFC5746] Secret [RFC7627] and TLS Renegotiation Indication [RFC5746]
extensions are not negotiated (see section Section 6 extensions are not negotiated (see Section 6
"Security Considerations" below for more details). "Security Considerations" below for more details).
If the "token_binding" extension is included in the server hello and If the "token_binding" extension is included in the server hello and
the client supports the Token Binding protocol version selected by the client supports the Token Binding protocol version selected by
the server, it means that the version and key parameters have been the server, it means that the version and key parameters have been
negotiated between the client and the server and SHALL be definitive negotiated between the client and the server and SHALL be definitive
for the TLS connection. TLS 1.2 and earlier versions support for the TLS connection. TLS 1.2 and earlier versions support
renegotiation, allowing the client and server to renegotiate the renegotiation, allowing the client and server to renegotiate the
Token Binding protocol version and key parameters on the same Token Binding protocol version and key parameters on the same
connection. The client MUST use the negotiated key parameters in the connection. The client MUST use the negotiated key parameters in the
"provided_token_binding" as described in [I-D.ietf-tokbind-protocol]. "provided_token_binding" as described in [I-D.ietf-tokbind-protocol].
If the client does not support the Token Binding protocol version If the client does not support the Token Binding protocol version
selected by the server, then the connection proceeds without Token selected by the server, then the connection proceeds without Token
Binding. Binding. There is no requirement for the client to support any Token
Binding versions other than the one advertised in the client's
"token_binding" extension.
The Token Binding protocol version and key parameters are negotiated The Token Binding protocol version and key parameters are negotiated
for each TLS connection, which means that the client and server for each TLS connection, which means that the client and server
include their "token_binding" extensions both in the full TLS include their "token_binding" extensions both in the full TLS
handshake that establishes a new TLS session and in the subsequent handshake that establishes a new TLS session and in the subsequent
abbreviated TLS handshakes that resume the TLS session. abbreviated TLS handshakes that resume the TLS session.
5. IANA Considerations 5. IANA Considerations
This document updates the TLS "ExtensionType Values" registry. IANA This document updates the TLS "ExtensionType Values" registry. IANA
skipping to change at page 6, line 51 skipping to change at page 7, line 12
Leif Johansson. The area directors included Eric Rescorla, Kathleen Leif Johansson. The area directors included Eric Rescorla, Kathleen
Moriarty and Stephen Farrell. Moriarty and Stephen Farrell.
8. References 8. References
8.1. Normative References 8.1. Normative References
[I-D.ietf-tokbind-protocol] [I-D.ietf-tokbind-protocol]
Popov, A., Nystrom, M., Balfanz, D., Langley, A., and J. Popov, A., Nystrom, M., Balfanz, D., Langley, A., and J.
Hodges, "The Token Binding Protocol Version 1.0", draft- Hodges, "The Token Binding Protocol Version 1.0", draft-
ietf-tokbind-protocol-16 (work in progress), October 2017. ietf-tokbind-protocol-17 (work in progress), April 2018.
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, Requirement Levels", BCP 14, RFC 2119,
DOI 10.17487/RFC2119, March 1997, DOI 10.17487/RFC2119, March 1997,
<https://www.rfc-editor.org/info/rfc2119>. <https://www.rfc-editor.org/info/rfc2119>.
[RFC5246] Dierks, T. and E. Rescorla, "The Transport Layer Security [RFC5246] Dierks, T. and E. Rescorla, "The Transport Layer Security
(TLS) Protocol Version 1.2", RFC 5246, (TLS) Protocol Version 1.2", RFC 5246,
DOI 10.17487/RFC5246, August 2008, DOI 10.17487/RFC5246, August 2008,
<https://www.rfc-editor.org/info/rfc5246>. <https://www.rfc-editor.org/info/rfc5246>.
 End of changes. 10 change blocks. 
18 lines changed or deleted 24 lines changed or added

This html diff was produced by rfcdiff 1.46. The latest version is available from http://tools.ietf.org/tools/rfcdiff/