Transport Layer Security (TLS) Extension for Token Binding Protocol Negotiation
draft-ietf-tokbind-negotiation-14

Addendum: the ARTART review raises a point that I believe should be fixed or clarified in the document: https://datatracker.ietf.org/doc/review-ietf-tokbind-negotiation-12-artart-telechat-miller-2018-05-08/

Original Comments:

I would really like to see a non-normative mention of draft-ietf-tokbind-tls13
in here, to let readers know that a TLS 1.3 solution is in progress rather than
merely being excluded from scope.

I also think the Abstract is incomplete without mentioning the limitation of
this document's mechanism to TLS 1.2 and lower.

Thanks for this document. I am balloting "yes", but have a few comments:

- I support Alexey's DISCUSS. Additionally, do I understand the version negotiation to require the client to support all previous version from the one it initially advertises? If so, how would you deprecate a version at some time in the future?

- I shared some of the confusion about this being limited to TLS 1.2 and earlier. In particular, there is repeating language that to the effect of "For TLS 1.2 and earlier...", which seems strange for a draft that only supports 1.2 in the first place.

§1.1: Please consider using the 8174 boilerplate across the cluster. While I did not find lower case keywords in this draft, I did in the other two and it would be best to be consistent across all three.

§2: "[I-D.ietf-tokbind-protocol] describes version {1, 0} of the protocol.": While one might infer that version to be {1,0} give the name "Token Binding 1.0", I never saw it explicitly mentioned.

Editorial Comments:

§2: "Please note that the server MAY select any lower protocol version, see Section 3": comma splice

I agree with Adam and Warren's comments.

The point already made about version negotiation has a corollary
that if the client sends a dense list of versions, then the server
will know decisively that a specific version has (or has not) been
negotiated, and can rely on that at the application layer.  When the
client can receive an unsupported version back from the server, the
client will not use token binding and the server has to infer from
the client's application-layer traffic whether token binding is
expected to be in use.  (Whether or not this is a desired or useful
property to have is not necessarily clear.)


Section 4

   the client advertises, then the server MUST NOT include
   "token_binding" extension in the server hello.

Nit: """the "token_binding" extension"""


Section 6.1

   The Token Binding protocol version and key parameters are negotiated
   via "token_binding" extension within the TLS handshake. [...]

Nit: """the "token_binding" extension".  (Also at the end of this
paragraph.)

   [...] TLS prevents
   active attackers from modifying the messages of the TLS handshake,
   therefore it is not possible for the attacker to remove or modify the
   "token_binding" extension.

I wonder if we want to explicitly say *successful* TLS handshakes,
but given the context in the main protocol document it's probably
not necessary.