The "secret-token" URI Scheme
draft-nottingham-how-did-that-get-into-the-repo-02
Document history
Date | Rev. | By | Action |
---|---|---|---|
2021-01-28 | 02 | (System) | RFC Editor state changed to AUTH48-DONE from AUTH48 |
2020-11-17 | 02 | (System) | RFC Editor state changed to AUTH48 from RFC-EDITOR |
2020-10-29 | 02 | (System) | RFC Editor state changed to RFC-EDITOR from EDIT |
2020-10-22 | 02 | Tero Kivinen | Closed request for Last Call review by SECDIR with state 'Overtaken by Events' |
2020-10-22 | 02 | Tero Kivinen | Assignment of request for Last Call review by SECDIR to Dacheng Zhang was marked no-response |
2020-10-21 | 02 | (System) | IANA Action state changed to RFC-Ed-Ack from Waiting on RFC Editor |
2020-10-21 | 02 | (System) | IANA Action state changed to Waiting on RFC Editor from In Progress |
2020-10-21 | 02 | (System) | IANA Action state changed to In Progress from Waiting on Authors |
2020-10-21 | 02 | (System) | IANA Action state changed to Waiting on Authors from In Progress |
2020-10-21 | 02 | (System) | RFC Editor state changed to EDIT |
2020-10-21 | 02 | (System) | IESG state changed to RFC Ed Queue from Approved-announcement sent |
2020-10-21 | 02 | (System) | Announcement was received by RFC Editor |
2020-10-21 | 02 | (System) | IANA Action state changed to In Progress |
2020-10-21 | 02 | Amy Vezza | IESG state changed to Approved-announcement sent from Approved-announcement to be sent |
2020-10-21 | 02 | Amy Vezza | IESG has approved the document |
2020-10-21 | 02 | Amy Vezza | Closed "Approve" ballot |
2020-10-21 | 02 | Amy Vezza | Ballot approval text was generated |
2020-10-20 | 02 | Murray Kucherawy | IESG state changed to Approved-announcement to be sent from Approved-announcement to be sent::AD Followup |
2020-10-18 | 02 | (System) | Sub state has been changed to AD Followup from Revised ID Needed |
2020-10-18 | 02 | Mark Nottingham | New version available: draft-nottingham-how-did-that-get-into-the-repo-02.txt |
2020-10-18 | 02 | (System) | New version accepted (logged-in submitter: Mark Nottingham) |
2020-10-18 | 02 | Mark Nottingham | Uploaded new revision |
2020-04-09 | 01 | Cindy Morgan | IESG state changed to Approved-announcement to be sent::Revised I-D Needed from Approved-announcement to be sent |
2020-04-09 | 01 | Cindy Morgan | IESG state changed to Approved-announcement to be sent from IESG Evaluation |
2020-04-08 | 01 | Benjamin Kaduk | [Ballot comment] Section 1: Per the comment in the shepherd writeup, RFC 6750 has a passable definition of "bearer token". Section 2: Perhaps an example Authorization header field (a la RFC 6750) would demonstrate the "required for later access" aspect? Section 4: "The token ABNF rule allows tokens as small as one character. This is not recommended practice; applications should evaluate their requirements for entropy and issue tokens correspondingly." I feel like we have some more concrete guidelines regarding token entropy floating around. BCP 106 is the obvious candidate, though its emphasis is different than I would prefer. I guess Section 8 is tolerable. "If it is difficult to correctly handle secret material, or unclear as to what the appropriate handling is, users might choose to obfuscate their secret tokens in order to evade detection (for example, removing the URI scheme for storage). Clear guidelines and helpful tools are good mitigations here." What would those "clear guidelines" be? |
2020-04-08 | 01 | Benjamin Kaduk | [Ballot Position Update] New position, No Objection, has been recorded for Benjamin Kaduk |
2020-04-08 | 01 | Alissa Cooper | [Ballot comment] Section 4: "prevent accidental disclosure" seems a little strong. Perhaps "reduce the incidence of accidental disclosure" would be better. |
2020-04-08 | 01 | Alissa Cooper | [Ballot Position Update] New position, No Objection, has been recorded for Alissa Cooper |
2020-04-08 | 01 | Roman Danyliw | [Ballot comment] Section 1. Typo. s/ike CSRF/like CSRF/ Section 4. Easy to find tokens will cut both ways. This URI scheme would make it trivial (with likely an acceptable false positive rate) for a CI system to trigger on the presence of a token in a repo. It would also be worth mentioning that adoption of this scheme would also further lower the bar for attackers when scanning for these tokens too – even less semantic parsing of source code would be required. |
2020-04-08 | 01 | Roman Danyliw | [Ballot Position Update] New position, No Objection, has been recorded for Roman Danyliw |
2020-04-08 | 01 | Deborah Brungard | [Ballot Position Update] New position, No Objection, has been recorded for Deborah Brungard |
2020-04-08 | 01 | Alvaro Retana | [Ballot Position Update] New position, No Objection, has been recorded for Alvaro Retana |
2020-04-08 | 01 | Magnus Westerlund | [Ballot Position Update] New position, No Objection, has been recorded for Magnus Westerlund |
2020-04-07 | 01 | Martin Vigoureux | [Ballot Position Update] New position, No Objection, has been recorded for Martin Vigoureux |
2020-04-06 | 01 | Robert Wilton | [Ballot comment] It's not clear to me whether or not this will truly help, but I don't see it causing any harm to the internet, and I think that it is good to try to mitigate against folk who either accidentally commit security tokens or deliberately commit them without any awareness of the consequences. |
2020-04-06 | 01 | Robert Wilton | Ballot comment text updated for Robert Wilton |
2020-04-06 | 01 | Robert Wilton | [Ballot comment] It's not clear to me whether or not this will truly help, but I don't see it is causing any harm to the internet, and I think that it is good to try to mitigate against folks who either accidentally commit security tokens or deliberately commit them without any awareness of the consequences. |
2020-04-06 | 01 | Robert Wilton | [Ballot Position Update] New position, No Objection, has been recorded for Robert Wilton |
2020-04-04 | 01 | Erik Kline | [Ballot Position Update] New position, No Objection, has been recorded for Erik Kline |
2020-03-27 | 01 | Barry Leiba | [Ballot Position Update] New position, Yes, has been recorded for Barry Leiba |
2020-03-27 | 01 | Cindy Morgan | Placed on agenda for telechat - 2020-04-09 |
2020-03-27 | 01 | Murray Kucherawy | IESG state changed to IESG Evaluation from Waiting for Writeup |
2020-03-27 | 01 | Murray Kucherawy | Ballot has been issued |
2020-03-27 | 01 | Murray Kucherawy | [Ballot Position Update] New position, Yes, has been recorded for Murray Kucherawy |
2020-03-27 | 01 | Murray Kucherawy | Created "Approve" ballot |
2020-03-27 | 01 | Murray Kucherawy | Ballot writeup was changed |
2020-03-27 | 01 | Murray Kucherawy | Ballot approval text was changed |
2020-03-25 | 01 | Alexey Melnikov | Shepherding AD changed to Murray Kucherawy |
2020-03-12 | 01 | (System) | IESG state changed to Waiting for Writeup from In Last Call |
2020-03-09 | 01 | (System) | IANA Review state changed to IANA OK - Actions Needed from IANA - Review Needed |
2020-03-09 | 01 | Sabrina Tanamal | (Via drafts-lastcall@iana.org): IESG/Authors/WG Chairs: The IANA Functions Operator has completed its review of draft-nottingham-how-did-that-get-into-the-repo-01. If any part of this review is inaccurate, please let us know. The IANA Functions Operator understands that, upon approval of this document, there is a single action which we must complete. In the Uniform Resource Identifier (URI) Schemes registry located at: https://www.iana.org/assignments/uri-schemes/ a new registration will be made as follows: URI Scheme: secret-token; Template: [ TBD-at-Registration ]; Description: secret-token; Status: provisional; Well-known URI Support: (none); Reference: [ RFC-to-be ]; Notes: (none). The IANA Functions Operator understands that this is the only action required to be completed upon approval of this document. Note: The actions requested in this document will not be completed until the document has been approved for publication as an RFC. This message is meant only to confirm the list of actions that will be performed. Thank you, Sabrina Tanamal, Senior IANA Services Specialist |
2020-03-08 | 01 | Jouni Korhonen | Request for Last Call review by GENART Completed: Ready with Nits. Reviewer: Jouni Korhonen. Sent review to list. |
2020-03-04 | 01 | Alexey Melnikov | Note field has been cleared |
2020-03-04 | 01 | Alexey Melnikov | Notification list changed to superuser@gmail.com, Alexey Melnikov <alexey.melnikov@isode.com> from superuser@gmail.com |
2020-03-04 | 01 | Alexey Melnikov | Document shepherd changed to Alexey Melnikov |
2020-03-04 | 01 | Alexey Melnikov | Due to me finishing my IESG term during the Vancouver IETF, I will become the document shepherd and Murray will become the responsible AD. |
2020-03-04 | 01 | Alexey Melnikov | Notification list changed to superuser@gmail.com |
2020-02-20 | 01 | Tero Kivinen | Request for Last Call review by SECDIR is assigned to Dacheng Zhang |
2020-02-20 | 01 | Tero Kivinen | Request for Last Call review by SECDIR is assigned to Dacheng Zhang |
2020-02-18 | 01 | Gunter Van de Velde | Request for Last Call review by OPSDIR is assigned to Tim Wicinski |
2020-02-18 | 01 | Gunter Van de Velde | Request for Last Call review by OPSDIR is assigned to Tim Wicinski |
2020-02-13 | 01 | Jean Mahoney | Request for Last Call review by GENART is assigned to Jouni Korhonen |
2020-02-13 | 01 | Jean Mahoney | Request for Last Call review by GENART is assigned to Jouni Korhonen |
2020-02-13 | 01 | Amy Vezza | IANA Review state changed to IANA - Review Needed |
2020-02-13 | 01 | Amy Vezza | The following Last Call announcement was sent out (ends 2020-03-12): From: The IESG; To: IETF-Announce; CC: alexey.melnikov@isode.com, superuser@gmail.com, draft-nottingham-how-did-that-get-into-the-repo@ietf.org; Reply-To: last-call@ietf.org; Sender: (none); Subject: Last Call: (The secret-token URI Scheme) to Informational RFC. The IESG has received a request from an individual submitter to consider the following document: - 'The secret-token URI Scheme' as Informational RFC. The IESG plans to make a decision in the next few weeks, and solicits final comments on this action. Please send substantive comments to the last-call@ietf.org mailing lists by 2020-03-12. Exceptionally, comments may be sent to iesg@ietf.org instead. In either case, please retain the beginning of the Subject line to allow automated sorting. Abstract: This document registers the "secret-token" URI scheme, to aid in the identification of authentication tokens. The file can be obtained via https://datatracker.ietf.org/doc/draft-nottingham-how-did-that-get-into-the-repo/ IESG discussion can be tracked via https://datatracker.ietf.org/doc/draft-nottingham-how-did-that-get-into-the-repo/ballot/ No IPR declarations have been submitted directly on this I-D. |
2020-02-13 | 01 | Amy Vezza | IESG state changed to In Last Call from Last Call Requested |
2020-02-13 | 01 | Alexey Melnikov | Last call was requested |
2020-02-13 | 01 | Alexey Melnikov | Last call announcement was generated |
2020-02-13 | 01 | Alexey Melnikov | Ballot approval text was generated |
2020-02-13 | 01 | Alexey Melnikov | Ballot writeup was generated |
2020-02-13 | 01 | Alexey Melnikov | I was actually waiting for the shepherd write-up. I didn't set the datatracker state correctly. |
2020-02-13 | 01 | Alexey Melnikov | IESG state changed to Last Call Requested from AD Evaluation |
2020-02-12 | 01 | Murray Kucherawy | 1. Summary: Murray Kucherawy is the document shepherd. Alexey Melnikov is the responsible Area Director. This document registers the "secret-token" URI scheme, to aid in the identification of authentication tokens. The document seeks informational status, which is appropriate as it does not specify a standards-track protocol and instead registers a URI scheme and describes its intended use. 2. Review and Consensus: The document was discussed in the DISPATCH working group, where there was general support for the idea but no support for the notion of creating a working group around it. DISPATCH recommended Area Director sponsorship and Alexey volunteered. 3. Intellectual Property: The author affirms compliance with BCPs 78 and 79. No undeclared IPR claims are known. 4. Other Points: This document is informational, and as such downward references are not a concern. The IANA Considerations section appears to be correct (with respect to RFC 7595) and complete. Provisional registrations are first come first served, so this does not require expert review. The document appears to be ready for publication. About the only suggestion I have personally is that the term "bearer token" might deserve a reference to a formal definition, or at least an example ("e.g., password" maybe?). No formal directorate reviews are required, other than the ones that will be triggered automatically anyway. There is some ABNF in the document but it appears to be correct and complete. Ship it! |
2019-04-24 | 01 | Alexey Melnikov | IESG state changed to AD Evaluation from Publication Requested |
2019-01-08 | 01 | Alexey Melnikov | Intended Status changed to Informational from Proposed Standard |
2018-11-06 | 01 | Mark Nottingham | New version available: draft-nottingham-how-did-that-get-into-the-repo-01.txt |
2018-11-06 | 01 | (System) | New version approved |
2018-11-06 | 01 | (System) | Request for posting confirmation emailed to previous authors: Mark Nottingham |
2018-11-06 | 01 | Mark Nottingham | Uploaded new revision |
2018-11-05 | 00 | Alexey Melnikov | Changed consensus to Yes from Unknown |
2018-11-05 | 00 | Alexey Melnikov | Assigned to Applications and Real-Time Area |
2018-11-05 | 00 | Alexey Melnikov | Note added 'Based on DISPATCH discussion: is this going to change to Informational?' |
2018-11-05 | 00 | Alexey Melnikov | Responsible AD changed to Alexey Melnikov |
2018-11-05 | 00 | Alexey Melnikov | Intended Status changed to Proposed Standard |
2018-11-05 | 00 | Alexey Melnikov | IESG process started in state Publication Requested |
2018-11-05 | 00 | Alexey Melnikov | Notification list changed to Murray Kucherawy <superuser@gmail.com> |
2018-11-05 | 00 | Alexey Melnikov | Document shepherd changed to Murray Kucherawy |
2018-11-05 | 00 | Alexey Melnikov | Stream changed to IETF from None |
2018-11-04 | 00 | Cullen Jennings | Added to session: IETF-103: dispatch Mon-0900 |
2018-08-15 | 00 | Mark Nottingham | New version available: draft-nottingham-how-did-that-get-into-the-repo-00.txt |
2018-08-15 | 00 | (System) | New version approved |
2018-08-15 | 00 | Mark Nottingham | Request for posting confirmation emailed to submitter and authors: Mark Nottingham |
2018-08-15 | 00 | Mark Nottingham | Uploaded new revision |