https token binding tls termination brian campbell ietf
play

HTTPS Token Binding & TLS Termination Brian Campbell IETF 97 - PowerPoint PPT Presentation

HTTPS Token Binding & TLS Termination Brian Campbell IETF 97 Seoul November 2016 1 Situation l Very common in HTTPS application deployments to have TLS terminated by a reverse proxy sitting in front of the actual application l For


  1. HTTPS Token Binding & TLS Termination Brian Campbell IETF 97 Seoul November 2016 1

  2. Situation l Very common in HTTPS application deployments to have TLS ‘terminated’ by a reverse proxy sitting in front of the actual application l For applications in such deployments to take advantage of token binding, some information needs to be communicated from the TLS layer to the application l In the absence of a standard means of conveying the appropriate token binding information, different implementations will do it differently l Terrible for interoperability l A boon to unneeded complexity l Improved opportunity to get things wrong 2

  3. Proposed Solution l Work to standardize something in this WG! l Hopefully not controversial 3

  4. Two General Approaches 1 l The TLS terminator validates the Token Binding Message and passes it (or some variation) along to the application More work for the TLS layer l Easier reconciliation of supported key parameters l 2 l The application validates the Token Binding Message with sufficient info provided as headers by the TLS terminator EKM, the negotiated key parameters l Hard to terminate the connection with the client l Not sure how renegotiation would work l l Miscellaneous thoughts What about version? l TLS terminator must sanitize headers either way l Only one level of proxying supported l Applications likely need configuration l 4

  5. So... l Does the WG think this is work worth pursuing? l Feedback on the approach l Write a draft l Me l You? l IETF magic happens! 5

Recommend


More recommend