[Docs] [txt|pdf] [Tracker] [Email] [Diff1] [Diff2] [Nits]

Versions: 00 01 02

Network Working Group                                          Johansson
Internet-Draft                                                        SU
Intended status: Standards Track                       November 18, 2007
Expires: May 21, 2008

                Channel bindings for HTTP+TLS transport

Status of this Memo

   By submitting this Internet-Draft, each author represents that any
   applicable patent or other IPR claims of which he or she is aware
   have been or will be disclosed, and any of which he or she becomes
   aware will be disclosed, in accordance with Section 6 of BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF), its areas, and its working groups.  Note that
   other groups may also distribute working documents as Internet-

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   The list of current Internet-Drafts can be accessed at

   The list of Internet-Draft Shadow Directories can be accessed at

   This Internet-Draft will expire on May 21, 2008.

Copyright Notice

   Copyright (C) The IETF Trust (2007).

Johansson                 Expires May 21, 2008                  [Page 1]

Internet-Draft               http-cbindings                November 2007


   This document specifies a channel concept for HTTP with TLS and a
   representation of that channel which can be used by protocols which
   use channel bindings to delegate session protection to lower layers.

Table of Contents

   1.  Terminology  . . . . . . . . . . . . . . . . . . . . . . . . .  3
   2.  Introduction and motivation  . . . . . . . . . . . . . . . . .  4
   3.  The HTTP+TLS Channel . . . . . . . . . . . . . . . . . . . . .  5
   4.  Discovery of the channel-bindings-proxy  . . . . . . . . . . .  6
   5.  The Channel-Bindings-Proxy header  . . . . . . . . . . . . . .  7
   6.  The Channel-Identifier header  . . . . . . . . . . . . . . . .  8
   7.  Security Considerations  . . . . . . . . . . . . . . . . . . . 10
   8.  Notes  . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11
   9.  IANA Considerations  . . . . . . . . . . . . . . . . . . . . . 12
   10. Changes  . . . . . . . . . . . . . . . . . . . . . . . . . . . 13
     10.1.  01 to 02  . . . . . . . . . . . . . . . . . . . . . . . . 13
   11. References . . . . . . . . . . . . . . . . . . . . . . . . . . 14
     11.1.  Normative References  . . . . . . . . . . . . . . . . . . 14
     11.2.  Informative References  . . . . . . . . . . . . . . . . . 14
   Author's Address . . . . . . . . . . . . . . . . . . . . . . . . . 15
   Intellectual Property and Copyright Statements . . . . . . . . . . 16

Johansson                 Expires May 21, 2008                  [Page 2]

Internet-Draft               http-cbindings                November 2007

1.  Terminology

   The keywords "MUST", "MUST NOT", "REQUIRED", "SHOULD", "SHOULD NOT"
   and "MAY" that appear in this document are to be interpreted as
   described in [RFC2119]

Johansson                 Expires May 21, 2008                  [Page 3]

Internet-Draft               http-cbindings                November 2007

2.  Introduction and motivation

   For good or bad, several protocols use HTTP (or close approximations
   as in the case of [RFC2910]) as a transport mechanisms and often rely
   on [RFC2817] or [RFC2818] to provide security.  Common security
   requirements include authentication of the service, of the client and
   protection of the session.  It is not always appropriate to meet
   these requirements using the same technology.  For instance, the use
   of certificates to authenticate users may be inefficient in an
   enviroment where [RFC4120] is widely deployed while at the same time
   certificates may be suitable for authenticating the service.

   Channel bindings described in [RFC5056] provide a mechanism for
   delegating session protection to a secure channel at a lower layer.
   In this case the lower layer is HTTP with TLS either using [RFC2817]
   or [RFC2818].  This document specifies this channel concept in a form
   which makes it usable to upper layer protocols which can consume
   channel bindings.

Johansson                 Expires May 21, 2008                  [Page 4]

Internet-Draft               http-cbindings                November 2007

3.  The HTTP+TLS Channel

   In general an HTTP connection consists of a series of (non-proxied)
   HTTP connections between a client, through a series of client-proxies
   with a server.  The server may also use proxies (for instance
   concentrators) but that fact does not affect this specification.

   Each client/proxy in the chain either knows that the next hop is
   another proxy (by virtue of configuration or discovery) or has no
   knowledge of another proxy in which case the next hop in the chain by
   definition is the target endpoint or an imposter impersonating the
   target endpoint.

   The following figure illustrates the general case:

           C --> P0 --> P1 ===> SP --> S

   Here C is the client and S is the server.  In between, P0 and P1
   represents client proxies and SP represents a server SSL concentrator
   (i.e. a server proxy).  Both protected (TLS) and unprotected
   connections may occur.  In this figure the connection between P1 and
   SP has been emphasized for reasons which will be explained below.

   An HTTP+TLS channel is defined as an HTTP connection where at least
   the connection from the last client proxy to the target endpoint uses
   TLS either through [RFC2818] or [RFC2817].  The last client proxy is
   called the channel-binding-proxy and is given a special role in this
   specification.  Note that in the non-proxied case an HTTP+TLS channel
   is just a normal TLS-protected HTTP connection.  This document
   specifies a way to identify such channels for the purpouse of channel

   In the example case the connection representing the channel to be
   identified is the one illustrated by the second (===>) arrow from the
   left..  This is the link which leaves the client proxy chain and
   hence leaves the client trust domain.  The channel-binding-proxy in
   this case would be P1.

   In order to be used by protocols consuming channel bindings, an HTTP+
   TLS channel must be identified by a value which can be observed by
   the client or the channel-binding-proxy on behalf of the client.

   The identifier for the channel is defined to be the hash of the
   endpoint certificate using the digest algorithm from the certificate,
   also known as a certificate fingerprint.  In the non-proxied case the
   client has direct access to the endpoint certificate and can compute
   the fingerprint.  In the general case the channel-binding-proxy has
   access to the certifiate and is able to communicate it to the client.

Johansson                 Expires May 21, 2008                  [Page 5]

Internet-Draft               http-cbindings                November 2007

4.  Discovery of the channel-bindings-proxy

   It is desirable for a client to be able to discover the existence of
   a channel-bindings-proxy somewhere in its proxy-chain.  In order to
   accomplish this the client needs a method to inquire the the first
   proxy in the chain if it knows if there is a channel-binding-proxy in
   the chain.  By either forwarding the request or (if the proxy is a
   channel-bindings-proxy or has no knowledge about an upstream proxy)
   answering it the proxy can inform the client about the existence or
   absense of a channel-bindings-proxy in the chain.

   Unfortunately this client-request cannot be implemented using a
   request-header since there are no widely implemented request-headers
   which are handled by proxies except for the Proxy-Authentication and
   Proxy-Authorization headers which are not possible to reuse for this

   Instead the OPTIONS verb is used in the following way: The client
   sends an OPTIONS request for the Request-URI "*" as per [RFC2616]
   section 9.2 with Max-Forwards set to "0".  As specified in [RFC2616]
   a proxy is required to respond to this message itself rather than
   forward it upstream.  A proxy implementing this specification that is
   configured as a channel-bindings-proxy MUST include a Channel-
   Bindings-Proxy header (cf below) in the response.  Each proxy sitting
   between the client and the channel-bindings-proxy MUST re-issue any
   OPTIONS request received this awy and include any Channel-Identifier
   header received in the response-message to the client/proxy.  Upon
   receipt of the (final) response-message the client may (if the
   message contains a Channel-Bindings-Proxy header) assume that the
   proxy-chain contains a channel-bindings-proxy implementing this

   Note well that this mechanism does not violate the intent of the
   treatment of the Max-Forwards since the semantics of the Channel-
   Bindings-Proxy is that the proxy has knowledge about a channel-
   bindings-proxy somewhere in the proxy-chain (including the proxy

Johansson                 Expires May 21, 2008                  [Page 6]

Internet-Draft               http-cbindings                November 2007

5.  The Channel-Bindings-Proxy header

   Information about the channel-bindings-proxy used in the discovery
   process described above is represented by new the HTTP/1.1 header
   'Channel-Bindings-Proxy' which contains the hostname of the channel-

Johansson                 Expires May 21, 2008                  [Page 7]

Internet-Draft               http-cbindings                November 2007

6.  The Channel-Identifier header

   An HTTP+TLS channel is represented as a new HTTP/1.1 header 'Channel-
   Identifier' which contains the representation of the HTTP+TLS
   channel.  The 'Channel-Identifier' header has the following syntax in
   Augmented BNF defined in [RFC2616]:

   channel-identifier   = hash-function *(SP channel-value)
   hash-function        = token
   channel-value        = 2HEX *(":" 2HEX)
                        ; a hex-encoded sequence of bytes
                        ; separated by colons of length > 0

   The definitions of HEX, token and SP are taken from [RFC2616].

   An HTTP proxy implementing this specification MUST NOT modify the
   Channel-Identifier header unless explicitly configured to act as a
   channel-bindings-proxy.  A proxy configured as a channel-bindings-
   proxy MUST for each TLS-protected HTTP connection add the Channel-
   Identifier header to each received response-message.

   A client implementing this specification MUST NOT accept or use the
   Channel-Identifier header unless it has established that the proxy-
   chain ends in a channel-bindings-proxy.  Clients MUST support manual
   configuration for the existence of a channel-bindings-proxy and
   SHOULD support discovery as specified in the previous section.  Other
   mechanisms for discovering the existance of a channel-bindings-proxiy
   may be specified in the future.

   The client MUST NOT assume knowledge about which proxy is acting as
   the channel-bindings-proxy.  If the client does not have a proxy the
   client may compute the Channel-Identifier header value given direct
   access to the endpoint certificate.  The client MUST NOT compute or
   use the Channel-Identifier header value if it has a known proxy-chain
   which does not include a channel-bindings-proxy.

   When a client receives a reply message with a Channel-Identifier
   header the client may use this as input to an upper-layer
   authentication protocol which consumes channel-bindings.  This means
   that if the Channel-Identifier header changes the upper-layer
   protocol will detect this change as a man-in-the middle attack and
   the client MUST terminate the connection to the server.  Clients MAY
   cache channel-identifier/endpoint pairs.

   The first time a client communicates with a target endpoint it has no
   channel-identifier to bind authentication protocols to.  In several
   situations the first communication between a client and a server
   results in an authentication mechanism negotiation challange from the

Johansson                 Expires May 21, 2008                  [Page 8]

Internet-Draft               http-cbindings                November 2007

   server at which point the channel-binding-proxy (or the client
   itself) will have a channel-identifier to use for the first
   authentication mechanism challenge.

   If the client has a cached channel-identifier for an endpoint the
   client SHOULD include the Channel-Identifier header in each outgoing
   request.  This gives the channel-binding-proxy the oportunity to
   determine if response packets contain a forged channel-identifier and
   may decide to terminate such connections at the proxy.

Johansson                 Expires May 21, 2008                  [Page 9]

Internet-Draft               http-cbindings                November 2007

7.  Security Considerations

   There are several situations when the client has no knowledge of
   proxies intercepting traffic.  Such proxies are essentially man-in-
   the-middle attacks but are also in many cases implicitly part of the
   trust-domain of the client.  In the case when the hidden proxy sits
   between the client and the channel-bindings-proxy and does not alter
   the Channel-Identifier header it does not matter.  In deployments
   where the last client proxy does not support the channel-bindings-
   proxy feature it may be necessary to add another proxy outside this
   proxy which can act as the channel-bindings-proxy.

   The basic principle of the Channel-Bindings header is that it
   contains data which is either observed and verified or computed by a
   trusted proxy between the client and server.  By replacing this
   header value another proxy effectively moves the endpoint of the
   channel.  By using the header value as channel binding data for upper
   layer authentication protocols the client effectively trusts the
   proxy setting the value.

   It is very imporant that a proxy configured to act as a channel-
   bindings-proxy actually sets the Channel-Identifier header.  A rogue
   or non-functional channel-bindings-proxy which announces the channel-
   bindings-feature but fails to provide or even filter-out the header
   will make the client vulnerable to attack.  Clients mayll wish to use
   proxy authentication to identify trusted proxies.

Johansson                 Expires May 21, 2008                 [Page 10]

Internet-Draft               http-cbindings                November 2007

8.  Notes

   What about TLS mechs besides X.509?  This "only" requires finding
   something which corresponds to the certificate fingerprint: i.e
   something which can be computed by the client and the server together
   or observed independently by the client.

Johansson                 Expires May 21, 2008                 [Page 11]

Internet-Draft               http-cbindings                November 2007

9.  IANA Considerations

   Allocating the Channel-Identifier header.

Johansson                 Expires May 21, 2008                 [Page 12]

Internet-Draft               http-cbindings                November 2007

10.  Changes

10.1.  01 to 02

   Changed from ABNF to Augmented BNF to align with [RFC2616].

Johansson                 Expires May 21, 2008                 [Page 13]

Internet-Draft               http-cbindings                November 2007

11.  References

11.1.  Normative References

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119, March 1997.

   [RFC2616]  Fielding, R., Gettys, J., Mogul, J., Frystyk, H.,
              Masinter, L., Leach, P., and T. Berners-Lee, "Hypertext
              Transfer Protocol -- HTTP/1.1", RFC 2616, June 1999.

   [RFC2817]  Khare, R. and S. Lawrence, "Upgrading to TLS Within
              HTTP/1.1", RFC 2817, May 2000.

   [RFC2818]  Rescorla, E., "HTTP Over TLS", RFC 2818, May 2000.

   [RFC4234]  Crocker, D., Ed. and P. Overell, "Augmented BNF for Syntax
              Specifications: ABNF", RFC 4234, October 2005.

   [RFC5056]  Williams, N., "On the Use of Channel Bindings to Secure
              Channels", RFC 5056, November 2007.

11.2.  Informative References

   [RFC2910]  Herriot, R., Butler, S., Moore, P., Turner, R., and J.
              Wenn, "Internet Printing Protocol/1.1: Encoding and
              Transport", RFC 2910, September 2000.

   [RFC4120]  Neuman, C., Yu, T., Hartman, S., and K. Raeburn, "The
              Kerberos Network Authentication Service (V5)", RFC 4120,
              July 2005.

Johansson                 Expires May 21, 2008                 [Page 14]

Internet-Draft               http-cbindings                November 2007

Author's Address

   Leif Johansson
   Stockholm university

   Email: leifj@it.su.se
   URI:   http://www.su.se/

Johansson                 Expires May 21, 2008                 [Page 15]

Internet-Draft               http-cbindings                November 2007

Full Copyright Statement

   Copyright (C) The IETF Trust (2007).

   This document is subject to the rights, licenses and restrictions
   contained in BCP 78, and except as set forth therein, the authors
   retain all their rights.

   This document and the information contained herein are provided on an

Intellectual Property

   The IETF takes no position regarding the validity or scope of any
   Intellectual Property Rights or other rights that might be claimed to
   pertain to the implementation or use of the technology described in
   this document or the extent to which any license under such rights
   might or might not be available; nor does it represent that it has
   made any independent effort to identify any such rights.  Information
   on the procedures with respect to rights in RFC documents can be
   found in BCP 78 and BCP 79.

   Copies of IPR disclosures made to the IETF Secretariat and any
   assurances of licenses to be made available, or the result of an
   attempt made to obtain a general license or permission for the use of
   such proprietary rights by implementers or users of this
   specification can be obtained from the IETF on-line IPR repository at

   The IETF invites any interested party to bring to its attention any
   copyrights, patents or patent applications, or other proprietary
   rights that may cover technology that may be required to implement
   this standard.  Please address the information to the IETF at


   Funding for the RFC Editor function is provided by the IETF
   Administrative Support Activity (IASA).

Johansson                 Expires May 21, 2008                 [Page 16]

Html markup produced by rfcmarkup 1.129d, available from https://tools.ietf.org/tools/rfcmarkup/