Status of Origin Bound Certs?


Ted Lemon

May 27, 2015, 10:11:06 PM5/27/15
to chromi...@chromium.org
I notice at least on Chrome OS that there's a database of origin-bound certs that's got certs for various google sites and also ads.doubleclick.net. Unfortunately I'm having trouble tracking down a standard document that talks about this. Is this basically what's described on browserauth.net and documented at https://tools.ietf.org/html/draft-balfanz-tls-obc-01? How does this relate (if at all) to the HTTP Origin Bound Authentication RFC that was published recently? Are there any server-side implementations that we can try this with? I assume they exist at google, but I don't have access to internal stuff, so I'm asking about stuff that's in the field, if anything.

Ryan Sleevi

May 27, 2015, 10:34:06 PM5/27/15
to mel...@gmail.com, net-dev

Bcc chromium-dev
+net-dev


On May 27, 2015 7:11 PM, "Ted Lemon" <mel...@gmail.com> wrote:
>
> I notice at least on Chrome OS that there's a database of origin-bound certs that's got certs for various google sites and also ads.doubleclick.net.

Where did you see the name Origin Bound Certs? That's like two names ago - and they should have all been expunged in favor of channel ID (current) and they may change yet again.

> Unfortunately I'm having trouble tracking down a standard document that talks about this. Is this basically what's described on browserauth.net and documented at https://tools.ietf.org/html/draft-balfanz-tls-obc-01?

The current implementation is Channel ID ( https://tools.ietf.org/html/draft-balfanz-tls-channelid-01 ), with undocumented changes, but that has a ton of performance and practical issues, so it's going to be replaced by yet another thing ( https://tools.ietf.org/html/draft-ietf-tokbind-protocol-00 ), which solves some of the performance issues but still suffers some (many) of the operational issues.

> How does this relate (if at all) to the HTTP Origin Bound Authentication RFC that was published recently?

I assume you're talking about https://tools.ietf.org/html/rfc7486 , which is entirely unrelated and there are no plans to implement.

> Are there any server-side implementations that we can try this with? I assume they exist at google, but I don't have access to internal stuff, so I'm asking about stuff that's in the field, if anything.

There are patches to NSS and OpenSSL floating out there, but neither would I recommend, in part because we can't guarantee things won't change and break (they've already done that once, because of 3SHAKE, which hasn't been widely documented, and we're still expunging the notion of OBCs from the APIs nearly two years after we switched to Channel ID).

The Token Binding stuff is still very much in early phases, still very much in flux, and there hasn't been an Intent to Implement yet precisely because of that (and, of course, the issues that make these challenging to actually deploy outside of constrained, ideal environments).

My recommendation if you're interested in this space is to participate in https://datatracker.ietf.org/wg/tokbind/

Ted Lemon

May 27, 2015, 11:32:16 PM5/27/15
to chromi...@chromium.org, mel...@gmail.com, rsl...@chromium.org, net...@chromium.org
Wow, thanks for the detailed response. I'm running Chrome OS stable at the moment, which probably explains the old name. I saw the tokbind working group being created, but failed to notice that it was about this--very cool. I will indeed participate, to the extent that it makes sense for me to do so. Thanks very much!

Matt Mueller

May 28, 2015, 3:55:12 PM5/28/15
to Ted Lemon, Chromium-dev, Ryan Sleevi, net-dev
The database file in the profile dir is still named Origin Bound Certs. As the implementation changed over time we kept the same file name just for simplicity of the upgrade process.

On Wed, May 27, 2015 at 8:32 PM, Ted Lemon <mel...@gmail.com> wrote:
> Wow, thanks for the detailed response. I'm running Chrome OS stable at the moment, which probably explains the old name. I saw the tokbind working group being created, but failed to notice that it was about this--very cool. I will indeed participate, to the extent that it makes sense for me to do so. Thanks very much!
