FIDO2 Token Binding protocol


Rohaan Advani

Oct 23, 2019, 3:53:16 PM
to FIDO Dev (fido-dev)
Hello all,

I am building a FIDO2 server and am currently passing all conformance tests. However, I am new to the FIDO community and am confused about the token binding protocol that a FIDO2 server must implement.

The W3C spec says: Verify that the value of C.tokenBinding.status matches the state of Token Binding for the TLS connection over which the assertion was obtained. If Token Binding was used on that TLS connection, also verify that C.tokenBinding.id matches the base64url encoding of the Token Binding ID for the connection.

Currently, my implementation just checks clientData.tokenBinding.status is one of PRESENT, SUPPORTED or NOT_SUPPORTED, and also checks that tokenBinding.id is not null. 

How do you set up the token binding on the TLS connection? Does the server have to implement token binding negotiation? Are there any libraries that could help with this? Does the FIDO2 interoperability test require a TokenBinding implementation?

Any and all help is appreciated :)

Best,
Rohaan
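Added example, not code from this post or from any FIDO2 server: a server-side check that implements the quoted spec step, beside the form-only check the post describes. It assumes the TLS layer (or a reverse proxy in front of the server) hands the application the negotiated Token Binding ID bytes, or None when none was negotiated; the clientData and ID values are constructed sample data, and the status strings are the spec's lowercase spellings.

```python
import base64
import json
from typing import Optional

# Constructed sample Token Binding ID as the TLS layer would supply it
# (in a real deployment this comes from the TLS stack / proxy, never from the client).
SAMPLE_TB_ID = b"constructed-token-binding-id"


def b64url_nopad(data: bytes) -> str:
    """base64url without padding, the encoding used for clientData.tokenBinding.id."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_client_data(token_binding: Optional[dict]) -> bytes:
    """Build constructed clientDataJSON; challenge and origin are placeholders."""
    c = {"type": "webauthn.get", "challenge": "cGxhY2Vob2xkZXI", "origin": "https://rp.example"}
    if token_binding is not None:
        c["tokenBinding"] = token_binding
    return json.dumps(c).encode("utf-8")


def weak_check(client_data_json: bytes) -> bool:
    """The kind of check described in the post: validates the member's shape only
    and never consults the TLS connection, so it provides no actual binding."""
    tb = json.loads(client_data_json).get("tokenBinding") or {}
    status = tb.get("status")
    return status in ("present", "supported", "not-supported") and (
        status != "present" or tb.get("id") is not None)


def verify_token_binding(client_data_json: bytes, conn_tb_id: Optional[bytes]) -> bool:
    """Spec step: status must match the connection's Token Binding state; if Token
    Binding was used, id must equal base64url(Token Binding ID of the connection).
    conn_tb_id: ID negotiated on this TLS connection, or None if none was negotiated."""
    tb = json.loads(client_data_json).get("tokenBinding")
    if tb is None:
        # Member absent: the client does not support Token Binding, so the
        # connection must not have negotiated it either.
        return conn_tb_id is None
    status = tb.get("status")
    if status == "present":
        tb_id = tb.get("id")
        return (conn_tb_id is not None and isinstance(tb_id, str)
                and tb_id == b64url_nopad(conn_tb_id))
    if status in ("supported", "not-supported"):
        # Client states Token Binding was not used ("not-supported" is the
        # older-draft spelling); reject if the connection actually used it.
        return conn_tb_id is None
    return False  # unknown status value
```

The contrast to look at is the second assertion in a test run: the form-only check accepts an id that does not match the connection, the spec check does not.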

John Bradley

Oct 23, 2019, 4:36:57 PM
to fido...@fidoalliance.org

This is an Apache module for token binding: https://github.com/zmartzone/mod_token_binding

How you enable it will depend on your server.

This might help with some background https://hanszandbelt.wordpress.com/2016/07/13/token-binding-for-the-apache-webserver/

--
You received this message because you are subscribed to the Google Groups "FIDO Dev (fido-dev)" group.
To unsubscribe from this group and stop receiving emails from it, send an email to fido-dev+u...@fidoalliance.org.
To view this discussion on the web visit https://groups.google.com/a/fidoalliance.org/d/msgid/fido-dev/c4fc1172-108f-411b-b4b9-921fd080cb4e%40fidoalliance.org.

Fred Le Tamanoir

Oct 23, 2019, 9:58:07 PM
to Rohaan Advani, FIDO Dev (fido-dev)
Sadly, nobody cares about TLS Token Binding anymore; support was dropped from browsers. It seems browser devs do not give a sh** about security.


Rohaan Advani

Oct 24, 2019, 9:40:29 PM
to FIDO Dev (fido-dev), rad...@intertrust.com
Is token binding then still a requirement for FIDO2 servers to implement?

Neither the conformance tool nor the simple browser-based interoperability tool is testing it...
