Referencing ETLD+1.

Hi HTTP WG members,

https://tools.ietf.org/html/draft-ietf-tokbind-https-15 says:

   The scoping of Token Binding key pairs generated by Web browsers for
   use in first-party and federation use cases defined in this
   specification (Section 5), and intended for binding HTTP cookies,
   MUST be no wider than the granularity of "effective top-level domain
   (public suffix) + 1" (eTLD+1).  I.e., the scope of Token Binding key
   pairs is no wider than the scope at which cookies can be set (see
   [RFC6265]), but MAY be more narrow if cookies are scoped more
   narrowly.

Alissa points out that somewhat surprisingly 6265 doesn't actually
say this. We obviously want the binding to be tied to eTLD+1, so
the question is really how we write this up. Could the HTTP WG provide
some guidance here?

-Ekr

Received on Thursday, 10 May 2018 14:28:03 UTC
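
The "no wider than eTLD+1" rule quoted from the draft above, as an added example that is not part of the original message or of the Token Binding draft. It applies the Public Suffix List matching rules (exact, wildcard and exception) to a small constructed rule set, not the real list; `scope_is_acceptable` and the other function names are hypothetical.

```python
# Constructed sample rules in Public Suffix List syntax (NOT the real list).
SAMPLE_RULES = ["com", "uk", "co.uk", "github.io", "*.ck", "!www.ck"]

EXACT = {r for r in SAMPLE_RULES if r[0] not in "*!"}
WILDCARD = {r[2:] for r in SAMPLE_RULES if r.startswith("*.")}
EXCEPTION = {r[1:] for r in SAMPLE_RULES if r.startswith("!")}


def _norm(name):
    return name.lower().rstrip(".")


def public_suffix(host):
    """Return the effective TLD of host under SAMPLE_RULES."""
    labels = _norm(host).split(".")
    candidates = [".".join(labels[i:]) for i in range(len(labels))]  # longest first
    # Exception rules prevail: the suffix is the rule minus its leftmost label.
    for cand in candidates:
        if cand in EXCEPTION:
            return cand.split(".", 1)[1]
    # Otherwise the longest matching exact or wildcard rule wins.
    for cand in candidates:
        parent = cand.partition(".")[2]
        if cand in EXACT or parent in WILDCARD:
            return cand
    return labels[-1]  # implicit "*" rule for names with no matching rule


def etld_plus_one(host):
    """Return the public suffix plus one label, or None if host is itself a suffix."""
    host = _norm(host)
    suffix = public_suffix(host)
    if host == suffix:
        return None
    rest = host[: -len(suffix) - 1]
    return rest.rsplit(".", 1)[-1] + "." + suffix


def scope_is_acceptable(scope, host):
    """Hypothetical check: scope covers host and is no wider than host's eTLD+1."""
    scope, host = _norm(scope), _norm(host)
    registrable = etld_plus_one(host)
    if registrable is None:
        return False
    covers_host = host == scope or host.endswith("." + scope)
    not_wider = scope == registrable or scope.endswith("." + registrable)
    return covers_host and not_wider
```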