Re: Referencing ETLD+1.

Perhaps Mark or Mike West will have a better idea, but I think what you
need is in the active 6265bis work:
https://httpwg.org/http-extensions/draft-ietf-httpbis-rfc6265bis.html#storage-model

6265bis is making very slow (but steady) progress - taking a normative
dependency on its completion would have, imo, a predictable consequence of
blocking publication of token binding for quite a while. While there hasn't
been a consensus call on the language in that section of 6265bis there is
no controversy around it (other than the normal iterative vs declarative
style questions)- so my advice would be to use it as a template for
describing what you need and engaging the author and http wg for review and
any updates that might be required.

Sorry I don't have a better pointer at hand. Perhaps someone will come up
with a normative source.

-P




On Thu, May 10, 2018 at 4:26 PM, Eric Rescorla <ekr@rtfm.com> wrote:

> Hi HTTP WG members,
>
> https://tools.ietf.org/html/draft-ietf-tokbind-https-15 says:
>
>    The scoping of Token Binding key pairs generated by Web browsers for
>    use in first-party and federation use cases defined in this
>    specification (Section 5), and intended for binding HTTP cookies,
>    MUST be no wider than the granularity of "effective top-level domain
>    (public suffix) + 1" (eTLD+1).  I.e., the scope of Token Binding key
>    pairs is no wider than the scope at which cookies can be set (see
>    [RFC6265]), but MAY be more narrow if cookies are scoped more
>    narrowly.
>
> Alissa points out that somewhat surprisingly 6265 doesn't actually
> say this. We obviously want the binding to be tied to eTLD+1, so
> the question is really how we write this up. Could the HTTP WG provide
> some guidance here?
>
> -Ekr
>
>
>