- From: vanupam <notifications@github.com>
- Date: Tue, 03 Apr 2018 16:47:52 +0000 (UTC)
- To: whatwg/fetch <fetch@noreply.github.com>
- Cc: Subscribed <subscribed@noreply.github.com>
Received on Tuesday, 3 April 2018 16:48:23 UTC
vanupam commented on this pull request.

> +The <a for=/>token-binding key store</a> is typically maintained alongside +the user agent's cookie store. + +<h4 id=getting-token-binding-key>Getting a Token Binding Key</h4> + +<p><dfn abstract-op export id=concept-get-token-binding-key>Get the token-binding key</dfn> +for an <a for=/>origin</a> <var>tokenBindingOrigin</var> and +<a for=/>token-binding key parameters</a> <var>tokenBindingKeyParameters</var>, +using the user agent's <a for=/>token-binding key store</a>, +by running these substeps: + +<ol> + <li><p>Let <var>keyDomainName</var> be null. + + <li><p>If <var>tokenBindingOrigin</var>'s <a for=origin>host</a> is an <a>IPv4 address</a> or an <a>IPv6 address</a>, + set <var>keyDomainName</var> to <var>tokenBindingOrigin</var>'s <a for=origin>host</a>.

In principle, one can get a server cert for a public IP Address, have TB turned on, and use tokens bound to that IP address. I don't think we should explicitly disallow that. Thoughts?

--
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub: https://github.com/whatwg/fetch/pull/325#discussion_r178890154
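
Review bot: In the substep that handles an IPv4 address or IPv6 address host, keyDomainName is set to tokenBindingOrigin's host itself, so a variable named as a domain name ends up holding an address value and the step does not say in what form. If lookups in the token-binding key store compare keyDomainName as a string, the step should state which serialization of the address is used, so that the same IP origin always selects the same key and an address can never compare equal to a domain. Consider wording such as "set keyDomainName to tokenBindingOrigin's host, serialized", or renaming the variable if it is meant to hold a host rather than a name.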