Referencing ETLD+1.

Hi HTTP WG members, says:

   The scoping of Token Binding key pairs generated by Web browsers for
   use in first-party and federation use cases defined in this
   specification (Section 5), and intended for binding HTTP cookies,
   MUST be no wider than the granularity of "effective top-level domain
   (public suffix) + 1" (eTLD+1).  I.e., the scope of Token Binding key
   pairs is no wider than the scope at which cookies can be set (see
   [RFC6265]), but MAY be more narrow if cookies are scoped more

Alissa points out that somewhat surprisingly 6265 doesn't actually
say this. We obviously want the binding to be tied to eTLD+1, so
the question is really how we write this up. Could the HTTP WG provide
some guidance here?


Received on Thursday, 10 May 2018 14:28:03 UTC