Hi HTTP WG members, https://tools.ietf.org/html/draft-ietf-tokbind-https-15 says: The scoping of Token Binding key pairs generated by Web browsers for use in first-party and federation use cases defined in this specification (Section 5), and intended for binding HTTP cookies, MUST be no wider than the granularity of "effective top-level domain (public suffix) + 1" (eTLD+1). I.e., the scope of Token Binding key pairs is no wider than the scope at which cookies can be set (see [RFC6265]), but MAY be more narrow if cookies are scoped more narrowly. Alissa points out that somewhat surprisingly 6265 doesn't actually say this. We obviously want the binding to be tied to eTLD+1, so the question is really how we write this up. Could the HTTP WG provide some guidance here? -EkrReceived on Thursday, 10 May 2018 14:28:03 UTC
This archive was generated by hypermail 2.4.0 : Thursday, 2 February 2023 18:43:59 UTC