
Referencing ETLD+1.

From: Eric Rescorla <ekr@rtfm.com>
Date: Thu, 10 May 2018 07:26:48 -0700
Message-ID: <CABcZeBOe7NrKYF6f-vi6HcETFM9w4Sav=0qjQQBCXXo_P+FO-g@mail.gmail.com>
To: HTTP Working Group <ietf-http-wg@w3.org>, IETF Tokbind WG <unbearable@ietf.org>, Alissa Cooper <alissa@cooperw.in>

Hi HTTP WG members,

https://tools.ietf.org/html/draft-ietf-tokbind-https-15 says:

   The scoping of Token Binding key pairs generated by Web browsers for
   use in first-party and federation use cases defined in this
   specification (Section 5), and intended for binding HTTP cookies,
   MUST be no wider than the granularity of "effective top-level domain
   (public suffix) + 1" (eTLD+1).  I.e., the scope of Token Binding key
   pairs is no wider than the scope at which cookies can be set (see
   [RFC6265]), but MAY be more narrow if cookies are scoped more
   narrowly.

Alissa points out that somewhat surprisingly 6265 doesn't actually
say this. We obviously want the binding to be tied to eTLD+1, so
the question is really how we write this up. Could the HTTP WG provide
some guidance here?

-Ekr
Received on Thursday, 10 May 2018 14:28:03 UTC
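
The relationship the quoted draft text relies on, as an added example that is not part of the original message or of either specification: it computes eTLD+1 with the Public Suffix List matching rules and compares it with the widest cookie Domain a host can set once a user agent applies the public-suffix rejection in RFC 6265 section 5.3. The rule set is a constructed miniature of the list, and all function names are hypothetical.

```python
# Constructed miniature of the Public Suffix List (assumption); real clients load the full list.
PSL_RULES = {"com", "uk", "co.uk", "*.ck", "!www.ck"}

def public_suffix(host):
    """Public suffix of host under the PSL algorithm (longest rule wins, '!' overrides)."""
    labels = host.lower().rstrip(".").split(".")
    best = labels[-1:]                          # implicit "*" rule: the last label
    for i in range(len(labels)):                # longest candidate first
        cand = labels[i:]
        name = ".".join(cand)
        if "!" + name in PSL_RULES:             # exception rule: suffix is one label shorter
            return ".".join(cand[1:])
        wildcard = "*." + ".".join(cand[1:]) if len(cand) > 1 else None
        if (name in PSL_RULES or wildcard in PSL_RULES) and len(cand) > len(best):
            best = cand
    return ".".join(best)

def etld_plus_one(host):
    """Registrable domain (eTLD+1), or None when host is itself a public suffix."""
    host = host.lower().rstrip(".")
    suffix = public_suffix(host)
    if host == suffix:
        return None
    return host[: -len(suffix) - 1].split(".")[-1] + "." + suffix

def cookie_domain_allowed(request_host, domain_attr):
    """RFC 6265 section 5.3: domain-match, plus public-suffix rejection when the UA enables it."""
    request_host = request_host.lower()
    domain_attr = domain_attr.lower().lstrip(".")
    if request_host != domain_attr and not request_host.endswith("." + domain_attr):
        return False                            # Domain does not domain-match the host
    is_suffix = public_suffix(domain_attr) == domain_attr
    return not is_suffix or domain_attr == request_host   # equal case becomes host-only

def widest_cookie_scope(host):
    """Shortest parent domain of host that a cookie Domain attribute may name."""
    labels = host.lower().split(".")
    for i in range(len(labels) - 1, -1, -1):    # shortest candidate first
        cand = ".".join(labels[i:])
        if cookie_domain_allowed(host, cand):
            return cand

def may_share_key(host_a, host_b):
    """Draft's upper bound: one Token Binding key pair spans two hosts only within one eTLD+1."""
    scope = etld_plus_one(host_a)
    return scope is not None and scope == etld_plus_one(host_b)
```

The two scopes coincide only while the public-suffix check is active; with it disabled, `widest_cookie_scope` would return the bare suffix, which is wider than eTLD+1.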
