Re: Referencing ETLD+1.

Perhaps Mark or Mike West will have a better idea, but I think what you
need is in the active 6265bis work:

6265bis is making very slow (but steady) progress - taking a normative
dependency on its completion would have, imo, a predictable consequence of
blocking publication of token binding for quite a while. While there hasn't
been a consensus call on the language in that section of 6265bis there is
no controversy around it (other than the normal iterative vs declarative
style questions)- so my advice would be to use it as a template for
describing what you need and engaging the author and http wg for review and
any updates that might be required.

Sorry I don't have a better pointer at hand. Perhaps someone will come up
with a normative source.


On Thu, May 10, 2018 at 4:26 PM, Eric Rescorla <> wrote:

> Hi HTTP WG members,
> says:
>    The scoping of Token Binding key pairs generated by Web browsers for
>    use in first-party and federation use cases defined in this
>    specification (Section 5), and intended for binding HTTP cookies,
>    MUST be no wider than the granularity of "effective top-level domain
>    (public suffix) + 1" (eTLD+1).  I.e., the scope of Token Binding key
>    pairs is no wider than the scope at which cookies can be set (see
>    [RFC6265]), but MAY be more narrow if cookies are scoped more
>    narrowly.
> Alissa points out that somewhat surprisingly 6265 doesn't actually
> say this. We obviously want the binding to be tied to eTLD+1, so
> the question is really how we write this up. Could the HTTP WG provide
> some guidance here?
> -Ekr

Received on Thursday, 10 May 2018 15:02:20 UTC