W3C home > Mailing lists > Public > ietf-http-wg@w3.org > April to June 2018

Re: Referencing ETLD+1.

From: Patrick McManus <mcmanus@ducksong.com>
Date: Thu, 10 May 2018 15:01:53 +0000 (UTC)
Message-ID: <CAOdDvNrvkiQUgRZ=Ot00Zh4_iW=CNTVKeYTgoNuo7FvUYA-T3g@mail.gmail.com>
To: Eric Rescorla <ekr@rtfm.com>
Cc: HTTP Working Group <ietf-http-wg@w3.org>, IETF Tokbind WG <unbearable@ietf.org>, Alissa Cooper <alissa@cooperw.in>
Perhaps Mark or Mike West will have a better idea, but I think what you
need is in the active 6265bis work:
https://httpwg.org/http-extensions/draft-ietf-httpbis-rfc6265bis.html#storage-model

6265bis is making very slow (but steady) progress - taking a normative
dependency on its completion would have, imo, a predictable consequence of
blocking publication of token binding for quite a while. While there hasn't
been a consensus call on the language in that section of 6265bis there is
no controversy around it (other than the normal iterative vs declarative
style questions)- so my advice would be to use it as a template for
describing what you need and engaging the author and http wg for review and
any updates that might be required.

Sorry I don't have a better pointer at hand. Perhaps someone will come up
with a normative source.

-P




On Thu, May 10, 2018 at 4:26 PM, Eric Rescorla <ekr@rtfm.com> wrote:

> Hi HTTP WG members,
>
> https://tools.ietf.org/html/draft-ietf-tokbind-https-15 says:
>
>    The scoping of Token Binding key pairs generated by Web browsers for
>    use in first-party and federation use cases defined in this
>    specification (Section 5), and intended for binding HTTP cookies,
>    MUST be no wider than the granularity of "effective top-level domain
>    (public suffix) + 1" (eTLD+1).  I.e., the scope of Token Binding key
>    pairs is no wider than the scope at which cookies can be set (see
>    [RFC6265]), but MAY be more narrow if cookies are scoped more
>    narrowly.
>
> Alissa points out that somewhat surprisingly 6265 doesn't actually
> say this. We obviously want the binding to be tied to eTLD+1, so
> the question is really how we write this up. Could the HTTP WG provide
> some guidance here?
>
> -Ekr
>
>
>
Received on Thursday, 10 May 2018 15:02:20 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 17:15:20 UTC