Perhaps Mark or Mike West will have a better idea, but I think what you need is in the active 6265bis work: https://httpwg.org/http-extensions/draft-ietf-httpbis-rfc6265bis.html#storage-model 6265bis is making very slow (but steady) progress - taking a normative dependency on its completion would have, imo, a predictable consequence of blocking publication of token binding for quite a while. While there hasn't been a consensus call on the language in that section of 6265bis there is no controversy around it (other than the normal iterative vs declarative style questions)- so my advice would be to use it as a template for describing what you need and engaging the author and http wg for review and any updates that might be required. Sorry I don't have a better pointer at hand. Perhaps someone will come up with a normative source. -P On Thu, May 10, 2018 at 4:26 PM, Eric Rescorla <ekr@rtfm.com> wrote: > Hi HTTP WG members, > > https://tools.ietf.org/html/draft-ietf-tokbind-https-15 says: > > The scoping of Token Binding key pairs generated by Web browsers for > use in first-party and federation use cases defined in this > specification (Section 5), and intended for binding HTTP cookies, > MUST be no wider than the granularity of "effective top-level domain > (public suffix) + 1" (eTLD+1). I.e., the scope of Token Binding key > pairs is no wider than the scope at which cookies can be set (see > [RFC6265]), but MAY be more narrow if cookies are scoped more > narrowly. > > Alissa points out that somewhat surprisingly 6265 doesn't actually > say this. We obviously want the binding to be tied to eTLD+1, so > the question is really how we write this up. Could the HTTP WG provide > some guidance here? > > -Ekr > > >Received on Thursday, 10 May 2018 15:02:20 UTC
This archive was generated by hypermail 2.4.0 : Thursday, 2 February 2023 18:43:59 UTC