Re: Referencing ETLD+1.

A further refinement if you just want to define eTLD+1 (but I think you
need the previous one for 'how to bind cookies' - but that might just be a
distraction for you).

"The term “public suffix” is defined in a note in Section 5.3 of [RFC6265]
as “a domain that is controlled by a public registry”, and are also known as
“effective top-level domains” (eTLDs). For example,’s public
suffix is com. User agents SHOULD use an up-to-date public suffix list,
such as the one maintained by Mozilla at [PSL]

An origin’s “registered domain” is the origin’s host’s public suffix plus
the label to its left. That is, for, the public
suffix is com, and the registered domain is This concept is
defined more rigorously in [PSL]
and is also known as “effective top-level domain plus one” (eTLD+1)."

On Thu, May 10, 2018 at 5:01 PM, Patrick McManus <>

> Perhaps Mark or Mike West will have a better idea, but I think what you
> need is in the active 6265bis work:
> extensions/draft-ietf-httpbis-rfc6265bis.html#storage-model
> 6265bis is making very slow (but steady) progress - taking a normative
> dependency on its completion would have, imo, a predictable consequence of
> blocking publication of token binding for quite a while. While there hasn't
> been a consensus call on the language in that section of 6265bis there is
> no controversy around it (other than the normal iterative vs declarative
> style questions)- so my advice would be to use it as a template for
> describing what you need and engaging the author and http wg for review and
> any updates that might be required.
> Sorry I don't have a better pointer at hand. Perhaps someone will come up
> with a normative source.
> -P
> On Thu, May 10, 2018 at 4:26 PM, Eric Rescorla <> wrote:
>> Hi HTTP WG members,
>> says:
>>    The scoping of Token Binding key pairs generated by Web browsers for
>>    use in first-party and federation use cases defined in this
>>    specification (Section 5), and intended for binding HTTP cookies,
>>    MUST be no wider than the granularity of "effective top-level domain
>>    (public suffix) + 1" (eTLD+1).  I.e., the scope of Token Binding key
>>    pairs is no wider than the scope at which cookies can be set (see
>>    [RFC6265]), but MAY be more narrow if cookies are scoped more
>>    narrowly.
>> Alissa points out that somewhat surprisingly 6265 doesn't actually
>> say this. We obviously want the binding to be tied to eTLD+1, so
>> the question is really how we write this up. Could the HTTP WG provide
>> some guidance here?
>> -Ekr

Received on Thursday, 10 May 2018 15:20:26 UTC
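
Added example, not part of the original thread or of any draft: the "public suffix plus the label to its left" definition above, computed with Public Suffix List matching (longest rule, wildcard and exception rules), plus a check that a key scope is no wider than eTLD+1. The rule subset, the function names and the scope_allowed helper are assumptions made for illustration.

```python
import ipaddress

# Constructed subset of rules in Public Suffix List syntax (not the full list).
RULES = {"com", "uk", "co.uk", "*.ck", "!www.ck"}

def _labels(host):
    return host.lower().rstrip(".").split(".")

def public_suffix(host, rules=RULES):
    """Longest matching rule wins; an exception rule ("!") overrides."""
    labels = _labels(host)
    best = 1  # implicit default rule "*": the rightmost label is the suffix
    for i in range(len(labels)):
        cand = labels[i:]
        name = ".".join(cand)
        if "!" + name in rules:
            return ".".join(cand[1:])  # exception: drop its leftmost label
        wildcard = ".".join(["*"] + cand[1:])
        if name in rules or (len(cand) > 1 and wildcard in rules):
            best = max(best, len(cand))
    return ".".join(labels[-best:])

def registered_domain(host, rules=RULES):
    """eTLD+1: the public suffix plus the label to its left, else None."""
    try:
        ipaddress.ip_address(host.strip("[]"))
        return None  # IP literals have no registered domain
    except ValueError:
        pass
    labels = _labels(host)
    n = len(public_suffix(host, rules).split("."))
    if len(labels) <= n:
        return None  # the host is itself a public suffix
    return ".".join(labels[-(n + 1):])

def scope_allowed(scope, origin_host, rules=RULES):
    """Hypothetical check: is a key scope no wider than the origin's eTLD+1?"""
    host, scope = ".".join(_labels(origin_host)), ".".join(_labels(scope))
    reg = registered_domain(origin_host, rules)
    if reg is None:
        return scope == host  # no eTLD+1 exists: exact host only
    covers_host = host == scope or host.endswith("." + scope)
    within_reg = scope == reg or scope.endswith("." + reg)
    return covers_host and within_reg
```

A scope equal to a bare public suffix such as com or co.uk is rejected because it is wider than any registered domain beneath it.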