Fwd: Last Call: <draft-ietf-tokbind-https-12.txt> (Token Binding over HTTP) to Proposed Standard

FYI, and for review. I know at least one or two folks here have participated in this work, but it would be good to have a few more eyes on it.

Cheers,


> Begin forwarded message:
> 
> From: The IESG <iesg-secretary@ietf.org>
> Subject: Last Call: <draft-ietf-tokbind-https-12.txt> (Token Binding over HTTP) to Proposed Standard
> Date: 26 February 2018 at 8:38:34 am GMT-8
> To: "IETF-Announce" <ietf-announce@ietf.org>
> Cc: ve7jtb@ve7jtb.com, ekr@rtfm.com, unbearable@ietf.org, tokbind-chairs@ietf.org, draft-ietf-tokbind-https@ietf.org
> Reply-To: ietf@ietf.org
> Archived-At: <https://mailarchive.ietf.org/arch/msg/ietf-announce/vbG52lB8awRhw3zsrba4B6-aBwY>
>
> The IESG has received a request from the Token Binding WG (tokbind) to
> consider the following document: - 'Token Binding over HTTP'
>  <draft-ietf-tokbind-https-12.txt> as Proposed Standard
> 
> The IESG plans to make a decision in the next few weeks, and solicits final
> comments on this action. Please send substantive comments to the
> ietf@ietf.org mailing lists by 2018-03-12. Exceptionally, comments may be
> sent to iesg@ietf.org instead. In either case, please retain the beginning of
> the Subject line to allow automated sorting.
> 
> Abstract
>
>   This document describes a collection of mechanisms that allow HTTP
>   servers to cryptographically bind security tokens (such as cookies
>   and OAuth tokens) to TLS connections.
> 
>   We describe both first-party and federated scenarios.  In a first-
>   party scenario, an HTTP server is able to cryptographically bind the
>   security tokens it issues to a client, and which the client
>   subsequently returns to the server, to the TLS connection between the
>   client and server.  Such bound security tokens are protected from
>   misuse since the server can generally detect if they are replayed
>   inappropriately, e.g., over other TLS connections.
> 
>   Federated token bindings, on the other hand, allow servers to
>   cryptographically bind security tokens to a TLS connection that the
>   client has with a different server than the one issuing the token.
> 
>   This Internet-Draft is a companion document to The Token Binding
>   Protocol.
>
> The file can be obtained via
> https://datatracker.ietf.org/doc/draft-ietf-tokbind-https/
> 
> IESG discussion can be tracked via
> https://datatracker.ietf.org/doc/draft-ietf-tokbind-https/ballot/
>
> No IPR declarations have been submitted directly on this I-D.

--
Mark Nottingham   https://www.mnot.net/

Received on Monday, 26 February 2018 22:50:30 UTC