- From: Mark Nottingham <mnot@mnot.net>
- Date: Mon, 26 Feb 2018 14:50:02 -0800
- To: HTTP Working Group <ietf-http-wg@w3.org>
- Message-Id: <32659E86-92AE-4BB6-A253-11750084F00D@mnot.net>
FYI, and for review. I know at least one or two folks here have participated in this work, but it would be good to have a few more eyes on it.

Cheers,

> Begin forwarded message:
>
> From: The IESG <iesg-secretary@ietf.org>
> Subject: Last Call: <draft-ietf-tokbind-https-12.txt> (Token Binding over HTTP) to Proposed Standard
> Date: 26 February 2018 at 8:38:34 am GMT-8
> To: "IETF-Announce" <ietf-announce@ietf.org>
> Cc: ve7jtb@ve7jtb.com, ekr@rtfm.com, unbearable@ietf.org, tokbind-chairs@ietf.org, draft-ietf-tokbind-https@ietf.org
> Reply-To: ietf@ietf.org
> Archived-At: <https://mailarchive.ietf.org/arch/msg/ietf-announce/vbG52lB8awRhw3zsrba4B6-aBwY>
>
>
> The IESG has received a request from the Token Binding WG (tokbind) to
> consider the following document: - 'Token Binding over HTTP'
> <draft-ietf-tokbind-https-12.txt> as Proposed Standard
>
> The IESG plans to make a decision in the next few weeks, and solicits final
> comments on this action. Please send substantive comments to the
> ietf@ietf.org mailing lists by 2018-03-12. Exceptionally, comments may be
> sent to iesg@ietf.org instead. In either case, please retain the beginning of
> the Subject line to allow automated sorting.
>
> Abstract
>
>
> This document describes a collection of mechanisms that allow HTTP
> servers to cryptographically bind security tokens (such as cookies
> and OAuth tokens) to TLS connections.
>
> We describe both first-party and federated scenarios. In a first-party
> scenario, an HTTP server is able to cryptographically bind the
> security tokens it issues to a client, and which the client
> subsequently returns to the server, to the TLS connection between the
> client and server. Such bound security tokens are protected from
> misuse since the server can generally detect if they are replayed
> inappropriately, e.g., over other TLS connections.
>
> Federated token bindings, on the other hand, allow servers to
> cryptographically bind security tokens to a TLS connection that the
> client has with a different server than the one issuing the token.
>
> This Internet-Draft is a companion document to The Token Binding
> Protocol.
>
>
>
>
> The file can be obtained via
> https://datatracker.ietf.org/doc/draft-ietf-tokbind-https/
>
> IESG discussion can be tracked via
> https://datatracker.ietf.org/doc/draft-ietf-tokbind-https/ballot/
>
>
> No IPR declarations have been submitted directly on this I-D.
>
>
>

--
Mark Nottingham   https://www.mnot.net/
Received on Monday, 26 February 2018 22:50:30 UTC