IETF seeking feedback on proposed "Token Binding" Working Group

[ Bcc: WebApps, WebAppSec, Web Security IG; Reply-to: unbearable @ ]

Hi All,

Below is an e-mail from Stephen Farrell regarding a proposed "Token 
Binding" Working Group at the IETF. Stephen is interested in feedback 
regarding the proposed group:

* Home: <>
* Draft spec: 
* List archive: 

The Draft charter includes:

Web services generate various security tokens (e.g. HTTP cookies, OAuth 
tokens, etc.) for web applications to access protected resources. 
Currently these are bearer tokens, i.e. any party in possession of such 
token gains access to the protected resource. Attackers export bearer 
tokens from client machines or from compromised network connections, 
present these bearer tokens to Web services, and impersonate 
authenticated users. Token Binding enables defense against such attacks 
by cryptographically binding security tokens to a secret held by the client.

The tasks of this working group are as follows:

1. Specify the Token Binding protocol v1.0.
2. Specify the use of the Token Binding protocol in combination with HTTPS.


WebAppSec, Web Security IG - this is mainly an FYI for you.

WebApps - please note the draft spec includes a new XHR property 

If anyone has feedback about the proposal, please send it to the 
unbearable @ list. However, comments related to the XHR aspect 
should be Cc/Bcc to public-webapps.

-Thanks, AB

> On 6 Feb 2015, at 8:40 am, Stephen Farrell<>  wrote:
> Hi Mark & W3C folks,
> (I'm cc'ing various W3C folks I know in case one of you just know
> the answer and can save us some iterations, apologies to the others
> of you:-)
> We're starting the chartering process for a WG aiming to do better
> than bearer tokens. [1] As of now, it looks like that has a good
> chance of getting into some or all browsers which is great. We'll
> see what else turns up during the chartering process as usual, and
> please do comment on that also as usual.
> One thing I noted is that the current draft [2] for part of this
> work proposes (in section 3.4 [3]) a small change to XHR, so I
> wanted to bring that up with you and see if you think that's a
> thing that'll need to be addressed during chartering or if it's
> ok to handle later (in whatever is the right manner) after we've
> chartered an IETF WG. Or maybe it's something that's already done
> or bring done in W3C.
> The informal IESG evaluation of this charter is set for Feb 19th,
> so if we could figure it out by then that'd be great. If not,
> we've another couple of weeks of external review when we can get
> it done, but I'd prefer be quick if we can.
> And in case it helps, I think the simplest way to handle this if
> the change turns out to be needed in the end, would be for the
> relevant folks to just keep chatting and ideally get that XHR
> change tee'd up in W3C. In the meantime, the IETF spec could say
> something like "if you did change XHR in such-and-such a way then..."
> just so's we don't get in one another's way. Or maybe some other
> plan is better.
> Anyway, please let me know who's the right W3C person to keep
> in the loop on this and hopefully let's sort it out in the next
> week or so.
> Cheers,
> Stephen.
> [1]
> [2]
> [3]

Received on Wednesday, 11 February 2015 12:01:06 UTC