- From: vanupam <notifications@github.com>
- Date: Tue, 21 Mar 2017 14:27:22 -0700
- To: whatwg/fetch <fetch@noreply.github.com>
- Cc: Subscribed <subscribed@noreply.github.com>
Received on Tuesday, 21 March 2017 21:28:05 UTC
vanupam commented on this pull request. > @@ -2172,6 +2243,201 @@ exploits pertain to those <a for=request>types</a>. Also, considering "<code>ima compatible with deployed content. +<h3 id=token-binding>Token Binding</h3> + +<p>In order to protect security tokens like cookies and OAuth tokens, user agents and servers can +use a technique known as <dfn export id=concept-token-binding>Token Binding</dfn> to +cryptographically associate a given token with a secret +(a <dfn export id=concept-token-binding-key>token binding key</dfn>) known only to a specific +user agent. This association mitigates the risk that attackers can steal the token and use it +themselves, as they will not be able to easily replicate the user agent's secret, +and therefore cannot replicate the cryptographic binding of the token. + +<p>The technique is described in +detail in [[TOKBIND-NEGOTIATION]], [[TOKBIND-PROTOCOL]], and [[TOKBIND-HTTPS]]. Updated. -- You are receiving this because you are subscribed to this thread. Reply to this email directly or view it on GitHub: https://github.com/whatwg/fetch/pull/325#discussion_r107280026
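Review bot: In the first paragraph under the Token Binding heading, "mitigates the risk that attackers can steal the token and use it themselves" reads as if the binding makes theft itself harder, while the reason given in the same sentence (the attacker cannot replicate the user agent's secret) only stops a token that has already been stolen from being used. Suggest wording it as mitigating the risk that a stolen token can be used by the attacker. Also consider dropping "easily" from "will not be able to easily replicate the user agent's secret", since the hedge leaves open how hard replication is meant to be.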