Re: [whatwg/fetch] Update Fetch to support Token Binding. (#325) from vanupam on 2017-03-21 (public-webapps-github@w3.org from March 2017)

From: vanupam <notifications@github.com>
Date: Tue, 21 Mar 2017 14:59:12 -0700
To: whatwg/fetch <fetch@noreply.github.com>
Cc: Subscribed <subscribed@noreply.github.com>
Message-ID: <whatwg/fetch/pull/325/review/28250041@github.com>

vanupam commented on this pull request.



> +  highest supported <a for=/>Token Binding</a> protocol version and supported cryptographic
+  algorithms and parameters (the
+  <dfn export id=concept-token-binding-key-parameters>token binding key parameters</dfn>) in a
+  <code>token_binding</code> Client Hello Extension, as described in
+  <a href="https://tools.ietf.org/html/draft-ietf-tokbind-negotiation#section-2">section 2</a>
+  of the Token Binding Negotiation spec [[!TOKBIND-NEGOTIATION]].
+  If Token Binding Negotiation succeeds, indicating client-server agreement on protocol version
+  and <a for=/>token binding key parameters</a>, update metadata for the TLS connection with the
+  results of the negotiation.
+
+  <p class="note no-backref">
+  The user agent will use <a for=/>Token Binding</a> for any <a for=/>request</a> sent over
+  a TLS connection for which Token Binding Negotiation was successful.
+  Since <a for=/>Token Binding</a> is used only when <var>credentials</var> is true, such a
+  connection will not be pooled with connections that have <var>credentials</var> is
+  false.

A TLS connection with credentials=false will not have token-binding turned on (so behaves as before)

A TLS connection with credentials=true will either have token-binding turned on (if both UA and server agree) or turned off (if either of them do not support token-binding). If it is off, everything works as before.  If it is on, the UA will use keys -that it maintains- to simply add a TB request header - which is benign.

Connections pool on origin+credentials as usual.
HTTP/2 requests can coalesce as usual.

Behavior will change only when the server-side wants to use this new security mechanism - the server can choose to bind some/all cookies, check that cookies are correctly bound etc.

Please let me know if I can clarify further.

-- 
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/whatwg/fetch/pull/325#discussion_r107286658

Received on Tuesday, 21 March 2017 22:00:11 UTC