RE: [Unbearable] IETF seeking feedback on proposed "Token Binding" Working Group

Hi Anne,

This is part of a starting point proposal for the new working group; we expect the documents to change. It's a great time to suggest revisions; please feel free to suggest your text. I've put the initial I-Ds on github for easier editing: https://github.com/TokenBinding/Internet-Drafts

Cheers,

Andrei

-----Original Message-----
From: Unbearable [mailto:unbearable-bounces@ietf.org] On Behalf Of Anne van Kesteren
Sent: Wednesday, February 11, 2015 4:19 AM
To: Arthur Barstow
Cc: public-webapps; unbearable@ietf.org; WebAppSec WG
Subject: Re: [Unbearable] IETF seeking feedback on proposed "Token Binding" Working Group

On Wed, Feb 11, 2015 at 1:10 PM, Arthur Barstow <art.barstow@gmail.com> wrote:
> WebApps - please note the draft spec includes a new XHR property 
> "withRefererTokenBindingID"
> <https://tools.ietf.org/html/draft-balfanz-https-token-binding-00#section-3.4>.
>
> If anyone has feedback about the proposal, please send it to the 
> unbearable @ ietf.org list. However, comments related to the XHR 
> aspect should be Cc/Bcc to public-webapps.

Relatively recently we decided not to extend XMLHttpRequest further and prioritize fetch().

Can we expect a more concrete proposal to revise either or is this it?

One problem with this proposal is that it does not use the Sec-* convention for headers so the header can be spoofed...


--
https://annevankesteren.nl/

_______________________________________________
Unbearable mailing list
Unbearable@ietf.org
https://www.ietf.org/mailman/listinfo/unbearable

Received on Thursday, 12 February 2015 17:40:54 UTC