[Unbearable] Referencing ETLD+1.

Eric Rescorla <ekr@rtfm.com> Thu, 10 May 2018 14:27 UTC

From: Eric Rescorla <ekr@rtfm.com>
Date: Thu, 10 May 2018 07:26:48 -0700
Message-ID: <CABcZeBOe7NrKYF6f-vi6HcETFM9w4Sav=0qjQQBCXXo_P+FO-g@mail.gmail.com>
To: HTTP Working Group <ietf-http-wg@w3.org>, IETF Tokbind WG <unbearable@ietf.org>, Alissa Cooper <alissa@cooperw.in>
Archived-At: <https://mailarchive.ietf.org/arch/msg/unbearable/1KZrhZZSbvDePnwO77CjoCu8gEw>
Subject: [Unbearable] Referencing ETLD+1.

Hi HTTP WG members,

https://tools.ietf.org/html/draft-ietf-tokbind-https-15 says:

   The scoping of Token Binding key pairs generated by Web browsers for
   use in first-party and federation use cases defined in this
   specification (Section 5), and intended for binding HTTP cookies,
   MUST be no wider than the granularity of "effective top-level domain
   (public suffix) + 1" (eTLD+1).  I.e., the scope of Token Binding key
   pairs is no wider than the scope at which cookies can be set (see
   [RFC6265]), but MAY be more narrow if cookies are scoped more
   narrowly.

Alissa points out that, somewhat surprisingly, 6265 doesn't actually
say this. We obviously want the binding to be tied to eTLD+1, so
the question is really how we write this up. Could the HTTP WG provide
some guidance here?

-Ekr
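The draft text quoted in the message ties the Token Binding key scope to "the scope at which cookies can be set". As an added example (not code from the message, the tokbind draft, or any browser), the JavaScript below computes eTLD+1 against a constructed subset of the Public Suffix List and applies the RFC 6265 section 5.3 Domain-attribute rules, including the public-suffix rejection step that 6265 only describes for a user agent "configured to reject public suffixes". Under those rules the widest domain a cookie can be set at from a host comes out equal to the host's eTLD+1. The suffix table and all function names are assumptions; wildcard and exception PSL rules are not handled.

```javascript
// Added example; not code from the original message, the tokbind draft, or any browser.
// Constructed subset of the Public Suffix List (https://publicsuffix.org/).
// Wildcard ("*.ck") and exception ("!www.ck") rules are deliberately omitted.
const PUBLIC_SUFFIX_RULES = new Set(["com", "org", "uk", "co.uk", "github.io"]);

function labels(host) {
  return host.toLowerCase().replace(/\.$/, "").split(".");
}

// Longest public-suffix rule matching host. When no rule matches, the PSL
// algorithm says the prevailing rule is "*", i.e. the last label on its own.
function publicSuffix(host) {
  const ls = labels(host);
  for (let i = 0; i < ls.length; i++) {
    const candidate = ls.slice(i).join(".");   // longest candidate first
    if (PUBLIC_SUFFIX_RULES.has(candidate)) return candidate;
  }
  return ls[ls.length - 1];
}

// eTLD+1: the public suffix plus one more label. Null when the host is itself
// a public suffix, since there is then no registrable domain to scope a key to.
function etldPlusOne(host) {
  const ls = labels(host);
  const n = publicSuffix(host).split(".").length;
  if (ls.length <= n) return null;
  return ls.slice(ls.length - n - 1).join(".");
}

// RFC 6265 section 5.1.3: does `str` domain-match `domain`?
function domainMatches(str, domain) {
  str = str.toLowerCase();
  domain = domain.toLowerCase();
  if (str === domain) return true;
  const isIPv4 = /^\d+(\.\d+){3}$/.test(str);
  return str.endsWith(domain) &&
    str[str.length - domain.length - 1] === "." &&
    !isIPv4;
}

// RFC 6265 section 5.3, steps 4 to 6, for a user agent that rejects public
// suffixes. Returns the stored cookie domain and host-only flag, or null
// when the cookie is ignored entirely.
function cookieDomainFor(requestHost, domainAttr) {
  const host = labels(requestHost).join(".");
  let domain = domainAttr ? labels(domainAttr.replace(/^\./, "")).join(".") : "";
  if (domain !== "" && domain === publicSuffix(domain)) {
    if (domain === host) domain = "";   // step 5: treat as host-only
    else return null;                   // step 5: ignore the cookie
  }
  if (domain !== "") {
    if (!domainMatches(host, domain)) return null;   // step 6: ignore
    return { domain, hostOnly: false };
  }
  return { domain: host, hostOnly: true };
}

// Widest (shortest) domain a Domain-attribute cookie can be set at from this
// host: try every suffix of the host, shortest first, and keep the first one
// the rules above accept.
function widestCookieDomain(requestHost) {
  const ls = labels(requestHost);
  for (let i = ls.length - 1; i >= 0; i--) {
    const r = cookieDomainFor(requestHost, ls.slice(i).join("."));
    if (r && !r.hostOnly) return r.domain;
  }
  return null;
}

for (const h of ["www.example.co.uk", "foo.github.io", "co.uk"]) {
  console.log(h, "eTLD+1 =", etldPlusOne(h), "widest cookie domain =", widestCookieDomain(h));
}
```

The equality between eTLD+1 and the widest settable cookie domain only holds because of the public-suffix rejection in step 5; without it, `Domain=co.uk` or `Domain=github.io` would be accepted and the cookie scope would be wider than the key scope the draft mandates.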