[Unbearable] I-D Action: draft-ietf-tokbind-https-16.txt
internet-drafts@ietf.org Mon, 04 June 2018 04:28 UTC
A New Internet-Draft is available from the on-line Internet-Drafts directories.
This draft is a work item of the Token Binding WG of the IETF.
Title    : Token Binding over HTTP
Authors  : Andrei Popov
           Magnus Nyström
           Dirk Balfanz
           Adam Langley
           Nick Harper
           Jeff Hodges
Filename : draft-ietf-tokbind-https-16.txt
Pages    : 25
Date     : 2018-06-03
Abstract:

This document describes a collection of mechanisms that allow HTTP
servers to cryptographically bind security tokens (such as cookies
and OAuth tokens) to TLS connections.

We describe both first-party and federated scenarios. In a
first-party scenario, an HTTP server is able to cryptographically bind
the security tokens it issues to a client, and which the client
subsequently returns to the server, to the TLS connection between the
client and server. Such bound security tokens are protected from
misuse since the server can generally detect if they are replayed
inappropriately, e.g., over other TLS connections.

Federated token bindings, on the other hand, allow servers to
cryptographically bind security tokens to a TLS connection that the
client has with a different server than the one issuing the token.

This document is a companion document to The Token Binding Protocol.

The IETF datatracker status page for this draft is:
https://datatracker.ietf.org/doc/draft-ietf-tokbind-https/
There are also htmlized versions available at:
https://tools.ietf.org/html/draft-ietf-tokbind-https-16
https://datatracker.ietf.org/doc/html/draft-ietf-tokbind-https-16
A diff from the previous version is available at:
https://www.ietf.org/rfcdiff?url2=draft-ietf-tokbind-https-16
Please note that it may take a couple of minutes from the time of submission
until the htmlized version and diff are available at tools.ietf.org.
Internet-Drafts are also available by anonymous FTP at:
ftp://ftp.ietf.org/internet-drafts/