[Unbearable] Last Call: <draft-ietf-tokbind-https-12.txt> (Token Binding over HTTP) to Proposed Standard

The IESG <iesg-secretary@ietf.org> Mon, 26 February 2018 16:38 UTC

Return-Path: <iesg-secretary@ietf.org>
X-Original-To: unbearable@ietf.org
Delivered-To: unbearable@ietfa.amsl.com
Received: from ietfa.amsl.com (localhost [IPv6:::1]) by ietfa.amsl.com (Postfix) with ESMTP id 8FA85124239; Mon, 26 Feb 2018 08:38:34 -0800 (PST)
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
From: The IESG <iesg-secretary@ietf.org>
To: "IETF-Announce" <ietf-announce@ietf.org>
X-Test-IDTracker: no
X-IETF-IDTracker: 6.72.4
Auto-Submitted: auto-generated
Precedence: bulk
CC: ekr@rtfm.com, John Bradley <ve7jtb@ve7jtb.com>, draft-ietf-tokbind-https@ietf.org, unbearable@ietf.org, tokbind-chairs@ietf.org, ve7jtb@ve7jtb.com
Reply-To: ietf@ietf.org
Sender: <iesg-secretary@ietf.org>
Message-ID: <151966311458.31492.5879365590755267294.idtracker@ietfa.amsl.com>
Date: Mon, 26 Feb 2018 08:38:34 -0800
Archived-At: <https://mailarchive.ietf.org/arch/msg/unbearable/x60kn5ALdoelkrHjcpPrxApg5Sw>
Subject: [Unbearable] Last Call: <draft-ietf-tokbind-https-12.txt> (Token Binding over HTTP) to Proposed Standard
X-BeenThere: unbearable@ietf.org
X-Mailman-Version: 2.1.22
List-Id: "\"This list is for discussion of proposals for doing better than bearer tokens \(e.g. HTTP cookies, OAuth tokens etc.\) for web applications. The specific goal is chartering a WG focused on preventing security token export and replay attacks.\"" <unbearable.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/unbearable>, <mailto:unbearable-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/unbearable/>
List-Post: <mailto:unbearable@ietf.org>
List-Help: <mailto:unbearable-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/unbearable>, <mailto:unbearable-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 26 Feb 2018 16:38:35 -0000

The IESG has received a request from the Token Binding WG (tokbind) to
consider the following document:
- 'Token Binding over HTTP' <draft-ietf-tokbind-https-12.txt> as Proposed Standard

The IESG plans to make a decision in the next few weeks, and solicits final
comments on this action. Please send substantive comments to the
ietf@ietf.org mailing list by 2018-03-12. Exceptionally, comments may be
sent to iesg@ietf.org instead. In either case, please retain the beginning of
the Subject line to allow automated sorting.

Abstract

   This document describes a collection of mechanisms that allow HTTP
   servers to cryptographically bind security tokens (such as cookies
   and OAuth tokens) to TLS connections.

   We describe both first-party and federated scenarios.  In a first-
   party scenario, an HTTP server is able to cryptographically bind the
   security tokens it issues to a client, and which the client
   subsequently returns to the server, to the TLS connection between the
   client and server.  Such bound security tokens are protected from
   misuse since the server can generally detect if they are replayed
   inappropriately, e.g., over other TLS connections.

   Federated token bindings, on the other hand, allow servers to
   cryptographically bind security tokens to a TLS connection that the
   client has with a different server than the one issuing the token.

   This Internet-Draft is a companion document to The Token Binding
   Protocol.
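
As an added illustration of the first-party scenario in the abstract (example code, not from the draft or this announcement), the sketch below shows a server issuing a session token bound to the client's Token Binding ID and rejecting that token when it is presented over a TLS connection with a different binding ID. It assumes a hypothetical token_binding_id() fingerprint standing in for the protocol's Token Binding ID, and assumes the HTTP stack has already validated the client's Token Binding signature for the current connection.

```python
import hashlib
import hmac
import secrets

# Constructed per-server secret used to MAC issued tokens.
SERVER_KEY = secrets.token_bytes(32)


def token_binding_id(public_key: bytes) -> str:
    """Hypothetical stand-in for a Token Binding ID: a SHA-256 fingerprint of the
    client's public key. The real ID carries the key parameters and the key."""
    return hashlib.sha256(public_key).hexdigest()


def issue_token(user: str, tb_id: str, key: bytes = SERVER_KEY) -> str:
    """Issue a token of the form user|tb_id|mac, bound to tb_id.

    The MAC covers both the user and the binding ID, so neither can be
    swapped without invalidating the token."""
    payload = f"{user}|{tb_id}".encode()
    mac = hmac.new(key, payload, hashlib.sha256).hexdigest()
    return f"{user}|{tb_id}|{mac}"


def verify_token(token: str, presented_tb_id: str, key: bytes = SERVER_KEY):
    """Return the user if the token is intact and bound to the Token Binding ID
    seen on this connection; return None for forged, tampered or replayed tokens."""
    try:
        user, bound_tb_id, mac = token.split("|")
    except ValueError:
        return None  # malformed token
    expected = hmac.new(key, f"{user}|{bound_tb_id}".encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        return None  # tampered or forged
    if not hmac.compare_digest(bound_tb_id, presented_tb_id):
        return None  # replayed over a connection whose key differs from the bound one
    return user


if __name__ == "__main__":
    # Constructed client keys: key A issued the token, key B tries to replay it.
    tb_a = token_binding_id(b"constructed client key A")
    tb_b = token_binding_id(b"constructed client key B")
    token = issue_token("alice", tb_a)
    print("same connection:", verify_token(token, tb_a))   # alice
    print("replayed elsewhere:", verify_token(token, tb_b))  # None
```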
The file can be obtained via
https://datatracker.ietf.org/doc/draft-ietf-tokbind-https/

IESG discussion can be tracked via
https://datatracker.ietf.org/doc/draft-ietf-tokbind-https/ballot/


No IPR declarations have been submitted directly on this I-D.