A new Request for Comments is now available in online RFC libraries.
RFC 8473
Title: Token Binding over HTTP
Author: A. Popov,
M. Nystroem,
D. Balfanz, Ed.,
N. Harper,
J. Hodges
Status: Standards Track
Stream: IETF
Date: October 2018
Mailbox: andreipo@microsoft.com,
mnystrom@microsoft.com,
balfanz@google.com,
nharper@google.com,
Jeff.Hodges@KingsMountain.com
Pages: 25
Characters: 63182
Updates/Obsoletes/SeeAlso: None
I-D Tag: draft-ietf-tokbind-https-18.txt
URL: https://www.rfc-editor.org/info/rfc8473
DOI: 10.17487/RFC8473
This document describes a collection of mechanisms that allow HTTP
servers to cryptographically bind security tokens (such as cookies
and OAuth tokens) to TLS connections.
We describe both first-party and federated scenarios. In a first-
party scenario, an HTTP server is able to cryptographically bind the
security tokens that it issues to a client -- and that the client
subsequently returns to the server -- to the TLS connection between
the client and the server. Such bound security tokens are protected
from misuse, since the server can generally detect if they are
replayed inappropriately, e.g., over other TLS connections.
Federated Token Bindings, on the other hand, allow servers to
cryptographically bind security tokens to a TLS connection that the
client has with a different server than the one issuing the token.
This document is a companion document to "The Token Binding Protocol
Version 1.0" (RFC 8471).
This document is a product of the Token Binding Working Group of the IETF.
This is now a Proposed Standard.
STANDARDS TRACK: This document specifies an Internet Standards Track
protocol for the Internet community, and requests discussion and suggestions
for improvements. Please refer to the current edition of the Official
Internet Protocol Standards (https://www.rfc-editor.org/standards) for the
standardization state and status of this protocol. Distribution of this
memo is unlimited.
This announcement is sent to the IETF-Announce and rfc-dist lists.
To subscribe or unsubscribe, see
https://www.ietf.org/mailman/listinfo/ietf-announce
https://mailman.rfc-editor.org/mailman/listinfo/rfc-dist
For searching the RFC series, see https://www.rfc-editor.org/search
For downloading RFCs, see https://www.rfc-editor.org/retrieve/bulk
Requests for special distribution should be addressed to either the
author of the RFC in question, or to rfc-editor@rfc-editor.org. Unless
specifically noted otherwise on the RFC itself, all RFCs are for
unlimited distribution.
The RFC Editor Team
Association Management Solutions, LLC
