Tokbind Status Pages

Token Binding (Concluded WG)
Sec Area: Roman Danyliw, Benjamin Kaduk | 2015-Mar-24 — 2021-Mar-22 

2019-03-27 charter

Token Binding (tokbind)
 Current Status: Active

     John Bradley <ve7jtb@ve7jtb.com>
     Leif Johansson <leifj@sunet.se>

 Security Area Directors:
     Roman Danyliw <rdd@cert.org>
     Benjamin Kaduk <kaduk@mit.edu>

 Security Area Advisor:
     Roman Danyliw <rdd@cert.org>

 Mailing Lists:
     General Discussion: unbearable@ietf.org
     To Subscribe:       https://www.ietf.org/mailman/listinfo/unbearable
     Archive:            https://mailarchive.ietf.org/arch/browse/unbearable/

Description of Working Group:

  Web services generate various security tokens (e.g. HTTP cookies, OAuth tokens, etc.) for web applications to access protected resources. Currently these are bearer tokens, i.e. any party in possession of such a token gains access to the protected resource. Attackers export bearer tokens from client machines or from compromised network connections, present these bearer tokens to Web services, and impersonate authenticated users. Token Binding enables defense against such attacks by cryptographically binding security tokens to a secret held by the client.
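  To make the difference between a bearer token and a bound token concrete, the following is an added illustration written for this page; it is not code from the working group or from any Token Binding implementation. The published protocol binds the token to the client's key pair and ties each presentation to the TLS connection via exported keying material; this example simplifies that by having the server issue a fresh random challenge that the client must sign with its private key (an assumption made for the example). The token format (`subject|bindingID|mac`), the server MAC key, and all helper names are constructed for this illustration. The point it shows: a token copied off the client is useless without the client's private key, and a captured proof cannot be replayed under a different challenge.

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// Constructed server-side MAC key for this example only; a real deployment would
// use a managed secret (and typically a signed token format such as a JWT).
var serverMACKey = []byte("example-server-mac-key-constructed-for-illustration")

// NewClientKey creates the client's key pair. In a real deployment the private
// key would live in a platform keystore or hardware module and never leave it.
func NewClientKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// bindingID identifies the client key the token is bound to. Assumption: SHA-256
// of the raw public key stands in for the protocol's TokenBindingID.
func bindingID(pub ed25519.PublicKey) string {
	sum := sha256.Sum256(pub)
	return hex.EncodeToString(sum[:])
}

// IssueToken creates a token whose payload names both the subject and the
// client key it is bound to, integrity-protected by a server-side MAC.
func IssueToken(subject string, clientPub ed25519.PublicKey) string {
	payload := subject + "|" + bindingID(clientPub)
	mac := hmac.New(sha256.New, serverMACKey)
	mac.Write([]byte(payload))
	return payload + "|" + hex.EncodeToString(mac.Sum(nil))
}

// NewChallenge is the per-presentation value the client must sign. Assumption:
// a random server nonce replaces the TLS-derived exported keying material.
func NewChallenge() []byte {
	ch := make([]byte, 32)
	if _, err := rand.Read(ch); err != nil {
		panic(err)
	}
	return ch
}

// ProofOfPossession accompanies the token: the client's public key and a
// signature over the current challenge made with the matching private key.
type ProofOfPossession struct {
	Pub       ed25519.PublicKey
	Signature []byte
}

// Prove is the client side: sign the challenge with the held private key.
func Prove(priv ed25519.PrivateKey, challenge []byte) ProofOfPossession {
	return ProofOfPossession{
		Pub:       priv.Public().(ed25519.PublicKey),
		Signature: ed25519.Sign(priv, challenge),
	}
}

// VerifyBoundToken is the server side. It checks, in order: the token was issued
// by this server, the presented key is the one the token was bound to, and the
// presenter actually controls that key for this challenge.
func VerifyBoundToken(token string, challenge []byte, pop ProofOfPossession) (string, error) {
	parts := strings.Split(token, "|")
	if len(parts) != 3 {
		return "", errors.New("malformed token")
	}
	subject, boundID, macHex := parts[0], parts[1], parts[2]

	mac := hmac.New(sha256.New, serverMACKey)
	mac.Write([]byte(subject + "|" + boundID))
	want, err := hex.DecodeString(macHex)
	if err != nil || !hmac.Equal(mac.Sum(nil), want) {
		return "", errors.New("token MAC invalid")
	}
	if bindingID(pop.Pub) != boundID {
		return "", errors.New("token is bound to a different client key")
	}
	if !ed25519.Verify(pop.Pub, challenge, pop.Signature) {
		return "", errors.New("proof of possession failed")
	}
	return subject, nil
}

func main() {
	clientPub, clientPriv := NewClientKey()
	token := IssueToken("alice", clientPub)

	ch := NewChallenge()
	subject, err := VerifyBoundToken(token, ch, Prove(clientPriv, ch))
	fmt.Println("legitimate client:", subject, err)

	// Token exported from the client, presented by a party holding a different key.
	_, otherPriv := NewClientKey()
	_, err = VerifyBoundToken(token, ch, Prove(otherPriv, ch))
	fmt.Println("token without the bound key:", err)

	// A captured proof replayed later under a fresh challenge.
	captured := Prove(clientPriv, ch)
	_, err = VerifyBoundToken(token, NewChallenge(), captured)
	fmt.Println("replayed proof:", err)
}
```

The ordering of the checks matters for a defender: the MAC check rejects forged or tampered tokens before any key comparison, the binding-ID check rejects a valid token presented with the wrong key, and the signature check rejects a presenter who knows the bound public key but not the private half. Logging which of the three checks failed is a cheap way to distinguish token theft from ordinary client bugs.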

  The tasks of this working group are as follows:

  1. Specify the Token Binding protocol v1.0.
  2. Specify the use of the Token Binding protocol in combination with HTTPS.

  It is a goal of this working group to enable defense against attacks that involve unauthorized replay of security tokens. Other issues associated with the use of security tokens are out of scope. Another goal of this working group is to design the Token Binding protocol such that it would be also useable with application protocols other than HTTPS. Specifying alternative application protocols is not a primary goal.

  The main design objectives for the Token Binding protocol, in no particular order:

  1. Allow applications and services to prevent unauthorized replay of security tokens.
  2. Allow strong key protection, e.g. using hardware-bound keys.
  3. Support both first-party (server generates a token for later use with this server) and federation (server generates a token for use with another server) scenarios.
  4. Preserve user privacy.
  5. Make the Token Binding protocol useable in combination with a variety of application protocols.
  6. Allow the negotiation of the Token Binding protocol without additional round-trips.
  7. Allow the use of multiple cryptographic algorithms, so that a variety of secure hardware modules with different cryptographic capabilities could be used with Token Binding.
  8. Propose Token Binding specification that can be implemented in Web browsers (but is not limited to them). E.g. Web browsers require that the same bound security token must be presentable over multiple TLS sessions and connections.

  The working group will use the following documents as a starting point for its work:

  - draft-popov-token-binding-00;
  - draft-balfanz-https-token-binding-00.

  This WG will collaborate with other IETF WGs, in particular with the TLS, HTTPbis and OAuth WGs, and with the W3C webappsec WG.

Goals and Milestones:
  Mar 2015 - WG document for the Token Binding Protocol v1.0.
  Mar 2015 - WG document for HTTPS Token Binding.
  May 2015 - TLS extension for Token Binding as WG document.
  Dec 2017 - HTTPS Token Binding to IESG.
  Dec 2017 - Token Binding Protocol v1.0 to IESG.

All charter page changes, including changes to draft-list, rfc-list and milestones:

Generated from PyHt script /wg/tokbind/charters.pyht Latest update: 24 Oct 2012 16:51 GMT -