--- 1/draft-ietf-tokbind-https-04.txt 2016-07-07 14:16:07.658315676 -0700 +++ 2/draft-ietf-tokbind-https-05.txt 2016-07-07 14:16:07.702316776 -0700 @@ -3,21 +3,21 @@ Internet-Draft M. Nystroem Intended status: Standards Track Microsoft Corp. Expires: January 8, 2017 D. Balfanz, Ed. A. Langley Google Inc. J. Hodges Paypal July 7, 2016 Token Binding over HTTP - draft-ietf-tokbind-https-04 + draft-ietf-tokbind-https-05 Abstract This document describes a collection of mechanisms that allow HTTP servers to cryptographically bind authentication tokens (such as cookies and OAuth tokens) to TLS [RFC5246] connections. We describe both _first-party_ and _federated_ scenarios. In a first-party scenario, an HTTP server is able to cryptographically bind the security tokens it issues to a client, and which the client @@ -408,21 +408,21 @@ negotiate the parameters (signature algorithm, length) of the Token Binding key. It is possible that the Token Binding ID used between the client and the Token Consumer, and the Token Binding ID used between the client and Token Provider, use different key parameters. The client MUST use the key parameters negotiated with the Token Consumer in the referred_token_binding TokenBinding of the TokenBindingMessage, even if those key parameters are different from the ones negotiated with the origin that the header field is sent to. Token Providers SHOULD support all the Token Binding key parameters - specified in the [I-D.ietf-tokbind-negotiation]. If a token provider + specified in the [I-D.ietf-tokbind-protocol]. If a token provider does not support the key parameters specified in the referred_token_binding TokenBinding in the TokenBindingMessage, it MUST issue an unbound token. 4.5. Federation Example The diagram below shows a typical HTTP Redirect-based Web Browser SSO Profile (no artifact, no callbacks), featuring binding of, e.g., a TLS Token Binding ID into an OpenID Connect "ID Token". @@ -748,41 +748,42 @@ Author/Change controller: IETF Specification document(s): this one [[TODO: possibly add further considerations wrt the behavior of the above header fields, per ]] 8. Acknowledgements This document incorporates comments and suggestions offered by Eric - Rescorla, Gabriel Montenegro, Martin Thomson, Vinod Anupam, Bill Cox, - Nick Harper, Brian Campbell and others. + Rescorla, Gabriel Montenegro, Martin Thomson, Vinod Anupam, Anthony + Nadalin, Michael Jones, Bill Cox, Nick Harper, Brian Campbell and + others. 9. References 9.1. Normative References [fetch-spec] WhatWG, "Fetch", Living Standard , . [I-D.ietf-tokbind-negotiation] Popov, A., Nystrom, M., Balfanz, D., and A. Langley, "Transport Layer Security (TLS) Extension for Token Binding Protocol Negotiation", draft-ietf-tokbind- - negotiation-02 (work in progress), January 2016. + negotiation-03 (work in progress), July 2016. [I-D.ietf-tokbind-protocol] Popov, A., Nystrom, M., Balfanz, D., Langley, A., and J. Hodges, "The Token Binding Protocol Version 1.0", draft- - ietf-tokbind-protocol-06 (work in progress), May 2016. + ietf-tokbind-protocol-07 (work in progress), July 2016. [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, DOI 10.17487/RFC2119, March 1997, . [RFC3864] Klyne, G., Nottingham, M., and J. Mogul, "Registration Procedures for Message Header Fields", BCP 90, RFC 3864, DOI 10.17487/RFC3864, September 2004, .