draft-ietf-tokbind-https-04.txt   draft-ietf-tokbind-https-05.txt 
skipping to change at page 1, line 14

Internet-Draft                                              M. Nystroem
Intended status: Standards Track                        Microsoft Corp.
Expires: January 8, 2017                                 D. Balfanz, Ed.
                                                              A. Langley
                                                             Google Inc.
                                                               J. Hodges
                                                                  Paypal
                                                            July 7, 2016

                        Token Binding over HTTP
[-04]                   draft-ietf-tokbind-https-04
[-05]                   draft-ietf-tokbind-https-05
Abstract

   This document describes a collection of mechanisms that allow HTTP
   servers to cryptographically bind authentication tokens (such as
   cookies and OAuth tokens) to TLS [RFC5246] connections.

   We describe both _first-party_ and _federated_ scenarios.  In a
   first-party scenario, an HTTP server is able to cryptographically
   bind the security tokens it issues to a client, and which the client
skipping to change at page 9, line 41
   negotiate the parameters (signature algorithm, length) of the Token
   Binding key.  It is possible that the Token Binding ID used between
   the client and the Token Consumer, and the Token Binding ID used
   between the client and Token Provider, use different key parameters.
   The client MUST use the key parameters negotiated with the Token
   Consumer in the referred_token_binding TokenBinding of the
   TokenBindingMessage, even if those key parameters are different from
   the ones negotiated with the origin that the header field is sent to.

   Token Providers SHOULD support all the Token Binding key parameters
[-04] specified in the [I-D.ietf-tokbind-negotiation].  If a token provider
[-05] specified in the [I-D.ietf-tokbind-protocol].  If a token provider
   does not support the key parameters specified in the
   referred_token_binding TokenBinding in the TokenBindingMessage, it
   MUST issue an unbound token.
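Review bot: the -05 column repoints the citation in the "Token Providers SHOULD support all the Token Binding key parameters" sentence from [I-D.ietf-tokbind-negotiation] to [I-D.ietf-tokbind-protocol], yet [I-D.ietf-tokbind-negotiation] stays listed under 9.1 Normative References; confirm it is still cited elsewhere in the draft so that entry does not become an unused normative reference. The leftover article in "specified in the [I-D.ietf-tokbind-protocol]" appears in both columns and should be dropped ("specified in [I-D.ietf-tokbind-protocol]").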
4.5.  Federation Example

   The diagram below shows a typical HTTP Redirect-based Web Browser SSO
   Profile (no artifact, no callbacks), featuring binding of, e.g., a
   TLS Token Binding ID into an OpenID Connect "ID Token".
skipping to change at page 16, line 46

   Author/Change controller: IETF

   Specification document(s): this one

   [[TODO: possibly add further considerations wrt the behavior of the
   above header fields, per <https://tools.ietf.org/html/rfc7231#section-8.3>]]
8.  Acknowledgements

[-04] This document incorporates comments and suggestions offered by Eric
[-04] Rescorla, Gabriel Montenegro, Martin Thomson, Vinod Anupam, Bill Cox,
[-04] Nick Harper, Brian Campbell and others.

[-05] This document incorporates comments and suggestions offered by Eric
[-05] Rescorla, Gabriel Montenegro, Martin Thomson, Vinod Anupam, Anthony
[-05] Nadalin, Michael Jones, Bill Cox, Nick Harper, Brian Campbell and
[-05] others.
9.  References

9.1.  Normative References

   [fetch-spec]
              WhatWG, "Fetch", Living Standard ,
              <https://fetch.spec.whatwg.org/>.

   [I-D.ietf-tokbind-negotiation]
              Popov, A., Nystrom, M., Balfanz, D., and A. Langley,
              "Transport Layer Security (TLS) Extension for Token
[-04]         Binding Protocol Negotiation", draft-ietf-tokbind-
[-04]         negotiation-02 (work in progress), January 2016.
[-05]         Binding Protocol Negotiation", draft-ietf-tokbind-
[-05]         negotiation-03 (work in progress), July 2016.

   [I-D.ietf-tokbind-protocol]
              Popov, A., Nystrom, M., Balfanz, D., Langley, A., and J.
              Hodges, "The Token Binding Protocol Version 1.0", draft-
[-04]         ietf-tokbind-protocol-06 (work in progress), May 2016.
[-05]         ietf-tokbind-protocol-07 (work in progress), July 2016.

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119,
              DOI 10.17487/RFC2119, March 1997,
              <http://www.rfc-editor.org/info/rfc2119>.

   [RFC3864]  Klyne, G., Nottingham, M., and J. Mogul, "Registration
              Procedures for Message Header Fields", BCP 90, RFC 3864,
              DOI 10.17487/RFC3864, September 2004,
              <http://www.rfc-editor.org/info/rfc3864>.
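Review bot: the two version bumps in this block (draft-ietf-tokbind-negotiation-02 to -03 and draft-ietf-tokbind-protocol-06 to -07, both now dated July 2016) are consistent with the July 7, 2016 date on the -05 title page; the [fetch-spec] entry still carries a stray space before the comma in "Living Standard ," in both columns, which the next revision should fix.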
End of changes.  5 change blocks.
6 lines changed or deleted                7 lines changed or added

This html diff was produced by rfcdiff 1.45.  The latest version is available from http://tools.ietf.org/tools/rfcdiff/