summaryrefslogtreecommitdiff
path: root/doc/rfc/rfc8473.txt
diff options
context:
space:
mode:
authorThomas Voss <mail@thomasvoss.com> 2024-11-27 20:54:24 +0100
committerThomas Voss <mail@thomasvoss.com> 2024-11-27 20:54:24 +0100
commit4bfd864f10b68b71482b35c818559068ef8d5797 (patch)
treee3989f47a7994642eb325063d46e8f08ffa681dc /doc/rfc/rfc8473.txt
parentea76e11061bda059ae9f9ad130a9895cc85607db (diff)
doc: Add RFC documents
Diffstat (limited to 'doc/rfc/rfc8473.txt')
-rw-r--r--doc/rfc/rfc8473.txt1403
1 files changed, 1403 insertions, 0 deletions
diff --git a/doc/rfc/rfc8473.txt b/doc/rfc/rfc8473.txt
new file mode 100644
index 0000000..963ba29
--- /dev/null
+++ b/doc/rfc/rfc8473.txt
@@ -0,0 +1,1403 @@
+
+
+
+
+
+
+Internet Engineering Task Force (IETF) A. Popov
+Request for Comments: 8473 M. Nystroem
+Category: Standards Track Microsoft Corp.
+ISSN: 2070-1721 D. Balfanz, Ed.
+ N. Harper
+ Google Inc.
+ J. Hodges
+ Kings Mountain Systems
+ October 2018
+
+
+ Token Binding over HTTP
+
+Abstract
+
+ This document describes a collection of mechanisms that allow HTTP
+ servers to cryptographically bind security tokens (such as cookies
+ and OAuth tokens) to TLS connections.
+
+ We describe both first-party and federated scenarios. In a first-
+ party scenario, an HTTP server is able to cryptographically bind the
+ security tokens that it issues to a client -- and that the client
+ subsequently returns to the server -- to the TLS connection between
+ the client and the server. Such bound security tokens are protected
+ from misuse, since the server can generally detect if they are
+ replayed inappropriately, e.g., over other TLS connections.
+
+ Federated Token Bindings, on the other hand, allow servers to
+ cryptographically bind security tokens to a TLS connection that the
+ client has with a different server than the one issuing the token.
+
+ This document is a companion document to "The Token Binding Protocol
+ Version 1.0" (RFC 8471).
+
+Status of This Memo
+
+ This is an Internet Standards Track document.
+
+ This document is a product of the Internet Engineering Task Force
+ (IETF). It represents the consensus of the IETF community. It has
+ received public review and has been approved for publication by the
+ Internet Engineering Steering Group (IESG). Further information on
+ Internet Standards is available in Section 2 of RFC 7841.
+
+ Information about the current status of this document, any errata,
+ and how to provide feedback on it may be obtained at
+ https://www.rfc-editor.org/info/rfc8473.
+
+
+
+
+Popov, et al. Standards Track [Page 1]
+
+RFC 8473 Token Binding over HTTP October 2018
+
+
+Copyright Notice
+
+ Copyright (c) 2018 IETF Trust and the persons identified as the
+ document authors. All rights reserved.
+
+ This document is subject to BCP 78 and the IETF Trust's Legal
+ Provisions Relating to IETF Documents
+ (https://trustee.ietf.org/license-info) in effect on the date of
+ publication of this document. Please review these documents
+ carefully, as they describe your rights and restrictions with respect
+ to this document. Code Components extracted from this document must
+ include Simplified BSD License text as described in Section 4.e of
+ the Trust Legal Provisions and are provided without warranty as
+ described in the Simplified BSD License.
+
+Table of Contents
+
+ 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3
+ 1.1. Requirements Language . . . . . . . . . . . . . . . . . . 3
+ 2. The Sec-Token-Binding HTTP Request Header Field . . . . . . . 4
+ 2.1. HTTPS Token Binding Key-Pair Scoping . . . . . . . . . . 5
+ 3. TLS Renegotiation . . . . . . . . . . . . . . . . . . . . . . 6
+ 4. First-Party Use Cases . . . . . . . . . . . . . . . . . . . . 7
+ 5. Federation Use Cases . . . . . . . . . . . . . . . . . . . . 7
+ 5.1. Introduction . . . . . . . . . . . . . . . . . . . . . . 7
+ 5.2. Overview . . . . . . . . . . . . . . . . . . . . . . . . 8
+ 5.3. HTTP Redirects . . . . . . . . . . . . . . . . . . . . . 10
+ 5.4. Negotiated Key Parameters . . . . . . . . . . . . . . . . 12
+ 5.5. Federation Example . . . . . . . . . . . . . . . . . . . 13
+ 6. Implementation Considerations . . . . . . . . . . . . . . . . 15
+ 7. Security Considerations . . . . . . . . . . . . . . . . . . . 16
+ 7.1. Security Token Replay . . . . . . . . . . . . . . . . . . 16
+ 7.2. Sensitivity of the Sec-Token-Binding Header . . . . . . . 16
+ 7.3. Securing Federated Sign-On Protocols . . . . . . . . . . 17
+ 8. Privacy Considerations . . . . . . . . . . . . . . . . . . . 20
+ 8.1. Scoping of Token Binding Key Pairs . . . . . . . . . . . 20
+ 8.2. Lifetime of Token Binding Key Pairs . . . . . . . . . . . 20
+ 8.3. Correlation . . . . . . . . . . . . . . . . . . . . . . . 21
+ 9. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 22
+ 10. References . . . . . . . . . . . . . . . . . . . . . . . . . 22
+ 10.1. Normative References . . . . . . . . . . . . . . . . . . 22
+ 10.2. Informative References . . . . . . . . . . . . . . . . . 23
+ Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . . 25
+ Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 25
+
+
+
+
+
+
+
+Popov, et al. Standards Track [Page 2]
+
+RFC 8473 Token Binding over HTTP October 2018
+
+
+1. Introduction
+
+ The Token Binding protocol [RFC8471] defines a Token Binding ID for a
+ TLS connection between a client and a server. The Token Binding ID
+ of a TLS connection is constructed using the public key of a
+ private-public key pair. The client proves possession of the
+ corresponding private key. This Token Binding key pair is
+ long-lived. That is, subsequent TLS connections between the same
+ client and server have the same Token Binding ID, unless specifically
+ reset, e.g., by the user. When issuing a security token (e.g., an
+ HTTP cookie or an OAuth token [RFC6749]) to a client, the server can
+ include the Token Binding ID in the token, thus cryptographically
+ binding the token to TLS connections between that particular client
+ and server, and inoculating the token against abuse (reuse, attempted
+ impersonation, etc.) by attackers.
+
+ While the Token Binding protocol [RFC8471] defines a message format
+ for establishing a Token Binding ID, it does not specify how this
+ message is embedded in higher-level protocols. The purpose of this
+ specification is to define how TokenBindingMessages are embedded in
+ HTTP (both versions 1.1 [RFC7230] and 2 [RFC7540]). Note that
+ TokenBindingMessages are only defined if the underlying transport
+ uses TLS. This means that Token Binding over HTTP is only defined
+ when HTTP is layered on top of TLS (commonly referred to as HTTPS
+ [RFC2818]).
+
+ HTTP clients establish a Token Binding ID with a server by including
+ a special HTTP header field in HTTP requests. The HTTP header field
+ value is a base64url-encoded TokenBindingMessage.
+
+ A TokenBindingMessage allows a client to establish multiple Token
+ Binding IDs with the server by including multiple TokenBinding
+ structures. By default, a client will establish a Provided Token
+ Binding ID with the server, indicating a Token Binding ID that the
+ client will persistently use with the server. Under certain
+ conditions, the client can also include a Referred Token Binding ID
+ in the TokenBindingMessage, indicating a Token Binding ID that the
+ client is using with a different server than the one that the
+ TokenBindingMessage is sent to. This is useful in federation
+ scenarios.
+
+1.1. Requirements Language
+
+ The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
+ "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
+ "OPTIONAL" in this document are to be interpreted as described in
+ BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all
+ capitals, as shown here.
+
+
+
+Popov, et al. Standards Track [Page 3]
+
+RFC 8473 Token Binding over HTTP October 2018
+
+
+2. The Sec-Token-Binding HTTP Request Header Field
+
+ Once a client and server have negotiated the Token Binding protocol
+ with HTTP/1.1 or HTTP/2 (see [RFC8471] and [RFC8472]), clients MUST
+ include a Sec-Token-Binding header field in their HTTP requests and
+ MUST include only one such header field per HTTP request. Also, the
+ Sec-Token-Binding header field MUST NOT be included in HTTP
+ responses. The ABNF of the Sec-Token-Binding header field is (per
+ the style of [RFC7230]; see also Section 8.3 of [RFC7231]):
+
+ Sec-Token-Binding = EncodedTokenBindingMessage
+
+ The header field name is Sec-Token-Binding, and its single value,
+ EncodedTokenBindingMessage, is a base64url encoding of a single
+ TokenBindingMessage, as defined in [RFC8471]. The base64url encoding
+ uses the URL and filename safe character set described in Section 5
+ of [RFC4648], with all trailing padding characters (i.e., "=")
+ omitted and without the inclusion of any line breaks, whitespace, or
+ other additional characters.
+
+ For example:
+
+ Sec-Token-Binding: AIkAAgBBQFzK4_bhAqLDwRQxqJWte33d7hZ0hZWHwk-miKPg4E\
+ 9fcgs7gBPoz-9RfuDfN9WCw6keHEw1ZPQMGs9CxpuHm-YAQM_j\
+ aOwwej6a-cQBGU7CJpUHOvXG4VvjNq8jDsvta9Y8_bPEPj25Gg\
+ mKiPjhJEtZA6mJ_9SNifLvVBTi7fR9wSAAAA
+
+ (Note that the backslashes and line breaks are provided to ease
+ readability; they are not part of the actual encoded message.)
+
+ If the server receives more than one Sec-Token-Binding header field
+ in an HTTP request, then the server MUST reject the message with a
+ 400 (Bad Request) HTTP status code. Additionally, the
+ Sec-Token-Binding header field:
+
+ o SHOULD NOT be stored by origin servers on PUT requests,
+
+ o MAY be listed by a server in a Vary response header field, and
+
+ o MUST NOT be used in HTTP trailers.
+
+ The TokenBindingMessage MUST contain exactly one TokenBinding
+ structure with a TokenBindingType value of provided_token_binding,
+ which MUST be signed with the Token Binding private key used by the
+ client for connections between itself and the server that the HTTP
+ request is sent to (clients use different Token Binding key pairs for
+ different servers; see Section 2.1 below). The Token Binding ID
+
+
+
+
+Popov, et al. Standards Track [Page 4]
+
+RFC 8473 Token Binding over HTTP October 2018
+
+
+ established by this TokenBinding is called a "Provided Token
+ Binding ID".
+
+ The TokenBindingMessage MAY also contain exactly one TokenBinding
+ structure with a TokenBindingType value of referred_token_binding, as
+ specified in Section 5.3. In addition to the latter, or rather than
+ the latter, the TokenBindingMessage MAY contain other TokenBinding
+ structures. This is specific to the use case in question; such use
+ cases are outside the scope of this specification.
+
+ A TokenBindingMessage is validated by the server as described in
+ Section 4.2 ("Server Processing Rules") of [RFC8471]. If validation
+ fails and a Token Binding is rejected, any associated bound tokens
+ MUST also be rejected by the server. HTTP requests containing
+ invalid tokens MUST be rejected. In this case, the server
+ application MAY return HTTP status code 400 (Bad Request) or proceed
+ with an application-specific "invalid token" response (e.g.,
+ directing the client to re-authenticate and present a different
+ token), or terminate the connection.
+
+ In HTTP/2, the client SHOULD use header compression [RFC7541] to
+ avoid the overhead of repeating the same header field in subsequent
+ HTTP requests.
+
+2.1. HTTPS Token Binding Key-Pair Scoping
+
+ HTTPS is used in conjunction with various application protocols and
+ application contexts, in various ways. For example, general-purpose
+ web browsing is one such HTTP-based application context. Within that
+ context, HTTP cookies [RFC6265] are typically utilized for state
+ management, including client authentication. A related, though
+ distinct, example of other HTTP-based application contexts is where
+ OAuth tokens [RFC6749] are utilized to manage authorization for
+ third-party application access to resources. The token-scoping rules
+ of these two examples can differ: the scoping rules for cookies are
+ concisely specified in [RFC6265], whereas OAuth is a framework and
+ defines various token types with various scopings, some of which are
+ determined by the encompassing application.
+
+ The scoping of Token Binding key pairs generated by web browsers for
+ the purpose of binding HTTP cookies MUST be no wider than the
+ granularity of a "registered domain" (also known as "effective
+ top-level domain + 1", or "eTLD+1"). An origin's "registered domain"
+ is the origin's host's public suffix plus the label to its left
+ (where the term "public suffix" is defined in the "NOTE:" paragraph
+ in Section 5.3 of [RFC6265] as "a domain that is controlled by a
+ public registry"). For example, for "https://www.example.com", the
+ public suffix (eTLD) is "com", and the registered domain (eTLD+1) is
+
+
+
+Popov, et al. Standards Track [Page 5]
+
+RFC 8473 Token Binding over HTTP October 2018
+
+
+ "example.com". User Agents SHOULD use an up-to-date public suffix
+ list, such as the one maintained by Mozilla [PSL].
+
+ This means that in practice the scope of a Token Binding key pair is
+ no larger than the scope of a cookie allowed by a web browser. If a
+ web browser restricts cookies to a narrower scope than registered
+ domains, the scope of Token Binding key pairs MAY also be narrower.
+ This applies to the use of Token Binding key pairs in first-party use
+ cases, as well as in federation use cases defined in this
+ specification (Section 5).
+
+ Key pairs used to bind other application tokens, such as OAuth tokens
+ or "OpenID Connect" ID Tokens [OpenID.Core], SHOULD adhere to the
+ above eTLD+1 scoping requirement for those tokens being employed in
+ first-party or federation scenarios. Applications other than web
+ browsers MAY use different key-pair scoping rules. See also
+ Section 8.1 below.
+
+ Scoping rules for other HTTP-based application contexts are outside
+ the scope of this specification.
+
+3. TLS Renegotiation
+
+ Token Binding over HTTP/1.1 [RFC7230] can be performed in combination
+ with TLS renegotiation. In this case, renegotiation MUST only occur
+ between a client's HTTP request and the server's response, the client
+ MUST NOT send any pipelined requests, and the client MUST NOT
+ initiate renegotiation. (That is, the client may only send a
+ renegotiation ClientHello in response to the server's HelloRequest.)
+ These conditions ensure that both the client and the server can
+ clearly identify which TLS Exported Keying Material value [RFC5705]
+ to use when generating or verifying the TokenBindingMessage. This
+ also prevents a TokenBindingMessage from being split across TLS
+ renegotiation boundaries due to TLS message fragmentation; see
+ Section 6.2.1 of [RFC5246].
+
+ (Note: This document deals with TLS 1.2 and therefore refers to
+ RFC 5246 (which has been obsoleted by RFC 8446); [TOKENBIND-TLS13]
+ addresses Token Binding in TLS 1.3.)
+
+
+
+
+
+
+
+
+
+
+
+
+Popov, et al. Standards Track [Page 6]
+
+RFC 8473 Token Binding over HTTP October 2018
+
+
+4. First-Party Use Cases
+
+ In a first-party use case (also known as a "same-site" use case), an
+ HTTP server issues a security token such as a cookie (or similar) to
+ a client and expects the client to return the security token at a
+ later time, e.g., in order to authenticate. Binding the security
+ token to the TLS connection between the client and the server
+ protects the security token from misuse, since the server can detect
+ if the security token is replayed inappropriately, e.g., over other
+ TLS connections.
+
+ See Section 5 of [RFC8471] for general guidance regarding the binding
+ of security tokens and their subsequent validation.
+
+5. Federation Use Cases
+
+5.1. Introduction
+
+ For privacy reasons, clients use different Token Binding key pairs to
+ establish Provided Token Binding IDs with different servers. As a
+ result, a server cannot bind a security token (such as an OAuth token
+ or an OpenID Connect ID Token [OpenID.Core]) to a TLS connection that
+ the client has with a different server. This is, however, a common
+ requirement in federation scenarios: for example, an Identity
+ Provider may wish to issue an identity token to a client and
+ cryptographically bind that token to the TLS connection between the
+ client and a Relying Party.
+
+ In this section, we describe mechanisms to achieve this. The common
+ idea among these mechanisms is that a server (called the "Token
+ Consumer" in this document) signals to the client that it should
+ reveal the Provided Token Binding ID that is used between the client
+ and itself to another server (called the "Token Provider" in this
+ document). Also common across the mechanisms is how the Token
+ Binding ID is revealed to the Token Provider: the client uses the
+ Token Binding protocol [RFC8471] and includes a TokenBinding
+ structure in the Sec-Token-Binding HTTP header field defined above.
+ What differs between the various mechanisms is how the Token Consumer
+ signals to the client that it should reveal the Token Binding ID to
+ the Token Provider. Below, we specify one such mechanism, which is
+ suitable for redirect-based interactions between Token Consumers and
+ Token Providers.
+
+
+
+
+
+
+
+
+
+Popov, et al. Standards Track [Page 7]
+
+RFC 8473 Token Binding over HTTP October 2018
+
+
+ Client Token Consumer Token Provider
+ +--------+ +----+ +-----+
+ | Client | | TC | | TP |
+ +--------+ +----+ +-----+
+ | | |
+ | | |
+ | | |
+ | Client interacts w/TC | |
+ | using TokenBindingID TBID1: | |
+ | TBMSG[[provided_token_binding,| |
+ | TBID1, signature]] | |
+ |------------------------------>| |
+ | | |
+ | Client interacts w/TP |
+ | using TokenBindingID TBID2: |
+ | TBMSG[[provided_token_binding, |
+ | TBID2, signature]] |
+ |----------------------------------------------------->|
+ | |
+ | | |
+ | TC signals permission to | |
+ | reveal TBID1 to TP | |
+ |<------------------------------| |
+ | | |
+ | |
+ | Client interacts w/TP |
+ | using TokenBindingID TBID1 and TBID2: |
+ | TBMSG[[provided_token_binding, |
+ | TBID2, signature], |
+ | [referred_token_binding, |
+ | TBID1, signature]] |
+ |----------------------------------------------------->|
+ | |
+ | | |
+ | | |
+
+5.2. Overview
+
+ In a federated sign-on protocol, an Identity Provider issues an
+ identity token to a client, which sends the identity token to a
+ Relying Party to authenticate itself. Examples of this include
+ OpenID Connect (in which the identity token is called an "ID Token")
+ and the Security Assertion Markup Language (SAML)
+ [OASIS.saml-core-2.0-os] (in which the identity token is a SAML
+ assertion).
+
+
+
+
+
+
+Popov, et al. Standards Track [Page 8]
+
+RFC 8473 Token Binding over HTTP October 2018
+
+
+ To better protect the security of the identity token, the Identity
+ Provider may wish to bind the identity token to the TLS connection
+ between the client and the Relying Party, thus ensuring that only
+ said client can use the identity token. The Relying Party will
+ compare the Token Binding ID (or a cryptographic hash of it) in the
+ identity token with the Token Binding ID (or a hash thereof) of the
+ TLS connection between this Relying Party and the client.
+
+ This is an example of a federation scenario, which more generally can
+ be described as follows:
+
+ o A Token Consumer causes the client to issue a token request to the
+ Token Provider. The goal is for the client to obtain a token and
+ then use it with the Token Consumer.
+
+ o The client delivers the token request to the Token Provider.
+
+ o The Token Provider issues the token. The token is issued for the
+ specific Token Consumer who requested it (thus preventing
+ malicious Token Consumers from using tokens with other Token
+ Consumers). The token is, however, typically a bearer token,
+ meaning that any client can use it with the Token Consumer -- not
+ just the client to which it was issued.
+
+ o Therefore, in the previous step, the Token Provider may want to
+ include in the token the Token Binding ID (or a cryptographic hash
+ of it) that the client uses when communicating with the Token
+ Consumer, thus binding the token to the client's Token Binding key
+ pair. The client proves possession of the private key when
+ communicating with the Token Consumer through the Token Binding
+ protocol [RFC8471] and uses the corresponding public key of this
+ key pair as a component of the Token Binding ID. Comparing the
+ Token Binding ID from the token to the Token Binding ID
+ established with the client allows the Token Consumer to verify
+ that the token was sent to it by the legitimate client.
+
+ o To allow the Token Provider to include the Token Binding ID in the
+ token, the Token Binding ID between the client and the Token
+ Consumer must therefore be communicated to the Token Provider
+ along with the token request. Communicating a Token Binding ID
+ involves proving possession of a private key and is described in
+ the Token Binding protocol [RFC8471].
+
+ The client will perform this last operation only if the Token
+ Consumer requests the client to do so.
+
+
+
+
+
+
+Popov, et al. Standards Track [Page 9]
+
+RFC 8473 Token Binding over HTTP October 2018
+
+
+ Below, we specify how Token Consumers can signal this request in
+ redirect-based federation protocols. Note that this assumes that the
+ federated sign-on flow starts at the Token Consumer or, at the very
+ least, includes a redirect from the Token Consumer to the Token
+ Provider. It is outside the scope of this document to specify
+ similar mechanisms for flows that do not include such redirects.
+
+5.3. HTTP Redirects
+
+ When a Token Consumer redirects the client to a Token Provider as a
+ means to deliver the token request, it SHOULD include an
+ Include-Referred-Token-Binding-ID HTTP response header field in its
+ HTTP response. The ABNF of the Include-Referred-Token-Binding-ID
+ header is (per the style of [RFC7230]; see also Section 8.3 of
+ [RFC7231]):
+
+ Include-Referred-Token-Binding-ID = "true"
+
+ Where the header field name is "Include-Referred-Token-Binding-ID"
+ and the field value of "true" is case insensitive. For example:
+
+ Include-Referred-Token-Binding-ID: true
+
+ Including this response header field signals to the client that it
+ should reveal, to the Token Provider, the Token Binding ID used
+ between itself and the Token Consumer. In the absence of this
+ response header field, the client will not disclose any information
+ about the Token Binding used between the client and the Token
+ Consumer to the Token Provider.
+
+ As illustrated in Section 5.5, when a client receives this header
+ field, it should take the TokenBindingID [RFC8471] of the provided
+ TokenBinding from the referrer and create a referred TokenBinding
+ with it to include in the TokenBindingMessage in the redirect
+ request. In other words, the Token Binding message in the redirect
+ request to the Token Provider now includes one provided binding and
+ one referred binding, the latter constructed from the binding between
+ the client and the Token Consumer.
+
+ When a client receives the Include-Referred-Token-Binding-ID header,
+ it includes the referred Token Binding even if both the Token
+ Provider and the Token Consumer fall under the same eTLD+1 and the
+ provided and Referred Token Binding IDs are the same.
+
+ The referred Token Binding is sent only in the initial request
+ resulting from the HTTP response that included the
+ Include-Referred-Token-Binding-ID header. Should the response to
+ that initial request be a further redirect, the original referred
+
+
+
+Popov, et al. Standards Track [Page 10]
+
+RFC 8473 Token Binding over HTTP October 2018
+
+
+ Token Binding is no longer included in subsequent requests. (A new
+ referred Token Binding may be included if the redirecting endpoint
+ itself responded with an Include-Referred-Token-Binding-ID response
+ header.)
+
+ If the Include-Referred-Token-Binding-ID header field is
+ received in response to a request that did not include the
+ Sec-Token-Binding header field, the client MUST ignore the
+ Include-Referred-Token-Binding-ID header field.
+
+ This header field only has meaning if the HTTP status code is a
+ redirection code (300-399) and MUST be ignored by the client for any
+ other status codes. As described in Section 2, if the client
+ supports the Token Binding protocol and has negotiated the Token
+ Binding protocol with both the Token Consumer and the Token Provider,
+ it sends the Sec-Token-Binding header field to the Token Provider
+ with each HTTP request.
+
+ The TokenBindingMessage included in the redirect request to the Token
+ Provider SHOULD contain a TokenBinding with a TokenBindingType value
+ of referred_token_binding. If included, this TokenBinding MUST be
+ signed with the Token Binding private key used by the client for
+ connections between itself and the Token Consumer (more specifically,
+ the server that issued the Include-Referred-Token-Binding-ID response
+ header field). The Token Binding ID established by this TokenBinding
+ is called a "Referred Token Binding ID".
+
+ As described above, the TokenBindingMessage MUST additionally contain
+ a Provided Token Binding ID, i.e., a TokenBinding structure with a
+ TokenBindingType value of provided_token_binding, which MUST be
+ signed with the Token Binding private key used by the client for
+ connections between itself and the Token Provider (more specifically,
+ the server that the token request is being sent to).
+
+ If, for some deployment-specific reason, the initial Token Provider
+ ("TP1") needs to redirect the client to another Token Provider
+ ("TP2") rather than directly back to the Token Consumer, it can be
+ accommodated using the header fields defined in this specification in
+ the following fashion ("the redirect-chain approach"):
+
+ Initially, the client is redirected to TP1 by the Token Consumer
+ ("TC"), as described above. Upon receiving a client's request
+ that contains a TokenBindingMessage that in turn contains both
+ provided and referred TokenBindings (for TP1 and TC,
+ respectively), TP1 responds to the client with a redirect response
+ that (1) contains the Include-Referred-Token-Binding-ID header
+ field and (2) directs the client to send a request to TP2. This
+ causes the client to follow the same pattern and send a request
+
+
+
+Popov, et al. Standards Track [Page 11]
+
+RFC 8473 Token Binding over HTTP October 2018
+
+
+ containing a TokenBindingMessage that contains both provided and
+ referred TokenBindings (for TP2 and TP1, respectively) to TP2.
+ Note that this pattern can continue to additional Token Providers.
+ In this case, TP2 issues a security token, bound to the client's
+ TokenBinding with TP1, and sends a redirect response to the client
+ pointing to TP1. TP1 in turn constructs a security token for the
+ Token Consumer, bound to the TC's referred TokenBinding that had
+ been conveyed earlier, and sends a redirect response pointing to
+ the TC, containing the bound security token, to the client.
+
+ The above is intended as only a non-normative example. Details are
+ specific to deployment contexts. Other approaches are possible but
+ are outside the scope of this specification.
+
+5.4. Negotiated Key Parameters
+
+ The TLS extension for Token Binding protocol negotiation [RFC8472]
+ allows the server and client to negotiate the parameters (signature
+ algorithm, length) of the Token Binding key pair. It is possible
+ that the Token Binding ID used between the client and the Token
+ Consumer, and the Token Binding ID used between the client and the
+ Token Provider, use different key parameters. The client MUST use
+ the key parameters negotiated with the Token Consumer in the
+ referred_token_binding TokenBinding of the TokenBindingMessage, even
+ if those key parameters are different from the ones negotiated with
+ the server that the header field is sent to.
+
+ Token Providers SHOULD support all the Token Binding key parameters
+ specified in [RFC8471]. If a Token Provider does not support the key
+ parameters specified in the referred_token_binding TokenBinding in
+ the TokenBindingMessage, it MUST NOT issue a bound token.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Popov, et al. Standards Track [Page 12]
+
+RFC 8473 Token Binding over HTTP October 2018
+
+
+5.5. Federation Example
+
+ The diagram below shows a typical HTTP redirect-based web browser
+ single sign-on (SSO) profile (Section 4.1 of
+ [OASIS.saml-prof-2.0-os]) (no artifact, no callbacks), featuring the
+ binding of, for example, a TLS Token Binding ID into an OpenID
+ Connect ID Token.
+
+ Legend:
+
+ +------------+------------------------------------------------------+
+ | EKM: | TLS Exported Keying Material [RFC5705] |
+ | | |
+ | {EKMn}Ksm: | EKM for server "n", signed by the private key of |
+ | | TBID "m", where "n" must represent the server |
+ | | receiving the ETBMSG. If a conveyed TB's type is |
+ | | provided_token_binding, then m = n, else if TB's |
+ | | type is referred_token_binding, then m != n. For |
+ | | example, see step 1b in the diagram below. |
+ | | |
+ | ETBMSG: | "Sec-Token-Binding" HTTP header field conveying an |
+ | | EncodedTokenBindingMessage, in turn conveying |
+ | | TokenBinding (TB)struct(s), e.g., ETBMSG[[TB]] or |
+ | | ETBMSG[[TB1],[TB2]] |
+ | | |
+ | ID Token: | the ID Token in OpenID Connect. It is the semantic |
+ | | equivalent of a SAML "authentication assertion". |
+ | | "ID Token w/TBIDn" denotes a "token bound" ID Token |
+ | | containing TBIDn. |
+ | | |
+ | Ks and Kp: | private (aka secret) key and public key, |
+ | | respectively, of the client-side Token Binding key |
+ | | pair |
+ | | |
+ | OIDC: | OpenID Connect |
+ | | |
+ | TB: | TokenBinding struct containing a signed EKM, TBID, |
+ | | and TB type, e.g., |
+ | | [{EKM1}Ks1,TBID1,provided_token_binding] |
+ | | |
+ | TBIDn: | Token Binding ID for client and server n's token- |
+ | | bound TLS association. TBIDn contains Kpn. |
+ +------------+------------------------------------------------------+
+
+
+
+
+
+
+
+
+Popov, et al. Standards Track [Page 13]
+
+RFC 8473 Token Binding over HTTP October 2018
+
+
+Client, aka Token Consumer, aka Token Provider, aka
+User Agent OpenID Client, OpenID Provider,
+ OIDC Relying Party, OIDC Provider,
+ SAML Relying Party SAML Identity Provider
+ [ server "1" ] [ server "2" ]
++--------+ +----+ +-----+
+| Client | | TC | | TP |
++--------+ +----+ +-----+
+ | | |
+ | | |
+ | | |
+ | 0. Client interacts w/TC | |
+ | over HTTPS, establishes Ks1 and Kp1, TBID1 |
+ | ETBMSG[[{EKM1}Ks1,TBID1,provided_token_binding]] |
+ |------------------------------>| |
+ | | |
+ | | |
+ | | |
+ | 1a. OIDC ID Token request, aka| |
+ | "Authentication Request", conveyed with |
+ | an HTTP response header field of |
+ | Include-Referred-Token-Binding-ID:true. |
+ | Any security-relevant cookies | |
+ | should contain TBID1. | |
+ +<- - - - - - - - - - - - - - - - | |
+ . | (redirect to TP via 301, 302, | |
+ . | 303, 307, or 308) | |
+ . | | |
+ +------------------------------------------------------->|
+ | 1b. opens HTTPS w/TP, |
+ | establishes Ks2, Kp2, TBID2; |
+ | sends a GET or POST with |
+ | ETBMSG[[{EKM2}Ks2,TBID2,provided_token_binding], |
+ | [{EKM2}Ks1,TBID1,referred_token_binding]] |
+ | as well as the ID Token request |
+ | | |
+ | | |
+ | | |
+ | 2. user authentication (if applicable; |
+ | methods vary; particulars are out of scope) |
+ |<====================================================>|
+ | (TP generates ID Token for TC containing TBID1; may |
+ | also set cookie(s) containing TBID2 and/or TBID1; |
+ | details vary; particulars are out of scope) |
+ | | |
+ | | |
+
+
+
+
+
+Popov, et al. Standards Track [Page 14]
+
+RFC 8473 Token Binding over HTTP October 2018
+
+
+ | | |
+ | 3a. ID Token containing Kp1, issued for TC, |
+ | conveyed via OIDC "Authentication Response" |
+ +<- - - - - - - - - - - - - - - - - - - - - - - - - - - -|
+ . | (redirect to TC) | |
+ . | | |
+ . | | |
+ +-------------------------------->| |
+ | 3b. HTTPS GET or POST with |
+ | ETBMSG[[{EKM1}Ks1,TBID1,provided_token_binding]] |
+ | conveying an Authentication Response containing |
+ | an ID Token w/TBID1, issued for TC |
+ | | |
+ | | |
+ | | |
+ | 4. user is signed on; any security-relevant cookie(s)|
+ | that is set SHOULD contain TBID1 |
+ |<------------------------------| |
+ | | |
+ | | |
+
+6. Implementation Considerations
+
+ HTTPS-based applications may have multi-party use cases other than,
+ or in addition to, the HTTP redirect-based signaling and conveyance
+ of referred Token Bindings, as presented above in Section 5.3.
+
+ Thus, Token Binding implementations should provide APIs for such
+ applications to generate Token Binding messages containing Token
+ Binding IDs of various application-specified Token Binding types, to
+ be conveyed by the Sec-Token-Binding header field.
+
+ However, Token Binding implementations MUST only convey Token Binding
+ IDs to servers if signaled to do so by an application. Signaling
+ mechanisms other than the Include-Referred-Token-Binding-ID HTTP
+ response header field are possible, but these mechanisms are outside
+ the scope of this specification.
+
+ NOTE: See Section 8 ("Privacy Considerations") for privacy guidance
+ regarding the use of this functionality.
+
+
+
+
+
+
+
+
+
+
+
+Popov, et al. Standards Track [Page 15]
+
+RFC 8473 Token Binding over HTTP October 2018
+
+
+7. Security Considerations
+
+7.1. Security Token Replay
+
+ The goal of the federated Token Binding mechanisms is to prevent
+ attackers from exporting and replaying tokens used in protocols
+ between the client and the Token Consumer, thereby impersonating
+ legitimate users and gaining access to protected resources. Although
+ bound tokens can still be replayed by any malware present in clients
+ (which may be undetectable to a server), in order to export bound
+ tokens to other machines and successfully replay them, attackers also
+ need to export the corresponding Token Binding private keys. Token
+ Binding private keys are therefore high-value assets and SHOULD be
+ strongly protected, ideally by generating them in a hardware security
+ module that prevents key export.
+
+ This consideration is a special case of the scenario described in
+ Section 7.1 ("Security Token Replay") of [RFC8471].
+
+7.2. Sensitivity of the Sec-Token-Binding Header
+
+ The purpose of the Token Binding protocol is to convince the server
+ that the client that initiated the TLS connection controls a certain
+ key pair. For the server to correctly draw this conclusion after
+ processing the Sec-Token-Binding header field, certain secrecy and
+ integrity requirements must be met.
+
+ For example, the client must keep its Token Binding private key
+ secret. If the private key is not secret, then another actor in the
+ system could create a valid Token Binding header field and thereby
+ impersonate the client. This can render the main purpose of the
+ protocol -- to bind bearer tokens to certain clients -- moot.
+ Consider, for example, an attacker who obtained (perhaps through a
+ network intrusion) an authentication cookie that a client uses with a
+ certain server. Consider further that the server bound that cookie
+ to the client's Token Binding ID precisely to thwart misuse of the
+ cookie. If the attacker were to come into possession of the client's
+ private key, they could then establish a TLS connection with the
+ server and craft a Sec-Token-Binding header field that matches the
+ binding present in the cookie, thus successfully authenticating as
+ the client and gaining access to the client's data at the server.
+ The Token Binding protocol, in this case, did not successfully bind
+ the cookie to the client.
+
+ Likewise, we need integrity protection of the Sec-Token-Binding
+ header field. A client should not be tricked into sending to a
+ server a Sec-Token-Binding header field that contains Token Bindings
+ signed with any Token Binding keys that the client does not control.
+
+
+
+Popov, et al. Standards Track [Page 16]
+
+RFC 8473 Token Binding over HTTP October 2018
+
+
+ Consider an attacker A that somehow has knowledge of the Exported
+ Keying Material (EKM) for a TLS connection between a client C and a
+ server S. (While that is somewhat unlikely, it is also not entirely
+ out of the question, since the client might not treat the EKM as a
+ secret -- after all, a pre-image-resistant hash function has been
+ applied to the TLS master secret, making it impossible for someone
+ knowing the EKM to recover the TLS master secret. Such
+ considerations might lead some clients to not treat the EKM as a
+ secret.) Such an attacker A could craft a Sec-Token-Binding header
+ field with A's key pair over C's EKM. If the attacker could now
+ trick C into sending such a header field to S, it would appear to S
+ as if C controls a certain key pair, when in fact it does not (the
+ attacker A controls the key pair).
+
+ If A has a pre-existing relationship with S (e.g., perhaps has an
+ account on S), it now appears to the server S as if A is connecting
+ to it, even though it is really C. (If the server S does not simply
+ use Token Binding IDs to identify clients but also uses bound
+ authentication cookies, then A would also have to trick C into
+ sending one of A's cookies to S, which it can do through a variety of
+ means -- inserting cookies through JavaScript APIs, setting cookies
+ through related-domain attacks, etc.) In other words, in this
+ scenario, A can trick C into logging into A's account on S. This
+ could lead to a loss of privacy for C, since A presumably has some
+ other way to also access the account and can thus indirectly observe
+ C's behavior (for example, if S has a feature that lets account
+ holders see their activity history on S).
+
+ Therefore, we need to protect the integrity of the Sec-Token-Binding
+ header field. One eTLD+1 should not be able to set the
+ Sec-Token-Binding header field (through a Document Object Model (DOM)
+ API [W3C.REC-DOM-Level-3-Core-20040407] or otherwise) that the User
+ Agent uses with another eTLD+1. Employing the "Sec-" header field
+ prefix helps to meet this requirement by denoting the header field
+ name as a "forbidden header name"; see [fetch-spec].
+
+7.3. Securing Federated Sign-On Protocols
+
+ As explained above, in a federated sign-on scenario, a client will
+ prove possession of two different Token Binding private keys to a
+ Token Provider: one private key corresponds to the "provided" Token
+ Binding ID (which the client normally uses with the Token Provider),
+ and the other is the Token Binding private key corresponding to the
+ "referred" Token Binding ID (which the client normally uses with the
+ Token Consumer). The Token Provider is expected to issue a token
+ that is bound to the Referred Token Binding ID.
+
+
+
+
+
+Popov, et al. Standards Track [Page 17]
+
+RFC 8473 Token Binding over HTTP October 2018
+
+
+ Both proofs (that of the provided Token Binding private key and that
+ of the referred Token Binding private key) are necessary. To show
+ this, consider the following scenario:
+
+ o The client has an authentication token with the Token Provider
+ that is bound to the client's Token Binding ID used with that
+ Token Provider.
+
+ o The client wants to establish a secure (i.e., free of men-in-the-
+ middle) authenticated session with the Token Consumer but has not
+ yet done so (in other words, we are about to run the federated
+ sign-on protocol).
+
+ o A man-in-the-middle is allowed to intercept the connection between
+ the client and the Token Consumer or between the client and the
+ Token Provider (or both).
+
+ The goal is to detect the presence of the man-in-the-middle in these
+ scenarios.
+
+ First, consider a man-in-the-middle between the client and the Token
+ Provider. Recall that we assume that the client possesses a bound
+ authentication token (e.g., cookie) for the Token Provider. The
+ man-in-the-middle can intercept and modify any message sent by the
+ client to the Token Provider and any message sent by the Token
+ Provider to the client. (This means, among other things, that the
+ man-in-the-middle controls the JavaScript running at the client in
+ the origin of the Token Provider.) It is not, however, in possession
+ of the client's Token Binding private key. Therefore, it can choose
+ to either (1) replace the Token Binding ID in requests from the
+ client to the Token Provider and create a Sec-Token-Binding header
+ field that matches the TLS connection between the man-in-the-middle
+ and the Token Provider or (2) leave the Sec-Token-Binding header
+ field unchanged. If it chooses the latter, the signature in the
+ Token Binding message (created by the original client on the EKM for
+ the connection between the client and the man-in-the-middle) will not
+ match a signature on the EKM between the man-in-the-middle and the
+ Token Provider. If it chooses the former (and creates its own
+ signature, using its own Token Binding private key, over the EKM for
+ the connection between itself, the man-in-the-middle, and the Token
+ Provider), then the Token Binding message will match the connection
+ between the man-in-the-middle and the Token Provider, but the Token
+ Binding ID in the message will not match the Token Binding ID that
+ the client's authentication token is bound to. Either way, the
+ man-in-the-middle is detected by the Token Provider, but only if the
+ proof of possession of the provided Token Binding private key is
+ required in the protocol (as is done above).
+
+
+
+
+Popov, et al. Standards Track [Page 18]
+
+RFC 8473 Token Binding over HTTP October 2018
+
+
+ Next, consider the presence of a man-in-the-middle between the client
+ and the Token Consumer. That man-in-the-middle can intercept and
+ modify any message sent by the client to the Token Consumer and any
+ message sent by the Token Consumer to the client. The Token Consumer
+ is the party that redirects the client to the Token Provider. In
+ this case, the man-in-the-middle controls the redirect URL and can
+ tamper with any redirect URL issued by the Token Consumer (as well as
+ with any JavaScript running in the origin of the Token Consumer).
+ The goal of the man-in-the-middle is to trick the Token Provider into
+ issuing a token bound to its Token Binding ID and not to the Token
+ Binding ID of the legitimate client. To thwart this goal of the
+ man-in-the-middle, the client's Referred Token Binding ID must be
+ communicated to the Token Provider in a manner that cannot be
+ affected by the man-in-the-middle (who, as mentioned above, can
+ modify redirect URLs and JavaScript at the client). Including the
+ referred TokenBinding structure in the Sec-Token-Binding header field
+ (as opposed to, say, including the Referred Token Binding ID in an
+ application-level message as part of the redirect URL) is one way to
+ assure that the man-in-the-middle between the client and the Token
+ Consumer cannot affect the communication of the Referred Token
+ Binding ID to the Token Provider.
+
+ Therefore, the Sec-Token-Binding header field in the federated
+ sign-on use case contains both a proof of possession of the provided
+ Token Binding key and a proof of possession of the referred Token
+ Binding key.
+
+ Note that the presence of Token Binding does not relieve the Token
+ Provider and Token Consumer from performing various checks to ensure
+ the security of clients during the use of federated sign-on
+ protocols. These include the following:
+
+ o The Token Provider should not issue tokens to Token Consumers that
+ have been shown to act maliciously. To aid in this, the
+ federation protocol should identify the Token Consumer to the
+ Token Provider (e.g., through OAuth client IDs or similar
+ mechanisms), and the Token Provider should ensure that tokens are
+ indeed issued to the Token Consumer identified in the token
+ request (e.g., by verifying that the redirect URI is associated
+ with the OAuth client ID).
+
+
+
+
+
+
+
+
+
+
+
+Popov, et al. Standards Track [Page 19]
+
+RFC 8473 Token Binding over HTTP October 2018
+
+
+ o The Token Consumer should verify that the tokens were issued for
+ it and not for some other Token Consumer. To aid in this, the
+ federation protocol should include an audience parameter in the
+ token response or apply equivalent mechanisms (the implicit OAuth
+ flow requires Token Consumers to identify themselves when they
+ exchange OAuth authorization codes for OAuth refresh tokens,
+ leaving it up to the Token Provider to verify that the OAuth
+ authorization was delivered to the correct Token Consumer).
+
+8. Privacy Considerations
+
+8.1. Scoping of Token Binding Key Pairs
+
+ Clients use different Token Binding key pairs for different servers,
+ so as to not allow Token Binding to become a tracking tool across
+ different servers. However, the scoping of the Token Binding key
+ pairs to servers varies according to the scoping rules of the
+ application protocol (Section 4.1 of [RFC8471]).
+
+ In the case of HTTP cookies, servers may use Token Binding to secure
+ their cookies. These cookies can be attached to any subdomain of
+ effective top-level domains (eTLDs), and clients therefore should use
+ the same Token Binding key pair across such subdomains. This will
+ ensure that any server capable of receiving the cookie will see the
+ same Token Binding ID from the client and thus be able to verify the
+ Token Binding of the cookie. See Section 2.1 above.
+
+ If the client application is not a web browser, it may have
+ additional knowledge about the relationship between different
+ servers. For example, the client application might be aware of the
+ fact that two servers play the roles of Relying Party and Identity
+ Provider, respectively, in a federated sign-on protocol and that they
+ therefore share the identity of the user. In such cases, it is
+ permissible to use different Token Binding key-pair scoping rules,
+ such as using the same Token Binding key pair for both the Relying
+ Party and the Identity Provider. Absent such special knowledge,
+ conservative key-pair scoping rules should be used, assuring that
+ clients use different Token Binding key pairs with different servers.
+
+8.2. Lifetime of Token Binding Key Pairs
+
+ Token Binding key pairs do not have an expiration time. This means
+ that they can potentially be used by a server to track a user for an
+ extended period of time (similar to a long-lived cookie). HTTPS
+ clients such as web User Agents SHOULD therefore provide a user
+ interface for discarding Token Binding key pairs (similar to the
+ controls provided for deleting cookies).
+
+
+
+
+Popov, et al. Standards Track [Page 20]
+
+RFC 8473 Token Binding over HTTP October 2018
+
+
+ If a User Agent provides modes such as private browsing mode in which
+ the user is promised that browsing state such as cookies are
+ discarded after the session is over, the User Agent MUST also discard
+ Token Binding key pairs from such modes after the session is over.
+ Generally speaking, users should be given the same level of control
+ over the lifetime of Token Binding key pairs as they have over
+ cookies or other potential tracking mechanisms.
+
+8.3. Correlation
+
+ An application's various communicating endpoints that receive Token
+ Binding IDs for TLS connections other than their own obtain
+ information about the application's other TLS connections. (In this
+ context, "an application" is a combination of client-side and
+ server-side components, communicating over HTTPS, where the client
+ side may be web-browser-based, native-application-based, or both.)
+ These other Token Binding IDs can serve as correlation handles for
+ the endpoints of the other connections. If the receiving endpoints
+ are otherwise aware of these other connections, then no additional
+ information is being exposed. For instance, if in a redirect-based
+ federation protocol the Identity Provider and Relying Party already
+ possess URLs for one another, then also having Token Binding IDs for
+ these connections does not provide additional correlation
+ information. If not, by providing the other Token Binding IDs,
+ additional information is then exposed that can be used to correlate
+ the other endpoints. In such cases, a privacy analysis of enabled
+ correlations and their potential privacy impacts should be performed
+ as part of the application design decisions of how, and whether, to
+ utilize Token Binding.
+
+ Also, Token Binding implementations must take care to only reveal
+ Token Binding IDs to other endpoints if signaled to do so by the
+ application associated with a Token Binding ID; see Section 6
+ ("Implementation Considerations").
+
+ Finally, care should be taken to ensure that unrelated applications
+ do not obtain information about each other's Token Bindings. For
+ instance, a Token Binding implementation shared between multiple
+ applications on a given system should prevent unrelated applications
+ from obtaining each other's Token Binding information. This may be
+ accomplished by using techniques such as application isolation and
+ key segregation, depending upon system capabilities.
+
+
+
+
+
+
+
+
+
+Popov, et al. Standards Track [Page 21]
+
+RFC 8473 Token Binding over HTTP October 2018
+
+
+9. IANA Considerations
+
+ Below is the Internet Assigned Numbers Authority (IANA) "Permanent
+ Message Header Field Names" registration information per [RFC3864].
+
+ Header Field name: Sec-Token-Binding
+ Protocol: HTTP
+ Status: standard
+ Reference: This document
+
+ Header Field name: Include-Referred-Token-Binding-ID
+ Protocol: HTTP
+ Status: standard
+ Reference: This document
+
+10. References
+
+10.1. Normative References
+
+ [PSL] Mozilla, "Public Suffix List",
+ <https://publicsuffix.org/>.
+
+ [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
+ Requirement Levels", BCP 14, RFC 2119,
+ DOI 10.17487/RFC2119, March 1997,
+ <https://www.rfc-editor.org/info/rfc2119>.
+
+ [RFC2818] Rescorla, E., "HTTP Over TLS", RFC 2818,
+ DOI 10.17487/RFC2818, May 2000,
+ <https://www.rfc-editor.org/info/rfc2818>.
+
+ [RFC3864] Klyne, G., Nottingham, M., and J. Mogul, "Registration
+ Procedures for Message Header Fields", BCP 90, RFC 3864,
+ DOI 10.17487/RFC3864, September 2004,
+ <https://www.rfc-editor.org/info/rfc3864>.
+
+ [RFC4648] Josefsson, S., "The Base16, Base32, and Base64 Data
+ Encodings", RFC 4648, DOI 10.17487/RFC4648, October 2006,
+ <https://www.rfc-editor.org/info/rfc4648>.
+
+ [RFC5246] Dierks, T. and E. Rescorla, "The Transport Layer Security
+ (TLS) Protocol Version 1.2", RFC 5246,
+ DOI 10.17487/RFC5246, August 2008,
+ <https://www.rfc-editor.org/info/rfc5246>.
+
+ [RFC5705] Rescorla, E., "Keying Material Exporters for Transport
+ Layer Security (TLS)", RFC 5705, DOI 10.17487/RFC5705,
+ March 2010, <https://www.rfc-editor.org/info/rfc5705>.
+
+
+
+Popov, et al. Standards Track [Page 22]
+
+RFC 8473 Token Binding over HTTP October 2018
+
+
+ [RFC6265] Barth, A., "HTTP State Management Mechanism", RFC 6265,
+ DOI 10.17487/RFC6265, April 2011,
+ <https://www.rfc-editor.org/info/rfc6265>.
+
+ [RFC7230] Fielding, R., Ed. and J. Reschke, Ed., "Hypertext Transfer
+ Protocol (HTTP/1.1): Message Syntax and Routing",
+ RFC 7230, DOI 10.17487/RFC7230, June 2014,
+ <https://www.rfc-editor.org/info/rfc7230>.
+
+ [RFC7231] Fielding, R., Ed. and J. Reschke, Ed., "Hypertext Transfer
+ Protocol (HTTP/1.1): Semantics and Content", RFC 7231,
+ DOI 10.17487/RFC7231, June 2014,
+ <https://www.rfc-editor.org/info/rfc7231>.
+
+ [RFC7541] Peon, R. and H. Ruellan, "HPACK: Header Compression for
+ HTTP/2", RFC 7541, DOI 10.17487/RFC7541, May 2015,
+ <https://www.rfc-editor.org/info/rfc7541>.
+
+ [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
+ 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,
+ May 2017, <https://www.rfc-editor.org/info/rfc8174>.
+
+ [RFC8471] Popov, A., Ed., Nystroem, M., Balfanz, D., and J. Hodges,
+ "The Token Binding Protocol Version 1.0", RFC 8471,
+ DOI 10.17487/RFC8471, October 2018,
+ <https://www.rfc-editor.org/info/rfc8471>.
+
+ [RFC8472] Popov, A., Ed., Nystroem, M., and D. Balfanz, "Transport
+ Layer Security (TLS) Extension for Token Binding Protocol
+ Negotiation", RFC 8472, DOI 10.17487/RFC8472, October
+ 2018, <https://www.rfc-editor.org/info/rfc8472>.
+
+10.2. Informative References
+
+ [fetch-spec]
+ WhatWG, "Fetch", Living Standard,
+ <https://fetch.spec.whatwg.org/>.
+
+ [OASIS.saml-core-2.0-os]
+ Cantor, S., Kemp, J., Philpott, R., and E. Maler,
+ "Assertions and Protocols for the OASIS Security Assertion
+ Markup Language (SAML) V2.0", OASIS Standard
+ saml-core-2.0-os, March 2005, <http://docs.oasis-open.org/
+ security/saml/v2.0/saml-core-2.0-os.pdf>.
+
+
+
+
+
+
+
+Popov, et al. Standards Track [Page 23]
+
+RFC 8473 Token Binding over HTTP October 2018
+
+
+ [OASIS.saml-prof-2.0-os]
+ Hughes, J., Ed., Cantor, S., Ed., Hodges, J., Ed., Hirsch,
+ F., Ed., Mishra, P., Ed., Philpott, R., Ed., and E. Maler,
+ Ed., "Profiles for the OASIS Security Assertion Markup
+ Language (SAML) V2.0", OASIS Standard
+ OASIS.saml-profiles-2.0-os, March 2005,
+ <http://docs.oasis-open.org/security/
+ saml/v2.0/saml-profiles-2.0-os.pdf>.
+
+ [OpenID.Core]
+ Sakimura, N., Bradley, J., Jones, M., de Medeiros, B., and
+ C. Mortimore, "OpenID Connect Core 1.0 incorporating
+ errata set 1", November 2014,
+ <http://openid.net/specs/openid-connect-core-1_0.html>.
+
+ [RFC6749] Hardt, D., Ed., "The OAuth 2.0 Authorization Framework",
+ RFC 6749, DOI 10.17487/RFC6749, October 2012,
+ <https://www.rfc-editor.org/info/rfc6749>.
+
+ [RFC7540] Belshe, M., Peon, R., and M. Thomson, Ed., "Hypertext
+ Transfer Protocol Version 2 (HTTP/2)", RFC 7540,
+ DOI 10.17487/RFC7540, May 2015,
+ <https://www.rfc-editor.org/info/rfc7540>.
+
+ [TOKENBIND-TLS13]
+ Harper, N., "Token Binding for Transport Layer Security
+ (TLS) Version 1.3 Connections", Work in Progress,
+ draft-ietf-tokbind-tls13-01, May 2018.
+
+ [W3C.REC-DOM-Level-3-Core-20040407]
+ Le Hors, A., Ed., Le Hegaret, P., Ed., Wood, L., Ed.,
+ Nicol, G., Ed., Robie, J., Ed., Champion, M., Ed., and S.
+ Byrne, Ed., "Document Object Model (DOM) Level 3 Core
+ Specification", World Wide Web Consortium Recommendation
+ REC-DOM-Level-3-Core-20040407, April 2004,
+ <https://www.w3.org/TR/2004/
+ REC-DOM-Level-3-Core-20040407>.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Popov, et al. Standards Track [Page 24]
+
+RFC 8473 Token Binding over HTTP October 2018
+
+
+Acknowledgements
+
+ This document incorporates comments and suggestions offered by Eric
+ Rescorla, Gabriel Montenegro, Martin Thomson, Vinod Anupam, Anthony
+ Nadalin, Michael B. Jones, Bill Cox, Brian Campbell, and others.
+
+ This document was produced under the chairmanship of John Bradley and
+ Leif Johansson. The area directors included Eric Rescorla, Kathleen
+ Moriarty, and Stephen Farrell.
+
+Authors' Addresses
+
+ Andrei Popov
+ Microsoft Corp.
+ United States of America
+
+ Email: andreipo@microsoft.com
+
+
+ Magnus Nystroem
+ Microsoft Corp.
+ United States of America
+
+ Email: mnystrom@microsoft.com
+
+
+ Dirk Balfanz (editor)
+ Google Inc.
+ United States of America
+
+ Email: balfanz@google.com
+
+
+ Nick Harper
+ Google Inc.
+ United States of America
+
+ Email: nharper@google.com
+
+
+ Jeff Hodges
+ Kings Mountain Systems
+ United States of America
+
+ Email: Jeff.Hodges@KingsMountain.com
+
+
+
+
+
+
+Popov, et al. Standards Track [Page 25]
+