Search RFCs
RFC 8473
Token Binding over HTTP,October 2018
- File formats:
- Status:
- PROPOSED STANDARD
- Authors:
- A. Popov
M. Nystroem
D. Balfanz, Ed.
N. Harper
J. Hodges - Stream:
- IETF
- Source:
- tokbind (sec)
Cite this RFC:TXT | XML | BibTeX
DOI: https://doi.org/10.17487/RFC8473
Discuss this RFC: Send questions or comments to the mailing listunbearable@ietf.org
Other actions:Submit Errata | Find IPR Disclosures from the IETF | View History of RFC 8473
Abstract
This document describes a collection of mechanisms that allow HTTPservers to cryptographically bind security tokens (such as cookiesand OAuth tokens) to TLS connections.
We describe both first-party and federated scenarios. In a first-party scenario, an HTTP server is able to cryptographically bind thesecurity tokens that it issues to a client -- and that the clientsubsequently returns to the server -- to the TLS connection betweenthe client and the server. Such bound security tokens are protectedfrom misuse, since the server can generally detect if they arereplayed inappropriately, e.g., over other TLS connections.
Federated Token Bindings, on the other hand, allow servers tocryptographically bind security tokens to a TLS connection that theclient has with a different server than the one issuing the token.
This document is a companion document to "The Token Binding Protocol Version 1.0" (RFC 8471).
For the definition ofStatus,seeRFC 2026.
For the definition ofStream, seeRFC 8729.