Token Binding over HTTP
RFC 8473, “Token Binding over HTTP”, is a Proposed Standard document published in October 2018 by A. Popov, M. Nystroem, D. Balfanz, N. Harper, J. Hodges. The canonical text is published by the RFC Editor.
Abstract
This document describes a collection of mechanisms that allow HTTP servers to cryptographically bind security tokens (such as cookies and OAuth tokens) to TLS connections.
We describe both first-party and federated scenarios. In a first- party scenario, an HTTP server is able to cryptographically bind the security tokens that it issues to a client -- and that the client subsequently returns to the server -- to the TLS connection between the client and the server. Such bound security tokens are protected from misuse, since the server can generally detect if they are replayed inappropriately, e.g., over other TLS connections.
Federated Token Bindings, on the other hand, allow servers to cryptographically bind security tokens to a TLS connection that the client has with a different server than the one issuing the token.
This document is a companion document to "The Token Binding Protocol Version 1.0" (RFC 8471).
What “Proposed Standard” means
An entry-level standards-track specification: stable, peer-reviewed and a solid basis for implementation, though it may still evolve before becoming an Internet Standard.
The canonical text of RFC 8473 is hosted at rfc-editor.org. Available in TXT,HTML.
- RFC 8472 Transport Layer Security Extension for Token Binding Protocol Negotiation
- RFC 8474 IMAP Extension for Object Identifiers
- RFC 8471 The Token Binding Protocol Version 1.0
- RFC 8475 Using Conditional Router Advertisements for Enterprise Multihoming
- RFC 8470 Using Early Data in HTTP
- RFC 8476 Signaling Maximum SID Depth Using OSPF
- RFC 8469 Recommendation to Use the Ethernet Control Word
- RFC 8477 Report from the Internet of Things Semantic Interoperability Workshop 2016