The Token Binding Protocol Version 1.0
Draft of message to be sent after approval:
From: The IESG <firstname.lastname@example.org> To: IETF-Announce <email@example.com> Cc: The IESG <firstname.lastname@example.org>, email@example.com, John Bradley <firstname.lastname@example.org>, email@example.com, firstname.lastname@example.org, email@example.com, firstname.lastname@example.org, email@example.com Subject: Protocol Action: 'The Token Binding Protocol Version 1.0' to Proposed Standard (draft-ietf-tokbind-protocol-19.txt) The IESG has approved the following document: - 'The Token Binding Protocol Version 1.0' (draft-ietf-tokbind-protocol-19.txt) as Proposed Standard This document is the product of the Token Binding Working Group. The IESG contact persons are Benjamin Kaduk and Eric Rescorla. A URL of this Internet Draft is: https://datatracker.ietf.org/doc/draft-ietf-tokbind-protocol/
Technical Summary The Token Binding protocol allows client/server applications to create long-lived, uniquely identifiable TLS bindings spanning multiple TLS sessions and connections. Applications are then enabled to cryptographically bind security tokens to the TLS layer, preventing token export and replay attacks. To protect privacy, the Token Binding identifiers are only conveyed over TLS and can be reset by the user at any time. Working Group Summary This document achieved WG consensus and had one objection. Document Quality Multiple Implementations of Token Binding exist and have undergone informal interoperability testing. Google has token binding behind a feature flag in Chrome that is currently defaulted off. They have also implemented it in their reverse proxy infrastructure. They have also added support to the boringssl open source project. Microsoft added support in Windows 10 RS2 at the beginning of 2017 (later back ported to RS1) . Edge and IE use that platform support. It is also available to other applications via system API. There is also support in ADFS. https://docs.microsoft.com/en-us/windows-server/security/token-binding/introducing-token-binding NGINX has an open source module https://github.com/google/ngx_token_binding Token Binding support for Apache https://github.com/google/ngx_token_binding Openssl patches in opensource https://github.com/google/token_bind Ping Identity has tested patches to Java and set up a test environment. https://www.ietf.org/mail-archive/web/unbearable/current/msg01332.html A useful slide share overview https://www.slideshare.net/Identiverse/beyond-bearer-token-binding-as-the-foundation-for-a-more-secure-web-cis-2017 Drafts using token binding exist in the OAuth work group and for OpenID Connect. Personnel John Bradley is the document shepherd and the responsible area director is Eric Rescorla.