Token Binding for 0-RTT TLS 1.3 Connections

Document Type Expired Internet-Draft (tokbind WG)
Author Nick Harper 
Last updated 2018-11-08 (latest revision 2017-06-28)
Replaces draft-nharper-0-rtt-token-binding
Stream IETF
Intended RFC status Proposed Standard
Expired & archived
pdf htmlized (tools) htmlized bibtex
Stream WG state Dead WG Document
Document shepherd No shepherd assigned
IESG IESG state Expired
Consensus Boilerplate Yes
Telechat date
Responsible AD (None)
Send notices to (None)

This Internet-Draft is no longer active. A copy of the expired Internet-Draft can be found at


This document describes how Token Binding can be used in the 0-RTT data of a TLS 1.3 connection. This involves a new TLS extension to negotiate and indicate the use of Token Binding in 0-RTT data. A TokenBindingMessage sent in 0-RTT data has different security properties than one sent after the TLS handshake has finished, which this document also describes.


Nick Harper (

(Note: The e-mail addresses provided for the authors of this Internet-Draft may no longer be valid.)