Token Binding over HTTP
RFC 8473
Internet Engineering Task Force (IETF) A. Popov
Request for Comments: 8473 M. Nystroem
Category: Standards Track Microsoft Corp.
ISSN: 2070-1721 D. Balfanz, Ed.
N. Harper
Google Inc.
J. Hodges
Kings Mountain Systems
October 2018
Token Binding over HTTP
Abstract
This document describes a collection of mechanisms that allow HTTP
servers to cryptographically bind security tokens (such as cookies
and OAuth tokens) to TLS connections.
We describe both first-party and federated scenarios. In a first-
party scenario, an HTTP server is able to cryptographically bind the
security tokens that it issues to a client -- and that the client
subsequently returns to the server -- to the TLS connection between
the client and the server. Such bound security tokens are protected
from misuse, since the server can generally detect if they are
replayed inappropriately, e.g., over other TLS connections.
Federated Token Bindings, on the other hand, allow servers to
cryptographically bind security tokens to a TLS connection that the
client has with a different server than the one issuing the token.
This document is a companion document to "The Token Binding Protocol
Version 1.0" (RFC 8471).
Status of This Memo
This is an Internet Standards Track document.
This document is a product of the Internet Engineering Task Force
(IETF). It represents the consensus of the IETF community. It has
received public review and has been approved for publication by the
Internet Engineering Steering Group (IESG). Further information on
Internet Standards is available in Section 2 of RFC 7841.
Information about the current status of this document, any errata,
and how to provide feedback on it may be obtained at
https://www.rfc-editor.org/info/rfc8473.
Popov, et al. Standards Track [Page 1]
RFC 8473 Token Binding over HTTP October 2018
Copyright Notice
Copyright (c) 2018 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(https://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License.
Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3
1.1. Requirements Language . . . . . . . . . . . . . . . . . . 3
2. The Sec-Token-Binding HTTP Request Header Field . . . . . . . 4
2.1. HTTPS Token Binding Key-Pair Scoping . . . . . . . . . . 5
3. TLS Renegotiation . . . . . . . . . . . . . . . . . . . . . . 6
4. First-Party Use Cases . . . . . . . . . . . . . . . . . . . . 7
5. Federation Use Cases . . . . . . . . . . . . . . . . . . . . 7
5.1. Introduction . . . . . . . . . . . . . . . . . . . . . . 7
5.2. Overview . . . . . . . . . . . . . . . . . . . . . . . . 8
5.3. HTTP Redirects . . . . . . . . . . . . . . . . . . . . . 10
5.4. Negotiated Key Parameters . . . . . . . . . . . . . . . . 12
5.5. Federation Example . . . . . . . . . . . . . . . . . . . 13
6. Implementation Considerations . . . . . . . . . . . . . . . . 15
7. Security Considerations . . . . . . . . . . . . . . . . . . . 16
7.1. Security Token Replay . . . . . . . . . . . . . . . . . . 16
7.2. Sensitivity of the Sec-Token-Binding Header . . . . . . . 16
7.3. Securing Federated Sign-On Protocols . . . . . . . . . . 17
8. Privacy Considerations . . . . . . . . . . . . . . . . . . . 20
8.1. Scoping of Token Binding Key Pairs . . . . . . . . . . . 20
8.2. Lifetime of Token Binding Key Pairs . . . . . . . . . . . 20
8.3. Correlation . . . . . . . . . . . . . . . . . . . . . . . 21
9. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 22
10. References . . . . . . . . . . . . . . . . . . . . . . . . . 22
10.1. Normative References . . . . . . . . . . . . . . . . . . 22
10.2. Informative References . . . . . . . . . . . . . . . . . 23
Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . . 25
Show full document text