{"draft":"draft-ietf-tokbind-https-18","doc_id":"RFC8473","title":"Token Binding over HTTP","authors":["A. Popov","M. Nystroem","D. Balfanz, Ed.","N. Harper","J. Hodges"],"format":["ASCII","HTML"],"page_count":"25","pub_status":"PROPOSED STANDARD","status":"PROPOSED STANDARD","source":"Token Binding","abstract":"This document describes a collection of mechanisms that allow HTTP\r\nservers to cryptographically bind security tokens (such as cookies\r\nand OAuth tokens) to TLS connections.\r\n\r\nWe describe both first-party and federated scenarios. In a first-\r\nparty scenario, an HTTP server is able to cryptographically bind the\r\nsecurity tokens that it issues to a client -- and that the client\r\nsubsequently returns to the server -- to the TLS connection between\r\nthe client and the server. Such bound security tokens are protected\r\nfrom misuse, since the server can generally detect if they are\r\nreplayed inappropriately, e.g., over other TLS connections.\r\n\r\nFederated Token Bindings, on the other hand, allow servers to\r\ncryptographically bind security tokens to a TLS connection that the\r\nclient has with a different server than the one issuing the token.\r\n\r\nThis document is a companion document to \"The Token Binding Protocol\r\nVersion 1.0\" (RFC 8471).","pub_date":"October 2018","keywords":["Cookie","TLS","OAuth","export","replay"],"obsoletes":[],"obsoleted_by":[],"updates":[],"updated_by":[],"see_also":[],"doi":"10.17487\/RFC8473","errata_url":null}