TokenBinding/Internet-Drafts

Issues

• Use real examples in HTTPSTB

  #101 opened 7 years ago by balfanz
  1

• Cite RFC 2818

  #100 opened 7 years ago by balfanz
  0

• Explain necessity for signature on referred token binding

  #97 opened 7 years ago by balfanz
  1

• ramifications of longer EKMs

  #95 opened 7 years ago by b---c
  4

• Reconcile interactions between TBNEGO and TLS 1.3

  #98 opened 7 years ago by nharper
  1

• HTTPSTB: TODO remains wrt specifying sec-token-binding header field behavior

  #88 opened 8 years ago by equalsJeffH
  1

• HTTPSTB: TBPROTO: "token binding key" terminology ambiguity..

  #87 opened 8 years ago by equalsJeffH
  2

• out of sync reference in HTTPSTB to TBPROTO

  #91 opened 8 years ago by b---c
  0

• HTTPSTB: WGLC: web origin -> server or eTLD+1

  #85 opened 8 years ago by equalsJeffH
  2

• TBPROTO: TLS extension is not generic because the requirement is not generic

  #65 opened 8 years ago by martinthomson
  4

• HTTPSTB: Origin binding

  #69 opened 8 years ago by martinthomson
  2

• TBPROTO: Not using uncompressed point from X9.62

  #62 opened 8 years ago by martinthomson
  6

• TBPROTO: provide some examples

  #39 opened 8 years ago by b---c
  6

• HTTPSTB: explain why TB IDs are combined in one message, rather than sent in separate headers

  #26 opened 8 years ago by equalsJeffH
  4

• HTTPSTB: Clarify that clients are free to provide referred token bindings if necessary

  #79 opened 8 years ago by balfanz
  0

• HTTPSTB: Clarify that applications don't have to scope keys by eTLD+1

  #77 opened 8 years ago by balfanz
  1

• TBPROTO: TBNEGO: Clarifying Token Binding behavior with renegotiation

  #73 opened 8 years ago by equalsJeffH
  1

• TBPROTO: add threat model discussion wrt Token Binding for 0-RTT connections ?

  #74 opened 8 years ago by equalsJeffH
  1

• TBPROTO: EKM language is flawed (was: Clarifying Token Binding behavior with renegotiation)

  #75 opened 8 years ago by equalsJeffH
  1

• TBPROTO: Terminating connections

  #64 opened 8 years ago by martinthomson
  3

• TBPROTO: Clarify hazards of renegotiation wrt Token Binding

  #76 opened 8 years ago by equalsJeffH
  1

• HTTPSTB: MUST issue an unbound token -> MUST NOT issue a bound token?

  #59 opened 8 years ago by b---c
  1

• Are there two lengths for RSA?

  #60 opened 8 years ago by martinthomson
  1

• Token bindings of unknown types make later token bindings unusable

  #61 opened 8 years ago by martinthomson
  2

• SHOULD on linkability

  #63 opened 8 years ago by martinthomson
  1

• TokenBindingID select definition

  #66 opened 8 years ago by martinthomson
  1

• Clients that limit cookies

  #68 opened 8 years ago by martinthomson
  3

• HTTPSTB: clarify that browser sends referred TB even when eTLD+1 is the same

  #55 opened 8 years ago by b---c
  1

• What is signed?

  #67 opened 8 years ago by martinthomson
  4

• Clarify the use of SHA256 for PKCS and PSS padding. Define salt length for PSS.

  #70 opened 8 years ago by Andrei-Popov
  3

• HTTPSTB: Clarify that base64url encoding means no padding.

  #56 opened 8 years ago by balfanz
  3

• TBPROTO: add TB API guidance

  #53 opened 8 years ago by equalsJeffH
  0

• TBPROTO: add "TLS" to spec title

  #50 opened 8 years ago by equalsJeffH
  3

• HTTPSTB: add "TLS" to spec title?

  #51 opened 8 years ago by equalsJeffH
  2

• TBNEGO: right place for registration of key parameters?

  #41 opened 8 years ago by b---c
  1

• TBPROTO: Treating Token Binding ID as an opaque byte sequence

  #48 opened 8 years ago by equalsJeffH
  1

• HTTPSTB: use 'misuse' rather than 'theft' regarding theats to bound security tokens

  #45 opened 8 years ago by equalsJeffH
  0

• HTTPSTB: discuss scoping of token binding keys earlier in the document

  #33 opened 8 years ago by b---c
  3

• HTTPSTB: more explicitly state that referred token binding only sent on the redirect request

  #34 opened 8 years ago by b---c
  1

• HTTPSTB: use "same-site" rather than "first-party" terminology

  #44 opened 8 years ago by equalsJeffH
  3

• HTTPSTB: first-party sec token use cases

  #43 opened 8 years ago by equalsJeffH
  2

• HTTPSTB: add text to say that other federation mechanisms can be specified

  #25 opened 8 years ago by equalsJeffH
  1

• HTTPSTB: RP does not give "permission" to the client for RP TB ID sharing with IDP, it's a signal

  #28 opened 8 years ago by equalsJeffH
  1

• HTTPSTB: add text to say that it's not covering "IDP-first" federation

  #24 opened 8 years ago by equalsJeffH
  0

• HTTPSTB: different text re Triple Handshake Vulnerability than TBPROTO & TBNEGO

  #40 opened 8 years ago by b---c
  1

• HTTPSTB: make it URL-safe base64

  #27 opened 8 years ago by equalsJeffH
  2

• HTTPSTB: Add Acknowledgements

  #36 opened 8 years ago by b---c
  2

• HTTPSTB: distinct header for the referred Token Binding

  #35 opened 8 years ago by b---c
  3

• TBPROTO: ecdsap256 clarifications

  #38 opened 8 years ago by b---c
  2

• TBPROTO: add sec consideration about key separation between apps

  #29 opened 8 years ago by equalsJeffH
  2