|
392 | 392 | <t>The scoping of Token Binding key pairs generated by Web browsers for use in |
393 | 393 | first-party and federation use cases defined in this |
394 | 394 | specification (<xref target="federation"/>, below), and intended for |
395 | | - binding HTTP cookies, MUST be at the |
396 | | - granularity of "effective top-level domain (public suffix) + 1" (eTLD+1). |
| 395 | + binding HTTP cookies, MUST be no wider than the |
| 396 | + granularity of "effective top-level domain (public suffix) + 1" (eTLD+1). |
397 | 397 | I.e., at the same granularity at which cookies can be set |
398 | | - (see <xref target="RFC6265"/>).</t> |
| 398 | + (see <xref target="RFC6265"/>). |
| 399 | + Though, this scoping MAY be more narrow if cookies are scoped more narrowly.</t> |
399 | 400 |
|
400 | 401 | <t>Key pairs used to bind other application |
401 | 402 | tokens, such as OAuth tokens or Open ID Connect "ID Tokens", SHOULD generally |
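Review bot: the added line 399 ("Though, this scoping MAY be more narrow if cookies are scoped more narrowly.") is a sentence fragment and restates what "MUST be no wider than" on line 395 already permits, so the MAY adds no new requirement; it also leaves the preceding "I.e., at the same granularity at which cookies can be set" reading as if eTLD+1 were still the exact granularity rather than the upper bound. Consider folding the two into one sentence, e.g. "... (eTLD+1), i.e. no wider than the widest scope at which cookies can be set (see RFC 6265), and narrower where the cookies being bound are themselves scoped more narrowly." That keeps the normative statement in one place and makes explicit that the bound is the cookie scope, not a fixed eTLD+1 value.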
|
485 | 486 | connection between the client and the Relying Party, thus |
486 | 487 | ensuring that only said client can use the identity token; the |
487 | 488 | Relying Party will compare the Token Binding ID (or a cryptographic |
488 | | - hash of it) in the identity token with the Token Binding ID of the |
| 489 | + hash of it) in the identity token with the Token Binding ID (or a hash |
| 490 | + thereof) of the |
489 | 491 | TLS connection between it and the client.</t> |
490 | 492 | <t>This is an example of a federation scenario, which more |
491 | 493 | generally can be described as follows: |
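Review bot: the new parenthetical "(or a hash thereof)" on lines 489-490 is ambiguous about which side is hashed. As written, the Relying Party may compare a hash carried in the identity token against the raw Token Binding ID of the connection, or vice versa, which cannot match. The intent is presumably that the RP compares like with like: when the token carries a hash of the Token Binding ID, the RP hashes the connection's Token Binding ID with the same function before comparing. Suggest stating that directly, e.g. "... with the Token Binding ID of the TLS connection between it and the client (hashed with the same function, if the identity token carries a hash rather than the ID itself)." Naming the hash function (or where it is specified) would also help implementers avoid a mismatch between the Token Provider's and the Relying Party's computation.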
@@ -968,7 +970,7 @@ contexts. Other approaches are possible, but are outside the scope of this speci |
968 | 970 | the man-in-the-middle controls the redirect URL and can tamper with |
969 | 971 | any redirect URL issued by the Token Consumer (as well as with any |
970 | 972 | Javascript running in the origin of the Token Consumer). The goal of |
971 | | - the man-in-the-middle is to trick the Token Provider to issuing a token |
| 973 | + the man-in-the-middle is to trick the Token Provider into issuing a token |
972 | 974 | bound to its Token Binding ID, not to |
973 | 975 | the Token Binding ID of the legitimate client. To thwart this goal |
974 | 976 | of the man-in-the-middle, the client's referred Token Binding ID |
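Review bot: the wording fix on line 973 ("trick the Token Provider into issuing a token") is correct and self-contained. While touching this paragraph, the unchanged context line 972 still spells "Javascript" where the rest of the document and common usage have "JavaScript"; worth fixing in the same editorial pass rather than a separate commit.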
|