Closed: equalsJeffH closed this issue 7 years ago
This issue is relevant to all places in the spec where we mention "token binding".
I would like to propose closing this. It seems the IETF TB is close enough to implementation that the added complexity in a new spec like WebAuthn would not be worth it.
OK - Token Binding is in WG Last Call, so I'm fine with this.
The WebAuthn spec presently cites only the work-in-progress IETF Token Binding specs for purposes of cryptographically binding to the underlying TLS channel. Platform support for that spec will be forthcoming but not overnight (plus the spec is not finalized). There are other extant TLS channel binding mechanisms -- the Channel ID mechanism (implemented in Chrome) and the RFC 5929 mechanisms. Though RFC 5929 tls-unique is proven insecure and is deprecated, tls-server-end-point remains at least conceptually viable, and if there is support for it in the wild it should perhaps be cited (as an option) since Token Binding is only emergent.