Token Binding is a new IETF protocol enabling strong cryptographic defenses against the use of stolen security tokens. This session will provide a technical overview of how Token Binding works and its application to session cookies and higher level protocols like OpenID Connect and OAuth. Bad jokes and gratuitous photography will be included to take the edge off the otherwise very nerdy content.
Still believe it’s important
Needed to justify coming here
Slow process
Spring of 2016 at IETF 95 in Buenos Aires, where I got more serious about Token Binding
From real job vs. pretend aspirational career
Protections aplenty, but compromise still happens
Subdomain Takeovers (e.g. Uber in late 2017)
Some are critical of HttpOnly because it is narrow, but it does this one thing
Spring 2015 at IETF 92 Dallas
Inoculate against use by unauthorized party
IETF 100 in Singapore just one of the meetings involving this work
First discussed in a BA hotel room at IETF 95, April 2016
First presented by Mike at IETF 96 in Berlin, July 2016
First floated the idea at IETF 97 in Seoul, November 2016