The document seems ready with two minor editorial nits:

1. The first sentence is as follows: "Often, servers generate various security tokens (e.g. HTTP cookies, OAuth [RFC6749] tokens)". If you reference the OAuth RFC, you should also reference the HTTP cookie RFC (RFC 6265).

2. The term "bound token" appears in section 2 without any definition. Perhaps add something like "An application token contained in a token binding message is called a bound token".

Other than that, the document is well written and the security issues are dealt with well in sections 4 and 5 as well as the security considerations section (7).