Re: [OAUTH-WG] New Version Notification for draft-campbell-oauth-tls-client-auth-00.txt

Justin Richer <jricher@mit.edu> Sun, 13 November 2016 05:24 UTC

From: Justin Richer <jricher@mit.edu>
To: Torsten Lodderstadt <torsten@lodderstedt.net>
Cc: Nat Sakimura via Openid-specs-fapi <openid-specs-fapi@lists.openid.net>, "<oauth@ietf.org>" <oauth@ietf.org>
Date: Sun, 13 Nov 2016 14:24:29 +0900
In-Reply-To: <5827F848.3060803@lodderstedt.net>
Message-Id: <2164E521-236F-46FC-AAF1-D2EE80F29BA9@mit.edu>
References: <147613227959.31428.2920748721017165266.idtracker@ietfa.amsl.com> <9CDE07EB-E5B4-43B2-B3C1-F12569CAB458@ve7jtb.com> <5827DE8A.4010807@lodderstedt.net> <4372F560-F98E-491B-BEDD-B02A2671D96C@mit.edu> <5827F848.3060803@lodderstedt.net>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/1pIpudBtZIrGB5nhWGqGaYEthpM>

As part of the client’s registered data model. At least, based on how our own implementation works (where we support client_secret_basic, private_key_jwt, etc.), that’s where we’d check to see if the client was supposed to be using TLS auth or not.

We don’t let clients switch away from their registered auth mechanism.

 — Justin

> On Nov 13, 2016, at 2:21 PM, Torsten Lodderstedt <torsten@lodderstedt.net> wrote:
> 
> Justin,
> 
> On 13.11.2016 at 13:39, Justin Richer wrote:
>> Torsten, I believe this is intended to be triggered by the tls_client_auth value specified in §3. 
> 
> in the token request?
> 
>> 
>> Nit on that section: the field name for the client metadata in RFC 7591 is token_endpoint_auth_method; the _supported version is from the corresponding discovery document.
>> 
>>  — Justin
>> 
> Torsten.
>>> On Nov 13, 2016, at 12:31 PM, Torsten Lodderstedt <torsten@lodderstedt.net> wrote:
>>> 
>>> Hi John and Brian,
>>> 
>>> thanks for writing this draft.
>>> 
>>> One question: how does the AS determine the authentication method is TLS authentication? I think you assume this is defined by the client-specific policy, independent of whether the client is registered automatically or manually. Would you mind explicitly stating this in the draft?
>>> 
>>> best regards,
>>> Torsten.
>>> 
>>> On 11.10.2016 at 05:59, John Bradley wrote:
>>>> At the request of the OpenID Foundation Financial Services API Working group, Brian Campbell and I have documented mutual TLS client authentication. This is something that lots of people do in practice, though we have never had a spec for it.
>>>> 
>>>> The Banks want to use it for some server to server API use cases being driven by new open banking regulation.
>>>> 
>>>> The largest thing in the draft is the IANA registration of “tls_client_auth” Token Endpoint authentication method for use in Registration and discovery.
>>>> 
>>>> The trust model is intentionally left open so that you could use a “common name” and a restricted list of CAs, or a direct lookup of the subject public key against a registered value, or something in between.
>>>> 
>>>> I hope that this is non controversial and the WG can adopt it quickly.
>>>> 
>>>> Regards
>>>> John B.
>>>> 
>>>> 
>>>> 
>>>> 
>>>>> Begin forwarded message:
>>>>> 
>>>>> From: internet-drafts@ietf.org
>>>>> Subject: New Version Notification for draft-campbell-oauth-tls-client-auth-00.txt
>>>>> Date: October 10, 2016 at 5:44:39 PM GMT-3
>>>>> To: "Brian Campbell" <brian.d.campbell@gmail.com>, "John Bradley" <ve7jtb@ve7jtb.com>
>>>>> 
>>>>> 
>>>>> A new version of I-D, draft-campbell-oauth-tls-client-auth-00.txt
>>>>> has been successfully submitted by John Bradley and posted to the
>>>>> IETF repository.
>>>>> 
>>>>> Name:		draft-campbell-oauth-tls-client-auth
>>>>> Revision:	00
>>>>> Title:		Mutual X.509 Transport Layer Security (TLS) Authentication for OAuth Clients
>>>>> Document date:	2016-10-10
>>>>> Group:		Individual Submission
>>>>> Pages:		5
>>>>> URL:            https://www.ietf.org/internet-drafts/draft-campbell-oauth-tls-client-auth-00.txt
>>>>> Status:         https://datatracker.ietf.org/doc/draft-campbell-oauth-tls-client-auth/
>>>>> Htmlized:       https://tools.ietf.org/html/draft-campbell-oauth-tls-client-auth-00
>>>>> 
>>>>> 
>>>>> Abstract:
>>>>>   This document describes X.509 certificates as OAuth client
>>>>>   credentials using Transport Layer Security (TLS) mutual
>>>>>   authentication as a mechanism for client authentication to the
>>>>>   authorization server's token endpoint.
>>>>> 
>>>>> 
>>>>> 
>>>>> 
>>>>> Please note that it may take a couple of minutes from the time of submission
>>>>> until the htmlized version and diff are available at tools.ietf.org.
>>>>> 
>>>>> The IETF Secretariat
>>>>> 
>>>> 
>>>> 
>>>> 
>>>> _______________________________________________
>>>> OAuth mailing list
>>>> OAuth@ietf.org
>>>> https://www.ietf.org/mailman/listinfo/oauth
>>> 
>> 
>
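An added example, not code from the draft, from Justin's implementation or from any other project named in this thread, showing the behaviour discussed above: the AS selects the client-authentication check from the client's registered token_endpoint_auth_method (the RFC 7591 client-metadata field) and refuses a client that tries to switch to a different mechanism at the token endpoint, and for tls_client_auth it applies whichever of the two trust models John describes was registered (subject name plus a restricted CA list, or a direct match of the subject public key against a registered value). The registry field names tls_client_auth_subject_dn, tls_client_auth_issuer_dns and tls_client_auth_spki_sha256, the client identifiers and secrets, and the assumption that the TLS terminator hands the token endpoint the peer certificate's subject DN, issuer DN and DER SubjectPublicKeyInfo are all inventions of this example, not anything the -00 draft defines.

```python
import base64
import hashlib
import hmac


class ClientAuthError(Exception):
    """Raised for any client-authentication failure at the token endpoint."""


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed client registry. token_endpoint_auth_method is the RFC 7591
# client-metadata field; the tls_client_auth_* field names, client ids and
# secrets are assumptions of this example, not defined by the -00 draft.
CLIENT_REGISTRY = {
    "bank-app": {  # trust model 1: registered subject name + restricted CA list
        "token_endpoint_auth_method": "tls_client_auth",
        "tls_client_auth_subject_dn": "CN=bank-app,O=Example Bank",
        "tls_client_auth_issuer_dns": ["CN=Example Bank Issuing CA,O=Example Bank"],
    },
    "spki-app": {  # trust model 2: pinned subject public key (SHA-256 of DER SPKI)
        "token_endpoint_auth_method": "tls_client_auth",
        "tls_client_auth_spki_sha256": sha256_hex(b"constructed-spki-der-for-spki-app"),
    },
    "legacy-app": {  # not a TLS-authenticated client at all
        "token_endpoint_auth_method": "client_secret_basic",
        "client_secret_sha256": sha256_hex(b"correct horse battery staple"),  # example only
    },
}

# Constructed views of the peer certificate as a TLS terminator might pass
# them to the token endpoint (assumed interface, not from the draft).
BANK_CERT = {"subject_dn": "CN=bank-app,O=Example Bank",
             "issuer_dn": "CN=Example Bank Issuing CA,O=Example Bank",
             "spki_der": b"constructed-spki-der-for-bank-app"}
ROGUE_CERT = dict(BANK_CERT, issuer_dn="CN=Some Other CA,O=Elsewhere")  # same name, unvetted CA
SPKI_CERT = {"subject_dn": "CN=whatever", "issuer_dn": "CN=Any CA",
             "spki_der": b"constructed-spki-der-for-spki-app"}


def basic_header(client_id: str, secret: str) -> str:
    return "Basic " + base64.b64encode(f"{client_id}:{secret}".encode()).decode()


def _basic_credentials(headers):
    """(client_id, secret) from an HTTP Basic Authorization header, or None."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Basic "):
        return None
    try:
        user, _, secret = base64.b64decode(auth[6:]).decode().partition(":")
    except ValueError:  # binascii.Error and UnicodeDecodeError are both ValueErrors
        raise ClientAuthError("malformed Basic credentials")
    return user, secret


def _check_tls_client_auth(reg, peer_cert):
    """Apply whichever tls_client_auth trust model was registered for the client."""
    if peer_cert is None:
        raise ClientAuthError("registered for tls_client_auth but no client certificate")
    if "tls_client_auth_spki_sha256" in reg:
        presented = sha256_hex(peer_cert["spki_der"])
        if not hmac.compare_digest(presented, reg["tls_client_auth_spki_sha256"]):
            raise ClientAuthError("subject public key does not match registered value")
        return
    if peer_cert["subject_dn"] != reg["tls_client_auth_subject_dn"]:
        raise ClientAuthError("certificate subject does not match registration")
    if peer_cert["issuer_dn"] not in reg["tls_client_auth_issuer_dns"]:
        raise ClientAuthError("certificate issuer is not in the client's allowed CA list")


def authenticate_client(request, registry=CLIENT_REGISTRY):
    """Authenticate a token request and return its client_id, else raise.

    request = {"form": {...}, "headers": {...}, "peer_cert": {...} or None}.
    Identify the client first, then run only the mechanism it registered with.
    """
    form, headers = request.get("form", {}), request.get("headers", {})
    basic = _basic_credentials(headers)
    client_id = form.get("client_id") or (basic[0] if basic else None)
    if client_id is None:
        raise ClientAuthError("no client_id in request")
    reg = registry.get(client_id)
    if reg is None:
        raise ClientAuthError("unknown client")
    if basic and basic[0] != client_id:
        raise ClientAuthError("client_id differs between form body and Basic credentials")
    method = reg["token_endpoint_auth_method"]
    if method == "tls_client_auth":
        if basic is not None:  # no switching to a secret at the token endpoint
            raise ClientAuthError("client registered for tls_client_auth presented a secret")
        _check_tls_client_auth(reg, request.get("peer_cert"))
    elif method == "client_secret_basic":
        if basic is None:  # a certificate alone earns this client nothing
            raise ClientAuthError("client registered for client_secret_basic presented no secret")
        if not hmac.compare_digest(sha256_hex(basic[1].encode()), reg["client_secret_sha256"]):
            raise ClientAuthError("bad client secret")
    else:
        raise ClientAuthError(f"unsupported token_endpoint_auth_method {method!r}")
    return client_id


def rejects(request) -> bool:
    """True if the request fails client authentication."""
    try:
        authenticate_client(request)
    except ClientAuthError:
        return True
    return False
```

The dispatch keys on the registration, never on which credentials happen to arrive: a client registered for tls_client_auth that sends an HTTP Basic secret is rejected outright, and a client registered for client_secret_basic gets no credit for presenting a certificate. In the name-based model the issuer check is what stops a certificate carrying the same common name from an unvetted CA; in the pinned-key model the issuing CA is irrelevant and only the key matters. In a real deployment the DER SubjectPublicKeyInfo would be taken from the parsed certificate (for instance with the cryptography package) and client secrets would be stored under a proper password hash rather than a bare SHA-256.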