IETF Logo Mail Archive

Re: [OAUTH-WG] Fwd: New Version Notification for draft-campbell-oauth-tls-client-auth-00.txt

Vladimir Dzhuvinov <vladimir@connect2id.com> Thu, 27 October 2016 02:43 UTC

Return-Path: <vladimir@connect2id.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A856C129974 for <oauth@ietfa.amsl.com>; Wed, 26 Oct 2016 19:43:33 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.92
X-Spam-Level:
X-Spam-Status: No, score=-1.92 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Pbfu9XkIENid for <oauth@ietfa.amsl.com>; Wed, 26 Oct 2016 19:43:31 -0700 (PDT)
Received: from p3plsmtpa06-05.prod.phx3.secureserver.net (p3plsmtpa06-05.prod.phx3.secureserver.net [173.201.192.106]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 54E10129560 for <oauth@ietf.org>; Wed, 26 Oct 2016 19:43:31 -0700 (PDT)
Received: from [192.168.1.10] ([79.100.136.247]) by :SMTPAUTH: with SMTP id zaefbJHgwNPPszaegb7uGO; Wed, 26 Oct 2016 19:43:00 -0700
To: Brian Campbell <bcampbell@pingidentity.com>
References: <147613227959.31428.2920748721017165266.idtracker@ietfa.amsl.com> <9CDE07EB-E5B4-43B2-B3C1-F12569CAB458@ve7jtb.com> <26838e0e-1aee-04ca-4f7e-f6cff8dcfacf@connect2id.com> <CA+k3eCQaWm+O8VMNGGJG41j=dW2vqa4n6QZgKmVM9=d0HxgnCA@mail.gmail.com>
From: Vladimir Dzhuvinov <vladimir@connect2id.com>
Organization: Connect2id Ltd.
Message-ID: <853d5445-72e4-a1fb-b89c-919864f051f6@connect2id.com>
Date: Thu, 27 Oct 2016 05:42:57 +0300
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Thunderbird/45.3.0
MIME-Version: 1.0
In-Reply-To: <CA+k3eCQaWm+O8VMNGGJG41j=dW2vqa4n6QZgKmVM9=d0HxgnCA@mail.gmail.com>
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg="sha-256"; boundary="------------ms080506020103030800010909"
X-CMAE-Envelope: MS4wfMerM6TXDbcUjEoX9KKn+FiarPUoxZ4yely5ymwBhDwT+wXGuAjfZExKMRbl/JBCvJ91dAnVJg4/7qMaAGzfKvnxj8a0mFvfXPpnoo1/RPV+scqq1mmg QXBjngoo1vag50Zn01ugq5lBKAtzuF4nSHBRAD/zUEEzfs4YMEm+WToZEe2Vp8T3loJ/4rIaJvB2l9tNvOPD2HkJi/B4X048qRVAfaCQpSt+NpacJ/1etz+h 6GflkNovql/Kd4Br/P4hv69EVu8lN9wO1wwU/bwJ/o908NR7MbYn4X/y2YdO2Bgv
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/61FCfjkV3gETDJrHjHkvKJFJO9g>
Cc: Nat Sakimura via Openid-specs-fapi <openid-specs-fapi@lists.openid.net>, OAuth WG <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Fwd: New Version Notification for draft-campbell-oauth-tls-client-auth-00.txt
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 27 Oct 2016 02:43:34 -0000

I see. Do you reckon the AS could simply probe the likely cert places
for containing the client_id? My reasoning is that there aren't that
many places where you could stick the client_id (let me know if I'm
wrong). If the AS is in doubt it will respond with invalid_client. I'm
starting to think this can work quite well. No extra meta param will be
needed (of which we have enough already).

On 22/10/16 01:51, Brian Campbell wrote:
> I did consider something like that but stopped short of putting it in the
> -00 document. I'm not convinced that some metadata around it would really
> contribute to interop one way or the other. I also wanted to get the basic
> concept written down before going too far into the weeds. But I'd be open
> to adding something along those lines in future revisions, if there's some
> consensus that it'd be useful.
>
> On Mon, Oct 17, 2016 at 2:47 AM, Vladimir Dzhuvinov <vladimir@connect2id.com
>> wrote:
>> Superb, I welcome that!
>>
>> Regarding https://tools.ietf.org/html/draft-campbell-oauth-tls-
>> client-auth-00#section-5.2 :
>>
>> My concern is that the choice of how to bind the client identity is left
>> to implementers, and that may eventually become an interop problem.
>> Have you considered some kind of an open ended enumeration of the possible
>> binding methods, and giving them some identifiers or names, so that AS /
>> OPs can advertise them in their metadata, and clients register accordingly?
>>
>> For example:
>>
>> "tls_client_auth_bind_methods_supported" : [ "subject_alt_name_match",
>> "subject_public_key_info_match" ]
>>
>>
>> Cheers,
>>
>> Vladimir
>>
>> On 10/10/16 23:59, John Bradley wrote:
>>
>> At the request of the OpenID Foundation Financial Services API Working group, Brian Campbell and I have documented
>> mutual TLS client authentication.   This is something that lots of people do in practice though we have never had a spec for it.
>>
>> The Banks want to use it for some server to server API use cases being driven by new open banking regulation.
>>
>> The largest thing in the draft is the IANA registration of “tls_client_auth” Token Endpoint authentication method for use in Registration and discovery.
>>
>> The trust model is intentionally left open so that you could use a “common name” and a restricted list of CA or a direct lookup of the subject public key against a reregistered value,  or something in between.
>>
>> I hope that this is non controversial and the WG can adopt it quickly.
>>
>> Regards
>> John B.
>>
>>
>>
>>
>>
>> Begin forwarded message:
>>
>> From: internet-drafts@ietf.org
>> Subject: New Version Notification for draft-campbell-oauth-tls-client-auth-00.txt
>> Date: October 10, 2016 at 5:44:39 PM GMT-3
>> To: "Brian Campbell" <brian.d.campbell@gmail.com> <brian.d.campbell@gmail.com>, "John Bradley" <ve7jtb@ve7jtb.com> <ve7jtb@ve7jtb.com>
>>
>>
>> A new version of I-D, draft-campbell-oauth-tls-client-auth-00.txt
>> has been successfully submitted by John Bradley and posted to the
>> IETF repository.
>>
>> Name:		draft-campbell-oauth-tls-client-auth
>> Revision:	00
>> Title:		Mutual X.509 Transport Layer Security (TLS) Authentication for OAuth Clients
>> Document date:	2016-10-10
>> Group:		Individual Submission
>> Pages:		5
>> URL:            https://www.ietf.org/internet-drafts/draft-campbell-oauth-tls-client-auth-00.txt
>> Status:         https://datatracker.ietf.org/doc/draft-campbell-oauth-tls-client-auth/
>> Htmlized:       https://tools.ietf.org/html/draft-campbell-oauth-tls-client-auth-00
>>
>>
>> Abstract:
>>   This document describes X.509 certificates as OAuth client
>>   credentials using Transport Layer Security (TLS) mutual
>>   authentication as a mechanism for client authentication to the
>>   authorization server's token endpoint.
>>
>>
>>
>>
>> Please note that it may take a couple of minutes from the time of submission
>> until the htmlized version and diff are available at tools.ietf.org.
>>
>> The IETF Secretariat
>>
>>
>>
>>
>> _______________________________________________
>> OAuth mailing listOAuth@ietf.orghttps://www.ietf.org/mailman/listinfo/oauth
>>
>>
>>
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org
>> https://www.ietf.org/mailman/listinfo/oauth
>>
>>

v2.23.0 | Report a Bug | By Email