Re: [OAUTH-WG] Fwd: New Version Notification for draft-campbell-oauth-tls-client-auth-00.txt
Vladimir Dzhuvinov <vladimir@connect2id.com> Thu, 27 October 2016 02:43 UTC
Return-Path: <vladimir@connect2id.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A856C129974 for <oauth@ietfa.amsl.com>; Wed, 26 Oct 2016 19:43:33 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.92
X-Spam-Level:
X-Spam-Status: No, score=-1.92 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Pbfu9XkIENid for <oauth@ietfa.amsl.com>; Wed, 26 Oct 2016 19:43:31 -0700 (PDT)
Received: from p3plsmtpa06-05.prod.phx3.secureserver.net (p3plsmtpa06-05.prod.phx3.secureserver.net [173.201.192.106]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 54E10129560 for <oauth@ietf.org>; Wed, 26 Oct 2016 19:43:31 -0700 (PDT)
Received: from [192.168.1.10] ([79.100.136.247]) by :SMTPAUTH: with SMTP id zaefbJHgwNPPszaegb7uGO; Wed, 26 Oct 2016 19:43:00 -0700
To: Brian Campbell <bcampbell@pingidentity.com>
References: <147613227959.31428.2920748721017165266.idtracker@ietfa.amsl.com> <9CDE07EB-E5B4-43B2-B3C1-F12569CAB458@ve7jtb.com> <26838e0e-1aee-04ca-4f7e-f6cff8dcfacf@connect2id.com> <CA+k3eCQaWm+O8VMNGGJG41j=dW2vqa4n6QZgKmVM9=d0HxgnCA@mail.gmail.com>
From: Vladimir Dzhuvinov <vladimir@connect2id.com>
Organization: Connect2id Ltd.
Message-ID: <853d5445-72e4-a1fb-b89c-919864f051f6@connect2id.com>
Date: Thu, 27 Oct 2016 05:42:57 +0300
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Thunderbird/45.3.0
MIME-Version: 1.0
In-Reply-To: <CA+k3eCQaWm+O8VMNGGJG41j=dW2vqa4n6QZgKmVM9=d0HxgnCA@mail.gmail.com>
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg="sha-256"; boundary="------------ms080506020103030800010909"
X-CMAE-Envelope: MS4wfMerM6TXDbcUjEoX9KKn+FiarPUoxZ4yely5ymwBhDwT+wXGuAjfZExKMRbl/JBCvJ91dAnVJg4/7qMaAGzfKvnxj8a0mFvfXPpnoo1/RPV+scqq1mmg QXBjngoo1vag50Zn01ugq5lBKAtzuF4nSHBRAD/zUEEzfs4YMEm+WToZEe2Vp8T3loJ/4rIaJvB2l9tNvOPD2HkJi/B4X048qRVAfaCQpSt+NpacJ/1etz+h 6GflkNovql/Kd4Br/P4hv69EVu8lN9wO1wwU/bwJ/o908NR7MbYn4X/y2YdO2Bgv
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/61FCfjkV3gETDJrHjHkvKJFJO9g>
Cc: Nat Sakimura via Openid-specs-fapi <openid-specs-fapi@lists.openid.net>, OAuth WG <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Fwd: New Version Notification for draft-campbell-oauth-tls-client-auth-00.txt
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 27 Oct 2016 02:43:34 -0000
I see. Do you reckon the AS could simply probe the likely cert places for containing the client_id? My reasoning is that there aren't that many places where you could stick the client_id (let me know if I'm wrong). If the AS is in doubt it will respond with invalid_client. I'm starting to think this can work quite well. No extra meta param will be needed (of which we have enough already). On 22/10/16 01:51, Brian Campbell wrote: > I did consider something like that but stopped short of putting it in the > -00 document. I'm not convinced that some metadata around it would really > contribute to interop one way or the other. I also wanted to get the basic > concept written down before going too far into the weeds. But I'd be open > to adding something along those lines in future revisions, if there's some > consensus that it'd be useful. > > On Mon, Oct 17, 2016 at 2:47 AM, Vladimir Dzhuvinov <vladimir@connect2id.com >> wrote: >> Superb, I welcome that! >> >> Regarding https://tools.ietf.org/html/draft-campbell-oauth-tls- >> client-auth-00#section-5.2 : >> >> My concern is that the choice of how to bind the client identity is left >> to implementers, and that may eventually become an interop problem. >> Have you considered some kind of an open ended enumeration of the possible >> binding methods, and giving them some identifiers or names, so that AS / >> OPs can advertise them in their metadata, and clients register accordingly? >> >> For example: >> >> "tls_client_auth_bind_methods_supported" : [ "subject_alt_name_match", >> "subject_public_key_info_match" ] >> >> >> Cheers, >> >> Vladimir >> >> On 10/10/16 23:59, John Bradley wrote: >> >> At the request of the OpenID Foundation Financial Services API Working group, Brian Campbell and I have documented >> mutual TLS client authentication. This is something that lots of people do in practice though we have never had a spec for it. >> >> The Banks want to use it for some server to server API use cases being driven by new open banking regulation. >> >> The largest thing in the draft is the IANA registration of “tls_client_auth” Token Endpoint authentication method for use in Registration and discovery. >> >> The trust model is intentionally left open so that you could use a “common name” and a restricted list of CA or a direct lookup of the subject public key against a reregistered value, or something in between. >> >> I hope that this is non controversial and the WG can adopt it quickly. >> >> Regards >> John B. >> >> >> >> >> >> Begin forwarded message: >> >> From: internet-drafts@ietf.org >> Subject: New Version Notification for draft-campbell-oauth-tls-client-auth-00.txt >> Date: October 10, 2016 at 5:44:39 PM GMT-3 >> To: "Brian Campbell" <brian.d.campbell@gmail.com> <brian.d.campbell@gmail.com>, "John Bradley" <ve7jtb@ve7jtb.com> <ve7jtb@ve7jtb.com> >> >> >> A new version of I-D, draft-campbell-oauth-tls-client-auth-00.txt >> has been successfully submitted by John Bradley and posted to the >> IETF repository. >> >> Name: draft-campbell-oauth-tls-client-auth >> Revision: 00 >> Title: Mutual X.509 Transport Layer Security (TLS) Authentication for OAuth Clients >> Document date: 2016-10-10 >> Group: Individual Submission >> Pages: 5 >> URL: https://www.ietf.org/internet-drafts/draft-campbell-oauth-tls-client-auth-00.txt >> Status: https://datatracker.ietf.org/doc/draft-campbell-oauth-tls-client-auth/ >> Htmlized: https://tools.ietf.org/html/draft-campbell-oauth-tls-client-auth-00 >> >> >> Abstract: >> This document describes X.509 certificates as OAuth client >> credentials using Transport Layer Security (TLS) mutual >> authentication as a mechanism for client authentication to the >> authorization server's token endpoint. >> >> >> >> >> Please note that it may take a couple of minutes from the time of submission >> until the htmlized version and diff are available at tools.ietf.org. >> >> The IETF Secretariat >> >> >> >> >> _______________________________________________ >> OAuth mailing listOAuth@ietf.orghttps://www.ietf.org/mailman/listinfo/oauth >> >> >> >> _______________________________________________ >> OAuth mailing list >> OAuth@ietf.org >> https://www.ietf.org/mailman/listinfo/oauth >> >>
- [OAUTH-WG] Fwd: New Version Notification for draf… John Bradley
- Re: [OAUTH-WG] [Openid-specs-fapi] Fwd: New Versi… Preibisch, Sascha H
- Re: [OAUTH-WG] Fwd: New Version Notification for … Vladimir Dzhuvinov
- Re: [OAUTH-WG] Fwd: New Version Notification for … Brian Campbell
- Re: [OAUTH-WG] Fwd: New Version Notification for … Vladimir Dzhuvinov
- Re: [OAUTH-WG] Fwd: New Version Notification for … Samuel Erdtman
- Re: [OAUTH-WG] Fwd: New Version Notification for … Brian Campbell
- Re: [OAUTH-WG] Fwd: New Version Notification for … Brian Campbell
- Re: [OAUTH-WG] Fwd: New Version Notification for … Samuel Erdtman
- Re: [OAUTH-WG] Fwd: New Version Notification for … Brian Campbell
- Re: [OAUTH-WG] Fwd: New Version Notification for … Justin Richer
- Re: [OAUTH-WG] Fwd: New Version Notification for … Jim Manico
- Re: [OAUTH-WG] Fwd: New Version Notification for … Justin Richer
- Re: [OAUTH-WG] Fwd: New Version Notification for … Jim Manico
- Re: [OAUTH-WG] New Version Notification for draft… Justin Richer
- Re: [OAUTH-WG] New Version Notification for draft… Jim Manico
- Re: [OAUTH-WG] New Version Notification for draft… Samuel Erdtman
- Re: [OAUTH-WG] New Version Notification for draft… Sergey Beryozkin
- Re: [OAUTH-WG] New Version Notification for draft… Jim Manico
- Re: [OAUTH-WG] Fwd: New Version Notification for … Brian Campbell
- Re: [OAUTH-WG] New Version Notification for draft… John Bradley
- Re: [OAUTH-WG] New Version Notification for draft… Phil Hunt (IDM)
- Re: [OAUTH-WG] New Version Notification for draft… Samuel Erdtman
- Re: [OAUTH-WG] New Version Notification for draft… Phil Hunt (IDM)
- Re: [OAUTH-WG] New Version Notification for draft… Vladimir Dzhuvinov
- Re: [OAUTH-WG] New Version Notification for draft… Sergey Beryozkin
- Re: [OAUTH-WG] Fwd: New Version Notification for … Samuel Erdtman
- Re: [OAUTH-WG] Fwd: New Version Notification for … Brian Campbell
- Re: [OAUTH-WG] Fwd: New Version Notification for … Samuel Erdtman
- Re: [OAUTH-WG] Fwd: New Version Notification for … Samuel Erdtman
- Re: [OAUTH-WG] Fwd: New Version Notification for … Brian Campbell
- Re: [OAUTH-WG] Fwd: New Version Notification for … Torsten Lodderstedt
- Re: [OAUTH-WG] New Version Notification for draft… Justin Richer
- Re: [OAUTH-WG] New Version Notification for draft… Torsten Lodderstedt
- Re: [OAUTH-WG] New Version Notification for draft… Justin Richer
- Re: [OAUTH-WG] New Version Notification for draft… Torsten Lodderstedt
- Re: [OAUTH-WG] New Version Notification for draft… Brian Campbell
- Re: [OAUTH-WG] New Version Notification for draft… Brian Campbell
- Re: [OAUTH-WG] New Version Notification for draft… Justin Richer
- Re: [OAUTH-WG] Fwd: New Version Notification for … Samuel Erdtman
- Re: [OAUTH-WG] New Version Notification for draft… Samuel Erdtman
- Re: [OAUTH-WG] New Version Notification for draft… Brian Campbell
- Re: [OAUTH-WG] New Version Notification for draft… Brian Campbell
- Re: [OAUTH-WG] New Version Notification for draft… Samuel Erdtman
- Re: [OAUTH-WG] New Version Notification for draft… Jim Manico