Re: [OAUTH-WG] I-D Action: draft-ietf-oauth-mtls-08.txt

Justin Richer <jricher@mit.edu> Tue, 08 May 2018 20:12 UTC

Return-Path: <jricher@mit.edu>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2FEDF12EAB0 for <oauth@ietfa.amsl.com>; Tue, 8 May 2018 13:12:45 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.199
X-Spam-Level:
X-Spam-Status: No, score=-4.199 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ga9RNp_b91dn for <oauth@ietfa.amsl.com>; Tue, 8 May 2018 13:12:42 -0700 (PDT)
Received: from dmz-mailsec-scanner-7.mit.edu (dmz-mailsec-scanner-7.mit.edu [18.7.68.36]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 12D5812E88A for <oauth@ietf.org>; Tue, 8 May 2018 13:12:41 -0700 (PDT)
X-AuditID: 12074424-089ff70000006e8f-72-5af204b614de
Received: from mailhub-auth-2.mit.edu ( [18.7.62.36]) (using TLS with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client did not present a certificate) by dmz-mailsec-scanner-7.mit.edu (Symantec Messaging Gateway) with SMTP id BD.D8.28303.7B402FA5; Tue, 8 May 2018 16:12:40 -0400 (EDT)
Received: from outgoing.mit.edu (OUTGOING-AUTH-1.MIT.EDU [18.9.28.11]) by mailhub-auth-2.mit.edu (8.13.8/8.9.2) with ESMTP id w48KCYsw030501; Tue, 8 May 2018 16:12:36 -0400
Received: from [192.168.1.12] (static-71-174-62-56.bstnma.fios.verizon.net [71.174.62.56]) (authenticated bits=0) (User authenticated as jricher@ATHENA.MIT.EDU) by outgoing.mit.edu (8.13.8/8.12.4) with ESMTP id w48KCWpa014657 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NOT); Tue, 8 May 2018 16:12:34 -0400
From: Justin Richer <jricher@mit.edu>
Message-Id: <77961237-AEE4-44CA-8D31-85E52980F399@mit.edu>
Content-Type: multipart/alternative; boundary="Apple-Mail=_B9EF0357-6CB2-49FC-953F-BD7174D0DF87"
Mime-Version: 1.0 (Mac OS X Mail 11.3 \(3445.6.18\))
Date: Tue, 8 May 2018 16:12:32 -0400
In-Reply-To: <CA+k3eCSyEuVsG_ZC6N-vNN_D6if=bnbyYmyZQK+x3gPHpp5PMw@mail.gmail.com>
Cc: "<oauth@ietf.org>" <oauth@ietf.org>
To: Brian Campbell <bcampbell@pingidentity.com>
References: <152572323194.1316.16504160657904107453@ietfa.amsl.com> <CA+k3eCS6omRPisq_L7SR=_fHmE8o7KcOSD696UjM4KtW-a7NZw@mail.gmail.com> <CA+k3eCSyEuVsG_ZC6N-vNN_D6if=bnbyYmyZQK+x3gPHpp5PMw@mail.gmail.com>
X-Mailer: Apple Mail (2.3445.6.18)
X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFlrMKsWRmVeSWpSXmKPExsUixG6noruD5VOUwfQ9Qhar/99ktDj59hWb A5PHkiU/mTzuHr3IEsAUxWWTkpqTWZZapG+XwJVx4ekO1oKt1RU/OluYGxjfZ3YxcnJICJhI tN1sYuxi5OIQEljMJPHo32M2CGcDo8S062egnGtMEts+nmQEaWETUJWYvqaFCcTmFbCSeLKk mRXEZhZIkti77wMjRNxEYseVNnYQW1jAQWLegd1g9SwCKhLz/84Gi3MKBEp0L28CsjmAetUl 2k+6gIRFBPQlbj+dww6x9yKjRMONpcwQpypJ/N91hHkCI/8sJOtmIVkHEdeWWLbwNTOErSmx v3s5C6a4hkTnt4msCxjZVjHKpuRW6eYmZuYUpybrFicn5uWlFuma6+VmluilppRuYgSHtovK DsbuHu9DjAIcjEo8vBI7P0YJsSaWFVfmHmKU5GBSEuX1+QAU4kvKT6nMSCzOiC8qzUktPsQo wcGsJMKrLAuU401JrKxKLcqHSUlzsCiJ8wpu/hAlJJCeWJKanZpakFoEk5Xh4FCS4H3J/ClK SLAoNT21Ii0zpwQhzcTBCTKcB2j4FZAa3uKCxNzizHSI/ClGe45D76f0MHOcA5PHLk8Dkv9u 7u9lFmLJy89LlRLndQRpEwBpyyjNg5sMSlvu6+wsXjGKAz0qzKsATGJCPMCUBzf7FdBaJqC1 gg/eg6wtSURISTUw6l7Y+923p6nRK3Jl4aOv/RfbrvyTn1XN5n3cMIhVfJHu2YzEuYkvGxcf aY0qO5S0rTU61nR3+m/hgI7FP9pXrkiZdfXVEhltff+IP5OC1itk3z/4RX5/bTzDhxv2ebsu r30kI7IyQiX49GXZ4Pwd0q8/eLcdjC6+JpIfmtbxsqB9lUeAW/NzJZbijERDLeai4kQANPiT rDYDAAA=
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/BGxwAc3dHyRQ_3URa7tsUUbGAn4>
Subject: Re: [OAUTH-WG] I-D Action: draft-ietf-oauth-mtls-08.txt
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 08 May 2018 20:12:45 -0000

I’ve reviewed the changes and it looks good to me. Thanks, Brian!

 — Justin

> On May 7, 2018, at 4:16 PM, Brian Campbell <bcampbell@pingidentity.com> wrote:
> 
> has *been* published 
> 
> sigh 
> 
> On Mon, May 7, 2018 at 2:14 PM, Brian Campbell <bcampbell@pingidentity.com <mailto:bcampbell@pingidentity.com>> wrote:
> A new draft of the OAuth 2.0 Mutual TLS Client Authentication and Certificate Bound Access Tokens specification has published with changes addressing review comments from Working Group Last Call. Thanks in particular to Justin Richer and Neil Madden for the detailed reviews. A summary of the changes (copied from the document history) is below.
> 
>    draft-ietf-oauth-mtls-08
> 
>    o  Incorporate clarifications and editorial improvements from Justin
>       Richer's WGLC review
>    o  Drop the use of the "sender constrained" terminology per WGLC
>       feedback from Neil Madden (including changing the metadata
>       parameters from mutual_tls_sender_constrained_access_tokens to
>       tls_client_certificate_bound_access_tokens)
>    o  Add a new security considerations section on X.509 parsing and
>       validation per WGLC feedback from Neil Madden and Benjamin Kaduk
>    o  Note that a server can terminate TLS at a load balancer, reverse
>       proxy, etc. but how the client certificate metadata is securely
>       communicated to the backend is out of scope per WGLC feedback
>    o  Note that revocation checking is at the discretion of the AS per
>       WGLC feedback
>    o  Editorial updates and clarifications
>    o  Update draft-ietf-oauth-discovery reference to -10 and draft-ietf-
>       oauth-token-binding to -06
>    o  Add folks involved in WGLC feedback to the acknowledgements list
> 
> 
> 
> ---------- Forwarded message ----------
> From: <internet-drafts@ietf.org <mailto:internet-drafts@ietf.org>>
> Date: Mon, May 7, 2018 at 2:00 PM
> Subject: [OAUTH-WG] I-D Action: draft-ietf-oauth-mtls-08.txt
> To: i-d-announce@ietf..org <mailto:i-d-announce@ietf.org>
> Cc: oauth@ietf.org <mailto:oauth@ietf.org>
> 
> 
> 
> A New Internet-Draft is available from the on-line Internet-Drafts directories.
> This draft is a work item of the Web Authorization Protocol WG of the IETF.
> 
>         Title           : OAuth 2.0 Mutual TLS Client Authentication and Certificate Bound Access Tokens
>         Authors         : Brian Campbell
>                           John Bradley
>                           Nat Sakimura
>                           Torsten Lodderstedt
>         Filename        : draft-ietf-oauth-mtls-08.txt
>         Pages           : 21
>         Date            : 2018-05-07
> 
> Abstract:
>    This document describes OAuth client authentication and certificate
>    bound access tokens using mutual Transport Layer Security (TLS)
>    authentication with X.509 certificates.  OAuth clients are provided a
>    mechanism for authentication to the authorization sever using mutual
>    TLS, based on either single certificates or public key infrastructure
>    (PKI).  OAuth authorization servers are provided a mechanism for
>    binding access tokens to a client's mutual TLS certificate, and OAuth
>    protected resources are provided a method for ensuring that such an
>    access token presented to it was issued to the client presenting the
>    token.
> 
> 
> The IETF datatracker status page for this draft is:
> https://datatracker.ietf.org/doc/draft-ietf-oauth-mtls/ <https://datatracker.ietf.org/doc/draft-ietf-oauth-mtls/>
> 
> There are also htmlized versions available at:
> https://tools.ietf.org/html/draft-ietf-oauth-mtls-08 <https://tools.ietf.org/html/draft-ietf-oauth-mtls-08>
> https://datatracker.ietf.org/doc/html/draft-ietf-oauth-mtls-08 <https://datatracker.ietf.org/doc/html/draft-ietf-oauth-mtls-08>
> 
> A diff from the previous version is available at:
> https://www.ietf.org/rfcdiff?url2=draft-ietf-oauth-mtls-08 <https://www.ietf.org/rfcdiff?url2=draft-ietf-oauth-mtls-08>
> 
> 
> Please note that it may take a couple of minutes from the time of submission
> until the htmlized version and diff are available at tools.ietf.org <http://tools.ietf.org/>.
> 
> Internet-Drafts are also available by anonymous FTP at:
> ftp://ftp.ietf.org/internet-drafts/ <ftp://ftp.ietf.org/internet-drafts/>
> 
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org <mailto:OAuth@ietf.org>
> https://www.ietf.org/mailman/listinfo/oauth <https://www.ietf.org/mailman/listinfo/oauth>
> 
> 
> 
> CONFIDENTIALITY NOTICE: This email may contain confidential and privileged material for the sole use of the intended recipient(s). Any review, use, distribution or disclosure by others is strictly prohibited..  If you have received this communication in error, please notify the sender immediately by e-mail and delete the message and any file attachments from your computer. Thank you._______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth