[OAUTH-WG] Re: Next steps for Attestation-Based Client Authentication
Judith Kahrer <judith.kahrer@curity.io> Wed, 20 May 2026 10:13 UTC
Return-Path: <judith.kahrer@curity.io>
X-Original-To: oauth@mail2.ietf.org
Delivered-To: oauth@mail2.ietf.org
Received: from localhost (localhost [127.0.0.1]) by mail2.ietf.org (Postfix) with ESMTP id 75E5BF177FAE for <oauth@mail2.ietf.org>; Wed, 20 May 2026 03:13:30 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=ietf.org; s=ietf1; t=1779272010; bh=2D3H5NZa5zaTBHtstcCFfipwE4ezzCt54AYFUAUn2II=; h=References:In-Reply-To:From:Date:Subject:To:Cc; b=ScQZ2gXL9Gr+x/Acfq2SmNtx8oronocHklGmxFeIcAyzZ1aEXLQAkk3wTpXy3ohEA kz20Zj1eXqwJ74Pf6LEzAMQKKx2AzwNjoAUJLtsxiByCg6M8MtnVaCVhFe7nUjXhFH efVDXlUCqXsOeUtHRoAqRe9dk+1hnrdDLFC84X50=
X-Virus-Scanned: amavisd-new at ietf.org
X-Spam-Flag: NO
X-Spam-Score: -2.099
X-Spam-Level:
X-Spam-Status: No, score=-2.099 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: mail2.ietf.org (amavisd-new); dkim=pass (2048-bit key) header.d=curity.io
Received: from mail2.ietf.org ([166.84.6.31]) by localhost (mail2.ietf.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id sGMBZsVfvpc1 for <oauth@mail2.ietf.org>; Wed, 20 May 2026 03:13:29 -0700 (PDT)
Received: from mail-lf1-x12c.google.com (mail-lf1-x12c.google.com [IPv6:2a00:1450:4864:20::12c]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by mail2.ietf.org (Postfix) with ESMTPS id BAD67F177F85 for <oauth@ietf.org>; Wed, 20 May 2026 03:13:29 -0700 (PDT)
Received: by mail-lf1-x12c.google.com with SMTP id 2adb3069b0e04-5a40cfab24dso6357528e87.2 for <oauth@ietf.org>; Wed, 20 May 2026 03:13:29 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1779272008; cv=none; d=google.com; s=arc-20240605; b=elRseuQLoIUh6AumBofmkB/rd9aCICf2idPE3CG+r6sCuDyPnMY5AkV4G7XuN9cZZQ 3kqeqv7/ZBScvzIU4Z5fsIa7g/Ry6VeyziQ+Hx4lVkoFNsqDmdmK4QxiIywd5+8KSHm4 eXMmDBOHunc+V9zWvIM9hfhb8yoWD3vV9oXRV4RCksQ7z7IqipHU2pa/5C2N745BnMne 3aAA/8DlzXQgtmDHHqYB0nfCiMxQ3hZWBmvQZ3QDJE2Mcc+nTVo0J+u5A5sL/6LB60ay OZec0r9snRHi4Tw52eFioVsDvi6w+B8rAFrmVhtE/eIsarltdiDcNrIr32P+lpby990m i2/g==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20240605; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:dkim-signature; bh=YXo1B78VVvHFreJ0fL/+tiIZPnLjtSgciWsYSfQky/E=; fh=5eucVY884V+jjwEKRBn0R74QNJSArNvyTf6Q1zW7fLM=; b=Psu0vqZmKD9pq0R6siog2rt+6wXu05G/svOmkZjj4ohpgFMQgrTLHqm+rtHCCd7tnG GEFxrqEBooDUZ+EQHLNBbX7cRAoBHGh+MWNI8RiA8Hnjm/1qHwNEAcvYzgDcKPdRQgCe JFijArCAS0ZeoFJTINsI8cl4PgeStZXx7eY8LzKfThIRsURmf5hV7YroVGpL5jbeIjiO PeD00YpHuUp5N5zrN3tN2z92mHMJHW/sdhiAyHQ3HDEk4XN0AFctjK3RjvW8qHVoOMtg B0i7ps1zpn7GH9BO9uHkPzboXliVqhRquXKxsK5c2cxxEHr89PAYQVEsV+TS782Ojlwd 95vg==; darn=ietf.org
ARC-Authentication-Results: i=1; mx.google.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=curity.io; s=google; t=1779272008; x=1779876808; darn=ietf.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=YXo1B78VVvHFreJ0fL/+tiIZPnLjtSgciWsYSfQky/E=; b=bb5SzY43C3rzQtkQYAsjyBxcr8bQTX2TTMJcMm+HA8UVPmTKA4/HrjQaGIOSoCOvu6 DgJnIlph46CtcyxYcwsx0hAT93kBjtfm3YpMFZSWjAcg+La/+1mSVVLg85R3NqZlPa1h +5w6j3tn1sybWZ94AofkbCb0zU+90TwHXK7xNca1k9nICgr4NAEA75+xxbr4YlEItd02 Gvrf0f1WOlLfpB/VbZhW42+vg1KDdpUaBL3JPGFtZ7MRunb9woDelGKYYM2tM4KCz/td KfUyKiHo1fKWkgeI0Nrtjpk962GD3rSH28eDTBuECgKAX7wIpIAbEBNdwWOroNK5PyW8 s1Kw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20251104; t=1779272008; x=1779876808; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-gg:x-gm-message-state:from:to:cc:subject:date :message-id:reply-to; bh=YXo1B78VVvHFreJ0fL/+tiIZPnLjtSgciWsYSfQky/E=; b=Rdrd1yrOtMl6UpIiMpM2L4hqPXCY0ODlkRb/zwb+XQetfOkkgeVsTviHZDYYK4uqsT 5h1TqFcQnOi3arLbFJkV5sEUG4NIittA+Ys+xBDecu7omChnlhhcXX3k8BAedDEoH/w/ obI+xDHnvcFrhKYCIFekJShuQX0UAwtFvngqdFkMRcxrqbTptI4nLSAyaKbI/AD86YTE UyIBHeq+wmoYJ15d8BTvu3FhqTVmg8e8uh7ItNzjJoQ7e5Zhgf/2/F/dN7YV9KDUohg8 B79yOxYvmSn/6bZ+IIVsbPM+kl1K67KEYJwZlm/fDoOBfxjTTwvHMq+ir8UuZlocfiUq v0vw==
X-Gm-Message-State: AOJu0Yzftp3SEsfBQdYsPtaHAlFraZiUbcxKw7r5G08NXSzXoSWLD5Cl Vw/hwYuL3OhXhzLctRBhjxMk8vwh5XPGnVYq/ZQhHW2ppPfN/cRc6qvitSnbe8am0tvFjTJBuwK lkDuhWcEuUnltoGFjs4qhUozeMywL/YDw04CeAhR9iQ==
X-Gm-Gg: Acq92OFMJGsEzOx+dF7os9m+jEXKvDmTBgW1GSj1GyR26fWNSTI+eAsZI+tEV+sXdu0 AaFACQ8xgn1kO6QVoFWZLVtmE03Zs5O9rLHzNvDUMsIDRTQiAai3qAgvB2/Kbx5G2CmwowAud3b aiSZgO/Jwg9pHfDX4McX4S0rN7Zuq3LwrKbgeUWX0wF5jGrmYjB7A3MO8xhiYRDMV3lC/hbercJ ju8xeiwwWBu6i1FUPVqhCqfKAZLKKCeBo85EQn2Rpufc/mIPdP693XQ/FLDSB/sx94z2GBprgzi jbOLrXa+m4M9AfzkMx8=
X-Received: by 2002:a05:6512:40ca:b0:5aa:fce:cc7a with SMTP id 2adb3069b0e04-5aa0fceccb7mr4875991e87.35.1779272008286; Wed, 20 May 2026 03:13:28 -0700 (PDT)
MIME-Version: 1.0
References: <79dff38d-f430-4011-94b4-b51c2ddf9846@posteo.de> <CAK7_QNRgD2dCwLbMsOCnjcDLVxXG3AVQKQ_d1TO7eNcwj3KN=Q@mail.gmail.com> <d4cfe424-ff8e-4142-96e0-37356c71d282@posteo.de>
In-Reply-To: <d4cfe424-ff8e-4142-96e0-37356c71d282@posteo.de>
From: Judith Kahrer <judith.kahrer@curity.io>
Date: Wed, 20 May 2026 12:13:12 +0200
X-Gm-Features: AVHnY4LhbDVCI5v8UwL86q-is4MvY3yBuDd16L_GA6zQvfOaC9sjDP4LPC952p4
Message-ID: <CAK7_QNQ-ePkuddJdDkODnBc5ebiJfo6HazkoTF18pnJD=qZJsQ@mail.gmail.com>
To: Paul Bastian <paul.bastian@posteo.de>
Content-Type: multipart/alternative; boundary="000000000000034ff506523d0cf6"
Message-ID-Hash: HKHCLYSL4TFCAPJOF7M46FMJU6LSCJ43
X-Message-ID-Hash: HKHCLYSL4TFCAPJOF7M46FMJU6LSCJ43
X-MailFrom: judith.kahrer@curity.io
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-oauth.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: oauth <oauth@ietf.org>
X-Mailman-Version: 3.3.9rc6
Precedence: list
Subject: [OAUTH-WG] Re: Next steps for Attestation-Based Client Authentication
List-Id: OAUTH WG <oauth.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/Cjy1P3eM1TFfFcSnXBbnIaygWSs>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Owner: <mailto:oauth-owner@ietf.org>
List-Post: <mailto:oauth@ietf.org>
List-Subscribe: <mailto:oauth-join@ietf.org>
List-Unsubscribe: <mailto:oauth-leave@ietf.org>
Hi Paul, happy to read you largely agree on my points :) Regarding the challenge I put down a proposal for how the authorization server could request "additional security signals" from the client. I believe there are other proposals that target the resource server, though I don't remember which. I'll can dig that up if you find that helpful. On Wed, May 20, 2026 at 9:36 AM Paul Bastian <paul.bastian@posteo.de> wrote: > Hi Judith, > > thanks for your feedback! Further answers inline: > On 5/7/26 12:24, Judith Kahrer wrote: > > > > Hi Paul, > > I support the DPoP addition in the editor's draft. To be honest, I have > never been a big fan of the separate PoP-JWT but I have to admit that the > draft improved quite a lot since I looked at it the last time! > > Reading the draft again, it actually contains two mechanisms: > - On the one hand, it defines a new client authentication method for an > OAuth client (attest_jwt_client_auth) as indicated by the title. > - On the other hand, it describes a mechanism for "additional security > signals". > > Imo, the title of the document should reflect both - or you split them up > into two. > > Agreed. The question is if this is too late, because the existing name is > already heavily in use. A better name could be "Key-bound Client > Attestation" in my view. How do others in the working group feel about > renaming at that stage? > > > Is there a way for the resource server (or authorization server) to > challenge the client to provide additional security signals? I guess, they > could return an 'invalid_client_attestation' error, if the request was > missing an attestation. I think it would be good with more guidance on how > to inform the client to provide the attestation as additional security > signals if it is missing (in addition to e.g., the access token or client > credentials). The resource server could even publish its requirements in > its resource metadata document, e.g., with "client_attestation_required: > true". > > Agreed. We opened up > https://github.com/oauth-wg/draft-ietf-oauth-attestation-based-client-auth/issues/195 > and will come up with a proposal. > > > I agree with the conversation in the minutes. Leave the details of the > attestation process out of scope. However, I suggest you list the > requirements as it currently is unclear what attestation means. What do you > expect an attester to validate at a bare minimum (i.e., client instance > controlling the key)? What makes the key-bound JWT a client attestation? > What information should/does the client attestation JWT convey? In section > 6.4 you mention: "[Sending additional security signals] may provide > additional assurance about the client's authenticity, integrity, state or > other information contained in the Client Attestation". Make it clear (as > part of the terminology?) that this is what you expect from an attester and > client attestation. Imo, the client's authenticity and integrity are key to > an attestation (without having to get into technical details...). > > Somewhat agreed. I think we don't want to say too much, as it's out of > scope, but we could add some more text in the direction you suggested. > > > +1 on the use case for platform-specific apps (so-called "native apps". I > prefer to avoid the term native to foster a more inclusive language). At > Curity we have implemented something very similar for our Hypermedia > Authentication API (HAAPI) quite some time ago to support mobile apps. I > can also picture a use-case where you use client attestation in DCR, for > example, to establish trust in the client (comparable to software > statement). > > Cheers, > Judith > > On Thu, May 7, 2026 at 12:11 AM Paul Bastian <paul.bastian@posteo.de> > wrote: > >> Hi all, >> >> on Monday we had the OAuth Interims call dedicated to Attestation-Based >> Client Authentication, see the minutes for details: >> https://datatracker.ietf.org/doc/minutes-interim-2026-oauth-01-202605041700/ >> >> As a follow-up, we want to bring the following points also to the mailing >> list to reach out to people that did not participate on the Interims call: >> >> - we presented the integration of the combined DPoP mode into the >> editor's draft, allowing to use a single key for both DPoP and >> Attestation-Based Client Authentication and re-use the DPoP Proof Header as >> a proof of possession for the Client Attestation JWT. We are looking for >> feedback on the current draft before making a new release >> - we discussed which which OAuth artefacts should explicitly be bound to >> the client instance and the client instance key of the client attestation >> JWT. Currently we have language for the refresh token and there are two >> open Github issues >> https://github.com/oauth-wg/draft-ietf-oauth-attestation-based-client-auth/issues/56 >> and >> https://github.com/oauth-wg/draft-ietf-oauth-attestation-based-client-auth/issues/114 >> that discuss whether auth code or other artifacts shall be bound to the >> client instance. If you have opinions on this, please respond in either >> issue or respond to this mail >> - we discussed whether explicit relationship to DCR should be mentioned, >> see >> https://github.com/oauth-wg/draft-ietf-oauth-attestation-based-client-auth/issues/61. >> The feeling in the Interims call was to not include specific language >> - we discussed whether we should be more descriptive about the mechanisms >> how the client instance authenticates towards the client attester, see >> https://github.com/oauth-wg/draft-ietf-oauth-attestation-based-client-auth/issues/107 >> . These steps are currently out-of-scope and the feeling in the interims >> call was to not include specific technologies >> - we discussed the AS/Client metadata for supported algorithms, see >> https://github.com/oauth-wg/draft-ietf-oauth-attestation-based-client-auth/issues/170 >> . The proposal is to remove >> client_attestation_signing_alg_values_supported and >> client_attestation_pop_signing_alg_values_supported and rather re-use >> the existing token_endpoint_auth_signing_alg_values_supported. There was >> discussion whether client metadata makes sense, feedback is welcome. >> >> If you want to provide feedback, respond to this mail or post in the >> relevant Github issues. >> >> Best regards, >> Paul >> _______________________________________________ >> OAuth mailing list -- oauth@ietf.org >> To unsubscribe send an email to oauth-leave@ietf.org >> >
- [OAUTH-WG] Next steps for Attestation-Based Clien… Paul Bastian
- [OAUTH-WG] Re: Next steps for Attestation-Based C… Frederik Krogsdal Jacobsen
- [OAUTH-WG] Re: Next steps for Attestation-Based C… Judith Kahrer
- [OAUTH-WG] Re: Next steps for Attestation-Based C… Denis
- [OAUTH-WG] Re: Next steps for Attestation-Based C… Mohamad Khalil Yossif
- [OAUTH-WG] Re: Next steps for Attestation-Based C… Paul Bastian
- [OAUTH-WG] Re: Next steps for Attestation-Based C… Denis
- [OAUTH-WG] Re: Next steps for Attestation-Based C… Judith Kahrer
- [OAUTH-WG] Re: Next steps for Attestation-Based C… renatas
- [OAUTH-WG] Re: Next steps for Attestation-Based C… Kosuke Koiwai