Re: [OAUTH-WG] Fwd: I-D Action: draft-ietf-oauth-mtls-04.txt

Brian Campbell <bcampbell@pingidentity.com> Fri, 13 October 2017 16:32 UTC

In-Reply-To: <83c305ab-4c3b-b16e-1385-7e0e3af6a556@connect2id.com>
References: <150784500346.16836.10053591552617872796@ietfa.amsl.com> <CA+k3eCSD73-djpiUOq3u+arXjsUQ=aZsiA8Xv2tUM6mSecwvdA@mail.gmail.com> <83c305ab-4c3b-b16e-1385-7e0e3af6a556@connect2id.com>
From: Brian Campbell <bcampbell@pingidentity.com>
Date: Fri, 13 Oct 2017 10:31:44 -0600
Message-ID: <CA+k3eCTGPiMKSqDmAoRjzjG8fgiq2=HU5vbwyaSXkDJXTxMO2Q@mail.gmail.com>
To: Vladimir Dzhuvinov <vladimir@connect2id.com>
Cc: oauth <oauth@ietf.org>
Content-Type: multipart/alternative; boundary="f403043819f01f51d2055b703302"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/FfztMN69tFhiMWImb4SdpmUv6x0>
Subject: Re: [OAUTH-WG] Fwd: I-D Action: draft-ietf-oauth-mtls-04.txt

Thanks for the review, Vladimir. And yes, sender-constrained access tokens
should also work in a token exchange scenario.

On Fri, Oct 13, 2017 at 3:18 AM, Vladimir Dzhuvinov <vladimir@connect2id.com> wrote:

> Superb! Thanks for putting down everything that was discussed. I read the
> new version and have zero comments about it.
>
> Will sender-constrained access tokens also work in a token exchange
> scenario?
>
> (draft-ietf-oauth-token-exchange-09)
>
> Vladimir
>
> On 13/10/17 01:07, Brian Campbell wrote:
>
> I'm pleased to announce that a new draft of "Mutual TLS Profile for OAuth
> 2.0" has been published. The changes, based on feedback and discussion on
> this list over the last two months, are listed below.
>
>    draft-ietf-oauth-mtls-04 <https://tools.ietf.org/html/draft-ietf-oauth-mtls-04>
>
>    o  Change the name of the 'Public Key method' to the more accurate
>       'Self-Signed Certificate method' and also change the associated
>       authentication method metadata value to
>       "self_signed_tls_client_auth".
>    o  Removed the "tls_client_auth_root_dn" client metadata field as
>       discussed in
>       https://mailarchive.ietf.org/arch/msg/oauth/swDV2y0be6o8czGKQi1eJV-g8qc
>    o  Update draft-ietf-oauth-discovery
>       <https://tools.ietf.org/html/draft-ietf-oauth-discovery> reference to -07
>    o  Clarify that MTLS client authentication isn't exclusive to the
>       token endpoint and can be used with other endpoints, e.g. RFC 7009
>       <https://tools.ietf.org/html/rfc7009> revocation and 7662
>       introspection, that utilize client authentication as discussed in
>       https://mailarchive.ietf.org/arch/msg/oauth/bZ6mft0G7D3ccebhOxnEYUv4puI
>
>    o  Reorganize the document somewhat in an attempt to more clearly
>       make a distinction between mTLS client authentication and
>       certificate bound access tokens as well as a more clear
>       delineation between the two (PKI/Public key) methods for client
>       authentication
>    o  Editorial fixes and clarifications
>
>
> ---------- Forwarded message ----------
> From: <internet-drafts@ietf.org> <internet-drafts@ietf.org>
> Date: Thu, Oct 12, 2017 at 3:50 PM
> Subject: [OAUTH-WG] I-D Action: draft-ietf-oauth-mtls-04.txt
> To: i-d-announce@ietf.org
> Cc: oauth@ietf.org
>
>
>
> A New Internet-Draft is available from the on-line Internet-Drafts
> directories.
> This draft is a work item of the Web Authorization Protocol WG of the IETF.
>
>         Title           : Mutual TLS Profile for OAuth 2.0
>         Authors         : Brian Campbell
>                           John Bradley
>                           Nat Sakimura
>                           Torsten Lodderstedt
>         Filename        : draft-ietf-oauth-mtls-04.txt
>         Pages           : 18
>         Date            : 2017-10-12
>
> Abstract:
>    This document describes Transport Layer Security (TLS) mutual
>    authentication using X.509 certificates as a mechanism for OAuth
>    client authentication to the authorization server as well as for
>    certificate bound sender constrained access tokens.
>
>
> The IETF datatracker status page for this draft is:
> https://datatracker.ietf.org/doc/draft-ietf-oauth-mtls/
>
> There are also htmlized versions available at:
> https://tools.ietf.org/html/draft-ietf-oauth-mtls-04
> https://datatracker.ietf.org/doc/html/draft-ietf-oauth-mtls-04
>
> A diff from the previous version is available at:
> https://www.ietf.org/rfcdiff?url2=draft-ietf-oauth-mtls-04
>
>
> Please note that it may take a couple of minutes from the time of submission
> until the htmlized version and diff are available at tools.ietf.org.
>
> Internet-Drafts are also available by anonymous FTP at:
> ftp://ftp.ietf.org/internet-drafts/
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth

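The mechanism the forwarded abstract describes, certificate-bound sender-constrained access tokens, as an added example that is not part of this thread, of the draft's text, or of any project's code. The `cnf` claim with the `x5t#S256` confirmation method is the one draft-ietf-oauth-mtls defines; the issuer and audience values, the certificate byte strings and the function names are constructed for illustration. The same check applies to a token regardless of which grant issued it, which is why a sender-constrained token works in a token exchange too.

```python
"""
Certificate-bound access token check (draft-ietf-oauth-mtls style).

The authorization server puts the base64url-encoded SHA-256 thumbprint of
the client's DER certificate into the token's "cnf" (confirmation) claim
under the key "x5t#S256". The protected resource recomputes that
thumbprint from the certificate the client presented on its own
mutual-TLS connection. A token replayed over a connection that does not
hold the matching private key fails the check even though the token
itself is otherwise valid.

Example code written for this thread, not from the draft or any project.
Issuer/audience values and certificate bytes are constructed test data; a
real input would be the DER bytes of the X.509 certificate taken from the
TLS layer.
"""
import base64
import hashlib
import hmac
from typing import Optional, Tuple


def x5t_s256(cert_der: bytes) -> str:
    """Thumbprint as the draft defines it: base64url(SHA-256(DER)), no padding."""
    digest = hashlib.sha256(cert_der).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def bind_token(claims: dict, cert_der: bytes) -> dict:
    """Authorization-server side: attach the confirmation claim to the token
    payload. This step is the same whatever grant produced the token."""
    bound = dict(claims)
    bound["cnf"] = {"x5t#S256": x5t_s256(cert_der)}
    return bound


def check_binding(claims: dict, presented_cert_der: Optional[bytes],
                  require_binding: bool = True) -> Tuple[bool, str]:
    """Protected-resource side. Assumes the token's signature, issuer,
    audience and expiry were already validated; this only checks possession
    of the bound certificate. With require_binding=True an unbound (plain
    bearer) token is refused, the posture a resource that has adopted
    mutual TLS normally wants."""
    cnf = claims.get("cnf")
    thumbprint = cnf.get("x5t#S256") if isinstance(cnf, dict) else None
    if thumbprint is None:
        if require_binding:
            return False, "token is not certificate-bound"
        return True, "bearer token accepted (binding not required)"
    if not isinstance(thumbprint, str):
        return False, "malformed x5t#S256 value"
    if presented_cert_der is None:
        return False, "no client certificate on the TLS connection"
    # Constant-time comparison: the check should not leak the expected value.
    if not hmac.compare_digest(thumbprint, x5t_s256(presented_cert_der)):
        return False, "certificate thumbprint mismatch"
    return True, "ok"


# Constructed stand-ins for DER-encoded certificates (any bytes hash the same way).
CLIENT_CERT_DER = b"\x30\x82\x01\x0a constructed DER for the legitimate client"
OTHER_CERT_DER = b"\x30\x82\x01\x0a constructed DER for some other certificate"

# Constructed token payload with hypothetical issuer and audience values.
ISSUED_TOKEN = bind_token(
    {"iss": "https://as.example", "sub": "client-123",
     "aud": "https://rs.example", "exp": 1507916000},
    CLIENT_CERT_DER,
)


if __name__ == "__main__":
    print("same certificate:     ", check_binding(ISSUED_TOKEN, CLIENT_CERT_DER))
    print("different certificate:", check_binding(ISSUED_TOKEN, OTHER_CERT_DER))
    print("no certificate:       ", check_binding(ISSUED_TOKEN, None))
    print("plain bearer token:   ", check_binding({"sub": "client-123"}, CLIENT_CERT_DER))
```

The resource server never needs the client's private key or the authorization server's cooperation at request time: everything it needs is the presented certificate and the `cnf` claim already in the token, so the check is cheap to add to an existing token validation path.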