Re: [OAUTH-WG] WGLC on draft-ietf-oauth-mtls-07

[Brian Campbell <bcampbell@pingidentity.com>]

Thanks. Will do.

On Thu, Apr 19, 2018 at 8:57 AM, Benjamin Kaduk <kaduk@mit.edu> wrote:

> I would go ahead and put them in.  The blog post might get some
> pushback, but I think there's plenty of precedent for academic
> papers.
>
> -Ben
>
> On Wed, Apr 18, 2018 at 09:34:23AM -0600, Brian Campbell wrote:
> > Thanks for the text, Neil. And the nit on the text, Ben. I'll include it
> in
> > the next draft.
> >
> > Ben, bit of a procedural question for you: can or should I include those
> > references (https://www.cryptologie.net/article/374/common-x509-
> certificate-
> > validationcreation-pitfalls/ & http://www.cs.utexas.edu/~
> > shmat/shmat_ccs12.pdf) that Neil had with the text in the draft as
> > informational? Or? I'm honestly not sure if it's okay to cite a blog post
> > or university paper.
> >
> >
> > <https://www.cryptologie.net/article/374/common-x509-certificate-
> validationcreation-pitfalls/>
> >
> >
> >
> >
> > On Tue, Apr 17, 2018 at 8:13 AM, Benjamin Kaduk <kaduk@mit.edu> wrote:
> >
> > > Picking nits, but maybe "established and well-tested X.509 library
> > > (such as one used by an established TLS library)", noting that TLS
> > > 1.3 has added a new protocol feature that allows for TLS and X.509
> > > library capabilities to be separately indicated (as would be needed
> > > if they were organizationally separate).
> > >
> > > -Ben
> > >
> > > On Tue, Apr 17, 2018 at 10:48:04AM +0100, Neil Madden wrote:
> > > > OK, here’s a stab at a new security considerations section on X.509
> > > parsing and validation:
> > > >
> > > > ---
> > > > 5.3 X.509 Certificate Parsing and Validation Complexity
> > > >
> > > > Parsing and validation of X.509 certificates and certificate chains
> is
> > > complex and implementation mistakes have previously exposed security
> > > vulnerabilities. Complexities of validation include (but are not
> limited
> > > to) [1][2][3]:
> > > > - checking of Basic Constraints, basic and extended Key Usage
> > > constraints, validity periods, and critical extensions;
> > > > - handling of null-terminator bytes and non-canonical string
> > > representations in subject names;
> > > > - handling of wildcard patterns in subject names;
> > > > - recursive verification of certificate chains and checking
> certificate
> > > revocation.
> > > > For these reasons, implementors SHOULD use an established and
> > > well-tested TLS library for validation of X.509 certificate chains and
> > > SHOULD NOT attempt to write their own X.509 certificate validation
> > > procedures.
> > > >
> > > > [1] https://www.cryptologie.net/article/374/common-x509-certificate-
> > > validationcreation-pitfalls/ <https://www.cryptologie.net/
> > > article/374/common-x509-certificate-validationcreation-pitfalls/>
> > > > [2] http://www.cs.utexas.edu/~shmat/shmat_ccs12.pdf <
> > > http://www.cs.utexas.edu/~shmat/shmat_ccs12.pdf>
> > > > [3] https://tools.ietf.org/html/rfc5280 <
> https://tools.ietf.org/html/
> > > rfc5280>
> > > >
> > > > ---
> > > >
> > > > NB - this blog post [1] is the best concise summary of attacks I
> could
> > > find. Most of these attacks have been published as Black Hat talks and
> I
> > > can’t seem to find definitive references or good survey papers (beyond
> [2],
> > > which is a little older).
> > > >
> > > > Let me know what you think,
> > > >
> > > > Neil
> > > >
> > > >
> > > > > On 12 Apr 2018, at 20:42, Brian Campbell <
> bcampbell@pingidentity.com>
> > > wrote:
> > > > >
> > > > > Thanks Neil.
> > > > >
> > > > > Other than the potential metadata changes, which I'd like more WG
> > > input on and may raise in a new thread, I think I've got enough to make
> > > updates addressing your comments.  But please do send text for that
> > > Security Considerations bit, if you come up with something.
> > > > >
> > > > > On Thu, Apr 12, 2018 at 3:03 AM, Neil Madden <
> > > neil.madden@forgerock.com <mailto:neil.madden@forgerock.com>> wrote:
> > > > > Hi Brian,
> > > > >
> > > > > Thanks for the detailed responses. Comments in line below (marked
> with
> > > ***).
> > > > >
> > > > > Neil
> > > > >
> > > > > On Wednesday, Apr 11, 2018 at 9:47 pm, Brian Campbell <
> > > bcampbell@pingidentity.com <mailto:bcampbell@pingidentity.com>> wrote:
> > > > > Thanks for the review and feedback, Neil. I apologize for my being
> > > slow to respond. As I said to Justin recently <
> > > https://mailarchive.ietf.org/arch/msg/oauth/cNmk8fSuxp37L-
> z8Rvr6_EnyCug>,
> > > I've been away from things for a while. Also there's a lot here to get
> > > through so took me some time.
> > > > >
> > > > > It looks like John touched on some of your comments but not all.
> I'll
> > > try and reply to them as best I can inline below.
> > > > >
> > > > >
> > > > > On Thu, Mar 29, 2018 at 9:18 AM, Neil Madden <
> > > neil.madden@forgerock.com <mailto:neil.madden@forgerock.com>> wrote:
> > > > > Hi,
> > > > >
> > > > > I have reviewed this draft and have a number of comments, below.
> > > ForgeRock have not yet implemented this draft, but there is interest in
> > > implementing it at some point. (Disclaimer: We have no firm
> commitments on
> > > this at the moment, I do not speak for ForgeRock, etc).
> > > > >
> > > > > 1. https://tools.ietf.org/html/draft-ietf-oauth-mtls-07#
> section-3.1 <
> > > https://tools.ietf.org/html/draft-ietf-oauth-mtls-07#section-3.1>
> defines
> > > a new confirmation method “x5t#S256”. However, there is already a
> > > confirmation method “jwk” that can contain a JSON Web Key, which
> itself can
> > > contain a “x5t#S526” claim with exactly the same syntax and semantics.
> The
> > > draft proposes:
> > > > >
> > > > >         { “cnf”: { “x5t#S256”: “…” } }
> > > > >
> > > > > but you can already do:
> > > > >
> > > > >         { “cnf”: { “jwk”: { … , “x5t#S256”: “…” } } }
> > > > >
> > > > > If the intent is just to save some space and avoid the mandatory
> > > fields of the existing JWK types, maybe this would be better addressed
> by
> > > defining a new JWK type which only has a thumbprint? e.g., { “kty”:
> “x5t”,
> > > “x5t#S256”: “…” }.
> > > > >
> > > > > The intent of the x5t#S256 confirmation method was to be space
> > > efficient and straightforward while utilizing the framework and
> registry
> > > that RFC 7800 gives.  Even a new JWK type like that would still use
> more
> > > space. And I'd argue that the new confirmation method is considerably
> more
> > > straightforward than registering a new JWK type (and the implications
> that
> > > would have on JWK implementations in general) in order to use the
> existing
> > > "jwk" confirmation method.
> > > > >
> > > > > ***
> > > > > OK, that is reasonable. Given that the draft says SHOULD rather
> than
> > > MUST for using this confirmation key method, I think it is currently
> > > allowed to use either representation.
> > > > >
> > > > >
> > > > >
> > > > > 2. I find the naming “mutual TLS” and “mTLS” a bit of a misnomer:
> it’s
> > > really only the client authentication that we are interested here, and
> the
> > > fact that the server also authenticates with a certificate is not
> hugely
> > > relevant to this particular spec (although it is to the overall
> security of
> > > OAuth). Also, TLS defines non-certificate based authentication
> mechanisms
> > > (e.g. TLS-SRP extension for password authenticated key exchange, PSK
> for
> > > pre-shared key authentication) and even non-X.509 certificate types (
> > > https://www.iana.org/assignments/tls-extensiontype-
> > > values/tls-extensiontype-values.xhtml#tls-extensiontype-values-3 <
> > > https://www.iana.org/assignments/tls-extensiontype-
> > > values/tls-extensiontype-values.xhtml#tls-extensiontype-values-3>).
> I’d
> > > prefer that the draft explicitly referred to “X.509 Client Certificate
> > > Authentication” rather than mutual TLS, and changed identifiers like
> > > ‘tls_client_auth’ (https://tools.ietf.org/html/
> draft-ietf-oauth-mtls-07#
> > > section-2.1.1 <https://tools.ietf.org/html/draft-ietf-oauth-mtls-07#
> > > section-2.1.1>) to something more explicit like
> > > ‘tls_x509_pki_client_auth’.
> > > > >
> > > > > This is especially confusing in section 3 on sender constrained
> access
> > > tokens, as there are two different servers involved: the AS and the
> > > protected resource server, but there is no “mutual” authentication
> between
> > > them, only between each of them and the client.
> > > > >
> > > > > Choosing names and terminology is difficult and the "right"
> wording is
> > > often subjective. I believe that the current wording sufficiently
> conveys
> > > what is going on in the draft to most readers. Most readers thus far
> seem
> > > to agree. There is some text now that does say that the mutual auth in
> the
> > > draft is in fact X.509 client cert authn but, in the next revision,
> I'll
> > > look for other opportunities where it could be stated more clearly.
> > > > >
> > > > > *** Thanks.
> > > > >
> > > > >
> > > > >
> > > > > 3. The draft links to the TLS 1.2 RFC, while the original OAuth 2.0
> > > RFC only specifies TLS 1.0. Is the intention that TLS 1.2+ is
> required? The
> > > wording in Section 5.1 doesn’t seem clear if this could also be used
> with
> > > TLS 1.0 or 1.1, or whether it is only referring to future TLS versions.
> > > > >
> > > > > The reference to BCP 195 (which unfortunately the original OAuth
> 2.0
> > > RFC doesn't have because it didn't exist then) is meant to account for
> > > changing versions and recommendations around TLS. Currently that BCP
> says
> > > TLS 1.2 is a must and suggests against 1.1 & 1.0 but doesn't outright
> > > prohibit them.
> > > > >
> > > > > *** OK, that seems good to me.
> > > > >
> > > > >
> > > > >
> > > > > 4. It might be useful to have a discussion for implementors of
> whether
> > > TLS session resumption (and PSK in TLS 1.3) and/or renegotiation
> impact the
> > > use of client certificates, if at all?
> > > > >
> > > > > That might well be useful but I don't myself know what it would
> say.
> > > I've (maybe naively) figured those are deployment details that will
> just
> > > work out. Perhaps you could propose some text around such a discussion
> that
> > > the WG could consider?
> > > > >
> > > > >  ***
> > > > > To be honest, when I raised this it was because I didn’t really
> know
> > > what the implications were. I’ve done some reading around and I think
> it
> > > should all just work - both session resumption and PSK-based resumption
> > > preserve the original client and server authentication context so we
> can
> > > assume that any presented client cert is still valid for the resumed
> > > session. So I think we can leave out any discussion of this and assume
> it
> > > works as expected.
> > > > >
> > > > >
> > > > >
> > > > > 5. Section 3 defines sender-constrained access tokens in terms of
> the
> > > confirmation key claims (e.g., RFC 7800 for JWT). However, the OAuth
> 2.0
> > > Pop Architecture draft defines sender constraint and key confirmation
> as
> > > different things (https://tools.ietf.org/html/draft-ietf-oauth-pop-
> > > architecture-08#section-6.2 <https://tools.ietf.org/html/
> > > draft-ietf-oauth-pop-architecture-08#section-6.2>). The draft should
> > > decide which of those it is implementing and if sender constraint is
> > > intended, then reusing the confirmation key claims seems misleading. (I
> > > think this mTLS draft is doing key confirmation so should drop the
> language
> > > about sender constrained tokens).
> > > > >
> > > > > I will say again that choosing names and terminology is
> difficult...
> > > > >
> > > > > Although I must admit that I started using "sender constrained"
> > > somewhat indiscriminately at first and it's just sort of stuck. At the
> time
> > > I was trying to incorporate bits of draft-sakimura-oauth-jpop in a way
> that
> > > might help bring on and keep the authors of that draft onboard with
> this
> > > mtls draft. In retrospect it looks like I did that part wrong anyway.
> But
> > > that was the thinking at the time and the history, for whatever it's
> worth.
> > > More recently, Nat was requesting that "sender constrained" be
> included in
> > > the title. So there's that too.
> > > > >
> > > > > In defense of my mistake, however, if there's a line between
> "sender
> > > constrained" and "key confirmation" tokens, it's a bit of a fuzzy
> line. And
> > > I'd argue that what this draft is doing pretty close to the line.
> > > > >
> > > > > But ultimately I think you are right that what this mtls draft is
> > > doing with access tokens is more accurately described with the key
> > > confirmation term.
> > > > >
> > > > > So, yes, the draft should probably drop (or at least minimize) the
> > > language about sender constrained. I'll do that in the next draft
> version,
> > > barring big objections from the WG.
> > > > >
> > > > > The tricky thing with making that change is that there a client and
> > > server metadata parameters with the name "mutual_tls_sender_
> constrained_access_tokens"
> > > that should probably also change. But that would be a breaking change
> (of
> > > sorts anyway), which shouldn't be taken lightly at this stage. I feel
> that
> > > some explicit okays from the WG are needed before doing so (rough
> consensus
> > > stye) . Any WG members want to weigh in here and help get a "sense of
> the
> > > group" concerning changing those metadata names?
> > > > >
> > > > > *** Thanks. I agree this might cause compatibility issues. It is
> not a
> > > big issue for us, but might cause some confusion.
> > > > >
> > > > >
> > > > >
> > > > > 6. The OAuth 2.0 PoP Architecture draft says (
> > > https://tools.ietf.org/html/draft-ietf-oauth-pop-
> architecture-08#section-5
> > > <https://tools.ietf.org/html/draft-ietf-oauth-pop-
> > > architecture-08#section-5>):
> > > > >
> > > > >          Strong, fresh session keys:
> > > > >
> > > > >                 Session keys MUST be strong and fresh.  Each
> session
> > > deserves an
> > > > >                 independent session key, i.e., one that is
> generated
> > > specifically
> > > > >                 for the intended use.  In context of OAuth this
> means
> > > that keying
> > > > >                 material is created in such a way that can only be
> > > used by the
> > > > >                 combination of a client instance, protected
> resource,
> > > and
> > > > >                 authorization scope.
> > > > >
> > > > >
> > > > > However, the mTLS draft section 3 (https://tools.ietf.org/html/
> > > draft-ietf-oauth-mtls-07#section-3 <https://tools.ietf.org/html/
> > > draft-ietf-oauth-mtls-07#section-3>) says:
> > > > >
> > > > >         The client makes protected resource requests as described
> in
> > > > >         [RFC6750], however, those requests MUST be made over a
> mutually
> > > > >         authenticated TLS connection using the same certificate
> that
> > > was used
> > > > >         for mutual TLS at the token endpoint.
> > > > >
> > > > > These two statements are contradictory: the OAuth 2.0 PoP
> architecture
> > > effectively requires a fresh key-pair to be used for every access token
> > > request, whereas this draft proposes reusing the same long-lived client
> > > certificate for every single access token and every resource server.
> > > > >
> > > > > In the self-signed case (and even in the CA case, with a bit of
> work -
> > > e.g., https://www.vaultproject.io/docs/secrets/pki/index.html <
> > > https://www.vaultproject.io/docs/secrets/pki/index.html>) it is
> perfectly
> > > possible for the client to generate a fresh key-pair for each access
> token
> > > and include the certificate on the token request (e.g., as per
> > > https://tools.ietf.org/html/draft-ietf-oauth-pop-key-
> > > distribution-03#section-5.1 <https://tools.ietf.org/html/
> > > draft-ietf-oauth-pop-key-distribution-03#section-5.1> - in which case
> an
> > > appropriate “alg” value should probably be described). This should
> probably
> > > at least be an option.
> > > > >
> > > > > This draft doesn't necessarily seek to align with the (long
> expired)
> > > PoP architecture draft.  Rather it is aiming to provide a pragmatic
> > > solution for PoP style access tokens and OAuth client auth using mTLS
> > > client certificates.
> > > > >
> > > > > That said, with the current draft, it's certainly possible for a
> > > client to update its cert more frequently, even so far as using a new
> one
> > > for each access token. The details of how that would work will vary
> some
> > > based on the token endpoint authentication method. But it's not
> precluded.
> > > > >
> > > > > *** You are right, the text doesn’t preclude that. I am happy with
> > > that solution. I suspect most people will deploy and be happy with
> reusing
> > > a long-lived cert for every access token, so this may not matter in
> > > practice.
> > > > >
> > > > >
> > > > > 7. The use of a single client certificate with every resource
> server
> > > (RS) should be called out in a Privacy Considerations section, as it
> allows
> > > correlation of activity.
> > > > >
> > > > > Practically speaking the access tokens being presented likely
> already
> > > have correlatable info in them about the client as well as the user. I
> > > don't know that there's much of a (new) concern in reality. If you feel
> > > this concern is unique and import enough though, perhaps there's some
> text
> > > you'd like to propose for a Privacy Considerations section that the WG
> > > could consider? I mean, I guess it doesn't hurt to mention it but I
> would
> > > like to avoid overstating the issue.
> > > > >
> > > > > *** On reflection, I am going to withdraw this comment. As you say
> > > there are other ways to correlate clients. The privacy issue would
> mainly
> > > arise in the context of dynamic client registration e.g., a pattern
> I’ve
> > > seen described where every instance of a mobile app does dynamic client
> > > registration to avoid including credentials directly in the app bundle.
> > > This would make clients one-to-one with users. But (a) those apps are
> > > fairly unlikely to be using TLS certs, and (b) that is more of a
> privacy
> > > consideration for dynamic client registration rather than this draft.
> > > > >
> > > > >
> > > > >
> > > > > 8. This is maybe a more general point, but RFC 6750 defines the
> > > Authorization: Bearer scheme (https://tools.ietf.org/html/
> > > rfc6750#section-2 <https://tools.ietf.org/html/rfc6750#section-2>)
> for a
> > > client to communicate it’s access token to the RS in a standard way. As
> > > sender-constrained access tokens are not strictly bearer tokens any
> more,
> > > should this draft also register a new scheme for that? Should there be
> a
> > > generic PoP scheme?
> > > > >
> > > > > The thinking and general consensus (in this draft as well as the
> OAuth
> > > token binding work) has been that continuing to use the RFC 6750 scheme
> > > while putting the "not strictly bearer" stuff in (or referenced by) the
> > > token itself will be easier on deployment and implementation. And
> better
> > > for adoption as a result. I believe some early implementation work has
> > > borne that out too.
> > > > >
> > > > >  *** OK.
> > > > >
> > > > >
> > > > > 9. The Security Considerations should really make some mention of
> the
> > > long history of attacks against X.509 certificate chain validation,
> e.g.
> > > failure to check the “CA” bit in the basic constraints, errors in
> parsing
> > > DNs, etc. It should be strongly suggested to use an existing TLS
> library to
> > > perform these checks rather than implementing your own checks. This
> relates
> > > to Justin’s comments around DN parsing and normalisation.
> > > > >
> > > > > Suggesting to use an existing TLS library is certainly sound advice
> > > and I sort of felt is implied in the draft. But saying so more
> > > strongly/explicitly might be worthwhile.  And pointing to historical
> > > reasons to do so would probably be good too.  Could you propose a new
> > > Security Considerations section or maybe augmentation of §5.2 with that
> > > content?
> > > > >
> > > > > *** I’ll try and come up with some text.
> > > > >
> > > > >
> > > > >
> > > > > 10. The PKI client authentication method (
> https://tools.ietf.org/html/
> > > draft-ietf-oauth-mtls-07#section-2.1 <https://tools.ietf.org/html/
> > > draft-ietf-oauth-mtls-07#section-2.1>) makes no mention at all of
> > > certificate revocation and how to handle checking for that (CRLs, OCSP
> -
> > > with stapling?). Neither does the Security Considerations. If this is a
> > > detail to be agreed between then AS and the CA (or just left up to the
> AS
> > > TLS stack) then that should perhaps be made explicit. Again, there are
> > > privacy considerations with some of these mechanisms, as OCSP requests
> are
> > > typically sent in the clear (plain HTTP) and so allow an observer to
> see
> > > which clients are connecting to which AS.
> > > > >
> > > > > I didn't think that a TLS client could do OCSP stapling?
> > > > >
> > > > > *** I think you are right about this. I always assumed it was
> > > symmetric (and I think it technically could work), but the spec only
> talks
> > > about stapling in the server-side of the handshake.
> > > > >
> > > > > That aside, revocation checking (how and even if) is something
> that's
> > > at the discretion of the AS. I can add something in §2.1 to say that
> more
> > > explicitly.
> > > > >
> > > > > *** Thanks.
> > > > >
> > > > >
> > > > >
> > > > > 11. The same comment applies to how the protected resource checks
> for
> > > revocation of the certificate presented during sender constrained
> access
> > > token usage. Should the RS make its own revocation checks based on the
> > > information in the certificate presented, or should it trust the
> > > certificate while the access token is still valid? If the latter case,
> is
> > > the AS responsible for revoking any access tokens whose certificate
> have
> > > been revoked (if so, should it be doing an OCSP call on every token
> > > introspection request, and should the RS be passing on the
> > > certificate/serial number on that request)? If the Client request uses
> OCSP
> > > Stapling (https://en.wikipedia.org/wiki/OCSP_stapling <
> > > https://en.wikipedia.org/wiki/OCSP_stapling>) how can the RS verify
> the
> > > signature on that if it does not have a separate trust relationship
> with
> > > the CA already?
> > > > >
> > > > > The draft effectively uses cert mtls at the RS as a
> > > proof-of-possession method only and not as authentication. So
> revocation
> > > checking isn't really applicable. In specific deployment situations, I
> > > suppose an RS could check revocation. But that'd be a deployment
> decision
> > > for the RS that's beyond the scope of this draft.
> > > > >
> > > > > *** OK, that is an interesting observation. If either the client
> or AS
> > > suspect the key has been compromised they can revoke the access
> token(s)
> > > instead.
> > > > >
> > > > >
> > > > >
> > > > > 12. The use of only SHA-256 fingerprints means that the security
> > > strength of the sender-constrained access tokens is limited by the
> > > collision resistance of SHA-256 - roughly “128-bit security" - without
> a
> > > new specification for a new thumbprint algorithm. An implication of
> this is
> > > that is is fairly pointless for the protected resource TLS stack to
> ever
> > > negotiate cipher suites/keys with a higher level of security. In more
> > > crystal ball territory, if a practical quantum computer becomes a
> > > possibility within the lifetime of this spec, then the expected
> collision
> > > resistance of SHA-256 would drop quadratically, allowing an attacker to
> > > find a colliding certificate in ~2^64 effort. If we are going to pick
> just
> > > one thumbprint hash algorithm, I would prefer we pick SHA-512.
> > > > >
> > > > > The idea behind haveing just one thumbprint hash algorithm was to
> keep
> > > things simple. And SHA-256 seems good enough for the reasonably
> foreseeable
> > > future (and space aware). Also a new little spec to register a
> different
> > > hash algorithm, should the need arise, didn't seem particularity
> onerous.
> > > > >
> > > > > That was the thinking anyway. Maybe it is too short sighted though?
> > > > >
> > > > > I do think SHA-256 should stay regardless.
> > > > >
> > > > > But the draft could also define SHA-512 (and maybe others). What do
> > > you and WG folks think about that?
> > > > >
> > > > > *** Yes please.
> > > > >
> > > > > It would probably then be useful for the metadata in §3.3 and §3.4
> to
> > > change from just boolean values to something to convey what hash
> alg/cnf
> > > method the client expects and the list of what the server supports.
> That's
> > > maybe something that should be done anyway. That'd be a breaking
> change to
> > > the metadata. But there's already another potential breaking change
> > > identified earlier in this message. So maybe it's worth doing...
> > > > >
> > > > > How do folks feel about making this kind of change?
> > > > >
> > > > >
> > > > >
> > > > >
> > > > >
> > > > > Cheers,
> > > > >
> > > > > Neil
> > > > >
> > > > >
> > > > > > On 19 Mar 2018, at 22:34, Rifaat Shekh-Yusef <
> rifaat.ietf@gmail.com
> > > <mailto:rifaat.ietf@gmail.com>> wrote:
> > > > > >
> > > > > > All,
> > > > > >
> > > > > > As discussed during the meeting today, we are starting a WGLC on
> the
> > > MTLS document:
> > > > > > https://tools.ietf.org/html/draft-ietf-oauth-mtls-07 <
> > > https://tools.ietf.org/html/draft-ietf-oauth-mtls-07>
> > > > > >
> > > > > > Please, review the document and provide feedback on any issues
> you
> > > see with the document.
> > > > > >
> > > > > > The WGLC will end in two weeks, on April 2, 2018.
> > > > > >
> > > > > > Regards,
> > > > > >  Rifaat and Hannes
> > > > > >
> > > > > > _______________________________________________
> > > > > > OAuth mailing list
> > > > > > OAuth@ietf.org <mailto:OAuth@ietf.org>
> > > > > > https://www.ietf.org/mailman/listinfo/oauth <
> > > https://www.ietf.org/mailman/listinfo/oauth>
> > > > >
> > > > >
> > > > > _______________________________________________
> > > > > OAuth mailing list
> > > > > OAuth@ietf.org <mailto:OAuth@ietf.org>
> > > > > https://www.ietf.org/mailman/listinfo/oauth <
> > > https://www.ietf.org/mailman/listinfo/oauth>
> > > > >
> > > > >
> > > > >
> > > > > CONFIDENTIALITY NOTICE: This email may contain confidential and
> > > privileged material for the sole use of the intended recipient(s). Any
> > > review, use, distribution or disclosure by others is strictly
> prohibited.
> > > If you have received this communication in error, please notify the
> sender
> > > immediately by e-mail and delete the message and any file attachments
> from
> > > your computer. Thank you.
> > > > >
> > > > >
> > > > > CONFIDENTIALITY NOTICE: This email may contain confidential and
> > > privileged material for the sole use of the intended recipient(s). Any
> > > review, use, distribution or disclosure by others is strictly
> prohibited.
> > > If you have received this communication in error, please notify the
> sender
> > > immediately by e-mail and delete the message and any file attachments
> from
> > > your computer. Thank you.
> > > >
> > >
> > > > _______________________________________________
> > > > OAuth mailing list
> > > > OAuth@ietf.org
> > > > https://www.ietf.org/mailman/listinfo/oauth
> > >
> > >
> >
> > --
> > _CONFIDENTIALITY NOTICE: This email may contain confidential and
> privileged
> > material for the sole use of the intended recipient(s). Any review, use,
> > distribution or disclosure by others is strictly prohibited.  If you
> have
> > received this communication in error, please notify the sender
> immediately
> > by e-mail and delete the message and any file attachments from your
> > computer. Thank you._
>

-- 
_CONFIDENTIALITY NOTICE: This email may contain confidential and privileged 
material for the sole use of the intended recipient(s). Any review, use, 
distribution or disclosure by others is strictly prohibited.  If you have 
received this communication in error, please notify the sender immediately 
by e-mail and delete the message and any file attachments from your 
computer. Thank you._