Re: [OAUTH-WG] MTLS and in-browser clients using the token endpoint

Brian Campbell <bcampbell@pingidentity.com> Tue, 15 January 2019 13:49 UTC

From: Brian Campbell <bcampbell@pingidentity.com>
Date: Tue, 15 Jan 2019 06:48:42 -0700
Message-ID: <CA+k3eCQtgku68usoCFsTeHVnNOLqWs6NweOgpQKsa7_9=wK7Vw@mail.gmail.com>
To: Dave Tonge <dave.tonge@momentumft.co.uk>
Cc: David Waite <david@alkaline-solutions.com>, oauth <oauth@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/KUwirHax9vzw46e5ik73i1Bw2yw>

It would definitely be optional; apologies if that wasn't made clear. It'd
be something to the effect of optional for the AS to include, and clients
doing MTLS would use it when present in AS metadata.

On Tue, Jan 15, 2019 at 2:04 AM Dave Tonge <dave.tonge@momentumft.co.uk>
wrote:

> I'm in favour of the `mtls_endpoints` metadata parameter - although it
> should be optional.
>

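The client-side behaviour described in this exchange, as an added example that is not code from the thread or from any OAuth library: an optional `mtls_endpoints` object in the AS metadata that a client doing mutual TLS consults when present and ignores when absent (RFC 8705 later published this parameter as `mtls_endpoint_aliases`, so the lookup accepts either key). The sample metadata documents and the hostnames in them are constructed for the example; the https-only check on an alias is the example's own policy, not something the thread specifies.

```python
"""Pick the token endpoint an OAuth client should call from AS metadata.

Models the proposal in the thread: aliases are OPTIONAL for the AS, used by
clients doing mTLS when present, and ignored by clients that are not.
"""
from urllib.parse import urlsplit

# Constructed sample AS metadata (not real deployments).
AS_WITH_ALIASES = {
    "issuer": "https://as.example.com",
    "token_endpoint": "https://as.example.com/token",
    "mtls_endpoints": {
        "token_endpoint": "https://mtls.as.example.com/token",
    },
}
AS_WITHOUT_ALIASES = {
    "issuer": "https://as.example.com",
    "token_endpoint": "https://as.example.com/token",
}

# Name proposed on the list, plus the name RFC 8705 eventually standardised.
ALIAS_KEYS = ("mtls_endpoints", "mtls_endpoint_aliases")


def _check_https(url: str) -> None:
    """Example policy: an mTLS alias must be an absolute https URL.

    The alias is only as trustworthy as the TLS-protected metadata document
    it came from, so refuse anything that would downgrade the transport.
    """
    parts = urlsplit(url)
    if parts.scheme != "https" or not parts.netloc:
        raise ValueError(f"refusing non-https mTLS alias: {url}")


def resolve_endpoint(metadata: dict, name: str, client_uses_mtls: bool) -> str:
    """Return the URL the client should use for endpoint `name`.

    - Not doing mTLS: always the regular endpoint, aliases are ignored.
    - Doing mTLS: the alias if the AS published one for `name`, otherwise
      fall back to the regular endpoint (the parameter is optional).
    """
    base = metadata.get(name)
    if base is None:
        raise ValueError(f"AS metadata lacks {name}")
    if not client_uses_mtls:
        return base
    for key in ALIAS_KEYS:
        aliases = metadata.get(key)
        if isinstance(aliases, dict) and name in aliases:
            alias = aliases[name]
            _check_https(alias)
            return alias
    return base


if __name__ == "__main__":
    for label, md in (("with aliases", AS_WITH_ALIASES),
                      ("without aliases", AS_WITHOUT_ALIASES)):
        for mtls in (True, False):
            url = resolve_endpoint(md, "token_endpoint", mtls)
            print(f"{label:16} mtls={mtls!s:5} -> {url}")
```

Run stand-alone it prints the four combinations; the case to note is an mTLS client against an AS that omitted the object, which quietly gets the regular `token_endpoint` rather than failing, which is what "optional for the AS to include" implies.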