[OAUTH-WG] key vs. cert fingerprint in -security-topics-13

Brian Campbell <bcampbell@pingidentity.com> Mon, 23 December 2019 23:36 UTC

Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/L3oZOaHcJ36QpTxq2W8k9S_TeAY>

The description of OAuth Mutual TLS in
https://tools.ietf.org/html/draft-ietf-oauth-security-topics-13#section-4.8.1.2
says the "client is identified towards the resource server by the
fingerprint of its public key" but it's actually a fingerprint/hash of the
certificate, not the public key. See
https://tools.ietf.org/html/draft-ietf-oauth-mtls-17#section-3.1 for
example.

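The distinction raised above, as an added example that is not part of the original message or of either draft: the `x5t#S256` confirmation value in OAuth MTLS is base64url(SHA-256) over the DER encoding of the whole X.509 certificate, so a resource server that hashed only the SubjectPublicKeyInfo would compute a different value and reject a correctly bound token. The certificate below is a constructed, unsigned stand-in with placeholder key and signature bytes, assembled with a minimal DER helper purely so the example runs offline.

```python
import base64, hashlib, hmac

def der_tlv(tag: int, body: bytes) -> bytes:
    """Minimal DER encoder: tag byte, definite length, body."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + body

def der_children(body: bytes) -> list:
    """Split a DER body into (tag, inner_body, whole_tlv) tuples."""
    out, i = [], 0
    while i < len(body):
        tag, ln, j = body[i], body[i + 1], i + 2
        if ln & 0x80:  # long-form length
            k = ln & 0x7F
            ln, j = int.from_bytes(body[j:j + k], "big"), j + k
        out.append((tag, body[j:j + ln], body[i:j + ln]))
        i = j + ln
    return out

def spki_of(cert_der: bytes) -> bytes:
    """Return the SubjectPublicKeyInfo TLV from a DER X.509 certificate."""
    tbs_fields = der_children(der_children(der_children(cert_der)[0][1])[0][1])
    idx = 6 if tbs_fields[0][0] == 0xA0 else 5  # explicit [0] version present?
    return tbs_fields[idx][2]

def build_demo_cert() -> bytes:
    """Constructed, unsigned demo certificate (placeholder key and signature)."""
    sig_alg = der_tlv(0x30, der_tlv(0x06, bytes.fromhex("2a8648ce3d040302")))  # ecdsa-with-SHA256
    name = der_tlv(0x30, b"")  # empty Name
    validity = der_tlv(0x30, der_tlv(0x17, b"200101000000Z") * 2)
    ec_alg = der_tlv(0x30, der_tlv(0x06, bytes.fromhex("2a8648ce3d0201"))
                     + der_tlv(0x06, bytes.fromhex("2a8648ce3d030107")))  # ecPublicKey, P-256
    spki = der_tlv(0x30, ec_alg + der_tlv(0x03, b"\x00\x04" + b"\x11" * 64))  # placeholder point
    tbs = der_tlv(0x30, der_tlv(0xA0, der_tlv(0x02, b"\x02")) + der_tlv(0x02, b"\x01")
                  + sig_alg + name + validity + name + spki)
    return der_tlv(0x30, tbs + sig_alg + der_tlv(0x03, b"\x00" + b"\x22" * 64))  # placeholder sig

def x5t_s256(cert_der: bytes) -> str:
    """x5t#S256: base64url (no padding) of SHA-256 over the DER certificate."""
    return base64.urlsafe_b64encode(hashlib.sha256(cert_der).digest()).rstrip(b"=").decode()

def confirm_mtls_binding(claims: dict, presented_cert_der: bytes) -> bool:
    """Resource-server check: token cnf.x5t#S256 must match the presented cert's hash."""
    expected = claims.get("cnf", {}).get("x5t#S256")
    return bool(expected) and hmac.compare_digest(expected, x5t_s256(presented_cert_der))
```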