IETF Logo Mail Archive

Re: [OAUTH-WG] New Version Notification for draft-campbell-oauth-tls-client-auth-00.txt

Justin Richer <jricher@mit.edu> Mon, 14 November 2016 00:26 UTC

Return-Path: <jricher@mit.edu>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E562B129558 for <oauth@ietfa.amsl.com>; Sun, 13 Nov 2016 16:26:50 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.697
X-Spam-Level:
X-Spam-Status: No, score=-5.697 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-2.3, RP_MATCHES_RCVD=-1.497, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id cxFNeB66NKuO for <oauth@ietfa.amsl.com>; Sun, 13 Nov 2016 16:26:48 -0800 (PST)
Received: from dmz-mailsec-scanner-6.mit.edu (dmz-mailsec-scanner-6.mit.edu [18.7.68.35]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id AAC2A129467 for <oauth@ietf.org>; Sun, 13 Nov 2016 16:26:48 -0800 (PST)
X-AuditID: 12074423-0abff70000005d64-6d-582904c6e001
Received: from mailhub-auth-1.mit.edu ( [18.9.21.35]) (using TLS with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client did not present a certificate) by (Symantec Messaging Gateway) with SMTP id 2E.33.23908.6C409285; Sun, 13 Nov 2016 19:26:47 -0500 (EST)
Received: from outgoing.mit.edu (outgoing-auth-1.mit.edu [18.9.28.11]) by mailhub-auth-1.mit.edu (8.13.8/8.9.2) with ESMTP id uAE0Qj6q013490; Sun, 13 Nov 2016 19:26:46 -0500
Received: from dhcp-8693.meeting.ietf.org (dhcp-8693.meeting.ietf.org [31.133.134.147]) (authenticated bits=0) (User authenticated as jricher@ATHENA.MIT.EDU) by outgoing.mit.edu (8.13.8/8.12.4) with ESMTP id uAE0Qd0j016975 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NOT); Sun, 13 Nov 2016 19:26:42 -0500
Content-Type: multipart/alternative; boundary="Apple-Mail=_F321B417-8580-4E8D-9F5B-63BE1E7CD0F6"
Mime-Version: 1.0 (Mac OS X Mail 9.3 \(3124\))
From: Justin Richer <jricher@mit.edu>
In-Reply-To: <CA+k3eCS-S8G-jxRMnvczaysdNZSRWwiPnGTMnGVnh8dWgh0k-A@mail.gmail.com>
Date: Mon, 14 Nov 2016 09:26:37 +0900
Message-Id: <F31A1C87-C18F-4203-A1AE-DF32BCB005B4@mit.edu>
References: <147613227959.31428.2920748721017165266.idtracker@ietfa.amsl.com> <9CDE07EB-E5B4-43B2-B3C1-F12569CAB458@ve7jtb.com> <5827DE8A.4010807@lodderstedt.net> <4372F560-F98E-491B-BEDD-B02A2671D96C@mit.edu> <5827F848.3060803@lodderstedt.net> <2164E521-236F-46FC-AAF1-D2EE80F29BA9@mit.edu> <58280139.2040505@lodderstedt.net> <CA+k3eCS-S8G-jxRMnvczaysdNZSRWwiPnGTMnGVnh8dWgh0k-A@mail.gmail.com>
To: Brian Campbell <bcampbell@pingidentity.com>
X-Mailer: Apple Mail (2.3124)
X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFlrLKsWRmVeSWpSXmKPExsUixCmqrHucRTPCYMFKaYvV/28yWpx8+4rN 4tWxpywWq+/+ZXNg8Viy5CeTx7GeflaPu0cvsnjcvr2RJYAlissmJTUnsyy1SN8ugSvjyslO 9oIX1xkrLi8Ta2DsmcLYxcjJISFgInHowFHmLkYuDiGBNiaJR11XWEASQgIbGSVWTSqESFxh kljx4icbSIJZIEHi6JxfYDavgJ7EpvVvmUBsYaD4mVftYDabgKrE9DUtYDanQKDE7Vub2EFs FqD4jBkvmUCGMgs0MkrMmnoFapCVxNppr6HO6GaWWL5iIliHiIC+xO2nc9ghbpWVeHJyEcsE Rv5ZSA6ZheQQiLi2xLKFr5khbE2J/d3LWTDFNSQ6v01kXcDItopRNiW3Sjc3MTOnODVZtzg5 MS8vtUjXTC83s0QvNaV0EyMoDthdlHcwvuzzPsQowMGoxMP7oFAjQog1say4MvcQoyQHk5Io 71lzoBBfUn5KZUZicUZ8UWlOavEhRgkOZiUR3gPMmhFCvCmJlVWpRfkwKWkOFiVx3v9uX8OF BNITS1KzU1MLUotgsjIcHEoSvAtBGgWLUtNTK9Iyc0oQ0kwcnCDDeYCGq7GADC8uSMwtzkyH yJ9iNOZ4s+vlAyaOPbNePWASYsnLz0uVEueVYQQqFQApzSjNg5sGSmXyrW2TXzGKAz0nzBsK spQHmAbh5r0CWsUEtGoXyI+8xSWJCCmpBsbpkhMWhc/Tey9QunDm1iNLpj89xLtzrlTNSqHK TTUnRDe19h1fM0FK9/CKq/qtapN+pbtXCEndva4axcF5VeeRwgOO3ded3/37liZqUHB5mW8p EwfbApvNsRvFb39iNc3YfE94aoBeY/6dDb8NTHbNYW/7Z/d2y64v/SXT9b4aLNtQ9SFZWm2G EktxRqKhFnNRcSIANgypmkADAAA=
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/Le6MuEYJ4u7kKRWyEfA5uDiAW6U>
Cc: "<oauth@ietf.org>" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] New Version Notification for draft-campbell-oauth-tls-client-auth-00.txt
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 14 Nov 2016 00:26:51 -0000

Right — this is a fine way to put it. RFC7591 defines a client model where RFC6749 didn’t. Ideally all that metadata would’ve been in the original spec, but it’s not. It doesn’t matter whether the client was registered dynamically or statically, it just matters that the AS knows what to expect from a given client.

 — Justin

> On Nov 14, 2016, at 6:21 AM, Brian Campbell <bcampbell@pingidentity.com> wrote:
> 
> Yes, the intend is that the authentication method is determined by client policy regardless of whether the client was dynamically registered or statically configured or whatever. I can make that point more explicit in future revisions of the draft. 
> 
> On Sat, Nov 12, 2016 at 10:59 PM, Torsten Lodderstedt <torsten@lodderstedt.net <mailto:torsten@lodderstedt.net>> wrote:
> I understand. My point is different: the text seems to assume everybody is using client registration, but that's not the case. I would like to point out it makes sense to explicitely state the assumption that it is determined by client policy (indepedent of the way this policy is established).
> 
> 
> Am 13.11.2016 um 14:24 schrieb Justin Richer:
>> As part of the client’s registered data model. At least, based on how our own implementation works (where we support client_secret_basic, private_key_jwt, etc), that’s where we’d check to see if the client was supposed to be using TLS auth or not.
>> 
>> We don’t let clients switch away from their registered auth mechanism.
>> 
>>  — Justin
>> 
>>> On Nov 13, 2016, at 2:21 PM, Torsten Lodderstedt <torsten@lodderstedt.net <mailto:torsten@lodderstedt.net>> wrote:
>>> 
>>> Justin,
>>> 
>>> Am 13.11.2016 um 13:39 schrieb Justin Richer:
>>>> Torsten, I believe this is intended to be triggered by the tls_client_auth value specified in §3. 
>>> 
>>> in the token request?
>>> 
>>>> 
>>>> Nit on that section, the field name for the client metadata in RFC7591 is token_endpoint_auth_method, the _supported version is from the corresponding discovery document.
>>>> 
>>>>  — Justin
>>>> 
>>> Torsten.
>>>>> On Nov 13, 2016, at 12:31 PM, Torsten Lodderstedt < <mailto:torsten@lodderstedt.net>torsten@lodderstedt.net <mailto:torsten@lodderstedt.net>> wrote:
>>>>> 
>>>>> Hi John and Brian,
>>>>> 
>>>>> thanks for writting this draft.
>>>>> 
>>>>> One question: how does the AS determine the authentication method is TLS authentication? I think you assume this is defined by the client-specific policy, independent of whether the client is registered automatically or manually. Would you mind to explicitely state this in the draft?
>>>>> 
>>>>> best regards,
>>>>> Torsten.
>>>>> 
>>>>> Am 11.10.2016 um 05:59 schrieb John Bradley:
>>>>>> At the request of the OpenID Foundation Financial Services API Working group, Brian Campbell and I have documented 
>>>>>> mutual TLS client authentication.   This is something that lots of people do in practice though we have never had a spec for it.
>>>>>> 
>>>>>> The Banks want to use it for some server to server API use cases being driven by new open banking regulation.
>>>>>> 
>>>>>> The largest thing in the draft is the IANA registration of “tls_client_auth” Token Endpoint authentication method for use in Registration and discovery.
>>>>>> 
>>>>>> The trust model is intentionally left open so that you could use a “common name” and a restricted list of CA or a direct lookup of the subject public key against a reregistered value,  or something in between.
>>>>>> 
>>>>>> I hope that this is non controversial and the WG can adopt it quickly.
>>>>>> 
>>>>>> Regards
>>>>>> John B.
>>>>>> 
>>>>>> 
>>>>>> 
>>>>>> 
>>>>>>> Begin forwarded message:
>>>>>>> 
>>>>>>> From:  <mailto:internet-drafts@ietf.org>internet-drafts@ietf.org <mailto:internet-drafts@ietf.org>
>>>>>>> Subject: New Version Notification for draft-campbell-oauth-tls-client-auth-00.txt
>>>>>>> Date: October 10, 2016 at 5:44:39 PM GMT-3
>>>>>>> To: "Brian Campbell" < <mailto:brian.d.campbell@gmail.com>brian.d.campbell@gmail.com <mailto:brian.d.campbell@gmail.com>>, "John Bradley" < <mailto:ve7jtb@ve7jtb.com>ve7jtb@ve7jtb.com <mailto:ve7jtb@ve7jtb.com>>
>>>>>>> 
>>>>>>> 
>>>>>>> A new version of I-D, draft-campbell-oauth-tls-client-auth-00.txt
>>>>>>> has been successfully submitted by John Bradley and posted to the
>>>>>>> IETF repository.
>>>>>>> 
>>>>>>> Name:		draft-campbell-oauth-tls-client-auth
>>>>>>> Revision:	00
>>>>>>> Title:		Mutual X.509 Transport Layer Security (TLS) Authentication for OAuth Clients
>>>>>>> Document date:	2016-10-10
>>>>>>> Group:		Individual Submission
>>>>>>> Pages:		5
>>>>>>> URL:             <https://www.ietf.org/internet-drafts/draft-campbell-oauth-tls-client-auth-00.txt>https://www.ietf.org/internet-drafts/draft-campbell-oauth-tls-client-auth-00.txt <https://www.ietf.org/internet-drafts/draft-campbell-oauth-tls-client-auth-00.txt>
>>>>>>> Status:          <https://datatracker.ietf.org/doc/draft-campbell-oauth-tls-client-auth/>https://datatracker.ietf.org/doc/draft-campbell-oauth-tls-client-auth/ <https://datatracker.ietf.org/doc/draft-campbell-oauth-tls-client-auth/>
>>>>>>> Htmlized:        <https://tools.ietf.org/html/draft-campbell-oauth-tls-client-auth-00>https://tools.ietf.org/html/draft-campbell-oauth-tls-client-auth-00 <https://tools.ietf.org/html/draft-campbell-oauth-tls-client-auth-00>
>>>>>>> 
>>>>>>> 
>>>>>>> Abstract:
>>>>>>>   This document describes X.509 certificates as OAuth client
>>>>>>>   credentials using Transport Layer Security (TLS) mutual
>>>>>>>   authentication as a mechanism for client authentication to the
>>>>>>>   authorization server's token endpoint.
>>>>>>> 
>>>>>>> 
>>>>>>> 
>>>>>>> 
>>>>>>> Please note that it may take a couple of minutes from the time of submission
>>>>>>> until the htmlized version and diff are available at tools.ietf.org <http://tools.ietf.org/>.
>>>>>>> 
>>>>>>> The IETF Secretariat
>>>>>>> 
>>>>>> 
>>>>>> 
>>>>>> 
>>>>>> _______________________________________________
>>>>>> OAuth mailing list
>>>>>> OAuth@ietf.org <mailto:OAuth@ietf.org>
>>>>>> https://www.ietf.org/mailman/listinfo/oauth <https://www.ietf.org/mailman/listinfo/oauth>
>>>>> 
>>>>> _______________________________________________
>>>>> OAuth mailing list
>>>>> OAuth@ietf.org <mailto:OAuth@ietf.org>
>>>>> https://www.ietf.org/mailman/listinfo/oauth <https://www.ietf.org/mailman/listinfo/oauth>
>>>> 
>>> 
>> 
> 
>

v2.23.0 | Report a Bug | By Email