Re: [OAUTH-WG] Fwd: New Version Notification for draft-campbell-oauth-mtls-00.txt
Dave Tonge <dave.tonge@momentumft.co.uk> Fri, 31 March 2017 16:08 UTC
From: Dave Tonge <dave.tonge@momentumft.co.uk>
Date: Fri, 31 Mar 2017 17:07:36 +0100
Message-ID: <CAP-T6TRp96tvPr3L6hq4rDFE2RNRw7rMUe385RJbxgXLW78HGQ@mail.gmail.com>
To: Brian Campbell <bcampbell@pingidentity.com>, oauth@ietf.org
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/TFtO1T8zBEoxg1vyNk4m6gGI9A4>
Hi Brian

Thanks for this - it will be very useful for open banking in Europe where cert based auth is required by law.

I have a few suggestions around wording. Happy to submit these via pull request if it's helpful.

1. Typo - remove "can" from 1:

   Mutual TLS sender constrained access tokens and mutual TLS client authentication are distinct mechanisms that *can* don't necessarily need to be deployed together.

2. Consistency of terminology in 2 (and throughout the document).

   In section 2 the following phrases are used:
   - Mutual TLS for Client Authentication
   - Mutual TLS Client Authentication to the Token Endpoint
   - mutual TLS as client credentials
   - mutual X.509 certificate authentication

   Interestingly, RFC5246 does not refer to "mutual authentication" at all, but does refer to "client authentication". From an OAuth perspective, surely we are more interested in the fact that it is TLS client auth than the fact that it is mutual. However, referring to TLS Client Authentication would bring confusion, as we would have two client definitions in play: the TLS Client and the OAuth Client.

   "TLS Mutual Auth" and "Mutual TLS" are established phrases in the industry - even though they don't seem to be defined in any of the relevant specs. However, "Mutual TLS Client Auth" isn't. I'm not sure of the best solution for this, but would be interested as to whether the authors considered this phrasing to be clearer:
   - Mutual TLS for Client Authentication -> TLS Mutual Auth for Client Authentication
   - Mutual TLS Client Authentication to the Token Endpoint -> TLS Mutual Auth for Client Authentication to the Token Endpoint
   - mutual TLS as client credentials -> TLS X509 client certificate as client credentials

   Or alternatively, a definition of "Mutual TLS" could be provided earlier on in the document.

Thanks again for your work on this spec.

Dave Tonge