Re: [OAUTH-WG] [Openid-specs-fapi] Fwd: New Version Notification for draft-campbell-oauth-tls-client-auth-00.txt

"Preibisch, Sascha H" <> Tue, 11 October 2016 02:59 UTC

From: "Preibisch, Sascha H" <>
To: John Bradley <>, Financial API Working Group List <>, OAuth WG <>
Date: Tue, 11 Oct 2016 02:58:53 +0000
Subject: Re: [OAUTH-WG] [Openid-specs-fapi] Fwd: New Version Notification for draft-campbell-oauth-tls-client-auth-00.txt


From: Openid-specs-fapi <> on behalf of John Bradley via Openid-specs-fapi <>
Reply-To: John Bradley <>, Financial API Working Group List <>
Date: Monday, October 10, 2016 at 1:59 PM
To: OAuth WG <>
Cc: Nat Sakimura via Openid-specs-fapi <>
Subject: [Openid-specs-fapi] Fwd: New Version Notification for draft-campbell-oauth-tls-client-auth-00.txt

At the request of the OpenID Foundation Financial Services API Working Group, Brian Campbell and I have documented mutual TLS client authentication. This is something that lots of people do in practice, though we have never had a spec for it.

The Banks want to use it for some server-to-server API use cases being driven by new open banking regulation.

The largest thing in the draft is the IANA registration of the "tls_client_auth" Token Endpoint authentication method for use in Registration and discovery.

The trust model is intentionally left open so that you could use a "common name" and a restricted list of CAs, or a direct lookup of the subject public key against a pre-registered value, or something in between.

I hope that this is non-controversial and the WG can adopt it quickly.

John B.

Begin forwarded message:

Subject: New Version Notification for draft-campbell-oauth-tls-client-auth-00.txt
Date: October 10, 2016 at 5:44:39 PM GMT-3
To: "Brian Campbell" <>, "John Bradley" <>

A new version of I-D, draft-campbell-oauth-tls-client-auth-00.txt
has been successfully submitted by John Bradley and posted to the
IETF repository.

Name: draft-campbell-oauth-tls-client-auth
Revision: 00
Title: Mutual X.509 Transport Layer Security (TLS) Authentication for OAuth Clients
Document date: 2016-10-10
Group: Individual Submission
Pages: 5
URL:  <>

  This document describes X.509 certificates as OAuth client
  credentials using Transport Layer Security (TLS) mutual
  authentication as a mechanism for client authentication to the
  authorization server's token endpoint.

Please note that it may take a couple of minutes from the time of submission
until the htmlized version and diff are available at <>.

The IETF Secretariat