[OAUTH-WG] Fwd: I-D Action: draft-ietf-oauth-mtls-08.txt
Brian Campbell <bcampbell@pingidentity.com> Mon, 07 May 2018 20:14 UTC
From: Brian Campbell <bcampbell@pingidentity.com>
Date: Mon, 07 May 2018 14:14:03 -0600
Message-ID: <CA+k3eCS6omRPisq_L7SR=_fHmE8o7KcOSD696UjM4KtW-a7NZw@mail.gmail.com>
To: oauth <oauth@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/YSmwNQxJtrjDYBiDJSOj-iru9cg>
A new draft of the OAuth 2.0 Mutual TLS Client Authentication and Certificate Bound Access Tokens specification has been published with changes addressing review comments from Working Group Last Call. Thanks in particular to Justin Richer and Neil Madden for the detailed reviews. A summary of the changes (copied from the document history) is below.

draft-ietf-oauth-mtls-08

   o  Incorporate clarifications and editorial improvements from Justin Richer's WGLC review

   o  Drop the use of the "sender constrained" terminology per WGLC feedback from Neil Madden (including changing the metadata parameters from mutual_tls_sender_constrained_access_tokens to tls_client_certificate_bound_access_tokens)

   o  Add a new security considerations section on X.509 parsing and validation per WGLC feedback from Neil Madden and Benjamin Kaduk

   o  Note that a server can terminate TLS at a load balancer, reverse proxy, etc. but how the client certificate metadata is securely communicated to the backend is out of scope per WGLC feedback

   o  Note that revocation checking is at the discretion of the AS per WGLC feedback

   o  Editorial updates and clarifications

   o  Update draft-ietf-oauth-discovery reference to -10 and draft-ietf-oauth-token-binding to -06

   o  Add folks involved in WGLC feedback to the acknowledgements list

---------- Forwarded message ----------
From: <internet-drafts@ietf.org>
Date: Mon, May 7, 2018 at 2:00 PM
Subject: [OAUTH-WG] I-D Action: draft-ietf-oauth-mtls-08.txt
To: i-d-announce@ietf.org
Cc: oauth@ietf.org

A New Internet-Draft is available from the on-line Internet-Drafts directories. This draft is a work item of the Web Authorization Protocol WG of the IETF.
        Title           : OAuth 2.0 Mutual TLS Client Authentication and Certificate Bound Access Tokens
        Authors         : Brian Campbell
                          John Bradley
                          Nat Sakimura
                          Torsten Lodderstedt
        Filename        : draft-ietf-oauth-mtls-08.txt
        Pages           : 21
        Date            : 2018-05-07

Abstract:
   This document describes OAuth client authentication and certificate bound access tokens using mutual Transport Layer Security (TLS) authentication with X.509 certificates. OAuth clients are provided a mechanism for authentication to the authorization server using mutual TLS, based on either single certificates or public key infrastructure (PKI). OAuth authorization servers are provided a mechanism for binding access tokens to a client's mutual TLS certificate, and OAuth protected resources are provided a method for ensuring that such an access token presented to it was issued to the client presenting the token.

The IETF datatracker status page for this draft is:
https://datatracker.ietf.org/doc/draft-ietf-oauth-mtls/

There are also htmlized versions available at:
https://tools.ietf.org/html/draft-ietf-oauth-mtls-08
https://datatracker.ietf.org/doc/html/draft-ietf-oauth-mtls-08

A diff from the previous version is available at:
https://www.ietf.org/rfcdiff?url2=draft-ietf-oauth-mtls-08

Please note that it may take a couple of minutes from the time of submission until the htmlized version and diff are available at tools.ietf.org.

Internet-Drafts are also available by anonymous FTP at:
ftp://ftp.ietf.org/internet-drafts/
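The binding mechanism the abstract describes, shown as an added example that is not part of this message, of the draft's own text, or of any implementation. The draft binds an access token to the client's certificate through a "cnf" claim carrying "x5t#S256", the base64url-encoded SHA-256 hash of the certificate's DER encoding; the example assumes that method. Everything else is an assumption for illustration: the two "certificates" are constructed byte strings standing in for real DER (the check only hashes the bytes and never parses them), the token is an HS256 JWT under a constructed shared key purely so the code stays standard-library only (a real AS would use an asymmetric key), and the issuer name, client identifiers and reason strings are made up. It also shows the client-side check on the renamed tls_client_certificate_bound_access_tokens metadata parameter and the two failure modes the -08 changes touch: the resource server must take the certificate from its own TLS handshake (or from a proxy on a channel it trusts, which the draft leaves out of scope), and a token presented without a matching certificate is refused.

```python
"""Certificate-bound access tokens end to end: the AS issues, the RS verifies.

Added example; not code from draft-ietf-oauth-mtls, its authors or any
implementation. Assumptions: binding via cnf/x5t#S256 as the draft defines;
constructed byte strings in place of real DER certificates; HS256 with a
constructed shared key instead of an asymmetric AS key; illustrative names.
"""
from __future__ import annotations

import base64
import hashlib
import hmac
import json
import time

# Constructed stand-ins for DER-encoded X.509 certificates (not real certs).
CLIENT_CERT_DER = b"\x30\x82\x01\x00" + b"constructed-client-cert" * 4
OTHER_CERT_DER = b"\x30\x82\x01\x00" + b"constructed-other-cert" * 4

AS_SIGNING_KEY = b"constructed-as-signing-key-do-not-use"  # illustrative only
AS_ISSUER = "https://as.example"                            # illustrative only


def b64url(data: bytes) -> str:
    """base64url without padding, as JWT and the x5t#S256 thumbprint use."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def x5t_s256(cert_der: bytes) -> str:
    """Certificate thumbprint: base64url(SHA-256(DER bytes))."""
    return b64url(hashlib.sha256(cert_der).digest())


def as_supports_bound_tokens(as_metadata: dict) -> bool:
    """Client side: the parameter renamed in -08; an absent value means false."""
    return bool(as_metadata.get("tls_client_certificate_bound_access_tokens", False))


def _sign(signing_input: str) -> bytes:
    return hmac.new(AS_SIGNING_KEY, signing_input.encode("ascii"), hashlib.sha256).digest()


def issue_bound_token(client_id: str, scope: str, tls_client_cert_der: bytes | None,
                      now: int | None = None, lifetime: int = 300) -> str:
    """AS side. The certificate that authenticated the token request over mutual
    TLS becomes the binding. With no client certificate there is nothing to bind
    to, so the AS refuses rather than silently falling back to a bearer token."""
    if not tls_client_cert_der:
        raise ValueError("token request was not mutually TLS authenticated")
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {
        "iss": AS_ISSUER, "client_id": client_id, "scope": scope,
        "iat": now, "exp": now + lifetime,
        "cnf": {"x5t#S256": x5t_s256(tls_client_cert_der)},
    }
    compact = lambda obj: b64url(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = compact(header) + "." + compact(payload)
    return signing_input + "." + b64url(_sign(signing_input))


def verify_bound_token(token: str, tls_client_cert_der: bytes | None,
                       now: int | None = None) -> tuple[bool, str]:
    """RS side. tls_client_cert_der must be the certificate from the RS's own TLS
    handshake, or one relayed by a proxy over a channel the RS trusts; a value
    copied from a client-settable header would let anyone pass this check.
    Returns (accepted, reason)."""
    parts = token.split(".")
    if len(parts) != 3:
        return False, "malformed token"
    signing_input = parts[0] + "." + parts[1]
    if not hmac.compare_digest(_sign(signing_input), b64url_decode(parts[2])):
        return False, "bad signature"
    payload = json.loads(b64url_decode(parts[1]))
    now = int(time.time()) if now is None else now
    if payload.get("iss") != AS_ISSUER or now >= int(payload.get("exp", 0)):
        return False, "wrong issuer or expired"
    cnf = payload.get("cnf")
    bound = cnf.get("x5t#S256") if isinstance(cnf, dict) else None
    if not isinstance(bound, str):
        # Policy choice for this RS: only certificate-bound tokens are accepted.
        return False, "token is not certificate-bound"
    if not tls_client_cert_der:
        return False, "no client certificate presented"
    presented = x5t_s256(tls_client_cert_der)
    if not hmac.compare_digest(bound.encode("ascii"), presented.encode("ascii")):
        return False, "certificate thumbprint mismatch"
    return True, "ok"


if __name__ == "__main__":
    tok = issue_bound_token("client-1", "read", CLIENT_CERT_DER)
    print(verify_bound_token(tok, CLIENT_CERT_DER))  # legitimate holder
    print(verify_bound_token(tok, OTHER_CERT_DER))   # stolen token, other cert
    print(verify_bound_token(tok, None))             # stolen token, no mTLS
```

The thumbprint is computed over the raw DER bytes, so the resource server never parses the certificate for this check; the X.509 parsing and validation concerns the new security considerations section addresses belong to the authorization server's authentication of the client, where the certificate content (chain, or the expected self-presented certificate) is actually examined.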