Re: [OAUTH-WG] MTLS and in-browser clients using the token endpoint

Brian Campbell <> Mon, 07 January 2019 17:22 UTC

To: Benjamin Kaduk <>
Cc: Neil Madden <>, oauth <>

I don't honestly know for sure but I suspect that employees of big
corporations will likely have keys/certs on their devices/machines that are
issued by some internal CA and provisioned to them automatically (and in
many cases without the user knowing and/or understanding that they are
there and why). Those users would likely be prompted when TLS handshaking
with a server that presents an empty list of CAs in the
certificate_authorities of the CertificateRequest.

I dunno. Maybe I was too quick to retract the proposal for the MTLS
supporting secondary token endpoint?

What do folks (including Ben & Neil) think?

On Fri, Jan 4, 2019 at 2:55 PM Benjamin Kaduk <> wrote:

> On Fri, Dec 28, 2018 at 03:55:15PM -0700, Brian Campbell wrote:
> > I
> > suspect that not having client certs set up is the situation for the vast
> > majority of users and their browsers. And for those that do have client
> Is this still true when we limit to the set of users/browsers that are
> employees of big corporations?
> -Ben
> > certs set up, I think they are more likely to be the kind of user that is
> > able to deal with the UI prompt okay.

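An added example, not part of the original message: a parser for the TLS 1.2 CertificateRequest handshake message (RFC 5246 layout is assumed) that reports whether the certificate_authorities list discussed in this thread is empty. The function names are hypothetical, and the sample messages and the placeholder DN are constructed.

```python
# Added example: TLS 1.2 CertificateRequest parser (layout per RFC 5246, 7.4.4).
CERTIFICATE_REQUEST = 13  # HandshakeType certificate_request

def _vec(data: bytes, pos: int, len_bytes: int) -> tuple[bytes, int]:
    """Read one length-prefixed vector; return (contents, next position)."""
    if pos + len_bytes > len(data):
        raise ValueError("truncated length field")
    n = int.from_bytes(data[pos:pos + len_bytes], "big")
    start, end = pos + len_bytes, pos + len_bytes + n
    if end > len(data):
        raise ValueError("truncated vector")
    return data[start:end], end

def parse_certificate_request(msg: bytes) -> dict:
    """Parse one handshake message of type 13, 4-byte header included."""
    if len(msg) < 4 or msg[0] != CERTIFICATE_REQUEST:
        raise ValueError("not a CertificateRequest")
    body, end = _vec(msg, 1, 3)
    if end != len(msg):
        raise ValueError("trailing bytes after handshake message")
    cert_types, pos = _vec(body, 0, 1)   # certificate_types<1..2^8-1>
    sig_algs, pos = _vec(body, pos, 2)   # supported_signature_algorithms
    ca_block, pos = _vec(body, pos, 2)   # certificate_authorities<0..2^16-1>
    if pos != len(body) or not cert_types or len(sig_algs) % 2:
        raise ValueError("malformed CertificateRequest body")
    names, i = [], 0
    while i < len(ca_block):             # each entry is a DistinguishedName
        dn, i = _vec(ca_block, i, 2)
        if not dn:
            raise ValueError("empty DistinguishedName")
        names.append(dn)
    algs = [tuple(sig_algs[j:j + 2]) for j in range(0, len(sig_algs), 2)]
    return {"certificate_types": list(cert_types),
            "signature_algorithms": algs,
            "certificate_authorities": names,
            "empty_ca_list": not names}

def build_certificate_request(dns: list[bytes]) -> bytes:
    """Construct sample input: rsa_sign (1), (sha256, rsa) = (4, 1), given DNs."""
    cas = b"".join(len(d).to_bytes(2, "big") + d for d in dns)
    body = b"\x01\x01" + b"\x00\x02\x04\x01" + len(cas).to_bytes(2, "big") + cas
    return bytes([CERTIFICATE_REQUEST]) + len(body).to_bytes(3, "big") + body

# Constructed samples; the DN bytes are a placeholder, not a real DER name.
EMPTY_CAS = build_certificate_request([])
ONE_CA = build_certificate_request([b"placeholder-DER-DN-of-internal-CA"])

if __name__ == "__main__":
    for label, msg in (("empty list", EMPTY_CAS), ("one CA", ONE_CA)):
        print(label, parse_certificate_request(msg))
```

The `empty_ca_list` flag marks the case raised in the thread, where the server gives the client no CA names to narrow certificate selection.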