[OAUTH-WG] Fwd: I-D Action: draft-ietf-oauth-mtls-03.txt

Brian Campbell <bcampbell@pingidentity.com> Fri, 28 July 2017 18:34 UTC

Return-Path: <bcampbell@pingidentity.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost []) by ietfa.amsl.com (Postfix) with ESMTP id EA28D132026 for <oauth@ietfa.amsl.com>; Fri, 28 Jul 2017 11:34:18 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.74
X-Spam-Status: No, score=-1.74 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, HTML_OBFUSCATE_05_10=0.26, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=pingidentity.com
Received: from mail.ietf.org ([]) by localhost (ietfa.amsl.com []) (amavisd-new, port 10024) with ESMTP id VgoakRSgM-Ae for <oauth@ietfa.amsl.com>; Fri, 28 Jul 2017 11:34:16 -0700 (PDT)
Received: from mail-pf0-x22e.google.com (mail-pf0-x22e.google.com [IPv6:2607:f8b0:400e:c00::22e]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 64914131D69 for <oauth@ietf.org>; Fri, 28 Jul 2017 11:34:16 -0700 (PDT)
Received: by mail-pf0-x22e.google.com with SMTP id q85so98729961pfq.1 for <oauth@ietf.org>; Fri, 28 Jul 2017 11:34:16 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=pingidentity.com; s=gmail; h=mime-version:in-reply-to:references:from:date:message-id:subject:to; bh=XVRCxH2gVtqNA/rz+H2sM4ROoApqX9sslWFrNtWbe18=; b=ht+Mx5vi3unne4bEjz2IILCjRbIb6WC0e/1NPaJoUC1dJXkza2DN9eKwNyKPgyyPtU 6Ul1AErWZ36FypLXpQQ4/aNV0S/1NpxxrL4hlkeo+LKmls+WMkDjJBoKpRotbN8w+v2G 2Pj8YLHGHBGlQKlcQp6REBMO5qlOv4ObuniDE=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to; bh=XVRCxH2gVtqNA/rz+H2sM4ROoApqX9sslWFrNtWbe18=; b=eBlmL1EOjBkvDSenevkECZhdqO0WHYdjiryVrX4328ATzYdXyFxh4MKWYUSKMaGypz oqC2+huRL5QNxE/6jhThei4PFNrVCgzKp9RrtEejEk0gom90ynY2dv0XnXvndxO8Mtas eEEMn4j1X43rRHwaQOqDKh8dnevotUpJRZR3CKG32PCFOFLZJqaXxXUdkQIobH+tEg4R oUfAhR4dWQhv6pnh+KfkA4aEpMWq1rX3/yreLf+DeGVQQv49+hdzSTtrv1T/GegxtDcz Yw/jFobxK+4ISJK7YrJlX5SEGPU44ejYu7uSgYP1w4NEy+adTnspHpTZTUBD18ySJsJa cV5g==
X-Gm-Message-State: AIVw110FGY4Y95/zTLnEb0Ste5b8yGCrqwuI9P/cDaSuWNHY7nZQhKQ7 /BHwd4p70vmapl3NNmIFe0E0fK/ESG+TGflWJ0pTFtZ0Q271bwmPNTF/FTKavj+hxU0ykH2LPqj cXDpz
X-Received: by with SMTP id q2mr8291858pga.332.1501266855741; Fri, 28 Jul 2017 11:34:15 -0700 (PDT)
MIME-Version: 1.0
Received: by with HTTP; Fri, 28 Jul 2017 11:33:45 -0700 (PDT)
In-Reply-To: <150126635076.25225.3854025136006448469@ietfa.amsl.com>
References: <150126635076.25225.3854025136006448469@ietfa.amsl.com>
From: Brian Campbell <bcampbell@pingidentity.com>
Date: Fri, 28 Jul 2017 12:33:45 -0600
Message-ID: <CA+k3eCThoxNM394K=it4vCL2k-BW68Lg73eTN=4Z3LrupbXtVw@mail.gmail.com>
To: oauth <oauth@ietf.org>
Content-Type: multipart/alternative; boundary="94eb2c08da74a66cfd055564ed4d"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/aYk3hgiapj33MTWlR99d7X3jW5Q>
Subject: [OAUTH-WG] Fwd: I-D Action: draft-ietf-oauth-mtls-03.txt
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 28 Jul 2017 18:34:19 -0000

A new draft of "Mutual TLS Profile for OAuth 2.0" has been published with
the changes listed below based on comments and dissuasion in Prague.


   o  Introduced metadata and client registration parameter to publish
      and request support for mutual TLS sender constrained access
   o  Added description of two methods of binding the cert and client,
      PKI and Public Key.
   o  Indicated that the "tls_client_auth" authentication method is for
      the PKI method and introduced "pub_key_tls_client_auth" for the
      Public Key method
   o  Added implementation considerations, mainly regarding TLS stack
      configuration and trust chain validation, as well as how to to do
      binding of access tokens to a TLS client certificate for public
      clients, and considerations around certificate bound access tokens
   o  Added new section to security considerations on cert spoofing
   o  Add text suggesting that a new cnf member be defined in the
      future, if hash function(s) other than SHA-256 need to be used for
      certificate thumbprints

---------- Forwarded message ----------
From: <internet-drafts@ietf.org>
Date: Fri, Jul 28, 2017 at 12:25 PM
Subject: [OAUTH-WG] I-D Action: draft-ietf-oauth-mtls-03.txt
To: i-d-announce@ietf.org
Cc: oauth@ietf.org

A New Internet-Draft is available from the on-line Internet-Drafts
This draft is a work item of the Web Authorization Protocol WG of the IETF.

        Title           : Mutual TLS Profile for OAuth 2.0
        Authors         : Brian Campbell
                          John Bradley
                          Nat Sakimura
                          Torsten Lodderstedt
        Filename        : draft-ietf-oauth-mtls-03.txt
        Pages           : 17
        Date            : 2017-07-28

   This document describes Transport Layer Security (TLS) mutual
   authentication using X.509 certificates as a mechanism for OAuth
   client authentication to the token endpoint as well as for
   certificate bound sender constrained access tokens.

The IETF datatracker status page for this draft is:

There are also htmlized versions available at:

A diff from the previous version is available at:

Please note that it may take a couple of minutes from the time of submission
until the htmlized version and diff are available at tools.ietf.org.

Internet-Drafts are also available by anonymous FTP at:

OAuth mailing list

*CONFIDENTIALITY NOTICE: This email may contain confidential and privileged 
material for the sole use of the intended recipient(s). Any review, use, 
distribution or disclosure by others is strictly prohibited.  If you have 
received this communication in error, please notify the sender immediately 
by e-mail and delete the message and any file attachments from your 
computer. Thank you.*