Re: [OAUTH-WG] draft-ietf-oauth-mtls-03 - auth to other endpoints?

Brian Campbell <bcampbell@pingidentity.com> Wed, 23 August 2017 11:24 UTC

To: John Bradley <ve7jtb@ve7jtb.com>
Cc: Vladimir Dzhuvinov <vladimir@connect2id.com>, oauth <oauth@ietf.org>
In-Reply-To: <5CB52046-8233-4684-961B-C49C6F042F40@ve7jtb.com>
Message-ID: <CA+k3eCSLZgPte0qtinJah794j8JPKuPuzb4n12iT+6CW6_cC9g@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/bZ6mft0G7D3ccebhOxnEYUv4puI>

Yeah, we definitely didn't intend for it to be exclusive to the token
endpoint. I think the text kinda came out that way as an artifact of the
way some of these specs are layered and when they were written, as well as
some assumptions on my part that it would be understood that this client
authentication could be applicable to the other places OAuth client
authentication is used. We will clarify things in the next draft.

On Mon, Aug 7, 2017 at 10:28 AM, John Bradley <ve7jtb@ve7jtb.com> wrote:

> Good point, I don’t think we intended it to be exclusive to the token
> endpoint. It is another client auth method and should work in those other
> places as well. I will need to look at the other specs to see how they
> incorporate client auth methods.
>
> Thanks
> John B.
>
> > On Aug 7, 2017, at 11:17 AM, Vladimir Dzhuvinov <vladimir@connect2id.com>
> wrote:
> >
> > I just noticed that the spec is very explicit on the MTLS auth method
> > being used for the token endpoint, but it could also work with other
> > endpoints, e.g. RFC 7009 (revocation) and RFC 7662 (introspection).
> >
> > Were there any talks about that?
> >
> > Vladimir
> >
> > _______________________________________________
> > OAuth mailing list
> > OAuth@ietf.org
> > https://www.ietf.org/mailman/listinfo/oauth

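The point all three messages make is that mutual-TLS client authentication is just another client authentication method, so the same check that guards the token endpoint should guard the revocation (RFC 7009) and introspection (RFC 7662) endpoints too. The following is an added example written for this page; it is not code from the draft, from the thread, or from any of the posters. It models the two methods in draft-ietf-oauth-mtls (PKI mutual TLS, matched on the certificate subject DN, and self-signed certificate mutual TLS, matched here against the registered certificate by SHA-256 thumbprint) and runs one authentication routine in front of all three endpoints. The names (`RegisteredClient`, `CLIENTS`, `authenticate_client`, `handle`), the client registry, and the certificate data are assumptions; the "DER" byte strings are constructed stand-ins, not real certificates, and the subject dict only mirrors the shape returned by `ssl.SSLSocket.getpeercert()`.

```python
import base64
import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Added example, not code from draft-ietf-oauth-mtls or any poster. One mutual-TLS
# client-authentication routine shared by the token, revocation and introspection
# endpoints. All names and sample data below are assumptions made for illustration.


@dataclass(frozen=True)
class RegisteredClient:
    client_id: str
    # "tls_client_auth" (PKI: match the certificate's subject DN) or
    # "self_signed_tls_client_auth" (match the registered certificate itself)
    auth_method: str
    subject_dn: Optional[str] = None       # used by tls_client_auth
    cert_thumbprint: Optional[str] = None  # base64url(SHA-256(DER)), used by self_signed_tls_client_auth


class ClientAuthError(Exception):
    """Raised when TLS client authentication fails; reported to the caller as invalid_client."""


def x5t_s256(der: bytes) -> str:
    """Base64url-encoded SHA-256 thumbprint of a DER-encoded certificate (the x5t#S256 form)."""
    return base64.urlsafe_b64encode(hashlib.sha256(der).digest()).rstrip(b"=").decode("ascii")


def subject_dn(peer_cert: dict) -> str:
    """Flatten the 'subject' field of ssl.SSLSocket.getpeercert() into one DN string.
    Simplification: production code should compare DNs with the RFC 4517 matching rules."""
    return ",".join(f"{attr}={value}" for rdn in peer_cert["subject"] for attr, value in rdn)


# Constructed sample data: the dicts mirror getpeercert()'s shape and the byte strings are
# NOT real DER certificates, only stand-ins for getpeercert(binary_form=True).
PKI_CERT = {"subject": ((("countryName", "US"),), (("organizationName", "Example Corp"),),
                        (("commonName", "pki-client.example.com"),))}
PKI_DER = b"constructed-stand-in-der-pki-client"
SELF_SIGNED_CERT = {"subject": ((("commonName", "self-signed-client"),),)}
SELF_SIGNED_DER = b"constructed-stand-in-der-self-signed-client"

CLIENTS: Dict[str, RegisteredClient] = {
    "pki-client": RegisteredClient(
        "pki-client", "tls_client_auth",
        subject_dn="countryName=US,organizationName=Example Corp,commonName=pki-client.example.com"),
    "self-signed-client": RegisteredClient(
        "self-signed-client", "self_signed_tls_client_auth",
        cert_thumbprint=x5t_s256(SELF_SIGNED_DER)),
}


def authenticate_client(params: Dict[str, str], peer_cert: Optional[dict],
                        peer_der: Optional[bytes]) -> RegisteredClient:
    """Bind the TLS client certificate presented on the connection to the client_id parameter.
    The TLS layer has already validated the chain (PKI) or completed the handshake (self-signed);
    this step decides whether that certificate belongs to the client the request claims to be."""
    client = CLIENTS.get(params.get("client_id", ""))
    if client is None or peer_cert is None or peer_der is None:
        raise ClientAuthError("unknown client_id or no TLS client certificate presented")
    if client.auth_method == "tls_client_auth":
        if subject_dn(peer_cert) != client.subject_dn:
            raise ClientAuthError("certificate subject does not match the registered DN")
    elif client.auth_method == "self_signed_tls_client_auth":
        if not hmac.compare_digest(x5t_s256(peer_der), client.cert_thumbprint or ""):
            raise ClientAuthError("certificate does not match the registered certificate")
    else:
        raise ClientAuthError("client is not registered for mutual-TLS authentication")
    return client


ENDPOINTS = {"/token", "/revoke", "/introspect"}  # RFC 6749, RFC 7009, RFC 7662


def handle(endpoint: str, params: Dict[str, str], peer_cert: Optional[dict],
           peer_der: Optional[bytes]) -> Tuple[int, dict]:
    """Dispatch one request. Every endpoint runs the same client authentication first,
    so a certificate that cannot obtain a token cannot revoke or introspect one either."""
    if endpoint not in ENDPOINTS:
        return 404, {"error": "not_found"}
    try:
        client = authenticate_client(params, peer_cert, peer_der)
    except ClientAuthError:
        # Failed client authentication is the invalid_client error of RFC 6749 section 5.2,
        # which the revocation and introspection specs reuse.
        return 401, {"error": "invalid_client"}
    if endpoint == "/revoke":
        return 200, {}  # RFC 7009: revocation is acknowledged with an empty 200 response
    if endpoint == "/introspect":
        # Token lookup is out of scope here; only the authenticated caller gets any answer at all.
        return 200, {"active": False, "introspected_by": client.client_id}
    return 200, {"access_token": f"demo-token-for-{client.client_id}", "token_type": "Bearer"}
```

The shape to notice is that `authenticate_client` knows nothing about which endpoint called it; the endpoint handlers differ only in what they do after authentication succeeds. A client that registered for `tls_client_auth` is rejected at `/revoke` when it shows up with the wrong certificate exactly as it would be at `/token`, and a request with no client certificate at all fails everywhere, which is the behaviour the thread says the draft intended but did not spell out.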