[OAUTH-WG] Proposed changes to RFC 8705 (oauth-mtls)
Dmitry Telegin <dmitryt@backbase.com> Thu, 09 December 2021 13:23 UTC
Return-Path: <dmitryt@backbase.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4FD1F3A0C19 for <oauth@ietfa.amsl.com>; Thu, 9 Dec 2021 05:23:35 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.098
X-Spam-Level:
X-Spam-Status: No, score=-2.098 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=backbase.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id CA1Ns7Jmqkey for <oauth@ietfa.amsl.com>; Thu, 9 Dec 2021 05:23:30 -0800 (PST)
Received: from mail-lj1-x232.google.com (mail-lj1-x232.google.com [IPv6:2a00:1450:4864:20::232]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7FB613A0C14 for <oauth@ietf.org>; Thu, 9 Dec 2021 05:23:30 -0800 (PST)
Received: by mail-lj1-x232.google.com with SMTP id 13so8909644ljj.11 for <oauth@ietf.org>; Thu, 09 Dec 2021 05:23:30 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=backbase.com; s=google; h=mime-version:from:date:message-id:subject:to; bh=TFxLrJ274LtudfqsfkRQxZ/xalbJjVJ/JGzLoqSQdxQ=; b=V9WvI58lmGkt9jyqURLSRa4AH6qra5Qj4JHu0rGeN28b+HZr4p2upFTtaetAxzGUnH QZvAoaYziLKd+9kcbuTAgg6IPsFwTiHBnuqOMr/6TccjsR6LGZ4M4nDYb40rLaeXzK6x H8UDglSiRzZ0dIk+bt6GD7RcJs9CqSROZMgFHOTZRmkmQISFYwyFbFkbOMrS4r0RQwwA flxvsQ02+oc9d+HpYSblsf4OOY9WHePJr0X5ixDIky+GYr4OFMXxmNM0OmdpTR9wAeSM eIvifIUxI5LhlBZB2hJ5FCZVsCfHAOHVZmZouSMNj6OByFTBtuUibsdX7mzbQQEznro0 PVGg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:mime-version:from:date:message-id:subject:to; bh=TFxLrJ274LtudfqsfkRQxZ/xalbJjVJ/JGzLoqSQdxQ=; b=hTUsRtoqv4ji50SfAL8lRGePmi9HF+dLHhgZmK0mZWrTRIPOaGJQEHC+hGko/bXWR9 EFNGukOtH86UNnrIeAcVZa9s1DS8250ceh64fhIR6F6MynXtWAS/1MfCS/f8gp27hA06 v+I6IvT+unQnRvbzOI3NWz+zpU5JpgnZmzrRPkAwioYfqThjpueZUnA3QF1+9SgiiG3c +uZn5NyidiXVBdMSli30HudzyRzo7E001eY4F5ZhuQ9qmeZhEIwT6vPXiwWunGa15P6c z1vDxZ0YwDRznNNbJOpVSlzJ9pz2L28XieAVa9KOw4zpqfdTTUYZ0r0b1AmOfmX6fW2C ZFHA==
X-Gm-Message-State: AOAM5331T1r4zcdkV2FAluoDNp+KCuA0Q0OAOxpese94ccvYRz4qm2K7 YX+1p7MSQlVdulbZXpC1h3TgdXelE6Cm/WJrvaAip2PMxX6QNg==
X-Google-Smtp-Source: ABdhPJziLdV/tvDhakJKVZKbl7qk5SCmxfncdC1jJ+gNgFwO/qfOABTGIdA8N1yFfuAu+vKgwzAFNvgDmg51lJV+F5Y=
X-Received: by 2002:a05:651c:555:: with SMTP id q21mr6456580ljp.193.1639056207497; Thu, 09 Dec 2021 05:23:27 -0800 (PST)
MIME-Version: 1.0
From: Dmitry Telegin <dmitryt@backbase.com>
Date: Thu, 09 Dec 2021 16:23:16 +0300
Message-ID: <CAOtx8Dm_zbG-cosMELOkoDoCrJP=XGsazATSv7mLmpztj+qcvw@mail.gmail.com>
To: oauth <oauth@ietf.org>
Content-Type: multipart/alternative; boundary="00000000000003f6ff05d2b6836f"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/djB2kWG5cXnbfbJjLr3EKzV23T4>
Subject: [OAUTH-WG] Proposed changes to RFC 8705 (oauth-mtls)
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 09 Dec 2021 13:23:35 -0000
There following changes to RFC 8705 have been proposed: - introduce a new error code (e.g. "invalid_mtls_certificate") to be used when the certificate is required by the AS/RS, but the underlying stack has been misconfigured and the client didn't send one; - for bound token use, change Authorization scheme from Bearer to MTLS; - for token response returning a bound token, change token_type from Bearer to MTLS See discussion: https://mailarchive.ietf.org/arch/msg/oauth/XfeH2q0Rwa2YocsR484xk-8LMqc/ Accepting the changes would imply a new RFC and the obsolescence of the current one. Two questions so far: - what's the group's general stance on this, would that be a welcome change? - if so, could we also hear from the implementors if there any other issues / suggested changes. Dmitry Backbase / Keycloak
- [OAUTH-WG] Proposed changes to RFC 8705 (oauth-mt… Dmitry Telegin
- Re: [OAUTH-WG] Proposed changes to RFC 8705 (oaut… Warren Parad
- Re: [OAUTH-WG] Proposed changes to RFC 8705 (oaut… Neil Madden
- Re: [OAUTH-WG] Proposed changes to RFC 8705 (oaut… Warren Parad
- Re: [OAUTH-WG] Proposed changes to RFC 8705 (oaut… Justin Richer
- Re: [OAUTH-WG] Proposed changes to RFC 8705 (oaut… Warren Parad
- Re: [OAUTH-WG] Proposed changes to RFC 8705 (oaut… Neil Madden
- Re: [OAUTH-WG] Proposed changes to RFC 8705 (oaut… David Waite
- Re: [OAUTH-WG] Proposed changes to RFC 8705 (oaut… Benjamin Kaduk
- Re: [OAUTH-WG] Proposed changes to RFC 8705 (oaut… Warren Parad
- Re: [OAUTH-WG] Proposed changes to RFC 8705 (oaut… Brian Campbell