Re: [OAUTH-WG] MTLS and in-browser clients using the token endpoint

Benjamin Kaduk <kaduk@mit.edu> Tue, 15 January 2019 04:09 UTC

Received-SPF: Pass (protection.outlook.com: domain of mit.edu designates 18.9.28.11 as permitted sender) receiver=protection.outlook.com; client-ip=18.9.28.11; helo=outgoing.mit.edu;
Date: Mon, 14 Jan 2019 22:09:44 -0600
From: Benjamin Kaduk <kaduk@mit.edu>
To: Brian Campbell <bcampbell=40pingidentity.com@dmarc.ietf.org>
CC: David Waite <david@alkaline-solutions.com>, oauth <oauth@ietf.org>
Message-ID: <20190115040943.GB18381@kduck.mit.edu>
References: <CA+k3eCTKSFiiTw8--qBS0R2YVQ0MY0eKrMBvBNE4pauSr1rHcA@mail.gmail.com> <6A614742-290D-47E2-B3E9-A4D49DB32DD7@forgerock.com> <CA+k3eCSoNRGrsxeLYd6DEqU+U6TB_aXV2aPUa07Um2X0ZH_ZEw@mail.gmail.com> <548FF68E-7775-4FE0-829F-1E9CC6EA8E3F@alkaline-solutions.com> <1119DDAE-8044-43C9-A6D4-6032B3BB62B8@forgerock.com> <9D007408-3BCC-4165-BCA4-083BD7602E7D@alkaline-solutions.com> <CA+k3eCQi1sz2bDOMEATpN9ZvXd+VJydQXG03WKuLczG5kz2z+Q@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <CA+k3eCQi1sz2bDOMEATpN9ZvXd+VJydQXG03WKuLczG5kz2z+Q@mail.gmail.com>
User-Agent: Mutt/1.10.1 (2018-07-13)
SpamDiagnosticOutput: 1:99
SpamDiagnosticMetadata: NSPM
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 15 Jan 2019 04:09:48.8878 (UTC)
X-MS-Exchange-CrossTenant-Network-Message-Id: 77ce6aa7-0754-44c3-2770-08d67a9f4acc
X-MS-Exchange-CrossTenant-Id: 64afd9ba-0ecf-4acf-bc36-935f6235ba8b
X-MS-Exchange-CrossTenant-OriginalAttributedTenantConnectingIp: TenantId=64afd9ba-0ecf-4acf-bc36-935f6235ba8b; Ip=[18.9.28.11]; Helo=[outgoing.mit.edu]
X-MS-Exchange-CrossTenant-FromEntityHeader: HybridOnPrem
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BYAPR01MB5527
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/l_aFNoQ0ombyXqwetixx8xp8CuM>
Subject: Re: [OAUTH-WG] MTLS and in-browser clients using the token endpoint
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 15 Jan 2019 04:09:54 -0000

On just one narrow point...

On Mon, Jan 14, 2019 at 02:28:59PM -0700, Brian Campbell wrote:
> 
> I will say that, in addition to the folks that have pointed out that
> renegotiation just isn't possible in some cases, my experience trying to do
> something like that in the past was not particularly successful or
> encouraging. That could have been my fault, of course, but still seems a
> relevant data point. I also have my doubts about the actual difficulty of

Also, the TLS folks get sad when we come up with new applications of
renegotiation -- its removal from TLS 1.3 made many people happy.

-Ben

> getting an AS to issue a 307 like response for requests based on the
> calling client and the likelihood that some/all OAuth client software would
> handle it appropriately.

[OAUTH-WG] MTLS and in-browser clients using the … Brian Campbell
Re: [OAUTH-WG] MTLS and in-browser clients using … John Bradley
Re: [OAUTH-WG] MTLS and in-browser clients using … Neil Madden
Re: [OAUTH-WG] MTLS and in-browser clients using … John Bradley
Re: [OAUTH-WG] MTLS and in-browser clients using … Filip Skokan
Re: [OAUTH-WG] MTLS and in-browser clients using … Brian Campbell
Re: [OAUTH-WG] MTLS and in-browser clients using … Neil Madden
Re: [OAUTH-WG] MTLS and in-browser clients using … Brian Campbell
Re: [OAUTH-WG] MTLS and in-browser clients using … Benjamin Kaduk
Re: [OAUTH-WG] MTLS and in-browser clients using … Brian Campbell
Re: [OAUTH-WG] MTLS and in-browser clients using … Filip Skokan
Re: [OAUTH-WG] MTLS and in-browser clients using … Neil Madden
Re: [OAUTH-WG] MTLS and in-browser clients using … Brian Campbell
Re: [OAUTH-WG] MTLS and in-browser clients using … Brian Campbell
Re: [OAUTH-WG] MTLS and in-browser clients using … Filip Skokan
Re: [OAUTH-WG] MTLS and in-browser clients using … Benjamin Kaduk
Re: [OAUTH-WG] MTLS and in-browser clients using … David Waite
Re: [OAUTH-WG] MTLS and in-browser clients using … David Waite
Re: [OAUTH-WG] MTLS and in-browser clients using … Neil Madden
Re: [OAUTH-WG] MTLS and in-browser clients using … Filip Skokan
Re: [OAUTH-WG] MTLS and in-browser clients using … David Waite
Re: [OAUTH-WG] MTLS and in-browser clients using … Brian Campbell
Re: [OAUTH-WG] MTLS and in-browser clients using … Brian Campbell
Re: [OAUTH-WG] MTLS and in-browser clients using … Benjamin Kaduk
Re: [OAUTH-WG] MTLS and in-browser clients using … Dave Tonge
Re: [OAUTH-WG] MTLS and in-browser clients using … Filip Skokan
Re: [OAUTH-WG] MTLS and in-browser clients using … Brian Campbell
Re: [OAUTH-WG] MTLS and in-browser clients using … Brian Campbell
Re: [OAUTH-WG] MTLS and in-browser clients using … Filip Skokan
Re: [OAUTH-WG] MTLS and in-browser clients using … Brian Campbell
Re: [OAUTH-WG] MTLS and in-browser clients using … Brian Campbell
Re: [OAUTH-WG] MTLS and in-browser clients using … Phil Hunt
Re: [OAUTH-WG] MTLS and in-browser clients using … Brian Campbell
Re: [OAUTH-WG] MTLS and in-browser clients using … Phil Hunt
Re: [OAUTH-WG] MTLS and in-browser clients using … Brian Campbell
Re: [OAUTH-WG] MTLS and in-browser clients using … George Fletcher
Re: [OAUTH-WG] MTLS and in-browser clients using … Brian Campbell
Re: [OAUTH-WG] MTLS and in-browser clients using … Phil Hunt
Re: [OAUTH-WG] MTLS and in-browser clients using … Brian Campbell
Re: [OAUTH-WG] MTLS and in-browser clients using … Richard Backman, Annabelle
Re: [OAUTH-WG] MTLS and in-browser clients using … Phil Hunt
Re: [OAUTH-WG] MTLS and in-browser clients using … Brian Campbell
Re: [OAUTH-WG] MTLS and in-browser clients using … Brian Campbell
Re: [OAUTH-WG] [UNVERIFIED SENDER] Re: MTLS and i… Richard Backman, Annabelle
Re: [OAUTH-WG] MTLS and in-browser clients using … Phil Hunt
Re: [OAUTH-WG] [UNVERIFIED SENDER] Re: MTLS and i… Neil Madden
Re: [OAUTH-WG] [UNVERIFIED SENDER] Re: MTLS and i… Brian Campbell
Re: [OAUTH-WG] [UNVERIFIED SENDER] Re: MTLS and i… Brian Campbell
Re: [OAUTH-WG] [UNVERIFIED SENDER] Re: MTLS and i… David Waite
Re: [OAUTH-WG] [UNVERIFIED SENDER] Re: MTLS and i… Justin Richer
Re: [OAUTH-WG] [UNVERIFIED SENDER] Re: MTLS and i… Neil Madden
Re: [OAUTH-WG] [UNVERIFIED SENDER] Re: MTLS and i… Richard Backman, Annabelle
Re: [OAUTH-WG] [UNVERIFIED SENDER] Re: MTLS and i… Filip Skokan
Re: [OAUTH-WG] [UNVERIFIED SENDER] Re: MTLS and i… Brian Campbell
Re: [OAUTH-WG] [UNVERIFIED SENDER] Re: MTLS and i… Brian Campbell
Re: [OAUTH-WG] [UNVERIFIED SENDER] Re: MTLS and i… Brian Campbell
Re: [OAUTH-WG] [UNVERIFIED SENDER] Re: MTLS and i… Brian Campbell
Re: [OAUTH-WG] [UNVERIFIED SENDER] Re: MTLS and i… Richard Backman, Annabelle
Re: [OAUTH-WG] [UNVERIFIED SENDER] Re: MTLS and i… Brian Campbell
[OAUTH-WG] MTLS token endoint & discovery Dominick Baier
Re: [OAUTH-WG] MTLS token endoint & discovery Brian Campbell
Re: [OAUTH-WG] MTLS token endoint & discovery Dominick Baier
Re: [OAUTH-WG] MTLS token endoint & discovery Justin Richer
Re: [OAUTH-WG] MTLS token endoint & discovery Brian Campbell
Re: [OAUTH-WG] MTLS token endoint & discovery Brian Campbell
Re: [OAUTH-WG] MTLS token endoint & discovery Richard Backman, Annabelle
Re: [OAUTH-WG] MTLS token endoint & discovery George Fletcher
Re: [OAUTH-WG] MTLS token endoint & discovery Justin Richer
Re: [OAUTH-WG] MTLS token endoint & discovery George Fletcher
Re: [OAUTH-WG] MTLS token endoint & discovery Filip Skokan
Re: [OAUTH-WG] MTLS token endoint & discovery Richard Backman, Annabelle
Re: [OAUTH-WG] MTLS token endoint & discovery Filip Skokan
Re: [OAUTH-WG] MTLS token endoint & discovery Dominick Baier
Re: [OAUTH-WG] [UNVERIFIED SENDER] Re: MTLS token… Richard Backman, Annabelle
Re: [OAUTH-WG] [UNVERIFIED SENDER] Re: MTLS token… Dominick Baier
Re: [OAUTH-WG] [UNVERIFIED SENDER] Re: MTLS token… Phil Hunt
Re: [OAUTH-WG] [UNVERIFIED SENDER] Re: MTLS token… Brian Campbell
Re: [OAUTH-WG] [UNVERIFIED SENDER] Re: MTLS token… Phil Hunt
Re: [OAUTH-WG] [UNVERIFIED SENDER] Re: MTLS token… George Fletcher
Re: [OAUTH-WG] [UNVERIFIED SENDER] Re: MTLS token… Filip Skokan
Re: [OAUTH-WG] [UNVERIFIED SENDER] Re: MTLS token… Phil Hunt
Re: [OAUTH-WG] [UNVERIFIED SENDER] Re: MTLS token… George Fletcher
Re: [OAUTH-WG] [UNVERIFIED SENDER] Re: MTLS token… Filip Skokan
Re: [OAUTH-WG] [UNVERIFIED SENDER] Re: MTLS token… George Fletcher
Re: [OAUTH-WG] [UNVERIFIED SENDER] Re: MTLS token… Neil Madden
Re: [OAUTH-WG] [UNVERIFIED SENDER] Re: MTLS token… David Waite
Re: [OAUTH-WG] [UNVERIFIED SENDER] Re: MTLS token… Richard Backman, Annabelle
Re: [OAUTH-WG] [UNVERIFIED SENDER] Re: MTLS token… Richard Backman, Annabelle
Re: [OAUTH-WG] [UNVERIFIED SENDER] Re: MTLS token… Brian Campbell