Re: [OAUTH-WG] Fwd: I-D Action: draft-ietf-oauth-mtls-04.txt

Takahiko Kawasaki <daru.tk@gmail.com> Wed, 08 November 2017 11:34 UTC

Return-Path: <daru.tk@gmail.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DFD91131A08 for <oauth@ietfa.amsl.com>; Wed, 8 Nov 2017 03:34:54 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.439
X-Spam-Level:
X-Spam-Status: No, score=-2.439 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, HTML_OBFUSCATE_05_10=0.26, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id KOYVZBl-3IlN for <oauth@ietfa.amsl.com>; Wed, 8 Nov 2017 03:34:51 -0800 (PST)
Received: from mail-yw0-x22b.google.com (mail-yw0-x22b.google.com [IPv6:2607:f8b0:4002:c05::22b]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B019F1319EF for <oauth@ietf.org>; Wed, 8 Nov 2017 03:34:51 -0800 (PST)
Received: by mail-yw0-x22b.google.com with SMTP id w2so1995468ywa.9 for <oauth@ietf.org>; Wed, 08 Nov 2017 03:34:51 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=N7gxKDOJDm3aLFqrtgcTVqobCxzT7YP1wjvCmwyDrOs=; b=lzuO6CLSa4KrExXBAt0gUKWomV5k2S2BCfQDAS+n54rG4Unbc5Gutgw7/IX2Jbl2M0 UGyVGNVrrrlaK72Ot1bKCN6AOWUKPOPrfH4xtYbaY1WqC99Iya5wNi9zkjR5ZDjQOHVF jeJ73vUkx8NM6knGW9g9iH7pS6d8pApEU+fe1ozLJvjoJ/b+zaXe7p4ecV2WDD2ckooR ZQGkwkE2toOg/Y97AZo6XRKwq8UJsRciLqhAkFnqx75kaV3wuSusJYRI5zcjKdl0L21T 7y/1Cs901I39Hut0oe/9KwWDWaldIOVTOiZqPBdihAh9zt8IftZ48BxW4sns3fXAeM3+ 6/hg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=N7gxKDOJDm3aLFqrtgcTVqobCxzT7YP1wjvCmwyDrOs=; b=Tj8LzFyJH75K4NQ6gB2b09t5wdd5U8moZqLkD7CMPYzIKELvwAyKjoN4JfFdazdjUM 4nOIp95n0XZmgC8dIiDuq7uLmgCbvdck3d5RULQmlYYeXL3K2KICRs4MmGU3kv0zcP1+ 2SLrULjb9BvJldGJoo7ufy+wEfzCEXvSPqHIAWl/qavkZQa7XA8EZCKIOPelPevK/RX8 W+yMPjvodKx0K18cf09YMGP6WNKXLMo0F5wybdPz6DfLXqqmJ7xjMMs2Qw0FCET/Fr9L nfuo/XFsvdr7+1s2d38ZpCnfJ7qF4wb9x9RegigNX0b6Vw9VZJ3y4jgc5lx6/c0+Bq2g Q0PA==
X-Gm-Message-State: AJaThX5H1SSQrISm3mu3gCkxwout2KdmsFg/QmEFbY0r2erZu6vKYY7t DzSzjYOGP6dc9gG0gBZoWTmlQ0qI6a1oFgv+PTQ=
X-Google-Smtp-Source: ABhQp+QrnvVWhfwJ5VhGCQiv9SmRj46Vh7hphi0MfRi2Az7DYtBhX9KnX0Gjt/Kxbwrq4zjTEHZeqKHrDmRF21gidKg=
X-Received: by 10.37.162.142 with SMTP id c14mr103637ybi.406.1510140890795; Wed, 08 Nov 2017 03:34:50 -0800 (PST)
MIME-Version: 1.0
Received: by 10.37.248.32 with HTTP; Wed, 8 Nov 2017 03:34:50 -0800 (PST)
In-Reply-To: <CA+k3eCTGPiMKSqDmAoRjzjG8fgiq2=HU5vbwyaSXkDJXTxMO2Q@mail.gmail.com>
References: <150784500346.16836.10053591552617872796@ietfa.amsl.com> <CA+k3eCSD73-djpiUOq3u+arXjsUQ=aZsiA8Xv2tUM6mSecwvdA@mail.gmail.com> <83c305ab-4c3b-b16e-1385-7e0e3af6a556@connect2id.com> <CA+k3eCTGPiMKSqDmAoRjzjG8fgiq2=HU5vbwyaSXkDJXTxMO2Q@mail.gmail.com>
From: Takahiko Kawasaki <daru.tk@gmail.com>
Date: Wed, 8 Nov 2017 11:34:50 +0000
Message-ID: <CAGpwqP9hsR51XNnueSfhwmD07cE6xZe5w8cMJ5Q1e7R3hiVWfA@mail.gmail.com>
To: Brian Campbell <bcampbell@pingidentity.com>
Cc: oauth <oauth@ietf.org>
Content-Type: multipart/alternative; boundary="089e0828b5545b532e055d7713c0"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/mXplmNqk9roPNUZZzakk_r3H7NY>
Subject: Re: [OAUTH-WG] Fwd: I-D Action: draft-ietf-oauth-mtls-04.txt
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 08 Nov 2017 11:34:55 -0000

Dear Brian,

I'd like to make some small comments.

2. / 1st paragraph / 4th line
"for client authentications" --> "for client authentication"
(remove 's' at the end)

2.1.1. / 1st paragraph / 4th line
"used to indicated" -> "used to indicate"
(remove 'd' at the end)

2.2. / 1st paragraph / 3rd line
"a X.509 certificate" -> "an X.509 certificate"
(replace "a" with "an")

2.2. / 1st paragraph / 11th line
"info of one the" -> "info of one of the"
(insert "of" between "one" and "the")

2.2. / 1st paragraph / 17th line
"directly with at the" -> "directly at the"
(remove "with")

2.2.1. / 1st paragraph / 4th line
"used to indicated" -> "used to indicate"
(remove 'd' at the end)

3.1. / 1st paragraph / 1st line
"as a JSON Web Tokens" -> "as JSON Web Tokens"
(remove 'a')

3.1. / 2nd paragraph / 6th-7th lines
"are also sometimes also" -> "are sometimes also"
(remove one "also")

3.3. & 3.4.
After reading the specification, for me, "certificate_bound_access_tokens"
sounds more natural than "mutual_tls_sender_constrained_access_tokens". Is
there any special reason for the parameter name?

4.3. / 1st paragraph / 1st line
"allows for the use" -> "allows use"
(remove "for the", but I'm not sure because I'm not a native English
speaker.)

6.1. / 1st paragraph / 2nd line
"it is latest" -> "it is the latest"
(insert "the" between "is" and "latest")

By the way, isn't it necessary to define rules for REFRESH tokens? For
example, "if a refresh token is issued, it MUST/SHOULD/MAY be also bound to
the same certificate. When the token endpoint of the authorization server
receives a refresh token request with a certificate-bound refresh token,
..."

Best Regards,
Taka


2017-10-13 17:31 GMT+01:00 Brian Campbell <bcampbell@pingidentity.com>om>:

> Thanks for the review, Vladimir. And yes, sender-constrained access tokens
> should also work in a token exchange scenario.
>
> On Fri, Oct 13, 2017 at 3:18 AM, Vladimir Dzhuvinov <
> vladimir@connect2id.com> wrote:
>
>> Superb! Thanks for putting down everything that was discussed. I read the
>> new version and have zero comments about it.
>>
>> Will sender-constrained access tokens also work in a token exchange
>> scenario?
>>
>> (draft-ietf-oauth-token-exchange-09)
>>
>> Vladimir
>>
>> On 13/10/17 01:07, Brian Campbell wrote:
>>
>> I'm pleased to announce that a new draft of "Mutual TLS Profile for OAuth
>> 2.0" has been published. The changes, based on feedback and discussion on
>> this list over the last two months, are listed below.
>>
>>    draft-ietf-oauth-mtls-04<https://tools.ietf.org/html/draft-ietf-oauth-mtls-04> <https://tools.ietf.org/html/draft-ietf-oauth-mtls-04>
>>
>>    o  Change the name of the 'Public Key method' to the more accurate
>>       'Self-Signed Certificate method' and also change the associated
>>       authentication method metadata value to
>>       "self_signed_tls_client_auth".
>>    o  Removed the "tls_client_auth_root_dn" client metadata field as
>>       discussed in https://mailarchive.ietf.org/arch/msg/oauth/<https://mailarchive.ietf.org/arch/msg/oauth/swDV2y0be6o8czGKQi1eJV-g8qc> <https://mailarchive.ietf.org/arch/msg/oauth/swDV2y0be6o8czGKQi1eJV-g8qc>
>>       swDV2y0be6o8czGKQi1eJV-g8qc<https://mailarchive.ietf.org/arch/msg/oauth/swDV2y0be6o8czGKQi1eJV-g8qc> <https://mailarchive.ietf.org/arch/msg/oauth/swDV2y0be6o8czGKQi1eJV-g8qc>
>>    o  Update draft-ietf-oauth-discovery<https://tools.ietf.org/html/draft-ietf-oauth-discovery> <https://tools.ietf.org/html/draft-ietf-oauth-discovery> reference to
>> -07
>>    o  Clarify that MTLS client authentication isn't exclusive to the
>>       token endpoint and can be used with other endpoints, e.g.  RFC<https://tools.ietf.org/html/rfc7009> <https://tools.ietf.org/html/rfc7009>
>>       7009 <https://tools.ietf.org/html/rfc7009> <https://tools.ietf.org/html/rfc7009> revocation and 7662
>> introspection, that utilize client
>>       authentication as discussed in
>>       https://mailarchive.ietf.org/arch/msg/oauth/<https://mailarchive.ietf.org/arch/msg/oauth/bZ6mft0G7D3ccebhOxnEYUv4puI> <https://mailarchive.ietf.org/arch/msg/oauth/bZ6mft0G7D3ccebhOxnEYUv4puI>
>>       bZ6mft0G7D3ccebhOxnEYUv4puI<https://mailarchive.ietf.org/arch/msg/oauth/bZ6mft0G7D3ccebhOxnEYUv4puI> <https://mailarchive.ietf.org/arch/msg/oauth/bZ6mft0G7D3ccebhOxnEYUv4puI>
>>
>>    o  Reorganize the document somewhat in an attempt to more clearly
>>       make a distinction between mTLS client authentication and
>>       certificate bound access tokens as well as a more clear
>>       delineation between the two (PKI/Public key) methods for client
>>       authentication
>>    o  Editorial fixes and clarifications
>>
>>
>> ---------- Forwarded message ----------
>> From: <internet-drafts@ietf.org> <internet-drafts@ietf.org>
>> Date: Thu, Oct 12, 2017 at 3:50 PM
>> Subject: [OAUTH-WG] I-D Action: draft-ietf-oauth-mtls-04.txt
>> To: i-d-announce@ietf.org
>> Cc: oauth@ietf.org
>>
>>
>>
>> A New Internet-Draft is available from the on-line Internet-Drafts
>> directories.
>> This draft is a work item of the Web Authorization Protocol WG of the IETF.
>>
>>         Title           : Mutual TLS Profile for OAuth 2.0
>>         Authors         : Brian Campbell
>>                           John Bradley
>>                           Nat Sakimura
>>                           Torsten Lodderstedt
>>         Filename        : draft-ietf-oauth-mtls-04.txt
>>         Pages           : 18
>>         Date            : 2017-10-12
>>
>> Abstract:
>>    This document describes Transport Layer Security (TLS) mutual
>>    authentication using X.509 certificates as a mechanism for OAuth
>>    client authentication to the authorization sever as well as for
>>    certificate bound sender constrained access tokens.
>>
>>
>> The IETF datatracker status page for this draft is:https://datatracker.ietf.org/doc/draft-ietf-oauth-mtls/
>>
>> There are also htmlized versions available at:https://tools.ietf.org/html/draft-ietf-oauth-mtls-04https://datatracker.ietf.org/doc/html/draft-ietf-oauth-mtls-04
>>
>> A diff from the previous version is available at:https://www.ietf.org/rfcdiff?url2=draft-ietf-oauth-mtls-04
>>
>>
>> Please note that it may take a couple of minutes from the time of submission
>> until the htmlized version and diff are available at tools.ietf.org.
>>
>> Internet-Drafts are also available by anonymous FTP at:ftp://ftp.ietf.org/internet-drafts/
>>
>> _______________________________________________
>> OAuth mailing listOAuth@ietf.orghttps://www.ietf.org/mailman/listinfo/oauth
>>
>>
>>
>> _______________________________________________
>> OAuth mailing listOAuth@ietf.orghttps://www.ietf.org/mailman/listinfo/oauth
>>
>>
>>
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org
>> https://www.ietf.org/mailman/listinfo/oauth
>>
>>
>
> *CONFIDENTIALITY NOTICE: This email may contain confidential and
> privileged material for the sole use of the intended recipient(s). Any
> review, use, distribution or disclosure by others is strictly prohibited.
> If you have received this communication in error, please notify the sender
> immediately by e-mail and delete the message and any file attachments from
> your computer. Thank you.*
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>
>