Re: [OAUTH-WG] Fwd: New Version Notification for draft-campbell-oauth-tls-client-auth-00.txt

Brian Campbell <bcampbell@pingidentity.com> Fri, 21 October 2016 22:51 UTC

In-Reply-To: <26838e0e-1aee-04ca-4f7e-f6cff8dcfacf@connect2id.com>
References: <147613227959.31428.2920748721017165266.idtracker@ietfa.amsl.com> <9CDE07EB-E5B4-43B2-B3C1-F12569CAB458@ve7jtb.com> <26838e0e-1aee-04ca-4f7e-f6cff8dcfacf@connect2id.com>
From: Brian Campbell <bcampbell@pingidentity.com>
Date: Fri, 21 Oct 2016 16:51:23 -0600
Message-ID: <CA+k3eCQaWm+O8VMNGGJG41j=dW2vqa4n6QZgKmVM9=d0HxgnCA@mail.gmail.com>
To: Vladimir Dzhuvinov <vladimir@connect2id.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/nHa-Ryn_-Jk2PatC6Qy5AjBKqrI>
Cc: Nat Sakimura via Openid-specs-fapi <openid-specs-fapi@lists.openid.net>, OAuth WG <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Fwd: New Version Notification for draft-campbell-oauth-tls-client-auth-00.txt

I did consider something like that but stopped short of putting it in the
-00 document. I'm not convinced that some metadata around it would really
contribute to interop one way or the other. I also wanted to get the basic
concept written down before going too far into the weeds. But I'd be open
to adding something along those lines in future revisions, if there's some
consensus that it'd be useful.

On Mon, Oct 17, 2016 at 2:47 AM, Vladimir Dzhuvinov <vladimir@connect2id.com> wrote:

> Superb, I welcome that!
>
> Regarding https://tools.ietf.org/html/draft-campbell-oauth-tls-client-auth-00#section-5.2 :
>
> My concern is that the choice of how to bind the client identity is left
> to implementers, and that may eventually become an interop problem.
> Have you considered some kind of an open ended enumeration of the possible
> binding methods, and giving them some identifiers or names, so that AS /
> OPs can advertise them in their metadata, and clients register accordingly?
>
> For example:
>
> "tls_client_auth_bind_methods_supported" : [ "subject_alt_name_match",
> "subject_public_key_info_match" ]
>
>
> Cheers,
>
> Vladimir
>
> On 10/10/16 23:59, John Bradley wrote:
>
> At the request of the OpenID Foundation Financial Services API Working group, Brian Campbell and I have documented
> mutual TLS client authentication. This is something that lots of people do in practice though we have never had a spec for it.
>
> The Banks want to use it for some server to server API use cases being driven by new open banking regulation.
>
> The largest thing in the draft is the IANA registration of “tls_client_auth” Token Endpoint authentication method for use in Registration and discovery.
>
> The trust model is intentionally left open so that you could use a “common name” and a restricted list of CAs or a direct lookup of the subject public key against a registered value, or something in between.
>
> I hope that this is non controversial and the WG can adopt it quickly.
>
> Regards
> John B.
>
> Begin forwarded message:
>
> From: internet-drafts@ietf.org
> Subject: New Version Notification for draft-campbell-oauth-tls-client-auth-00.txt
> Date: October 10, 2016 at 5:44:39 PM GMT-3
> To: "Brian Campbell" <brian.d.campbell@gmail.com>, "John Bradley" <ve7jtb@ve7jtb.com>
>
>
> A new version of I-D, draft-campbell-oauth-tls-client-auth-00.txt
> has been successfully submitted by John Bradley and posted to the
> IETF repository.
>
> Name:		draft-campbell-oauth-tls-client-auth
> Revision:	00
> Title:		Mutual X.509 Transport Layer Security (TLS) Authentication for OAuth Clients
> Document date:	2016-10-10
> Group:		Individual Submission
> Pages:		5
> URL:            https://www.ietf.org/internet-drafts/draft-campbell-oauth-tls-client-auth-00.txt
> Status:         https://datatracker.ietf.org/doc/draft-campbell-oauth-tls-client-auth/
> Htmlized:       https://tools.ietf.org/html/draft-campbell-oauth-tls-client-auth-00
>
>
> Abstract:
>   This document describes X.509 certificates as OAuth client
>   credentials using Transport Layer Security (TLS) mutual
>   authentication as a mechanism for client authentication to the
>   authorization server's token endpoint.
>
> Please note that it may take a couple of minutes from the time of submission
> until the htmlized version and diff are available at tools.ietf.org.
>
> The IETF Secretariat
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
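The two certificate-binding methods Vladimir names in his reply (`subject_alt_name_match` and `subject_public_key_info_match`) and the `tls_client_auth_bind_methods_supported` metadata field he proposes, worked through as an added Go example. This is not code from the thread, from the draft, or from any of the participants' projects: the field name and the two method identifiers are taken from Vladimir's message, while the struct and function names, the client registration shape, and the choice to encode the SubjectPublicKeyInfo as base64url(SHA-256(DER SPKI)) are assumptions made for this example. It assumes the TLS layer has already validated the client certificate chain against the restricted CA list John mentions; what the example shows is the separate step of binding the presented certificate to a specific registered client, which chain validation alone cannot do.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"math/big"
	"time"
)

// Method identifiers as proposed in Vladimir's message.
const (
	BindSAN  = "subject_alt_name_match"
	BindSPKI = "subject_public_key_info_match"
)

// ASMetadata models the discovery fields an AS would publish. The
// tls_client_auth_bind_methods_supported key is the proposed (hypothetical) one.
type ASMetadata struct {
	TokenEndpointAuthMethodsSupported []string `json:"token_endpoint_auth_methods_supported"`
	TLSClientAuthBindMethodsSupported []string `json:"tls_client_auth_bind_methods_supported"`
}

// ClientRegistration is what the AS stores when a client registers for
// tls_client_auth: the binding method it chose and the value to compare.
// Expected is a DNS SAN for BindSAN, or an SPKI thumbprint for BindSPKI.
type ClientRegistration struct {
	ClientID   string
	BindMethod string
	Expected   string
}

// SPKIThumbprint returns base64url(SHA-256(DER SubjectPublicKeyInfo)).
// (Encoding chosen for this example; the draft does not specify one.)
func SPKIThumbprint(cert *x509.Certificate) string {
	sum := sha256.Sum256(cert.RawSubjectPublicKeyInfo)
	return base64.RawURLEncoding.EncodeToString(sum[:])
}

// BindClient checks that the TLS client certificate presented at the token
// endpoint is the one the identified client registered. Chain validation
// against the restricted CA list is assumed to have happened at the TLS layer.
func BindClient(reg ClientRegistration, cert *x509.Certificate) error {
	switch reg.BindMethod {
	case BindSAN:
		for _, dns := range cert.DNSNames {
			if dns == reg.Expected {
				return nil
			}
		}
		return fmt.Errorf("client %s: no dNSName SAN matches %q", reg.ClientID, reg.Expected)
	case BindSPKI:
		if SPKIThumbprint(cert) == reg.Expected {
			return nil
		}
		return fmt.Errorf("client %s: SubjectPublicKeyInfo does not match registered value", reg.ClientID)
	default:
		return fmt.Errorf("client %s: unsupported bind method %q", reg.ClientID, reg.BindMethod)
	}
}

// newTestCert builds a self-signed client certificate with one dNSName SAN.
// Constructed test data only; a real client cert would come from a CA.
func newTestCert(dnsSAN string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: dnsSAN},
		DNSNames:     []string{dnsSAN},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	meta := ASMetadata{
		TokenEndpointAuthMethodsSupported: []string{"tls_client_auth"},
		TLSClientAuthBindMethodsSupported: []string{BindSAN, BindSPKI},
	}
	out, _ := json.MarshalIndent(meta, "", "  ")
	fmt.Println(string(out))

	cert, err := newTestCert("client.bank.example") // constructed sample
	if err != nil {
		panic(err)
	}
	reg := ClientRegistration{ClientID: "example-client", BindMethod: BindSPKI, Expected: SPKIThumbprint(cert)}
	fmt.Println("spki bind:", BindClient(reg, cert))
	reg = ClientRegistration{ClientID: "example-client", BindMethod: BindSAN, Expected: "other.example"}
	fmt.Println("san bind:", BindClient(reg, cert))
}
```

The SPKI method binds to the key itself, so a renewed certificate with the same key still matches while any other key, even one certified by the same CA under the same name, does not; the SAN method survives key rotation but relies entirely on the CA list being tight enough that no one else can obtain a certificate for that name.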