[OAUTH-WG] draft-ietf-oauth-mtls-03: enforcing mutual_tls_sender_constrained_access_tokens

Vladimir Dzhuvinov <vladimir@connect2id.com> Sun, 27 August 2017 07:47 UTC

Return-Path: <vladimir@connect2id.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 077FC132C27 for <oauth@ietfa.amsl.com>; Sun, 27 Aug 2017 00:47:33 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.918
X-Spam-Level:
X-Spam-Status: No, score=-1.918 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id S_3m8eA0l8te for <oauth@ietfa.amsl.com>; Sun, 27 Aug 2017 00:47:31 -0700 (PDT)
Received: from p3plsmtpa09-08.prod.phx3.secureserver.net (p3plsmtpa09-08.prod.phx3.secureserver.net [173.201.193.237]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5BE6D132C03 for <oauth@ietf.org>; Sun, 27 Aug 2017 00:47:31 -0700 (PDT)
Received: from [192.168.1.80] ([94.68.122.137]) by :SMTPAUTH: with SMTP id lsHadKUI1euGGlsHbdqiMf; Sun, 27 Aug 2017 00:46:59 -0700
To: IETF oauth WG <oauth@ietf.org>
From: Vladimir Dzhuvinov <vladimir@connect2id.com>
Organization: Connect2id Ltd.
Message-ID: <50944e7c-a958-1d59-c68d-77f1c68db05c@connect2id.com>
Date: Sun, 27 Aug 2017 10:46:57 +0300
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Thunderbird/52.2.1
MIME-Version: 1.0
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg="sha-256"; boundary="------------ms040001000406010602010706"
X-CMAE-Envelope: MS4wfMGo9Qft0sxQdHmHWdR8TxbtOKt5euCIZPX3twaDmvIgnHA0Cu5QCcFAcOiDcxC6gxfaYFcAn7g6NvyGyzpeGQOHdAaDAFhQEBAAds5aTMqtgcrkgi6p r2KrT0Uwy1WHXoQM/b0ERJeHLIeNvVB/Y9GtA2eXdyc2rgrsLoWEUXCA
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/qsK0n7vE9zrInHH-6-_-5mqtRtw>
Subject: [OAUTH-WG] draft-ietf-oauth-mtls-03: enforcing mutual_tls_sender_constrained_access_tokens
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 27 Aug 2017 07:47:33 -0000

Let's suppose that an OAuth 2.0 client is registered for

mutual_tls_sender_constrained_access_tokens=true

Is it correct that in the presence of this parameter, and regardless of
how "token_endpoint_auth_method" is set, the AS must require a client
X.509 cert to be passed to the token endpoint? If yes, then what error
should the AS return if no client cert is passed with the token request?

https://tools.ietf.org/html/rfc6749#section-5.2

Thanks,

Vladimir

PS: Noticed a typo - "manor" in #section-4.3