Re: [OAUTH-WG] MTLS and in-browser clients using the token endpoint

Benjamin Kaduk <kaduk@mit.edu> Tue, 08 January 2019 23:56 UTC

Received-SPF: Pass (protection.outlook.com: domain of mit.edu designates 18.9.28.11 as permitted sender) receiver=protection.outlook.com; client-ip=18.9.28.11; helo=outgoing.mit.edu;
Date: Tue, 08 Jan 2019 17:56:23 -0600
From: Benjamin Kaduk <kaduk@mit.edu>
To: Brian Campbell <bcampbell@pingidentity.com>
CC: Neil Madden <neil.madden@forgerock.com>, oauth <oauth@ietf.org>
Message-ID: <20190108235623.GC28515@kduck.kaduk.org>
References: <CA+k3eCTKSFiiTw8--qBS0R2YVQ0MY0eKrMBvBNE4pauSr1rHcA@mail.gmail.com> <6A614742-290D-47E2-B3E9-A4D49DB32DD7@forgerock.com> <CA+k3eCSoNRGrsxeLYd6DEqU+U6TB_aXV2aPUa07Um2X0ZH_ZEw@mail.gmail.com> <20190104215540.GL86936@kduck.kaduk.org> <CA+k3eCR9JVmeUcuGaDgDvcFz4L=uXph+CZ_=cJVSc4NJP2DG+Q@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <CA+k3eCR9JVmeUcuGaDgDvcFz4L=uXph+CZ_=cJVSc4NJP2DG+Q@mail.gmail.com>
User-Agent: Mutt/1.10.1 (2018-07-13)
SpamDiagnosticOutput: 1:99
SpamDiagnosticMetadata: NSPM
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 08 Jan 2019 23:56:27.2938 (UTC)
X-MS-Exchange-CrossTenant-Network-Message-Id: 41c3f7ce-39c1-4fb0-f12b-08d675c4e76c
X-MS-Exchange-CrossTenant-Id: 64afd9ba-0ecf-4acf-bc36-935f6235ba8b
X-MS-Exchange-CrossTenant-OriginalAttributedTenantConnectingIp: TenantId=64afd9ba-0ecf-4acf-bc36-935f6235ba8b; Ip=[18.9.28.11]; Helo=[outgoing.mit.edu]
X-MS-Exchange-CrossTenant-FromEntityHeader: HybridOnPrem
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BN8PR01MB5522
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/rmCR_kDuP7mbvnwVRznyemH7n7k>
Subject: Re: [OAUTH-WG] MTLS and in-browser clients using the token endpoint
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 08 Jan 2019 23:56:32 -0000

On Mon, Jan 07, 2019 at 10:21:51AM -0700, Brian Campbell wrote:
> I don't honestly know for sure but I suspect that employees of big
> corporations will likely have keys/certs on their devices/machines that are
> issued by some internal CA and provisioned to them automatically (and in
> many cases without the user knowing and/or understanding that they are
> there and why). Those users would likely be prompted when TLS handshaking
> with a server that presents an empty list of CAs in the
> certificate_authorities of the CertificateRequest.
> 
> I dunno. Maybe I was too quick to retract the proposal for the MTLS
> supporting secondary token endpoint?
> 
> What do folks (including Ben & Neil) think?

Sorry for the slow reply.  I agree with Filip that we can't be confident
that the affected population is a vanishingly small population, so it
probably does make sense to continue thinking about how we can present a
better UX.

-Ben

[OAUTH-WG] MTLS and in-browser clients using the … Brian Campbell
Re: [OAUTH-WG] MTLS and in-browser clients using … John Bradley
Re: [OAUTH-WG] MTLS and in-browser clients using … Neil Madden
Re: [OAUTH-WG] MTLS and in-browser clients using … John Bradley
Re: [OAUTH-WG] MTLS and in-browser clients using … Filip Skokan
Re: [OAUTH-WG] MTLS and in-browser clients using … Brian Campbell
Re: [OAUTH-WG] MTLS and in-browser clients using … Neil Madden
Re: [OAUTH-WG] MTLS and in-browser clients using … Brian Campbell
Re: [OAUTH-WG] MTLS and in-browser clients using … Benjamin Kaduk
Re: [OAUTH-WG] MTLS and in-browser clients using … Brian Campbell
Re: [OAUTH-WG] MTLS and in-browser clients using … Filip Skokan
Re: [OAUTH-WG] MTLS and in-browser clients using … Neil Madden
Re: [OAUTH-WG] MTLS and in-browser clients using … Brian Campbell
Re: [OAUTH-WG] MTLS and in-browser clients using … Brian Campbell
Re: [OAUTH-WG] MTLS and in-browser clients using … Filip Skokan
Re: [OAUTH-WG] MTLS and in-browser clients using … Benjamin Kaduk
Re: [OAUTH-WG] MTLS and in-browser clients using … David Waite
Re: [OAUTH-WG] MTLS and in-browser clients using … David Waite
Re: [OAUTH-WG] MTLS and in-browser clients using … Neil Madden
Re: [OAUTH-WG] MTLS and in-browser clients using … Filip Skokan
Re: [OAUTH-WG] MTLS and in-browser clients using … David Waite
Re: [OAUTH-WG] MTLS and in-browser clients using … Brian Campbell
Re: [OAUTH-WG] MTLS and in-browser clients using … Brian Campbell
Re: [OAUTH-WG] MTLS and in-browser clients using … Benjamin Kaduk
Re: [OAUTH-WG] MTLS and in-browser clients using … Dave Tonge
Re: [OAUTH-WG] MTLS and in-browser clients using … Filip Skokan
Re: [OAUTH-WG] MTLS and in-browser clients using … Brian Campbell
Re: [OAUTH-WG] MTLS and in-browser clients using … Brian Campbell
Re: [OAUTH-WG] MTLS and in-browser clients using … Filip Skokan
Re: [OAUTH-WG] MTLS and in-browser clients using … Brian Campbell
Re: [OAUTH-WG] MTLS and in-browser clients using … Brian Campbell
Re: [OAUTH-WG] MTLS and in-browser clients using … Phil Hunt
Re: [OAUTH-WG] MTLS and in-browser clients using … Brian Campbell
Re: [OAUTH-WG] MTLS and in-browser clients using … Phil Hunt
Re: [OAUTH-WG] MTLS and in-browser clients using … Brian Campbell
Re: [OAUTH-WG] MTLS and in-browser clients using … George Fletcher
Re: [OAUTH-WG] MTLS and in-browser clients using … Brian Campbell
Re: [OAUTH-WG] MTLS and in-browser clients using … Phil Hunt
Re: [OAUTH-WG] MTLS and in-browser clients using … Brian Campbell
Re: [OAUTH-WG] MTLS and in-browser clients using … Richard Backman, Annabelle
Re: [OAUTH-WG] MTLS and in-browser clients using … Phil Hunt
Re: [OAUTH-WG] MTLS and in-browser clients using … Brian Campbell
Re: [OAUTH-WG] MTLS and in-browser clients using … Brian Campbell
Re: [OAUTH-WG] [UNVERIFIED SENDER] Re: MTLS and i… Richard Backman, Annabelle
Re: [OAUTH-WG] MTLS and in-browser clients using … Phil Hunt
Re: [OAUTH-WG] [UNVERIFIED SENDER] Re: MTLS and i… Neil Madden
Re: [OAUTH-WG] [UNVERIFIED SENDER] Re: MTLS and i… Brian Campbell
Re: [OAUTH-WG] [UNVERIFIED SENDER] Re: MTLS and i… Brian Campbell
Re: [OAUTH-WG] [UNVERIFIED SENDER] Re: MTLS and i… David Waite
Re: [OAUTH-WG] [UNVERIFIED SENDER] Re: MTLS and i… Justin Richer
Re: [OAUTH-WG] [UNVERIFIED SENDER] Re: MTLS and i… Neil Madden
Re: [OAUTH-WG] [UNVERIFIED SENDER] Re: MTLS and i… Richard Backman, Annabelle
Re: [OAUTH-WG] [UNVERIFIED SENDER] Re: MTLS and i… Filip Skokan
Re: [OAUTH-WG] [UNVERIFIED SENDER] Re: MTLS and i… Brian Campbell
Re: [OAUTH-WG] [UNVERIFIED SENDER] Re: MTLS and i… Brian Campbell
Re: [OAUTH-WG] [UNVERIFIED SENDER] Re: MTLS and i… Brian Campbell
Re: [OAUTH-WG] [UNVERIFIED SENDER] Re: MTLS and i… Brian Campbell
Re: [OAUTH-WG] [UNVERIFIED SENDER] Re: MTLS and i… Richard Backman, Annabelle
Re: [OAUTH-WG] [UNVERIFIED SENDER] Re: MTLS and i… Brian Campbell
[OAUTH-WG] MTLS token endoint & discovery Dominick Baier
Re: [OAUTH-WG] MTLS token endoint & discovery Brian Campbell
Re: [OAUTH-WG] MTLS token endoint & discovery Dominick Baier
Re: [OAUTH-WG] MTLS token endoint & discovery Justin Richer
Re: [OAUTH-WG] MTLS token endoint & discovery Brian Campbell
Re: [OAUTH-WG] MTLS token endoint & discovery Brian Campbell
Re: [OAUTH-WG] MTLS token endoint & discovery Richard Backman, Annabelle
Re: [OAUTH-WG] MTLS token endoint & discovery George Fletcher
Re: [OAUTH-WG] MTLS token endoint & discovery Justin Richer
Re: [OAUTH-WG] MTLS token endoint & discovery George Fletcher
Re: [OAUTH-WG] MTLS token endoint & discovery Filip Skokan
Re: [OAUTH-WG] MTLS token endoint & discovery Richard Backman, Annabelle
Re: [OAUTH-WG] MTLS token endoint & discovery Filip Skokan
Re: [OAUTH-WG] MTLS token endoint & discovery Dominick Baier
Re: [OAUTH-WG] [UNVERIFIED SENDER] Re: MTLS token… Richard Backman, Annabelle
Re: [OAUTH-WG] [UNVERIFIED SENDER] Re: MTLS token… Dominick Baier
Re: [OAUTH-WG] [UNVERIFIED SENDER] Re: MTLS token… Phil Hunt
Re: [OAUTH-WG] [UNVERIFIED SENDER] Re: MTLS token… Brian Campbell
Re: [OAUTH-WG] [UNVERIFIED SENDER] Re: MTLS token… Phil Hunt
Re: [OAUTH-WG] [UNVERIFIED SENDER] Re: MTLS token… George Fletcher
Re: [OAUTH-WG] [UNVERIFIED SENDER] Re: MTLS token… Filip Skokan
Re: [OAUTH-WG] [UNVERIFIED SENDER] Re: MTLS token… Phil Hunt
Re: [OAUTH-WG] [UNVERIFIED SENDER] Re: MTLS token… George Fletcher
Re: [OAUTH-WG] [UNVERIFIED SENDER] Re: MTLS token… Filip Skokan
Re: [OAUTH-WG] [UNVERIFIED SENDER] Re: MTLS token… George Fletcher
Re: [OAUTH-WG] [UNVERIFIED SENDER] Re: MTLS token… Neil Madden
Re: [OAUTH-WG] [UNVERIFIED SENDER] Re: MTLS token… David Waite
Re: [OAUTH-WG] [UNVERIFIED SENDER] Re: MTLS token… Richard Backman, Annabelle
Re: [OAUTH-WG] [UNVERIFIED SENDER] Re: MTLS token… Richard Backman, Annabelle
Re: [OAUTH-WG] [UNVERIFIED SENDER] Re: MTLS token… Brian Campbell