[OAUTH-WG] Protocol Action: 'OAuth 2.0 Mutual-TLS Client Authentication and Certificate-Bound Access Tokens' to Proposed Standard (draft-ietf-oauth-mtls-17.txt)

The IESG <iesg-secretary@ietf.org> Wed, 11 September 2019 17:27 UTC

Message-ID: <156822285946.13296.12014085900062306101.idtracker@ietfa.amsl.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/sr__8WCvLYNi7lRi9FP-SdFz0BM>

The IESG has approved the following document:
- 'OAuth 2.0 Mutual-TLS Client Authentication and Certificate-Bound
   Access Tokens'
  (draft-ietf-oauth-mtls-17.txt) as Proposed Standard

This document is the product of the Web Authorization Protocol Working Group.

The IESG contact persons are Benjamin Kaduk and Roman Danyliw.

A URL of this Internet Draft is:
https://datatracker.ietf.org/doc/draft-ietf-oauth-mtls/

Technical Summary

	This document describes OAuth client authentication and certificate-bound access 
	tokens using mutual Transport Layer Security (TLS) authentication with X.509 
	certificates.  OAuth clients are provided a mechanism for authentication to the 
	authorization server using mutual TLS, based on either self-signed certificates 
	or public key infrastructure (PKI).  OAuth authorization servers are provided a
	mechanism for binding access tokens to a client's mutual TLS certificate, and 
	OAuth protected resources are provided a method for ensuring that an access 
	token presented to them was issued to the client presenting the token.
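As an added illustration, not part of this announcement or of any implementation listed below, here is the resource-server side of the certificate binding described in the summary: the authorization server places the base64url-encoded SHA-256 thumbprint of the client's certificate in the token's `cnf` confirmation claim under `x5t#S256` (the claim names the draft defines), and the protected resource recomputes the thumbprint from the certificate on the mutual-TLS connection and compares. The certificate bytes are constructed placeholders, not real DER certificates, and verification of the token's signature is assumed to have happened before this check.

```python
import base64
import hashlib
import hmac
from typing import Optional


def cert_thumbprint_s256(cert_der: bytes) -> str:
    """x5t#S256 thumbprint: base64url(SHA-256(DER certificate)) with '=' padding removed."""
    digest = hashlib.sha256(cert_der).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def token_is_bound_to_client(claims: dict, presented_cert_der: Optional[bytes]) -> bool:
    """Resource-server check that the access token was issued to the client presenting it.

    `claims` is the token payload after its signature (or introspection response) has
    already been verified elsewhere; `presented_cert_der` is the DER certificate the
    client used on the mutual-TLS connection, or None if no client certificate was sent.
    """
    cnf = claims.get("cnf")
    if not isinstance(cnf, dict) or not isinstance(cnf.get("x5t#S256"), str):
        return False  # no certificate confirmation in the token: treat it as not bound
    if presented_cert_der is None:
        return False  # no client certificate on this connection: binding cannot be proven
    expected = cnf["x5t#S256"].encode("utf-8")
    actual = cert_thumbprint_s256(presented_cert_der).encode("utf-8")
    return hmac.compare_digest(expected, actual)  # constant-time comparison


# Constructed sample inputs: placeholder bytes standing in for DER-encoded certificates.
CLIENT_CERT_DER = b"-- constructed placeholder for client A DER certificate --"
OTHER_CERT_DER = b"-- constructed placeholder for client B DER certificate --"


def issue_bound_token_claims(client_cert_der: bytes) -> dict:
    """What the authorization server puts in a token bound to the client's mutual-TLS cert."""
    return {"sub": "client-a", "scope": "accounts",
            "cnf": {"x5t#S256": cert_thumbprint_s256(client_cert_der)}}


if __name__ == "__main__":
    bound = issue_bound_token_claims(CLIENT_CERT_DER)
    print(token_is_bound_to_client(bound, CLIENT_CERT_DER))  # True: same certificate
    print(token_is_bound_to_client(bound, OTHER_CERT_DER))   # False: token replayed by another client
    print(token_is_bound_to_client({"sub": "client-a"}, CLIENT_CERT_DER))  # False: token carries no cnf
```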

Working Group Summary

	There is consensus on the contents of this document.  

	This work was motivated by a request from OpenBanking UK to allow the OAuth 
	Client and OAuth Authorization Server to establish a mutually authenticated 
	channel.

Document Quality

	A number of people reviewed the document over several rounds of reviews and 
	provided feedback during meetings and on the mailing list, with no blocking
	comments.

	Implementations:
	Ping Identity has implemented one of the two client authentication methods, the PKI-based method.
	Ping Identity also supports certificate-bound access tokens.

	Authlete has an implementation of this document.
	https://www.authlete.com/

	Connect2id has an implementation.
	https://connect2id.com/blog/connect2id-server-6.13

	oidc-provider has an implementation:
	https://github.com/panva/node-oidc-provider

	References:
	OpenBanking UK references this document:
	https://openbanking.atlassian.net/wiki/spaces/DZ/pages/83919096/Open+Banking+Security+Profile+-+Implementer+s+Draft+v1.1.2

	OpenID WG reference:
	https://bitbucket.org/openid/mobile/src/default/draft-mobile-client-initiated-backchannel-authentication.xml?fileviewer=file-view-default

	OpenID Foundation FAPI WG reference to MTLS:
	https://bitbucket.org/openid/fapi/src/master/Financial_API_WD_002.md?fileviewer=file-view-default

	Berlin Group's Nextgen PSD2 Spec:
	https://docs.wixstatic.com/ugd/c2914b_5351b289bf844c6881e46ee3561d95bb.pdf

Personnel

	The document shepherd is Rifaat Shekh-Yusef. 
	The responsible Area Director is Roman Danyliw.