Re: [OAUTH-WG] I-D Action: draft-ietf-oauth-mtls-08.txt

Brian Campbell <bcampbell@pingidentity.com> Mon, 07 May 2018 20:17 UTC

Return-Path: <bcampbell@pingidentity.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B00BF129C5D for <oauth@ietfa.amsl.com>; Mon, 7 May 2018 13:17:06 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.7
X-Spam-Level:
X-Spam-Status: No, score=-2.7 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=pingidentity.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id s8WXgo7LRBHq for <oauth@ietfa.amsl.com>; Mon, 7 May 2018 13:17:04 -0700 (PDT)
Received: from mail-io0-x232.google.com (mail-io0-x232.google.com [IPv6:2607:f8b0:4001:c06::232]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id CAB81129C6E for <oauth@ietf.org>; Mon, 7 May 2018 13:17:03 -0700 (PDT)
Received: by mail-io0-x232.google.com with SMTP id f21-v6so35685194iob.13 for <oauth@ietf.org>; Mon, 07 May 2018 13:17:03 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=pingidentity.com; s=gmail; h=mime-version:in-reply-to:references:from:date:message-id:subject:to; bh=wzOkfo4lJOke1Gs3AS8aib1NBebo+wSfd9Jk+OYqJU0=; b=LZ3HdEKlsWtwNbH9c1dKVhnFPRcuo5hDL45aw2KZRddqrJvyICrBomJoIQ3j0/sl++ drMscNqiyPhSruMrKu0BBI7GP8AAVSMQjMewTq6hVFE2Kc61eOVBYQMC7ia8c57UhcWi sxAr08c//Fug/kcHb6y1ZywE7T/VchiA8Fj5Q=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to; bh=wzOkfo4lJOke1Gs3AS8aib1NBebo+wSfd9Jk+OYqJU0=; b=uKHUCwQwKL+oG0SS8fvfSZF+qhEzY5NoJHUvFEWtzLTGTkIXLePz4t8UZ4a8n7prCv nSNMw5OQIENA0KtnN7H0Cm4Hd4938yvLIVRxbdirMp2pWqE5j1+tBTtzhXWP41f4lUmY P0IHblMCx4FUrhPQnuGOYftknF09Vn+h2S9aieL1sCsY7Hg0QFtk/4n7xMT1m0NWKmEK h3HrIse1NuSZ7Uk+CI/NPCThLfxyC7DYHiN/kgowsMb/R0wPOs5bQGHktbmSq0TAMENf xTrBgjvRSWQBm1PtX9MCJRDdOz7cQfNJClazoAnhc3KlTe0FrlT0/zkJgKDG+K67HSo6 yHrQ==
X-Gm-Message-State: ALQs6tCP3peIciDzPZ+eLaVUilzmyRSSYA5zJnrtEX4YwfUp0SQIM3fI BZwA2ZVzaPE2obx6Kfk29MCPTTVdYqGBhyJKWt783UbQ+nhWr90wdBb3iZjyX1/gxqWr0vj4+yi YPvx3lsz3j01w/NTl
X-Google-Smtp-Source: AB8JxZo4Bjp2M0BYtU3kDvSkZkAGwMAcBwU0idU/r6m+tP83rVNtDp3TslkkhCzX8w1Ur3oX1p42TCDGJk5ms3qM80o=
X-Received: by 2002:a6b:8361:: with SMTP id f94-v6mr39354091iod.17.1525724222587; Mon, 07 May 2018 13:17:02 -0700 (PDT)
MIME-Version: 1.0
Received: by 2002:a02:144a:0:0:0:0:0 with HTTP; Mon, 7 May 2018 13:16:32 -0700 (PDT)
In-Reply-To: <CA+k3eCS6omRPisq_L7SR=_fHmE8o7KcOSD696UjM4KtW-a7NZw@mail.gmail.com>
References: <152572323194.1316.16504160657904107453@ietfa.amsl.com> <CA+k3eCS6omRPisq_L7SR=_fHmE8o7KcOSD696UjM4KtW-a7NZw@mail.gmail.com>
From: Brian Campbell <bcampbell@pingidentity.com>
Date: Mon, 7 May 2018 14:16:32 -0600
Message-ID: <CA+k3eCSyEuVsG_ZC6N-vNN_D6if=bnbyYmyZQK+x3gPHpp5PMw@mail.gmail.com>
To: oauth <oauth@ietf.org>
Content-Type: multipart/alternative; boundary="00000000000050289c056ba35a0f"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/tNWPYWLkulQDKpGi6yV-IoEUhqE>
Subject: Re: [OAUTH-WG] I-D Action: draft-ietf-oauth-mtls-08.txt
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 07 May 2018 20:17:07 -0000

has *been* published

sigh

On Mon, May 7, 2018 at 2:14 PM, Brian Campbell <bcampbell@pingidentity.com>
wrote:

> A new draft of the OAuth 2.0 Mutual TLS Client Authentication and
> Certificate Bound Access Tokens specification has published with changes
> addressing review comments from Working Group Last Call. Thanks in
> particular to Justin Richer and Neil Madden for the detailed reviews. A
> summary of the changes (copied from the document history) is below.
>
>    draft-ietf-oauth-mtls-08
>
>    o  Incorporate clarifications and editorial improvements from Justin
>       Richer's WGLC review
>    o  Drop the use of the "sender constrained" terminology per WGLC
>       feedback from Neil Madden (including changing the metadata
>       parameters from mutual_tls_sender_constrained_access_tokens to
>       tls_client_certificate_bound_access_tokens)
>    o  Add a new security considerations section on X.509 parsing and
>       validation per WGLC feedback from Neil Madden and Benjamin Kaduk
>    o  Note that a server can terminate TLS at a load balancer, reverse
>       proxy, etc. but how the client certificate metadata is securely
>       communicated to the backend is out of scope per WGLC feedback
>    o  Note that revocation checking is at the discretion of the AS per
>       WGLC feedback
>    o  Editorial updates and clarifications
>    o  Update draft-ietf-oauth-discovery reference to -10 and draft-ietf-
>       oauth-token-binding to -06
>    o  Add folks involved in WGLC feedback to the acknowledgements list
>
>
>
> ---------- Forwarded message ----------
> From: <internet-drafts@ietf.org>
> Date: Mon, May 7, 2018 at 2:00 PM
> Subject: [OAUTH-WG] I-D Action: draft-ietf-oauth-mtls-08.txt
> To: i-d-announce@ietf.org
> Cc: oauth@ietf.org
>
>
>
> A New Internet-Draft is available from the on-line Internet-Drafts
> directories.
> This draft is a work item of the Web Authorization Protocol WG of the IETF.
>
>         Title           : OAuth 2.0 Mutual TLS Client Authentication and
> Certificate Bound Access Tokens
>         Authors         : Brian Campbell
>                           John Bradley
>                           Nat Sakimura
>                           Torsten Lodderstedt
>         Filename        : draft-ietf-oauth-mtls-08.txt
>         Pages           : 21
>         Date            : 2018-05-07
>
> Abstract:
>    This document describes OAuth client authentication and certificate
>    bound access tokens using mutual Transport Layer Security (TLS)
>    authentication with X.509 certificates.  OAuth clients are provided a
>    mechanism for authentication to the authorization sever using mutual
>    TLS, based on either single certificates or public key infrastructure
>    (PKI).  OAuth authorization servers are provided a mechanism for
>    binding access tokens to a client's mutual TLS certificate, and OAuth
>    protected resources are provided a method for ensuring that such an
>    access token presented to it was issued to the client presenting the
>    token.
>
>
> The IETF datatracker status page for this draft is:
> https://datatracker.ietf.org/doc/draft-ietf-oauth-mtls/
>
> There are also htmlized versions available at:
> https://tools.ietf.org/html/draft-ietf-oauth-mtls-08
> https://datatracker.ietf.org/doc/html/draft-ietf-oauth-mtls-08
>
> A diff from the previous version is available at:
> https://www.ietf.org/rfcdiff?url2=draft-ietf-oauth-mtls-08
>
>
> Please note that it may take a couple of minutes from the time of
> submission
> until the htmlized version and diff are available at tools.ietf.org.
>
> Internet-Drafts are also available by anonymous FTP at:
> ftp://ftp.ietf.org/internet-drafts/
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>
>

-- 
_CONFIDENTIALITY NOTICE: This email may contain confidential and privileged 
material for the sole use of the intended recipient(s). Any review, use, 
distribution or disclosure by others is strictly prohibited.  If you have 
received this communication in error, please notify the sender immediately 
by e-mail and delete the message and any file attachments from your 
computer. Thank you._