[OAUTH-WG] RFC 8705 (oauth-mtls): RS error code for missing client certificate

Dmitry Telegin <dmitryt@backbase.com> Thu, 23 September 2021 23:23 UTC


From the document:

>    The protected resource MUST obtain, from its TLS implementation
>    layer, the client certificate used for mutual TLS and MUST verify
>    that the certificate matches the certificate associated with the
>    access token.  If they do not match, the resource access attempt MUST
>    be rejected with an error, per [RFC6750 <https://datatracker.ietf.org/doc/html/rfc6750>], using an HTTP 401 status
>    code and the "invalid_token" error code.

Should the same error code be used in the case when the resource failed to
obtain a certificate from the TLS layer? This could happen, for example, if
the TLS stack has been misconfigured (e.g. verify-client="REQUESTED"
instead of "REQUIRED" for Undertow), and the user agent provided no
certificate.

Thanks,
Dmitry
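The check the quoted paragraph describes, as an added illustration that is not part of the post or of RFC 8705 itself: the resource server computes the x5t#S256 thumbprint of the certificate its TLS layer presented and compares it with the token's cnf claim. The certificate bytes and token claims below are constructed, and the missing-certificate case is reported as its own outcome rather than mapped to an HTTP error, since that mapping is exactly what the post asks about.

```python
import base64
import hashlib
import hmac
from enum import Enum
from typing import Optional


class BindingResult(Enum):
    MATCH = "match"                    # certificate matches the token's cnf binding
    MISMATCH = "mismatch"              # RFC 8705: reject, 401 + error="invalid_token"
    NO_CLIENT_CERT = "no_client_cert"  # TLS layer presented no certificate (the post's question)
    NOT_BOUND = "not_bound"            # token carries no x5t#S256 confirmation at all


def x5t_s256(cert_der: bytes) -> str:
    """RFC 8705 thumbprint: base64url (no padding) of SHA-256 over the DER certificate."""
    digest = hashlib.sha256(cert_der).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def check_certificate_binding(token_claims: dict, client_cert_der: Optional[bytes]) -> BindingResult:
    """Compare the TLS-layer client certificate with the token's cnf/x5t#S256 member.
    token_claims is assumed already validated (signature, issuer, expiry);
    client_cert_der is what the TLS stack handed over, or None if it obtained nothing."""
    cnf = token_claims.get("cnf") or {}
    expected = cnf.get("x5t#S256")
    if expected is None:
        return BindingResult.NOT_BOUND
    if client_cert_der is None:
        # The quoted RFC text only covers a *mismatch*; the post asks what to
        # return here, so this code reports the condition and leaves the
        # HTTP error code to the caller.
        return BindingResult.NO_CLIENT_CERT
    actual = x5t_s256(client_cert_der)
    # constant-time comparison: both values derive from client-supplied data
    if hmac.compare_digest(actual.encode("ascii"), expected.encode("ascii")):
        return BindingResult.MATCH
    return BindingResult.MISMATCH


# Constructed sample data (not a real certificate): any DER byte string works for
# the thumbprint, so the binding is simulated with opaque bytes.
BOUND_CERT_DER = b"\x30\x82\x01\x00constructed-client-cert"
OTHER_CERT_DER = b"\x30\x82\x01\x00some-other-client-cert"
TOKEN_CLAIMS = {"sub": "client-123", "cnf": {"x5t#S256": x5t_s256(BOUND_CERT_DER)}}

if __name__ == "__main__":
    for label, cert in [("same cert", BOUND_CERT_DER), ("other cert", OTHER_CERT_DER), ("no cert", None)]:
        print(f"{label:>10}: {check_certificate_binding(TOKEN_CLAIMS, cert).value}")
```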