[OAUTH-WG] review of draft-ietf-oauth-mtls-08

Samuel Erdtman <samuel@erdtman.se> Sat, 12 May 2018 22:21 UTC

From: Samuel Erdtman <samuel@erdtman.se>
Date: Sun, 13 May 2018 00:21:01 +0200
Message-ID: <CAF2hCbZjwVg8Yt2pE8JXDAkcsURA7z-6e9MLDFF_V+HNBtwVKA@mail.gmail.com>
To: Brian Campbell <bcampbell@pingidentity.com>
Cc: "<oauth@ietf.org>" <oauth@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/uteLgqC9o291Zn7MUsltFHILDTM>

Hi

Thanks for a great document. I have some minor comments.

In the Abstract:
“...based on either single certificates...”
Why not write self-signed certificates? To me that is easier to understand,
and it is the term that is used later in the document.

What is the rationale behind writing “OAuth protected resources” or just “a
protected resource” instead of resource server? The term resource server is
used later in the document.

4.1.  Authorization Server
Is it not mandatory for the AS to not do PKI validation of self-signed
certificates, i.e. should the following sentence, “it should configure the
TLS stack in a way”, be changed to “it must configure the TLS stack in a
way”?

Finally, it might make sense to mention the relation of this document to
RFC7521, RFC7522 and RFC7523. RFC7521 defines a client credentials
framework and the other two are examples of profiles. It also mentions
proof-of-possession. Maybe as an appendix similar to "Relationship to Token
Binding".

Best regards
//Samuel
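The point raised about section 4.1, as an added illustration that is not part of the original message or of the draft: an AS-side Go setup where the TLS stack requires a client certificate but performs no PKI (chain/CA) validation on it, and the token endpoint then authenticates a self-signed certificate by matching it byte-for-byte against the one registered for the client_id. The `registry` type, the `selfSignedCert` helper and the sample client_id are assumptions for illustration.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"errors"
	"math/big"
	"time"
)

// registry: client_id -> DER of the registered self-signed certificate (constructed sample).
type registry map[string][]byte

// tlsConfig requires a client certificate but does no PKI (chain/CA) validation
// of it; for self-signed certificates authentication happens in authenticate.
func tlsConfig(serverCert tls.Certificate) *tls.Config {
	return &tls.Config{
		Certificates: []tls.Certificate{serverCert},
		ClientAuth:   tls.RequireAnyClientCert, // required, but not CA-verified
	}
}

// authenticate is the token-endpoint check: the leaf presented in the handshake
// (req.TLS.PeerCertificates in net/http) must equal the registered certificate.
func (r registry) authenticate(clientID string, peerCerts []*x509.Certificate) error {
	want, ok := r[clientID]
	if !ok {
		return errors.New("unknown client_id")
	}
	if len(peerCerts) == 0 {
		return errors.New("no client certificate presented")
	}
	if !bytes.Equal(peerCerts[0].Raw, want) { // leaf only; extra certs ignored
		return errors.New("certificate does not match registered certificate")
	}
	return nil
}

// selfSignedCert makes a throwaway self-signed certificate for the sample data
// (errors ignored because this is fixture generation, not AS logic).
func selfSignedCert() *x509.Certificate {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour)}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	c, _ := x509.ParseCertificate(der)
	return c
}
```

In an `http.Server` built on `tlsConfig`, the handler calls `reg.authenticate(req.FormValue("client_id"), req.TLS.PeerCertificates)` and answers `invalid_client` on any error.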