[OAUTH-WG] little nit on draft-ietf-oauth-security-topics-13 wrt ietf-oauth-mtls

Brian Campbell <bcampbell@pingidentity.com> Mon, 22 July 2019 18:37 UTC

From: Brian Campbell <bcampbell@pingidentity.com>
Date: Mon, 22 Jul 2019 12:36:32 -0600
Message-ID: <CA+k3eCRkBZ8ehLLBrc4fXhQec=jXb6KLqstN2b-N4r9yuVqA9w@mail.gmail.com>
To: oauth <oauth@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/wrKNZ_zMMMpD045oDFYUqX-Z01U>

The description of I-D.ietf-oauth-mtls in
https://tools.ietf.org/html/draft-ietf-oauth-security-topics-13#section-4.8.1.2
talks about binding to and checking against the fingerprint of the public
key from the client certificate. However,
https://tools.ietf.org/html/draft-ietf-oauth-mtls-15 uses a hash of the
whole certificate rather than of just the public key.
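The distinction in the message above, worked as an added example (not code from the message or from either draft): ietf-oauth-mtls binds the token to the `x5t#S256` confirmation value, a SHA-256 over the DER of the whole certificate, whereas a public-key fingerprint would hash only the SubjectPublicKeyInfo. The two only agree while the certificate itself is unchanged; renewing a certificate under the same key keeps the SPKI hash but changes the thumbprint the resource server must check. The certificate, key and `example-client` name are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"math/big"
	"time"
)

func b64sha256(b []byte) string {
	sum := sha256.Sum256(b)
	return base64.RawURLEncoding.EncodeToString(sum[:])
}

// certThumbprint is the x5t#S256 value ietf-oauth-mtls (RFC 8705) binds to: SHA-256 over the whole DER certificate.
func certThumbprint(c *x509.Certificate) string { return b64sha256(c.Raw) }

// spkiFingerprint hashes only the SubjectPublicKeyInfo, which is what "fingerprint of the public key" would suggest.
func spkiFingerprint(c *x509.Certificate) string { return b64sha256(c.RawSubjectPublicKeyInfo) }

// boundToCert is the resource-server check: the token's cnf "x5t#S256" must equal the presented certificate's thumbprint.
func boundToCert(cnfX5tS256 string, presented *x509.Certificate) bool {
	return cnfX5tS256 == certThumbprint(presented)
}

// newClientKey generates the constructed client's P-256 key.
func newClientKey() (*ecdsa.PrivateKey, error) { return ecdsa.GenerateKey(elliptic.P256(), rand.Reader) }

// newSelfSignedCert builds a constructed self-signed certificate for key; a
// different serial models a renewed certificate that keeps the same key.
func newSelfSignedCert(key *ecdsa.PrivateKey, serial int64) (*x509.Certificate, error) {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: "example-client"},
		NotBefore:    time.Now(),
		NotAfter:     time.Now().Add(time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}
```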
