Re: [OAUTH-WG] Fwd: I-D Action: draft-ietf-oauth-mtls-04.txt

Vladimir Dzhuvinov <vladimir@connect2id.com> Fri, 13 October 2017 09:18 UTC

To: oauth@ietf.org
References: <150784500346.16836.10053591552617872796@ietfa.amsl.com> <CA+k3eCSD73-djpiUOq3u+arXjsUQ=aZsiA8Xv2tUM6mSecwvdA@mail.gmail.com>
From: Vladimir Dzhuvinov <vladimir@connect2id.com>
Organization: Connect2id Ltd.
Message-ID: <83c305ab-4c3b-b16e-1385-7e0e3af6a556@connect2id.com>
Date: Fri, 13 Oct 2017 12:18:52 +0300
In-Reply-To: <CA+k3eCSD73-djpiUOq3u+arXjsUQ=aZsiA8Xv2tUM6mSecwvdA@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/xXOHM9_fKB-w6xPev4SgZfIiY4Y>
Subject: Re: [OAUTH-WG] Fwd: I-D Action: draft-ietf-oauth-mtls-04.txt

Superb! Thanks for putting down everything that was discussed. I read
the new version and have zero comments about it.

Will sender-constrained access tokens also work in a token exchange
scenario?

(draft-ietf-oauth-token-exchange-09)

Vladimir


On 13/10/17 01:07, Brian Campbell wrote:
> I'm pleased to announce that a new draft of "Mutual TLS Profile for OAuth
> 2.0" has been published. The changes, based on feedback and discussion on
> this list over the last two months, are listed below.
>
>    draft-ietf-oauth-mtls-04
> <https://tools.ietf.org/html/draft-ietf-oauth-mtls-04>
>
>    o  Change the name of the 'Public Key method' to the more accurate
>       'Self-Signed Certificate method' and also change the associated
>       authentication method metadata value to
>       "self_signed_tls_client_auth".
>    o  Removed the "tls_client_auth_root_dn" client metadata field as
>       discussed in
>       https://mailarchive.ietf.org/arch/msg/oauth/swDV2y0be6o8czGKQi1eJV-g8qc
>    o  Update draft-ietf-oauth-discovery reference to -07
>       <https://tools.ietf.org/html/draft-ietf-oauth-discovery>
>    o  Clarify that MTLS client authentication isn't exclusive to the
>       token endpoint and can be used with other endpoints, e.g. RFC
>       7009 <https://tools.ietf.org/html/rfc7009> revocation and 7662
>       introspection, that utilize client authentication as discussed in
>       https://mailarchive.ietf.org/arch/msg/oauth/bZ6mft0G7D3ccebhOxnEYUv4puI
>    o  Reorganize the document somewhat in an attempt to more clearly
>       make a distinction between mTLS client authentication and
>       certificate bound access tokens as well as a more clear
>       delineation between the two (PKI/Public key) methods for client
>       authentication
>    o  Editorial fixes and clarifications
>
>
> ---------- Forwarded message ----------
> From: <internet-drafts@ietf.org>
> Date: Thu, Oct 12, 2017 at 3:50 PM
> Subject: [OAUTH-WG] I-D Action: draft-ietf-oauth-mtls-04.txt
> To: i-d-announce@ietf.org
> Cc: oauth@ietf.org
>
>
>
> A New Internet-Draft is available from the on-line Internet-Drafts
> directories.
> This draft is a work item of the Web Authorization Protocol WG of the IETF.
>
>         Title           : Mutual TLS Profile for OAuth 2.0
>         Authors         : Brian Campbell
>                           John Bradley
>                           Nat Sakimura
>                           Torsten Lodderstedt
>         Filename        : draft-ietf-oauth-mtls-04.txt
>         Pages           : 18
>         Date            : 2017-10-12
>
> Abstract:
>    This document describes Transport Layer Security (TLS) mutual
>    authentication using X.509 certificates as a mechanism for OAuth
>    client authentication to the authorization server as well as for
>    certificate bound sender constrained access tokens.
>
>
> The IETF datatracker status page for this draft is:
> https://datatracker.ietf.org/doc/draft-ietf-oauth-mtls/
>
> There are also htmlized versions available at:
> https://tools.ietf.org/html/draft-ietf-oauth-mtls-04
> https://datatracker.ietf.org/doc/html/draft-ietf-oauth-mtls-04
>
> A diff from the previous version is available at:
> https://www.ietf.org/rfcdiff?url2=draft-ietf-oauth-mtls-04
>
>
> Please note that it may take a couple of minutes from the time of submission
> until the htmlized version and diff are available at tools.ietf.org.
>
> Internet-Drafts are also available by anonymous FTP at:
> ftp://ftp.ietf.org/internet-drafts/
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
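An added example, not part of this thread or of the draft's own text, showing the resource-server side of the "certificate bound sender constrained access tokens" the announcement refers to: the token carries a confirmation claim with the SHA-256 thumbprint of the client certificate, and the resource server compares it with the certificate presented in the mutual TLS handshake. It assumes the token's claims have already been signature-verified and parsed into a dict, that the client certificate is available as DER bytes from the TLS layer, and that the two sample "certificates" are constructed byte strings rather than real DER.

```python
import base64
import hashlib
import hmac
from typing import Optional

# Constructed sample inputs: stand-ins for DER-encoded client certificates.
# The thumbprint is computed over the raw DER bytes, so any bytes illustrate it.
CLIENT_CERT_DER = b"constructed-stand-in-for-client-cert-DER-A"
OTHER_CERT_DER = b"constructed-stand-in-for-client-cert-DER-B"


def x5t_s256(cert_der: bytes) -> str:
    """Base64url (no padding) SHA-256 thumbprint of a DER-encoded certificate."""
    digest = hashlib.sha256(cert_der).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def bind_token(claims: dict, cert_der: bytes) -> dict:
    """What the authorization server adds when issuing a certificate-bound token:
    a "cnf" claim holding the "x5t#S256" thumbprint of the client certificate."""
    bound = dict(claims)
    bound["cnf"] = {"x5t#S256": x5t_s256(cert_der)}
    return bound


def check_certificate_binding(claims: dict, presented_cert_der: Optional[bytes]) -> bool:
    """Resource-server check for a certificate-bound access token.

    Accepts only when the token carries an x5t#S256 confirmation AND the client
    certificate presented during the TLS handshake has that thumbprint. A token
    with no confirmation claim is not sender-constrained, and this example
    rejects it rather than silently falling back to bearer-token semantics.
    """
    cnf = claims.get("cnf")
    if not isinstance(cnf, dict) or not isinstance(cnf.get("x5t#S256"), str):
        return False  # no confirmation: token is not certificate-bound
    if presented_cert_der is None:
        return False  # no client certificate in the TLS handshake
    expected = cnf["x5t#S256"]
    actual = x5t_s256(presented_cert_der)
    # Constant-time comparison of the two thumbprint strings.
    return hmac.compare_digest(expected, actual)


if __name__ == "__main__":
    token = bind_token({"sub": "client-1", "scope": "read"}, CLIENT_CERT_DER)
    print("same cert:", check_certificate_binding(token, CLIENT_CERT_DER))
    print("other cert:", check_certificate_binding(token, OTHER_CERT_DER))
```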