Re: [OAUTH-WG] review of draft-ietf-oauth-mtls-08

Brian Campbell <> Mon, 14 May 2018 21:44 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id ED7FA12E8CE for <>; Mon, 14 May 2018 14:44:59 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2.7
X-Spam-Status: No, score=-2.7 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (1024-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id qFeZX2xM425M for <>; Mon, 14 May 2018 14:44:57 -0700 (PDT)
Received: from ( [IPv6:2607:f8b0:4001:c0b::22c]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 597F612D969 for <>; Mon, 14 May 2018 14:44:57 -0700 (PDT)
Received: by with SMTP id e20-v6so14886858itc.1 for <>; Mon, 14 May 2018 14:44:57 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=gmail; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=+2bS32jRQHXreV+NcyPtac02NHtB+XbAaWCZV4A6W6I=; b=gu/WIKOMLWoLGM05l0i/5kaKZ9rr0XIxtn5kErQFU+V+uSiDIJ/fZOdqO8B/3BqIrA NnZH4Jv0X6lk3PcVwhWU5Hyq5dV5O9F9cUBhN/jYcaDyOscy3B3OBRNBydhiyPerWxQo g504vYaLHcabEDrtUXGG+HCbKjEKKwIam5ccs=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=+2bS32jRQHXreV+NcyPtac02NHtB+XbAaWCZV4A6W6I=; b=pTbsVM++N2Q9jMAnJnR5e98rwXbZ5S64YPNzoA9l3ig45nVomH22vbGishGm5zhYE1 KZQdAb4ZSyjevOmmo/84A1zRc8EILbhxW2NDJfV0OYaAIn0A9BSPzBIh5z5AX87ToRFr uAyaeVJ0VaCV5bGJXI/uALSxQpasPuGVBdGbi2lpBtzU+l5QbtY0ylWnR8CwopIOijSW GzS+ET3Q4vFG5vwjo3TsDwHYH6CzR+J1iGTHYJ7QQjENcW5kPtIz49hizuJmDFsEIW0K N+AxyuO7VS/dLloCZvUVeYCdNag1Qx1tERDWFrleYx3KPQkrURS5DlY+fJ0Ll09MYvmX 79OQ==
X-Gm-Message-State: ALKqPwdYP4fkk5tJDpz6bntd8s5C5klIOhntSs33K5sgUUmW2p85SXup Wjm4WXulDohbkF8H/BlRm7zZRe/5uwGNK8emUxcpjOyYGui3PWLF8ELgpQ2XqVtfIYu3blmqbl4 xxFFfdzF3oBJJAg3e
X-Google-Smtp-Source: AB8JxZovqKuwm5xFWKK0/y7J08JSeaQRg1ipOl6GUTTlNxBK+ovJpuZu1GO0LvunhUQi12SUYlBnfJhW+6RdExjHsnI=
X-Received: by 2002:a6b:8361:: with SMTP id f94-v6mr11764429iod.17.1526334296427; Mon, 14 May 2018 14:44:56 -0700 (PDT)
MIME-Version: 1.0
Received: by 2002:a02:144a:0:0:0:0:0 with HTTP; Mon, 14 May 2018 14:44:25 -0700 (PDT)
In-Reply-To: <>
References: <>
From: Brian Campbell <>
Date: Mon, 14 May 2018 15:44:25 -0600
Message-ID: <>
To: Samuel Erdtman <>
Cc: "<>" <>
Content-Type: multipart/alternative; boundary="0000000000008c2c40056c3165ad"
Archived-At: <>
Subject: Re: [OAUTH-WG] review of draft-ietf-oauth-mtls-08
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: OAUTH WG <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Mon, 14 May 2018 21:45:00 -0000

Thanks Samuel (even though this doc already went through WGLC!). I'll
attempt to address your comments/questions inline below.

On Sat, May 12, 2018 at 4:21 PM, Samuel Erdtman <> wrote:

> Hi
> Thanks for a great document.

And thank you too!

I have some minor comments.
> in Abstract
> “...based on either single certificates...”
> Why not write self-signed certificates, to me that is easier to
> understand, and is the term that is used later in the document.

The reason why is that it was the term that Justin used in text he proposed
for the Abstract that was overall and otherwise much better than the text
I'd previously had.

But I agree that "self-signed certificates" there would be easier to
understand and more inline with the content of the document. I'll make that
change in the document source so it'll be in the next draft.

> What is the rational behind writing “OAuth protected resources” or just “a
> protected resource” instead of resource server? The term resource server is
> user later in the document.

At some point many people and documents in this WG started using the
protected resource terminology rather than resource server. I don't recall
the reason why. Maybe someone on the list here can chime in? As far as I
know, they are largely interchangeable. I wrote much of the initial text of
this doc using protected resource to try be like the rest of the group. I
think Torsten added some text a bit later using resource server. That's the
extent of the rational. But I think it's probably okay with both.

> 4.1.  Authorization Server
> Is it not mandatory for the AS to not do PKI validation of self signed
> certificates i.e. the following sentence, “it should configure the TLS
> stack in a way”, should be changed to “it must configure the TLS stack in a
> way”?

There are different ways one could implement it and this text shouldn't be
overly prescriptive. As one example, the TLS layer might do regular PKI
validation except for on a specific set of self-signed certificates certs
configured for  clients using that authn method.

> Finally it might make sense to mention the relation of this document to
> RFC7521, RFC7522 and RFC7523. RFC7521 defines a client credentials
> framework and the other two are examples of profiles. It also mentions
> proof-of-possession. Maybe as an appendix similar to "Relationship to Token
> Binding"

RFC7521 defines a framework for using assertions as a client authentication
mechanism via the client_assertion_type and client_assertion parameters,
which this doc doesn't use. But RFC7521 is not a general client credentials
framework. So there's really not much of a relationship to this document.
And I wouldn't know what to say in a ""Relationship to ..." section other
than that there's not much of a relationship.

_CONFIDENTIALITY NOTICE: This email may contain confidential and privileged 
material for the sole use of the intended recipient(s). Any review, use, 
distribution or disclosure by others is strictly prohibited.  If you have 
received this communication in error, please notify the sender immediately 
by e-mail and delete the message and any file attachments from your 
computer. Thank you._