Discussion:
[OAUTH-WG] Call for Adoption: Mutual TLS Profiles for OAuth Clients
Hannes Tschofenig
2017-04-20 16:32:55 UTC
Hi all,

based on the strong support for this document at the Chicago IETF
meeting we are issuing a call for adoption of the "Mutual TLS Profiles
for OAuth Clients" document, see
https://tools.ietf.org/html/draft-campbell-oauth-mtls-01

Please let us know by May 4th whether you accept / object to the
adoption of this document as a starting point for work in the OAuth
working group.

Ciao
Hannes & Rifaat
Brian Campbell
2017-04-20 16:47:50 UTC
I accept adoption of this document as a starting point for work in the
OAuth working group!

John Bradley
2017-04-20 17:40:20 UTC
I accept the adoption as a starting point.

John B.
Phil Hunt (IDM)
2017-04-21 05:47:34 UTC
+1 for adoption

Phil
Manger, James
2017-04-21 05:33:59 UTC
I support adoption of draft-campbell-oauth-mtls.

Now some comments on the doc:

1. [§2.3] The syntax of tls_client_auth_subject_dn is not specified. Perhaps LDAP's "String Representation of Distinguished Names" [RFC4514]? Perhaps a base64url-encoding of a DER-encoded DN?
It would actually be better to allow any subjectAltName to be specified, instead of a DN.

2. [§2.3] Change the name of tls_client_auth_issuer_dn (maybe tls_client_auth_root_dn). Given tls_client_auth_client_dn, it will be too easy to assume this pair refer to the issuer and subject fields of the cert.
PKI chains can be complex so the expected root might not be such a stable concept. For example, the Let's Encrypt CA chains to an ISRG Root and an IdenTrust DST Root [https://letsencrypt.org/certificates/].

3. [§2.3] If a client dynamically registers a "jwks_uri" does this mean the authz server MUST automatically cope when the client updates the key(s) it publishes there?

4. [§3] An access token is bound to a specific client certificate. That is probably ok, but does mean all access tokens die when the client updates their certificate (which could be every 2 months if using Let's Encrypt). This at least warrants a paragraph in the Security Considerations.

5. [§3.1] "exp" and "nbf" values in the example need to be numbers, not strings (drop the quotes).

6. An access token linked to a client TLS cert isn't a bearer token. The spec should really define a new token_type for responses from the token endpoint. That might not necessarily mean we need a new HTTP authentication scheme as well (it might just hint that "Bearer" wasn't quite the right name).
--
James Manger
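The two checks behind points 4 and 5 above, as an added illustration that is not part of the draft or of this thread: a resource server verifying a certificate-bound access token compares the SHA-256 thumbprint of the TLS client certificate it saw with the token's cnf/x5t#S256 claim (the binding used in the draft), and rejects "exp"/"nbf" values that are not numbers. The certificate bytes and the token claims are constructed stand-ins, and signature verification of the token is assumed to happen elsewhere.

```python
import base64
import hashlib
import hmac
from typing import Tuple

# Constructed stand-ins for the DER bytes of a client certificate and of
# the certificate that replaces it after rotation (not real certificates).
CLIENT_CERT_DER = b"constructed-der-bytes-for-client-cert-v1"
ROTATED_CERT_DER = b"constructed-der-bytes-for-client-cert-v2"


def b64url(data: bytes) -> str:
    """base64url without padding, as used for JOSE thumbprints."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def cert_thumbprint(cert_der: bytes) -> str:
    """base64url(SHA-256(DER certificate)): the value carried in cnf['x5t#S256']."""
    return b64url(hashlib.sha256(cert_der).digest())


def issue_bound_token(client_id: str, cert_der: bytes, now: int, ttl: int) -> dict:
    """Claims of a certificate-bound access token as an authorization server
    would mint them (signing omitted). Time claims are integers, not strings."""
    return {
        "sub": client_id,
        "nbf": now,
        "exp": now + ttl,
        "cnf": {"x5t#S256": cert_thumbprint(cert_der)},
    }


def verify_bound_token(claims: dict, presented_cert_der: bytes, now: int) -> Tuple[bool, str]:
    """Resource-server side: reject non-numeric time claims, enforce the time
    window, then require the presented TLS client cert to match the binding."""
    for name in ("exp", "nbf"):
        value = claims.get(name)
        if not isinstance(value, int) or isinstance(value, bool):
            return False, f"{name} must be a numeric date, got {type(value).__name__}"
    if now < claims["nbf"]:
        return False, "token not yet valid"
    if now >= claims["exp"]:
        return False, "token expired"
    cnf = claims.get("cnf")
    expected = cnf.get("x5t#S256") if isinstance(cnf, dict) else None
    if expected is None:
        return False, "token is not certificate-bound"
    # Constant-time comparison of the two base64url thumbprints.
    if not hmac.compare_digest(expected, cert_thumbprint(presented_cert_der)):
        return False, "presented certificate does not match cnf binding"
    return True, "ok"


if __name__ == "__main__":
    now = 1_500_000_000
    token = issue_bound_token("client-1", CLIENT_CERT_DER, now, 3600)
    print(verify_bound_token(token, CLIENT_CERT_DER, now + 10))
    # After the client rotates its certificate, every token bound to the old
    # one stops working at the resource server (Manger's point 4).
    print(verify_bound_token(token, ROTATED_CERT_DER, now + 10))
    quoted = dict(token, exp=str(token["exp"]))  # the §3.1 example's mistake
    print(verify_bound_token(quoted, CLIENT_CERT_DER, now + 10))
```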
Dave Tonge
2017-04-21 09:31:39 UTC
I support adoption of draft-campbell-oauth-mtls

As previously mentioned this spec will be very useful for Europe where
there is legislation requiring the use of certificate-based authentication
and many financial groups and institutions are considering OAuth2.

The UK Open Banking Implementation Entity has a strong interest in using
this spec.

Dave
--
Dave Tonge
CTO
Nat Sakimura
2017-04-21 19:43:23 UTC
+1 for adoption
Torsten Lodderstedt
2017-04-23 16:11:24 UTC
+1 for adoption
William Denniss
2017-04-24 07:02:34 UTC
I support the adoption of this draft by the working group.

Samuel Erdtman
2017-04-25 19:45:21 UTC
+1 for adoption
Justin Richer
2017-05-01 22:28:58 UTC
I support this draft as a starting point for this work.

A context on my perspective: several years ago, I worked on a project that looked toward this kind of functionality being standardized in the future. See section 6.1 of this document published in 2015 (written in 2014).

http://secure-restful-interface-profile.github.io/pages/docs/profiles/Secure%20RESTful%20Interface%20Profiles%20for%20OAuth%202%20v1.4.docx

— Justin
Hannes Tschofenig
2017-05-09 13:32:30 UTC
resending


-------- Forwarded Message --------
Subject: Call for Adoption: Mutual TLS Profiles for OAuth Clients
Date: Thu, 20 Apr 2017 18:32:55 +0200
From: Hannes Tschofenig <***@gmx.net>
To: ***@ietf.org <***@ietf.org>

Hi all,

based on the strong support for this document at the Chicago IETF
meeting we are issuing a call for adoption of the "Mutual TLS Profiles
for OAuth Clients" document, see
https://tools.ietf.org/html/draft-campbell-oauth-mtls-01

Please let us know by May 4th whether you accept / object to the
adoption of this document as a starting point for work in the OAuth
working group.

Ciao
Hannes & Rifaat
Hannes Tschofenig
2017-05-09 13:37:32 UTC
Sorry; this was the wrong email. I had sent a mail around to confirm the
call for adoption and it turns out that this email got lost somewhere....