Discussion:
[OAUTH-WG] Fwd: New Version Notification for draft-campbell-oauth-mtls-00.txt
Brian Campbell
2017-03-30 21:15:34 UTC
This document, which I hope to present and discuss briefly at tomorrow's
meeting, replaces (but keeps the feature) the Mutual TLS Authentication for
OAuth Clients
<https://tools.ietf.org/html/draft-campbell-oauth-tls-client-auth-00> that
was published leading up to the Seoul meeting
<https://www.ietf.org/mail-archive/web/oauth/current/msg16704.html> and
adds mutual TLS sender constrained access to OAuth protected resources. The
concept for the latter was largely derived from one of the options in the
JPOP draft <https://tools.ietf.org/html/draft-sakimura-oauth-jpop-04>. I
apologize for the 11th hour publication but hope some folks will have a
chance to read it.

---------- Forwarded message ----------
From: <internet-***@ietf.org>
Date: Thu, Mar 30, 2017 at 3:49 PM
Subject: New Version Notification for draft-campbell-oauth-mtls-00.txt
To: Brian Campbell <***@gmail.com>, Nat Sakimura <
n-***@nri.co.jp>, Torsten Lodderstedt <***@lodderstedt.net>, John
Bradley <***@ve7jtb.com>



A new version of I-D, draft-campbell-oauth-mtls-00.txt
has been successfully submitted by Brian Campbell and posted to the
IETF repository.

Name: draft-campbell-oauth-mtls
Revision: 00
Title: Mutual TLS Profiles for OAuth Clients
Document date: 2017-03-30
Group: Individual Submission
Pages: 10
URL: https://www.ietf.org/internet-drafts/draft-campbell-oauth-mtls-00.txt
Status: https://datatracker.ietf.org/doc/draft-campbell-oauth-mtls/
Htmlized: https://tools.ietf.org/html/draft-campbell-oauth-mtls-00
Htmlized: https://datatracker.ietf.org/doc/html/draft-campbell-oauth-mtls-00


Abstract:
This document describes Transport Layer Security (TLS) mutual
authentication using X.509 certificates as a mechanism for both OAuth
client authentication to the token endpoint as well as for sender
constrained access to OAuth protected resources.




Please note that it may take a couple of minutes from the time of submission
until the htmlized version and diff are available at tools.ietf.org.

The IETF Secretariat
Dave Tonge
2017-03-31 16:07:36 UTC
Hi Brian

Thanks for this - it will be very useful for open banking in Europe where
cert based auth is required by law.

I have a few suggestions around wording.
Happy to submit these via pull request if it's helpful.

1. Typo - remove can from 1:

Mutual TLS sender constrained access tokens and mutual TLS client
authentication are distinct mechanisms that *can* don't necessarily
need to be deployed together.


2. Consistency of terminology in 2 (and throughout the document).
In section 2 the following phrases are used:

- Mutual TLS for Client Authentication
- Mutual TLS Client Authentication to the Token Endpoint
- mutual TLS as client credentials
- mutual X.509 certificate authentication

Interestingly RFC5246 does not refer to "mutual authentication" at all, but
does refer to "client authentication".
From an OAuth perspective, surely we are more interested in the fact that
it is TLS client auth - than the fact that it is mutual. However referring
to TLS Client Authentication would bring confusion as we would have two
client definitions in play: the TLS Client and the OAuth Client

"TLS Mutual Auth" and "Mutual TLS" are established phrases in the industry
- even though they don't seem to be defined in any of the relevant specs,
however, "Mutual TLS Client Auth" isn't.

I'm not sure of the best solution for this, but would be interested as to
whether the authors considered this phrasing to be clearer?

- Mutual TLS for Client Authentication
-> TLS Mutual Auth for Client Authentication

- Mutual TLS Client Authentication to the Token Endpoint
-> TLS Mutual Auth for Client Authentication to the Token Endpoint

- mutual TLS as client credentials
-> TLS X509 client certificate as client credentials

Or alternatively, a definition of "Mutual TLS" could be provided earlier on
in the document.

Thanks again for your work on this spec.

Dave Tonge
Brian Campbell
2017-04-03 18:36:59 UTC
Hi Dave,

Thanks for the review, support, and feedback.

I've already removed the extraneous "can" in the source. The easy part...

I did struggle with terminology for many of the reasons you point out about
there being somewhat established terms that aren't quite the same as those
defined in the RFC. And apparently I wasn't terribly consistent with the
terminology I did use.

I think the phrasing you suggest is pretty good and yes possibly more
clear. I'd happily take a pull request with such changes. Thank you.

The XML source of the document is currently in a bitbucket git repo at
https://bitbucket.org/b_c/internet-drafts/src/master/draft-campbell-oauth-mtls.xml?at=master&fileviewer=file-view-default


Thanks,
Brian
Vladimir Dzhuvinov
2017-04-06 07:54:05 UTC
The cert / token binding is a significant upgrade on the previous
version, and I hope it will become an official WG item.

I also see that the comments about which certificate fields to use to
identify the client were addressed, this is important for interop.

Thanks for the great work,

Vladimir
_______________________________________________
OAuth mailing list
https://www.ietf.org/mailman/listinfo/oauth
--
Vladimir Dzhuvinov :: ***@connect2id.com
Sergey Beryozkin
2017-04-07 12:58:28 UTC
Hi Brian

Thanks, a minor typo in the example,
"x5t#s256" as opposed to "x5t#S256"

(sorry if it was already reported, might've missed it)

Cheers, Sergey
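
Added example (not part of the thread or of the draft): a resource-server check for the certificate-bound token described in the abstract, showing why the case of the member name reported above matters. It assumes the thumbprint is carried under the JWT `cnf` claim as in RFC 7800; the function names and the byte strings standing in for DER certificates are constructed for illustration.

```python
import base64
import hashlib
import hmac

# Confirmation member name. JSON member names are case-sensitive,
# so "x5t#s256" (lowercase s) is a different, unrecognised member.
CONF_METHOD = "x5t#S256"


def cert_thumbprint(cert_der: bytes) -> str:
    """base64url(SHA-256(DER certificate)) with the '=' padding stripped."""
    digest = hashlib.sha256(cert_der).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def token_bound_to_cert(claims: dict, cert_der: bytes) -> bool:
    """Return True only if the token's confirmation thumbprint matches the
    certificate presented on the mutual TLS connection.

    Fails closed: a missing `cnf` claim, a missing or misspelled member,
    or a non-string value all reject the request.
    """
    cnf = claims.get("cnf")
    if not isinstance(cnf, dict):
        return False
    expected = cnf.get(CONF_METHOD)
    if not isinstance(expected, str):
        return False
    actual = cert_thumbprint(cert_der)
    # Constant-time comparison of the two encoded thumbprints.
    return hmac.compare_digest(expected.encode("utf-8"), actual.encode("utf-8"))


# Constructed sample data: opaque bytes standing in for DER certificates.
CLIENT_A_DER = b"constructed stand-in for client A certificate DER"
CLIENT_B_DER = b"constructed stand-in for client B certificate DER"

# Token issued to client A with the correctly cased member name.
GOOD_TOKEN = {"sub": "client-a", "cnf": {"x5t#S256": cert_thumbprint(CLIENT_A_DER)}}
# Same thumbprint, but under the misspelled member name from the typo.
TYPO_TOKEN = {"sub": "client-a", "cnf": {"x5t#s256": cert_thumbprint(CLIENT_A_DER)}}
# Plain bearer token with no confirmation claim at all.
UNBOUND_TOKEN = {"sub": "client-a"}


if __name__ == "__main__":
    print("A presents its own token:   ", token_bound_to_cert(GOOD_TOKEN, CLIENT_A_DER))
    print("B replays A's token:        ", token_bound_to_cert(GOOD_TOKEN, CLIENT_B_DER))
    print("token with lowercase member:", token_bound_to_cert(TYPO_TOKEN, CLIENT_A_DER))
    print("token without cnf:          ", token_bound_to_cert(UNBOUND_TOKEN, CLIENT_A_DER))
```

An issuer that emitted the lowercase name would produce tokens that a strict resource server rejects; a lenient server that skipped the check when the member is absent would accept them as unbound bearer tokens.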
John Bradley
2017-04-07 13:54:20 UTC
It was a test to see who was really reading it:)
Brian Campbell
2017-04-07 14:36:47 UTC
And Sergey is the only person to pass the test...

Thanks for catching that, Sergey. I'll get it fixed in the next revision.
Sergey Beryozkin
2017-04-07 14:42:06 UTC
Hi John

I spotted it probably after the 10th iteration :-)

Cheers, Sergey
Steve Hutchinson
2017-04-07 16:28:24 UTC
Every time I think I couldn't be more impressed with the people who do
actual standards work, someone raises the bar.

Thanks Sergey!

Hutch
Sergey Beryozkin
2017-04-07 20:51:17 UTC
Hi All

I'm really starting to believe now that doing OAuth2 is as simple as spotting
a difference between 'S' and 's' :-)

Thanks, Sergey