<div dir="ltr">I did consider something like that but stopped short of putting it in the -00 document. I'm not convinced that some metadata around it would really contribute to interop one way or the other. I also wanted to get the basic concept written down before going too far into the weeds. But I'd be open to adding something along those lines in future revisions, if there's some consensus that it'd be useful. <br></div><div class="gmail_extra"><br><div class="gmail_quote">On Mon, Oct 17, 2016 at 2:47 AM, Vladimir Dzhuvinov <span dir="ltr"><<a href="mailto:vladimir@connect2id.com" target="_blank">vladimir@connect2id.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000">
<p>Superb, I welcome that!</p>
<p>Regarding
<a class="m_-6672115355814729153moz-txt-link-freetext" href="https://tools.ietf.org/html/draft-campbell-oauth-tls-client-auth-00#section-5.2" target="_blank">https://tools.ietf.org/html/<wbr>draft-campbell-oauth-tls-<wbr>client-auth-00#section-5.2</a>
:</p>
<p>My concern is that the choice of how to bind the client identity
is left to implementers, and that may eventually become an interop
problem.<br>
</p>
Have you considered some kind of an open ended enumeration of the
possible binding methods, and giving them some identifiers or names,
so that AS / OPs can advertise them in their metadata, and clients
register accordingly?<br>
<br>
For example:<br>
<br>
"tls_client_auth_bind_methods_<wbr>supported" : [
"subject_alt_name_match", "subject_public_key_info_<wbr>match" ]<br>
<p><br>
</p>
<p>Cheers,</p>
<p>Vladimir<br>
</p><div><div class="h5">
<br>
<div class="m_-6672115355814729153moz-cite-prefix">On 10/10/16 23:59, John Bradley wrote:<br>
</div>
</div></div><blockquote type="cite"><div><div class="h5">
<pre>At the request of the OpenID Foundation Financial Services API Working group, Brian Campbell and I have documented
mutual TLS client authentication. This is something that lots of people do in practice though we have never had a spec for it.
The Banks want to use it for some server to server API use cases being driven by new open banking regulation.
The largest thing in the draft is the IANA registration of “tls_client_auth” Token Endpoint authentication method for use in Registration and discovery.
The trust model is intentionally left open so that you could use a “common name” and a restricted list of CA or a direct lookup of the subject public key against a reregistered value, or something in between.
I hope that this is non controversial and the WG can adopt it quickly.
Regards
John B.
</pre>
<blockquote type="cite">
<pre>Begin forwarded message:
From: <a class="m_-6672115355814729153moz-txt-link-abbreviated" href="mailto:internet-drafts@ietf.org" target="_blank">internet-drafts@ietf.org</a>
Subject: New Version Notification for draft-campbell-oauth-tls-<wbr>client-auth-00.txt
Date: October 10, 2016 at 5:44:39 PM GMT-3
To: "Brian Campbell" <a class="m_-6672115355814729153moz-txt-link-rfc2396E" href="mailto:brian.d.campbell@gmail.com" target="_blank"><brian.d.campbell@gmail.com></a>, "John Bradley" <a class="m_-6672115355814729153moz-txt-link-rfc2396E" href="mailto:ve7jtb@ve7jtb.com" target="_blank"><ve7jtb@ve7jtb.com></a>
A new version of I-D, draft-campbell-oauth-tls-<wbr>client-auth-00.txt
has been successfully submitted by John Bradley and posted to the
IETF repository.
Name: draft-campbell-oauth-tls-<wbr>client-auth
Revision: 00
Title: Mutual X.509 Transport Layer Security (TLS) Authentication for OAuth Clients
Document date: 2016-10-10
Group: Individual Submission
Pages: 5
URL: <a class="m_-6672115355814729153moz-txt-link-freetext" href="https://www.ietf.org/internet-drafts/draft-campbell-oauth-tls-client-auth-00.txt" target="_blank">https://www.ietf.org/internet-<wbr>drafts/draft-campbell-oauth-<wbr>tls-client-auth-00.txt</a>
Status: <a class="m_-6672115355814729153moz-txt-link-freetext" href="https://datatracker.ietf.org/doc/draft-campbell-oauth-tls-client-auth/" target="_blank">https://datatracker.ietf.org/<wbr>doc/draft-campbell-oauth-tls-<wbr>client-auth/</a>
Htmlized: <a class="m_-6672115355814729153moz-txt-link-freetext" href="https://tools.ietf.org/html/draft-campbell-oauth-tls-client-auth-00" target="_blank">https://tools.ietf.org/html/<wbr>draft-campbell-oauth-tls-<wbr>client-auth-00</a>
Abstract:
This document describes X.509 certificates as OAuth client
credentials using Transport Layer Security (TLS) mutual
authentication as a mechanism for client authentication to the
authorization server's token endpoint.
Please note that it may take a couple of minutes from the time of submission
until the htmlized version and diff are available at <a href="http://tools.ietf.org" target="_blank">tools.ietf.org</a>.
The IETF Secretariat
</pre>
</blockquote>
<pre>
</pre>
<br>
<fieldset class="m_-6672115355814729153mimeAttachmentHeader"></fieldset>
<br>
</div></div><span class=""><pre>______________________________<wbr>_________________
OAuth mailing list
<a class="m_-6672115355814729153moz-txt-link-abbreviated" href="mailto:OAuth@ietf.org" target="_blank">OAuth@ietf.org</a>
<a class="m_-6672115355814729153moz-txt-link-freetext" href="https://www.ietf.org/mailman/listinfo/oauth" target="_blank">https://www.ietf.org/mailman/<wbr>listinfo/oauth</a>
</pre>
</span></blockquote>
<br>
</div>
<br>______________________________<wbr>_________________<br>
OAuth mailing list<br>
<a href="mailto:OAuth@ietf.org">OAuth@ietf.org</a><br>
<a href="https://www.ietf.org/mailman/listinfo/oauth" rel="noreferrer" target="_blank">https://www.ietf.org/mailman/<wbr>listinfo/oauth</a><br>
<br></blockquote></div><br></div>