<div dir="ltr">From my point of view, the cleaner solution is using existing fields for what they are well suited rather than inventing new ones. <br></div><div class="gmail_extra"><br><div class="gmail_quote">On Fri, Nov 11, 2016 at 1:21 PM, Samuel Erdtman <span dir="ltr"><<a href="mailto:samuel@erdtman.se" target="_blank">samuel@erdtman.se</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div style="white-space:pre-wrap">You are right, one could absolutely use the jwks or jwks_uri attribute, but from my point of view that would be a workaround.<br>I would prefer that x5u, x5c and/or x5t were directly available in the client registration request, not via jwks. This would be a cleaner solution.<br><br>Best Regards<span class="HOEnZb"><font color="#888888"><br>Samuel</font></span></div><br><div class="gmail_quote"><span class=""><div dir="ltr">On Fri, 11 Nov 2016 at 19:13, Brian Campbell <<a href="mailto:bcampbell@pingidentity.com" target="_blank">bcampbell@pingidentity.com</a>> wrote:<br></div></span><div><div class="h5"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><p dir="ltr" class="m_4055722970116019915gmail_msg">Wouldn't the existing jwks/jwks_uri client metadata parameters suffice? Perhaps some guidance in this document about that is warranted. But I don't believe anything new is needed for that case.</p>
<div class="gmail_extra m_4055722970116019915gmail_msg"><br class="m_4055722970116019915gmail_msg"><div class="gmail_quote m_4055722970116019915gmail_msg">On Nov 11, 2016 9:41 AM, "Samuel Erdtman" <<a href="mailto:samuel@erdtman.se" class="m_4055722970116019915gmail_msg" target="_blank">samuel@erdtman.se</a>> wrote:<br type="attribution" class="m_4055722970116019915gmail_msg"><blockquote class="gmail_quote m_4055722970116019915gmail_msg" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr" class="m_4055722970116019915gmail_msg">Just a quick comment, see inline<br class="m_4055722970116019915gmail_msg"><div class="gmail_extra m_4055722970116019915gmail_msg"><br class="m_4055722970116019915gmail_msg"><div class="gmail_quote m_4055722970116019915gmail_msg">On Thu, Nov 3, 2016 at 1:41 PM, Justin Richer <span dir="ltr" class="m_4055722970116019915gmail_msg"><<a href="mailto:jricher@mit.edu" class="m_4055722970116019915gmail_msg" target="_blank">jricher@mit.edu</a>></span> wrote:<br class="m_4055722970116019915gmail_msg"><blockquote class="gmail_quote m_4055722970116019915gmail_msg" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
  
    
  
  <div bgcolor="#FFFFFF" class="m_4055722970116019915gmail_msg">
    <p class="m_4055722970116019915gmail_msg">I agree that the client_id is unlikely to be found inside the
      certificate itself. The client_id is issued by the authorization
      server for the client to use at that single AS. The certificate is
      issued by the CA for the client to use on any connection. The AS
      and CA are not likely to be the same system in most deployments.
      The client will use the same cert across multiple connections,
      possibly multiple AS's, but the same isn't true of the client_id.
      <br class="m_4055722970116019915gmail_msg">
    </p>
    <p class="m_4055722970116019915gmail_msg">Additionally, I think we want to allow for a binding of a
      self-signed certificate using dynamic registration, much the way
      that we already allow binding of a client-generated JWK today. <br class="m_4055722970116019915gmail_msg"></p></div></blockquote><div class="m_4055722970116019915gmail_msg">Should this specification then extend the dynamic registration specification (<a href="https://tools.ietf.org/html/rfc7591" class="m_4055722970116019915gmail_msg" target="_blank">https://tools.ietf.org/html/rfc7591</a>) with the certificate parameter to actually do the registration, or is that another document?<br class="m_4055722970116019915gmail_msg"></div><div class="m_4055722970116019915gmail_msg"> </div><blockquote class="gmail_quote m_4055722970116019915gmail_msg" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div bgcolor="#FFFFFF" class="m_4055722970116019915gmail_msg"><p class="m_4055722970116019915gmail_msg">
    </p>
    <p class="m_4055722970116019915gmail_msg">I do think that more examples and guidance are warranted, though,
      to help AS developers.</p><span class="m_4055722970116019915m_-7085697107402748528m_3505641874876562717gmail-HOEnZb m_4055722970116019915gmail_msg"><font class="m_4055722970116019915gmail_msg" color="#888888">
    <p class="m_4055722970116019915gmail_msg"> -- Justin<br class="m_4055722970116019915gmail_msg">
    </p></font></span><div class="m_4055722970116019915gmail_msg"><div class="m_4055722970116019915m_-7085697107402748528m_3505641874876562717gmail-h5 m_4055722970116019915gmail_msg">
    <br class="m_4055722970116019915gmail_msg">
    <div class="m_4055722970116019915m_-7085697107402748528m_3505641874876562717gmail-m_-1237624956419455067moz-cite-prefix m_4055722970116019915gmail_msg">On 11/2/2016 5:03 PM, Brian Campbell
      wrote:<br class="m_4055722970116019915gmail_msg">
    </div>
    </div></div><blockquote type="cite" class="m_4055722970116019915gmail_msg"><div class="m_4055722970116019915gmail_msg"><div class="m_4055722970116019915m_-7085697107402748528m_3505641874876562717gmail-h5 m_4055722970116019915gmail_msg">
      
      <div dir="ltr" class="m_4055722970116019915gmail_msg"><br class="m_4055722970116019915gmail_msg">
        <div class="gmail_extra m_4055722970116019915gmail_msg">On Sun, Oct 30, 2016 at 9:27 AM, Samuel
          Erdtman <span dir="ltr" class="m_4055722970116019915gmail_msg"><<a href="mailto:samuel@erdtman.se" class="m_4055722970116019915gmail_msg" target="_blank">samuel@erdtman.se</a>></span>
          wrote:<br class="m_4055722970116019915gmail_msg">
          <div class="gmail_quote m_4055722970116019915gmail_msg">
            <blockquote class="gmail_quote m_4055722970116019915gmail_msg" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><br class="m_4055722970116019915gmail_msg">
              <div dir="ltr" class="m_4055722970116019915gmail_msg"><span class="m_4055722970116019915m_-7085697107402748528m_3505641874876562717gmail-m_-1237624956419455067gmail- m_4055722970116019915gmail_msg"></span><span class="m_4055722970116019915m_-7085697107402748528m_3505641874876562717gmail-m_-1237624956419455067gmail- m_4055722970116019915gmail_msg"></span>
                <div class="gmail_extra m_4055722970116019915gmail_msg"><span class="m_4055722970116019915m_-7085697107402748528m_3505641874876562717gmail-m_-1237624956419455067gmail- m_4055722970116019915gmail_msg"></span>
                  <div class="gmail_quote m_4055722970116019915gmail_msg">
                    <div class="m_4055722970116019915gmail_msg">I agree it is written so that the connection to
                      the certificate is implicitly required, but I think
                      it would be better if it was explicitly written,
                      since the lack of a connection would result in a
                      potential security hole.<br class="m_4055722970116019915gmail_msg">
                    </div>
                  </div>
                </div>
              </div>
            </blockquote>
            <div class="m_4055722970116019915gmail_msg"><br class="m_4055722970116019915gmail_msg">
            </div>
            <div class="m_4055722970116019915gmail_msg">That's fair. I agree it can be made more explicit and
              that it would be good to do so. <span class="m_4055722970116019915m_-7085697107402748528m_3505641874876562717gmail-m_-1237624956419455067gmail- m_4055722970116019915gmail_msg"><br class="m_4055722970116019915gmail_msg">
                <br class="m_4055722970116019915gmail_msg">
              </span></div>
            <div class="m_4055722970116019915gmail_msg"> </div>
            <blockquote class="gmail_quote m_4055722970116019915gmail_msg" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
              <div dir="ltr" class="m_4055722970116019915gmail_msg">
                <div class="gmail_extra m_4055722970116019915gmail_msg">
                  <div class="gmail_quote m_4055722970116019915gmail_msg">
                    <div class="m_4055722970116019915gmail_msg">When it comes to the client_id I think subject
                      common name or maybe subject serial numbers will
                      be the common location, and I think an example
                      would be valuable.<br class="m_4055722970116019915gmail_msg">
                       <br class="m_4055722970116019915gmail_msg">
                    </div>
                  </div>
                </div>
              </div>
            </blockquote>
            <div class="m_4055722970116019915gmail_msg"><br class="m_4055722970116019915gmail_msg">
            </div>
            <div class="m_4055722970116019915gmail_msg">In my experience and the way we built support for
              mutual TLS OAuth client auth the client_id value does not
              appear in the certificate anywhere. I'm not saying it
              can't happen but don't think it's particularly common. <br class="m_4055722970116019915gmail_msg">
              <br class="m_4055722970116019915gmail_msg">
              I can look at adding some examples, if there's some
              consensus that they'd be useful and this document moves
              forward. <br class="m_4055722970116019915gmail_msg">
            </div>
            <div class="m_4055722970116019915gmail_msg"><br class="m_4055722970116019915gmail_msg">
               </div>
            <blockquote class="gmail_quote m_4055722970116019915gmail_msg" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
              <div dir="ltr" class="m_4055722970116019915gmail_msg">
                <div class="gmail_extra m_4055722970116019915gmail_msg">
                  <div class="gmail_quote m_4055722970116019915gmail_msg"><span class="m_4055722970116019915m_-7085697107402748528m_3505641874876562717gmail-m_-1237624956419455067gmail- m_4055722970116019915gmail_msg">
                      <div class="m_4055722970116019915gmail_msg"><br class="m_4055722970116019915gmail_msg">
                      </div>
                    </span>
                    <div class="m_4055722970116019915gmail_msg">I'm not saying it is a bad idea, just that I
                      would prefer if it was not a MUST. <br class="m_4055722970116019915gmail_msg">
                      With very limited addition of code it is just as
                      easy to get the certificate attribute for client
                      id as it is to get it from the HTTP request data
                      (at least in java). I also think that with the
                      requirement to match the incoming certificate in
                      some way one has to read out the certificate that
                      was used to establish the connection to do some
                      kind of matching.<br class="m_4055722970116019915gmail_msg">
                    </div>
                    <div class="m_4055722970116019915gmail_msg">
                      <div class="m_4055722970116019915m_-7085697107402748528m_3505641874876562717gmail-m_-1237624956419455067gmail-h5 m_4055722970116019915gmail_msg">
                        <div class="m_4055722970116019915gmail_msg"><br class="m_4055722970116019915gmail_msg">
                        </div>
                      </div>
                    </div>
                  </div>
                </div>
              </div>
            </blockquote>
            <div class="m_4055722970116019915gmail_msg"><br class="m_4055722970116019915gmail_msg">
            </div>
            <div class="m_4055722970116019915gmail_msg">Getting data out of the certificate isn't a concern. I
              just believe that the constancy of having the client id
              parameter is worth the potential small amount of duplicate
              data in some cases. It's just a -00 draft though, and if
              the WG wants to proceed with this document, we will seek
              further input and work towards some consensus. <br class="m_4055722970116019915gmail_msg">
            </div>
            <div class="m_4055722970116019915gmail_msg"><br class="m_4055722970116019915gmail_msg">
            </div>
          </div>
        </div>
      </div>
      <br class="m_4055722970116019915gmail_msg">
      <fieldset class="m_4055722970116019915m_-7085697107402748528m_3505641874876562717gmail-m_-1237624956419455067mimeAttachmentHeader m_4055722970116019915gmail_msg"></fieldset>
      <br class="m_4055722970116019915gmail_msg">
      </div></div><span class="m_4055722970116019915m_-7085697107402748528m_3505641874876562717gmail- m_4055722970116019915gmail_msg"><pre class="m_4055722970116019915gmail_msg">_______________________________________________
OAuth mailing list
<a class="m_4055722970116019915m_-7085697107402748528m_3505641874876562717gmail-m_-1237624956419455067moz-txt-link-abbreviated m_4055722970116019915gmail_msg" href="mailto:OAuth@ietf.org" target="_blank">OAuth@ietf.org</a>
<a class="m_4055722970116019915m_-7085697107402748528m_3505641874876562717gmail-m_-1237624956419455067moz-txt-link-freetext m_4055722970116019915gmail_msg" href="https://www.ietf.org/mailman/listinfo/oauth" target="_blank">https://www.ietf.org/mailman/listinfo/oauth</a>
</pre>
    </span></blockquote>
    <br class="m_4055722970116019915gmail_msg">
  </div>

</blockquote></div><br class="m_4055722970116019915gmail_msg"></div></div>
</blockquote></div></div>
</blockquote></div></div></div>
</blockquote></div><br></div>
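The thread above makes two points that fit together: the client_id in the request must be explicitly tied to the certificate presented on the TLS connection (otherwise there is a "potential security hole"), and the existing jwks/jwks_uri client metadata from RFC 7591 registration is enough to express that binding. The following is an added example written for this page; it is not code from the thread, from the draft, or from any of the participants. It assumes, hypothetically, that the TLS layer hands the authorization server the DER bytes of the already-validated client certificate, that registered client metadata sits in a dict keyed by client_id, and that the "certificates" are constructed placeholder byte strings rather than real X.509 DER. Matching is done on the SHA-256 thumbprint of the DER (the x5t#S256 JWK member), so no ASN.1 parsing is needed, and it shows both registration shapes: a JWK carrying x5t#S256 directly and one carrying only an x5c chain.

```python
# Added example (not from the OAuth list thread or any draft text): an
# authorization-server-side check that binds the client_id presented in the
# request to the certificate used on the TLS connection, using only the jwks
# client metadata that RFC 7591 registration already carries (the x5c and
# x5t#S256 JWK members from RFC 7517).
#
# Assumptions, all hypothetical: the TLS layer supplies the DER bytes of the
# validated client certificate; registered client metadata is a dict keyed
# by client_id; the "certificates" below are constructed placeholder byte
# strings, not real X.509 DER. Matching is on the SHA-256 thumbprint of the
# DER, so no ASN.1 parsing is required.
import base64
import hashlib
from typing import Optional, Tuple


def b64url_nopad(data: bytes) -> str:
    """Base64url without padding, as JOSE uses for thumbprints."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def cert_thumbprint_s256(der: bytes) -> str:
    """The x5t#S256 value of a DER-encoded certificate: base64url(SHA-256(DER))."""
    return b64url_nopad(hashlib.sha256(der).digest())


def jwk_for_cert(der: bytes, kid: str) -> dict:
    """JWK a client could place in the 'jwks' of its registration request.
    x5c carries the standard-base64 DER chain (leaf first); x5t#S256 the
    thumbprint. 'RSA' is a placeholder kty; a real JWK would also carry the
    public key members."""
    return {
        "kty": "RSA",
        "kid": kid,
        "x5c": [base64.b64encode(der).decode("ascii")],
        "x5t#S256": cert_thumbprint_s256(der),
    }


def registered_thumbprints(client_metadata: dict) -> set:
    """Every leaf-certificate thumbprint the client registered, whether it
    supplied x5t#S256 directly or only an x5c chain."""
    thumbs = set()
    for jwk in client_metadata.get("jwks", {}).get("keys", []):
        if "x5t#S256" in jwk:
            thumbs.add(jwk["x5t#S256"])
        chain = jwk.get("x5c", [])
        if chain:  # only the leaf (first) certificate identifies the client
            thumbs.add(cert_thumbprint_s256(base64.b64decode(chain[0])))
    return thumbs


def authenticate_client(registry: dict, request_params: dict,
                        tls_client_cert_der: Optional[bytes]) -> Tuple[bool, str]:
    """Authenticate a request. The client_id comes from the request body, as
    the thread discusses; the certificate comes from the connection. The two
    must agree: without this check, any holder of a certificate the AS
    trusts could present someone else's client_id."""
    client_id = request_params.get("client_id")
    if not client_id:
        return False, "missing client_id"
    client = registry.get(client_id)
    if client is None:
        return False, "unknown client_id"
    if tls_client_cert_der is None:
        return False, "no client certificate on the TLS connection"
    if cert_thumbprint_s256(tls_client_cert_der) not in registered_thumbprints(client):
        return False, "certificate is not bound to client_id"
    return True, client_id


# Constructed sample data: two clients, two placeholder "certificates".
CERT_A = b"constructed-placeholder-DER-for-client-a"
CERT_B = b"constructed-placeholder-DER-for-client-b"
REGISTRY = {
    # client-a registered a JWK carrying both x5c and x5t#S256
    "client-a": {"client_id": "client-a",
                 "jwks": {"keys": [jwk_for_cert(CERT_A, "a-1")]}},
    # client-b registered only an x5c chain; the AS derives the thumbprint
    "client-b": {"client_id": "client-b",
                 "jwks": {"keys": [{"kty": "RSA", "kid": "b-1",
                                    "x5c": [base64.b64encode(CERT_B).decode("ascii")]}]}},
}


def demo() -> list:
    """The four cases a reviewer would want to see; returns the verdicts."""
    cases = [
        ({"client_id": "client-a"}, CERT_A),   # correct binding
        ({"client_id": "client-b"}, CERT_B),   # binding derived from x5c only
        ({"client_id": "client-a"}, CERT_B),   # trusted cert, wrong client_id
        ({"client_id": "client-a"}, None),     # no mutual TLS on the connection
    ]
    return [authenticate_client(REGISTRY, params, der) for params, der in cases]


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

The third case is the one Samuel's comment is about: the certificate is perfectly valid, but it is registered to a different client_id, and an AS that only checked "is there a trusted client certificate?" and then trusted the client_id parameter would accept it. Keeping the thumbprint in the registered jwks, rather than looking for the client_id inside the certificate, also matches Brian's observation that the client_id normally does not appear in the certificate at all.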