<html>
<head>
<meta content="text/html; charset=windows-1252"
http-equiv="Content-Type">
</head>
<body text="#000000" bgcolor="#FFFFFF">
Justin,<br>
<br>
<div class="moz-cite-prefix">On 13.11.2016 at 13:39, Justin
Richer wrote:<br>
</div>
<blockquote cite="mid:4372F560-F98E-491B-BEDD-B02A2671D96C@mit.edu"
type="cite">
Torsten, I believe this is intended to be triggered by the
tls_client_auth value specified in §3. <br>
</blockquote>
<br>
in the token request?<br>
<br>
<blockquote cite="mid:4372F560-F98E-491B-BEDD-B02A2671D96C@mit.edu"
type="cite">
<div class=""><br class="">
</div>
<div class="">Nit on that section, the field name for the client
metadata in RFC7591 is token_endpoint_auth_method, the
_supported version is from the corresponding discovery document.</div>
<div class=""><br class="">
</div>
<div class=""> — Justin</div>
<div class=""><br class="">
</div>
</blockquote>
Torsten.<br>
<blockquote cite="mid:4372F560-F98E-491B-BEDD-B02A2671D96C@mit.edu"
type="cite">
<div class="">
<div>
<blockquote type="cite" class="">
<div class="">On Nov 13, 2016, at 12:31 PM, Torsten
Lodderstedt <<a moz-do-not-send="true"
href="mailto:torsten@lodderstedt.net" class="">torsten@lodderstedt.net</a>>
wrote:</div>
<br class="Apple-interchange-newline">
<div class="">
<div text="#000000" bgcolor="#FFFFFF" class=""> Hi John
and Brian,<br class="">
<br class="">
thanks for writing this draft.<br class="">
<br class="">
One question: how does the AS determine the
authentication method is TLS authentication? I think you
assume this is defined by the client-specific policy,
independent of whether the client is registered
automatically or manually. Would you mind explicitly
stating this in the draft?<br class="">
<br class="">
best regards,<br class="">
Torsten.<br class="">
<br class="">
<div class="moz-cite-prefix">On 11.10.2016 at 05:59,
John Bradley wrote:<br class="">
</div>
<blockquote
cite="mid:9CDE07EB-E5B4-43B2-B3C1-F12569CAB458@ve7jtb.com"
type="cite" class=""> At the request of the OpenID
Foundation Financial Services API Working group, Brian
Campbell and I have documented
<div class="">mutual TLS client authentication. This
is something that lots of people do in practice
though we have never had a spec for it.</div>
<div class=""><br class="">
</div>
<div class="">The Banks want to use it for some server
to server API use cases being driven by new open
banking regulation.</div>
<div class=""><br class="">
</div>
<div class="">The largest thing in the draft is the
IANA registration of “tls_client_auth” Token
Endpoint authentication method for use in
Registration and discovery.</div>
<div class=""><br class="">
</div>
<div class="">The trust model is intentionally left
open so that you could use a “common name” and a
restricted list of CAs or a direct lookup of the
subject public key against a registered value, or
something in between.</div>
<div class=""><br class="">
</div>
<div class="">I hope that this is non controversial
and the WG can adopt it quickly.</div>
<div class=""><br class="">
</div>
<div class="">Regards</div>
<div class="">John B.</div>
<div class=""><br class="">
</div>
<div class=""><br class="">
</div>
<div class=""><br class="">
<div class=""><br class="">
<blockquote type="cite" class="">
<div class="">Begin forwarded message:</div>
<br class="Apple-interchange-newline">
<div style="margin-top: 0px; margin-right: 0px;
margin-bottom: 0px; margin-left: 0px;"
class=""><span style="font-family:
-webkit-system-font, 'Helvetica Neue',
Helvetica, sans-serif;" class=""><b class="">From:
</b></span><span style="font-family:
-webkit-system-font, Helvetica Neue,
Helvetica, sans-serif;" class=""><a
moz-do-not-send="true"
class="moz-txt-link-abbreviated"
href="mailto:internet-drafts@ietf.org">internet-drafts@ietf.org</a><br
class="">
</span></div>
<div style="margin-top: 0px; margin-right: 0px;
margin-bottom: 0px; margin-left: 0px;"
class=""><span style="font-family:
-webkit-system-font, 'Helvetica Neue',
Helvetica, sans-serif;" class=""><b class="">Subject:
</b></span><span style="font-family:
-webkit-system-font, Helvetica Neue,
Helvetica, sans-serif;" class=""><b class="">New
Version Notification for
draft-campbell-oauth-tls-client-auth-00.txt</b><br
class="">
</span></div>
<div style="margin-top: 0px; margin-right: 0px;
margin-bottom: 0px; margin-left: 0px;"
class=""><span style="font-family:
-webkit-system-font, 'Helvetica Neue',
Helvetica, sans-serif;" class=""><b class="">Date:
</b></span><span style="font-family:
-webkit-system-font, Helvetica Neue,
Helvetica, sans-serif;" class="">October 10,
2016 at 5:44:39 PM GMT-3<br class="">
</span></div>
<div style="margin-top: 0px; margin-right: 0px;
margin-bottom: 0px; margin-left: 0px;"
class=""><span style="font-family:
-webkit-system-font, 'Helvetica Neue',
Helvetica, sans-serif;" class=""><b class="">To:
</b></span><span style="font-family:
-webkit-system-font, Helvetica Neue,
Helvetica, sans-serif;" class="">"Brian
Campbell" <<a moz-do-not-send="true"
class="moz-txt-link-abbreviated"
href="mailto:brian.d.campbell@gmail.com">brian.d.campbell@gmail.com</a>>,
"John Bradley" <<a moz-do-not-send="true"
href="mailto:ve7jtb@ve7jtb.com" class="">ve7jtb@ve7jtb.com</a>><br
class="">
</span></div>
<br class="">
<div class="">
<div class=""><br class="">
A new version of I-D,
draft-campbell-oauth-tls-client-auth-00.txt<br
class="">
has been successfully submitted by John
Bradley and posted to the<br class="">
IETF repository.<br class="">
<br class="">
Name:<span class="Apple-tab-span" style="white-space:pre"> </span><span class="Apple-tab-span" style="white-space:pre"> </span>draft-campbell-oauth-tls-client-auth<br
class="">
Revision:<span class="Apple-tab-span" style="white-space:pre"> </span>00<br
class="">
Title:<span class="Apple-tab-span" style="white-space:pre"> </span><span class="Apple-tab-span" style="white-space:pre"> </span>Mutual
X.509 Transport Layer Security (TLS)
Authentication for OAuth Clients<br class="">
Document date:<span class="Apple-tab-span" style="white-space:pre"> </span>2016-10-10<br
class="">
Group:<span class="Apple-tab-span" style="white-space:pre"> </span><span class="Apple-tab-span" style="white-space:pre"> </span>Individual
Submission<br class="">
Pages:<span class="Apple-tab-span" style="white-space:pre"> </span><span class="Apple-tab-span" style="white-space:pre"> </span>5<br
class="">
URL: <a moz-do-not-send="true"
href="https://www.ietf.org/internet-drafts/draft-campbell-oauth-tls-client-auth-00.txt"
class="">https://www.ietf.org/internet-drafts/draft-campbell-oauth-tls-client-auth-00.txt</a><br
class="">
Status: <a moz-do-not-send="true"
href="https://datatracker.ietf.org/doc/draft-campbell-oauth-tls-client-auth/"
class="">https://datatracker.ietf.org/doc/draft-campbell-oauth-tls-client-auth/</a><br
class="">
Htmlized: <a moz-do-not-send="true"
href="https://tools.ietf.org/html/draft-campbell-oauth-tls-client-auth-00"
class="">https://tools.ietf.org/html/draft-campbell-oauth-tls-client-auth-00</a><br
class="">
<br class="">
<br class="">
Abstract:<br class="">
This document describes X.509 certificates
as OAuth client<br class="">
credentials using Transport Layer Security
(TLS) mutual<br class="">
authentication as a mechanism for client
authentication to the<br class="">
authorization server's token endpoint.<br
class="">
<br class="">
<br class="">
<br class="">
<br class="">
Please note that it may take a couple of
minutes from the time of submission<br
class="">
until the htmlized version and diff are
available at <a moz-do-not-send="true"
href="http://tools.ietf.org/" class="">tools.ietf.org</a>.<br
class="">
<br class="">
The IETF Secretariat<br class="">
<br class="">
</div>
</div>
</blockquote>
</div>
<br class="">
</div>
<br class="">
<br class="">
<pre class="" wrap="">_______________________________________________
OAuth mailing list
<a moz-do-not-send="true" class="moz-txt-link-abbreviated" href="mailto:OAuth@ietf.org">OAuth@ietf.org</a>
<a moz-do-not-send="true" class="moz-txt-link-freetext" href="https://www.ietf.org/mailman/listinfo/oauth">https://www.ietf.org/mailman/listinfo/oauth</a>
</pre>
</blockquote>
<br class="">
</div>
</div>
</blockquote>
</div>
<br class="">
</div>
</blockquote>
<br>
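<p>The two points the thread turns on, shown as an added example that is not part of the mailing-list discussion or of the draft itself: the AS decides <i>whether</i> a client authenticates with mutual TLS from the client's registered <code>token_endpoint_auth_method</code> (the per-client RFC 7591 field Justin names), advertises what it accepts in the discovery document's <code>token_endpoint_auth_methods_supported</code>, and then binds the presented certificate to that specific <code>client_id</code> under one of the two trust models John mentions (subject name plus a restricted list of CAs, or a direct lookup of the subject public key against a registered value). Everything below is illustrative Python written for this page: the registration field names <code>tls_client_cert_subject</code>, <code>tls_client_cert_issuers</code> and <code>tls_client_spki_sha256</code> are assumptions, not names from the draft; the <code>PeerCert</code> object stands in for what a TLS stack exposes after it has already validated the chain (subject and issuer in the tuple layout of <code>ssl.SSLSocket.getpeercert()</code>, plus DER SubjectPublicKeyInfo bytes, here constructed placeholders); chain, expiry and revocation checks are assumed to have happened in the TLS layer and are not repeated here.</p>

```python
import base64
import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict, Optional

# Discovery document fragment: the "_supported" list lives here, on the AS.
AS_METADATA = {
    "token_endpoint": "https://as.example/token",
    "token_endpoint_auth_methods_supported": [
        "client_secret_basic", "private_key_jwt", "tls_client_auth"],
}


@dataclass(frozen=True)
class PeerCert:
    """Assumed output of the TLS layer after chain validation (not done here)."""
    subject: tuple   # getpeercert()-style: ((("commonName", "x"),), ...)
    issuer: tuple
    spki_der: bytes  # DER SubjectPublicKeyInfo; placeholder bytes in this example


def name_to_dict(name: tuple) -> Dict[str, str]:
    """Flatten a getpeercert()-style distinguished name into attr -> value."""
    return {attr: value for rdn in name for (attr, value) in rdn}


def spki_thumbprint(spki_der: bytes) -> str:
    """Unpadded base64url(SHA-256(DER SubjectPublicKeyInfo))."""
    digest = hashlib.sha256(spki_der).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


# Constructed placeholders standing in for real DER SubjectPublicKeyInfo bytes.
BANK_SPKI = b"constructed-spki-bytes-for-bank-api-1"
FINTECH_SPKI = b"constructed-spki-bytes-for-fintech-2"

# Constructed client registry (RFC 7591-style metadata). The per-client field
# is token_endpoint_auth_method; the tls_client_* field names are assumptions.
CLIENT_REGISTRY = {
    # Trust model A: pinned subject attributes + restricted list of issuing CAs.
    "bank-api-1": {
        "token_endpoint_auth_method": "tls_client_auth",
        "tls_client_cert_subject": {"commonName": "bank-api-1.example",
                                   "organizationName": "Example Bank"},
        "tls_client_cert_issuers": [{"commonName": "Open Banking Issuing CA"}],
    },
    # Trust model B: subject public key looked up directly against a registered value.
    "fintech-2": {
        "token_endpoint_auth_method": "tls_client_auth",
        "tls_client_spki_sha256": spki_thumbprint(FINTECH_SPKI),
    },
    # Not an mTLS client: a certificate on the connection must not count as auth.
    "web-app-3": {
        "token_endpoint_auth_method": "client_secret_basic",
        "client_secret": "constructed-secret",
    },
}


class InvalidClient(Exception):
    """Maps to the token-endpoint error code invalid_client."""


def authenticate_token_request(client_id: str, peer_cert: Optional[PeerCert],
                               client_secret: Optional[str] = None) -> str:
    """Return the authenticated client_id or raise InvalidClient.

    The method comes from the client's *registered* metadata, never from what
    the request happens to carry, so a tls_client_auth client cannot be
    downgraded to a secret and a secret client cannot be upgraded by a cert.
    """
    client = CLIENT_REGISTRY.get(client_id)
    if client is None:
        raise InvalidClient("unknown client_id")
    method = client["token_endpoint_auth_method"]
    if method not in AS_METADATA["token_endpoint_auth_methods_supported"]:
        raise InvalidClient(f"{method} not supported at this token endpoint")

    if method == "client_secret_basic":
        if client_secret is not None and hmac.compare_digest(
                client_secret.encode(), client["client_secret"].encode()):
            return client_id
        raise InvalidClient("bad or missing client secret")
    if method != "tls_client_auth":
        raise InvalidClient(f"{method} not implemented in this example")
    if peer_cert is None:
        raise InvalidClient("TLS client certificate required")

    if "tls_client_spki_sha256" in client:
        # Model B: key pinning; subject and issuer are irrelevant (self-signed is fine).
        if not hmac.compare_digest(spki_thumbprint(peer_cert.spki_der),
                                   client["tls_client_spki_sha256"]):
            raise InvalidClient("subject public key does not match registration")
        return client_id

    # Model A: every registered subject attribute must match and the issuer must
    # be on *this client's* CA list; a valid cert from the same CA for another
    # subject is not this client.
    subject, issuer = name_to_dict(peer_cert.subject), name_to_dict(peer_cert.issuer)
    if any(subject.get(k) != v for k, v in client["tls_client_cert_subject"].items()):
        raise InvalidClient("certificate subject does not match registration")
    if issuer not in client["tls_client_cert_issuers"]:
        raise InvalidClient("certificate issuer not in the client's CA list")
    return client_id


def rejects(client_id: str, peer_cert: Optional[PeerCert],
            client_secret: Optional[str] = None) -> bool:
    """True if the token endpoint would answer invalid_client."""
    try:
        authenticate_token_request(client_id, peer_cert, client_secret)
    except InvalidClient:
        return True
    return False


# Constructed sample certificates as the TLS layer would present them.
BANK_CERT = PeerCert(
    subject=((("commonName", "bank-api-1.example"),), (("organizationName", "Example Bank"),)),
    issuer=((("commonName", "Open Banking Issuing CA"),),), spki_der=BANK_SPKI)
ROGUE_CERT = PeerCert(  # same subject, but from a CA not on bank-api-1's list
    subject=BANK_CERT.subject, issuer=((("commonName", "Some Other CA"),),),
    spki_der=b"constructed-spki-bytes-for-rogue")
FINTECH_CERT = PeerCert(subject=((("commonName", "fintech-2"),),),
                        issuer=((("commonName", "fintech-2"),),), spki_der=FINTECH_SPKI)
```

<p>The check that matters is the last one in each branch: a certificate that chains to an accepted CA is necessary but not sufficient, because the token endpoint must also establish that it is the certificate registered for the <code>client_id</code> in the request. Under model B the pinned public key does that on its own; under model A the subject attributes and the per-client CA list do it together.</p>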
</body>
</html>