<html>
  <head>
    <meta content="text/html; charset=windows-1252"
      http-equiv="Content-Type">
  </head>
  <body text="#000000" bgcolor="#FFFFFF">
    Hi John and Brian,<br>
    <br>
thanks for writing this draft.<br>
    <br>
One question: how does the AS determine that the authentication method is
TLS authentication? I think you assume this is defined by the
client-specific policy, independent of whether the client is
registered automatically or manually. Would you mind explicitly
stating this in the draft?<br>
    <br>
    best regards,<br>
    Torsten.<br>
    <br>
<div class="moz-cite-prefix">On 11.10.2016 at 05:59, John
      Bradley wrote:<br>
    </div>
    <blockquote
      cite="mid:9CDE07EB-E5B4-43B2-B3C1-F12569CAB458@ve7jtb.com"
      type="cite">
      <meta http-equiv="Content-Type" content="text/html;
        charset=windows-1252">
      At the request of the OpenID Foundation Financial Services API
      Working group, Brian Campbell and I have documented 
      <div class="">mutual TLS client authentication.   This is
        something that lots of people do in practice though we have
        never had a spec for it.</div>
      <div class=""><br class="">
      </div>
      <div class="">The Banks want to use it for some server to server
        API use cases being driven by new open banking regulation.</div>
      <div class=""><br class="">
      </div>
      <div class="">The largest thing in the draft is the IANA
        registration of “tls_client_auth” Token Endpoint authentication
        method for use in Registration and discovery.</div>
      <div class=""><br class="">
      </div>
<div class="">The trust model is intentionally left open so that
        you could use a “common name” and a restricted list of CAs, or a
        direct lookup of the subject public key against a registered
        value, or something in between.</div>
      <div class=""><br class="">
      </div>
<div class="">I hope that this is non-controversial and the WG can
        adopt it quickly.</div>
      <div class=""><br class="">
      </div>
      <div class="">Regards</div>
      <div class="">John B.</div>
      <div class=""><br class="">
      </div>
      <div class=""><br class="">
      </div>
      <div class=""><br class="">
        <div><br class="">
          <blockquote type="cite" class="">
            <div class="">Begin forwarded message:</div>
            <br class="Apple-interchange-newline">
            <div style="margin-top: 0px; margin-right: 0px;
              margin-bottom: 0px; margin-left: 0px;" class=""><span
                style="font-family: -webkit-system-font, Helvetica Neue,
                Helvetica, sans-serif; color:rgba(0, 0, 0, 1.0);"
                class=""><b class="">From: </b></span><span
                style="font-family: -webkit-system-font, Helvetica Neue,
                Helvetica, sans-serif;" class=""><a
                  moz-do-not-send="true"
href="mailto:internet-drafts@ietf.org" class="">internet-drafts@ietf.org</a><br
                  class="">
              </span></div>
            <div style="margin-top: 0px; margin-right: 0px;
              margin-bottom: 0px; margin-left: 0px;" class=""><span
                style="font-family: -webkit-system-font, Helvetica Neue,
                Helvetica, sans-serif; color:rgba(0, 0, 0, 1.0);"
                class=""><b class="">Subject: </b></span><span
                style="font-family: -webkit-system-font, Helvetica Neue,
                Helvetica, sans-serif;" class=""><b class="">New Version
                  Notification for
                  draft-campbell-oauth-tls-client-auth-00.txt</b><br
                  class="">
              </span></div>
            <div style="margin-top: 0px; margin-right: 0px;
              margin-bottom: 0px; margin-left: 0px;" class=""><span
                style="font-family: -webkit-system-font, Helvetica Neue,
                Helvetica, sans-serif; color:rgba(0, 0, 0, 1.0);"
                class=""><b class="">Date: </b></span><span
                style="font-family: -webkit-system-font, Helvetica Neue,
                Helvetica, sans-serif;" class="">October 10, 2016 at
                5:44:39 PM GMT-3<br class="">
              </span></div>
            <div style="margin-top: 0px; margin-right: 0px;
              margin-bottom: 0px; margin-left: 0px;" class=""><span
                style="font-family: -webkit-system-font, Helvetica Neue,
                Helvetica, sans-serif; color:rgba(0, 0, 0, 1.0);"
                class=""><b class="">To: </b></span><span
                style="font-family: -webkit-system-font, Helvetica Neue,
                Helvetica, sans-serif;" class="">"Brian Campbell" <<a
                  moz-do-not-send="true"
href="mailto:brian.d.campbell@gmail.com" class="">brian.d.campbell@gmail.com</a>&gt;,
                "John Bradley" <<a moz-do-not-send="true"
                  href="mailto:ve7jtb@ve7jtb.com" class="">ve7jtb@ve7jtb.com</a>><br
                  class="">
              </span></div>
            <br class="">
            <div class="">
              <div class=""><br class="">
                A new version of I-D,
                draft-campbell-oauth-tls-client-auth-00.txt<br class="">
                has been successfully submitted by John Bradley and
                posted to the<br class="">
                IETF repository.<br class="">
                <br class="">
                Name:<span class="Apple-tab-span" style="white-space:pre">    </span><span class="Apple-tab-span" style="white-space:pre">    </span>draft-campbell-oauth-tls-client-auth<br
                  class="">
                Revision:<span class="Apple-tab-span" style="white-space:pre">        </span>00<br
                  class="">
                Title:<span class="Apple-tab-span" style="white-space:pre">   </span><span class="Apple-tab-span" style="white-space:pre">    </span>Mutual
                X.509 Transport Layer Security (TLS) Authentication for
                OAuth Clients<br class="">
                Document date:<span class="Apple-tab-span" style="white-space:pre">   </span>2016-10-10<br
                  class="">
                Group:<span class="Apple-tab-span" style="white-space:pre">   </span><span class="Apple-tab-span" style="white-space:pre">    </span>Individual
                Submission<br class="">
                Pages:<span class="Apple-tab-span" style="white-space:pre">   </span><span class="Apple-tab-span" style="white-space:pre">    </span>5<br
                  class="">
                URL:            <a moz-do-not-send="true"
href="https://www.ietf.org/internet-drafts/draft-campbell-oauth-tls-client-auth-00.txt"
                  class="">https://www.ietf.org/internet-drafts/draft-campbell-oauth-tls-client-auth-00.txt</a><br
                  class="">
                Status:         <a moz-do-not-send="true"
href="https://datatracker.ietf.org/doc/draft-campbell-oauth-tls-client-auth/"
                  class="">https://datatracker.ietf.org/doc/draft-campbell-oauth-tls-client-auth/</a><br
                  class="">
                Htmlized:       <a moz-do-not-send="true"
href="https://tools.ietf.org/html/draft-campbell-oauth-tls-client-auth-00"
                  class="">https://tools.ietf.org/html/draft-campbell-oauth-tls-client-auth-00</a><br
                  class="">
                <br class="">
                <br class="">
                Abstract:<br class="">
                  This document describes X.509 certificates as OAuth
                client<br class="">
                  credentials using Transport Layer Security (TLS)
                mutual<br class="">
                  authentication as a mechanism for client
                authentication to the<br class="">
                  authorization server's token endpoint.<br class="">
                <br class="">
                <br class="">
                <br class="">
                <br class="">
                Please note that it may take a couple of minutes from
                the time of submission<br class="">
                until the htmlized version and diff are available at <a
                  moz-do-not-send="true" href="http://tools.ietf.org"
                  class="">tools.ietf.org</a>.<br class="">
                <br class="">
                The IETF Secretariat<br class="">
                <br class="">
              </div>
            </div>
          </blockquote>
        </div>
        <br class="">
      </div>
      <br>
      <br>
      <pre wrap="">_______________________________________________
OAuth mailing list
<a class="moz-txt-link-abbreviated" href="mailto:OAuth@ietf.org">OAuth@ietf.org</a>
<a class="moz-txt-link-freetext" href="https://www.ietf.org/mailman/listinfo/oauth">https://www.ietf.org/mailman/listinfo/oauth</a>
</pre>
    </blockquote>
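<p>As an added illustration (not part of the original thread or of the draft itself), the following constructed Python sketch shows the token-endpoint check the two messages describe: the AS picks the authentication method from the client's registered <code>token_endpoint_auth_method</code>, and for <code>tls_client_auth</code> binds the TLS-validated client certificate to the registration using either a subject CN plus an allowed-CA list or a registered subject-public-key thumbprint. The registry layout, the trust-policy field names and the certificate dict are assumptions; the TLS layer is assumed to have already validated the chain and proof of possession.</p>

```python
import hashlib
import hmac

# Hypothetical AS client registry (constructed). Only "tls_client_auth" comes
# from the draft; the "trust" sub-structure and its keys are assumptions.
CLIENT_REGISTRY = {
    "bank-api-client": {
        "token_endpoint_auth_method": "tls_client_auth",
        "trust": {"mode": "cn_and_ca", "cn": "bank-api-client",
                  "allowed_ca_dns": {"CN=Open Banking Issuing CA"}},
    },
    "spki-pinned-client": {
        "token_endpoint_auth_method": "tls_client_auth",
        "trust": {"mode": "spki",
                  "spki_sha256": hashlib.sha256(b"constructed-spki-der").hexdigest()},
    },
    "secret-client": {"token_endpoint_auth_method": "client_secret_basic"},
}


def spki_thumbprint(spki_der: bytes) -> str:
    """SHA-256 over the DER SubjectPublicKeyInfo, hex encoded."""
    return hashlib.sha256(spki_der).hexdigest()


def authenticate_tls_client(client_id, cert):
    """cert: dict with "subject_cn", "issuer_dn", "spki_der" taken from the
    certificate the TLS layer already validated (chain + handshake signature).
    Returns (authenticated: bool, reason: str)."""
    client = CLIENT_REGISTRY.get(client_id)
    if client is None:
        return False, "unknown client_id"
    # The method is a property of the client registration, not of the request:
    # a presented certificate never upgrades a client registered for secrets.
    if client["token_endpoint_auth_method"] != "tls_client_auth":
        return False, "client not registered for tls_client_auth"
    if cert is None:
        return False, "no client certificate presented"
    trust = client["trust"]
    if trust["mode"] == "cn_and_ca":
        if cert["issuer_dn"] not in trust["allowed_ca_dns"]:
            return False, "issuer not in client's allowed CA list"
        if cert["subject_cn"] != trust["cn"]:
            return False, "subject CN does not match registered value"
        return True, "ok (cn_and_ca)"
    if trust["mode"] == "spki":
        if not hmac.compare_digest(spki_thumbprint(cert["spki_der"]),
                                   trust["spki_sha256"]):
            return False, "subject public key does not match registered value"
        return True, "ok (spki)"
    return False, "unsupported trust mode"
```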
    <br>
  </body>
</html>