<html>
<head>
<meta content="text/html; charset=windows-1252"
http-equiv="Content-Type">
</head>
<body text="#000000" bgcolor="#FFFFFF">
Hi John and Brian,<br>
<br>
thanks for writing this draft.<br>
<br>
One question: how does the AS determine that the authentication method is
TLS authentication? I think you assume this is defined by the
client-specific policy, independent of whether the client is
registered automatically or manually. Would you mind explicitly
stating this in the draft?<br>
<br>
best regards,<br>
Torsten.<br>
<br>
<div class="moz-cite-prefix">On 11.10.2016 at 05:59, John
Bradley wrote:<br>
</div>
<blockquote
cite="mid:9CDE07EB-E5B4-43B2-B3C1-F12569CAB458@ve7jtb.com"
type="cite">
<meta http-equiv="Content-Type" content="text/html;
charset=windows-1252">
At the request of the OpenID Foundation Financial Services API
Working group, Brian Campbell and I have documented
<div class="">mutual TLS client authentication. This is
something that lots of people do in practice though we have
never had a spec for it.</div>
<div class=""><br class="">
</div>
<div class="">The Banks want to use it for some server to server
API use cases being driven by new open banking regulation.</div>
<div class=""><br class="">
</div>
<div class="">The largest thing in the draft is the IANA
registration of “tls_client_auth” Token Endpoint authentication
method for use in Registration and discovery.</div>
<div class=""><br class="">
</div>
<div class="">The trust model is intentionally left open so that
you could use a “common name” and a restricted list of CAs or a
direct lookup of the subject public key against a registered
value, or something in between.</div>
<div class=""><br class="">
</div>
<div class="">I hope that this is non controversial and the WG can
adopt it quickly.</div>
<div class=""><br class="">
</div>
<div class="">Regards</div>
<div class="">John B.</div>
<div class=""><br class="">
</div>
<div class=""><br class="">
</div>
<div class=""><br class="">
<div><br class="">
<blockquote type="cite" class="">
<div class="">Begin forwarded message:</div>
<br class="Apple-interchange-newline">
<div style="margin-top: 0px; margin-right: 0px;
margin-bottom: 0px; margin-left: 0px;" class=""><span
style="font-family: -webkit-system-font, Helvetica Neue,
Helvetica, sans-serif; color:rgba(0, 0, 0, 1.0);"
class=""><b class="">From: </b></span><span
style="font-family: -webkit-system-font, Helvetica Neue,
Helvetica, sans-serif;" class=""><a
moz-do-not-send="true"
href="mailto:internet-drafts@ietf.org" class="">internet-drafts@ietf.org</a><br
class="">
</span></div>
<div style="margin-top: 0px; margin-right: 0px;
margin-bottom: 0px; margin-left: 0px;" class=""><span
style="font-family: -webkit-system-font, Helvetica Neue,
Helvetica, sans-serif; color:rgba(0, 0, 0, 1.0);"
class=""><b class="">Subject: </b></span><span
style="font-family: -webkit-system-font, Helvetica Neue,
Helvetica, sans-serif;" class=""><b class="">New Version
Notification for
draft-campbell-oauth-tls-client-auth-00.txt</b><br
class="">
</span></div>
<div style="margin-top: 0px; margin-right: 0px;
margin-bottom: 0px; margin-left: 0px;" class=""><span
style="font-family: -webkit-system-font, Helvetica Neue,
Helvetica, sans-serif; color:rgba(0, 0, 0, 1.0);"
class=""><b class="">Date: </b></span><span
style="font-family: -webkit-system-font, Helvetica Neue,
Helvetica, sans-serif;" class="">October 10, 2016 at
5:44:39 PM GMT-3<br class="">
</span></div>
<div style="margin-top: 0px; margin-right: 0px;
margin-bottom: 0px; margin-left: 0px;" class=""><span
style="font-family: -webkit-system-font, Helvetica Neue,
Helvetica, sans-serif; color:rgba(0, 0, 0, 1.0);"
class=""><b class="">To: </b></span><span
style="font-family: -webkit-system-font, Helvetica Neue,
Helvetica, sans-serif;" class="">"Brian Campbell" <<a
moz-do-not-send="true"
href="mailto:brian.d.campbell@gmail.com" class="">brian.d.campbell@gmail.com</a>&gt;,
"John Bradley" <<a moz-do-not-send="true"
href="mailto:ve7jtb@ve7jtb.com" class="">ve7jtb@ve7jtb.com</a>><br
class="">
</span></div>
<br class="">
<div class="">
<div class=""><br class="">
A new version of I-D,
draft-campbell-oauth-tls-client-auth-00.txt<br class="">
has been successfully submitted by John Bradley and
posted to the<br class="">
IETF repository.<br class="">
<br class="">
Name:<span class="Apple-tab-span" style="white-space:pre"> </span><span class="Apple-tab-span" style="white-space:pre"> </span>draft-campbell-oauth-tls-client-auth<br
class="">
Revision:<span class="Apple-tab-span" style="white-space:pre"> </span>00<br
class="">
Title:<span class="Apple-tab-span" style="white-space:pre"> </span><span class="Apple-tab-span" style="white-space:pre"> </span>Mutual
X.509 Transport Layer Security (TLS) Authentication for
OAuth Clients<br class="">
Document date:<span class="Apple-tab-span" style="white-space:pre"> </span>2016-10-10<br
class="">
Group:<span class="Apple-tab-span" style="white-space:pre"> </span><span class="Apple-tab-span" style="white-space:pre"> </span>Individual
Submission<br class="">
Pages:<span class="Apple-tab-span" style="white-space:pre"> </span><span class="Apple-tab-span" style="white-space:pre"> </span>5<br
class="">
URL: <a moz-do-not-send="true"
href="https://www.ietf.org/internet-drafts/draft-campbell-oauth-tls-client-auth-00.txt"
class="">https://www.ietf.org/internet-drafts/draft-campbell-oauth-tls-client-auth-00.txt</a><br
class="">
Status: <a moz-do-not-send="true"
href="https://datatracker.ietf.org/doc/draft-campbell-oauth-tls-client-auth/"
class="">https://datatracker.ietf.org/doc/draft-campbell-oauth-tls-client-auth/</a><br
class="">
Htmlized: <a moz-do-not-send="true"
href="https://tools.ietf.org/html/draft-campbell-oauth-tls-client-auth-00"
class="">https://tools.ietf.org/html/draft-campbell-oauth-tls-client-auth-00</a><br
class="">
<br class="">
<br class="">
Abstract:<br class="">
This document describes X.509 certificates as OAuth
client<br class="">
credentials using Transport Layer Security (TLS)
mutual<br class="">
authentication as a mechanism for client
authentication to the<br class="">
authorization server's token endpoint.<br class="">
<br class="">
<br class="">
<br class="">
<br class="">
Please note that it may take a couple of minutes from
the time of submission<br class="">
until the htmlized version and diff are available at <a
moz-do-not-send="true" href="http://tools.ietf.org"
class="">tools.ietf.org</a>.<br class="">
<br class="">
The IETF Secretariat<br class="">
<br class="">
</div>
</div>
</blockquote>
</div>
<br class="">
</div>
<br>
<br>
<pre wrap="">_______________________________________________
OAuth mailing list
<a class="moz-txt-link-abbreviated" href="mailto:OAuth@ietf.org">OAuth@ietf.org</a>
<a class="moz-txt-link-freetext" href="https://www.ietf.org/mailman/listinfo/oauth">https://www.ietf.org/mailman/listinfo/oauth</a>
</pre>
</blockquote>
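<p>As an added illustration of the two points raised in this thread (the trust model John leaves open, and Torsten's question about how the AS knows a client uses TLS authentication), here is a Go sketch of the token endpoint's decision. It is example code written for this page, not code from the draft or from its authors, and it assumes hypothetical names: a per-client <code>ClientRecord</code> whose <code>TokenEndpointAuthMethod</code> holds the registered method, an <code>ExpectedSubjectCN</code> plus a CA allow-list for the "common name and restricted CA list" option, and an <code>ExpectedSPKISHA256</code> pin for the "subject public key lookup" option. Only the value <code>tls_client_auth</code> comes from the draft; the certificates are generated in-process as test fixtures.</p>

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// ClientRecord is the AS-side registration for one client. Only the
// TokenEndpointAuthMethod value "tls_client_auth" comes from the draft; the
// remaining field names are hypothetical and model the two trust options.
type ClientRecord struct {
	TokenEndpointAuthMethod string
	ExpectedSubjectCN       string         // trust model A: CN match plus ...
	TrustedCAs              *x509.CertPool // ... a restricted list of CAs
	ExpectedSPKISHA256      string         // trust model B: base64url(SHA-256(SPKI)) registered up front
}

var (
	ErrNotTLSClient = errors.New("client is not registered for tls_client_auth")
	ErrCertMismatch = errors.New("client certificate does not match registration")
)

// spkiThumbprint hashes the DER SubjectPublicKeyInfo, so the pin is bound to
// the key rather than to one certificate and survives reissuance.
func spkiThumbprint(cert *x509.Certificate) string {
	sum := sha256.Sum256(cert.RawSubjectPublicKeyInfo)
	return base64.RawURLEncoding.EncodeToString(sum[:])
}

// AuthenticateTLSClient is what the token endpoint calls with the client_id
// from the request body and the certificate the TLS layer presented. The
// registered record, never the request, decides which method applies.
func AuthenticateTLSClient(reg map[string]*ClientRecord, clientID string, peer *x509.Certificate) error {
	rec, ok := reg[clientID]
	if !ok {
		return errors.New("unknown client_id")
	}
	if rec.TokenEndpointAuthMethod != "tls_client_auth" {
		return ErrNotTLSClient
	}
	if peer == nil {
		return fmt.Errorf("%w: no client certificate presented", ErrCertMismatch)
	}
	switch {
	case rec.ExpectedSPKISHA256 != "":
		if spkiThumbprint(peer) != rec.ExpectedSPKISHA256 {
			return fmt.Errorf("%w: public key thumbprint differs", ErrCertMismatch)
		}
	case rec.ExpectedSubjectCN != "":
		if peer.Subject.CommonName != rec.ExpectedSubjectCN {
			return fmt.Errorf("%w: subject CN differs", ErrCertMismatch)
		}
		opts := x509.VerifyOptions{Roots: rec.TrustedCAs, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
		if _, err := peer.Verify(opts); err != nil {
			return fmt.Errorf("%w: %v", ErrCertMismatch, err)
		}
	default:
		return errors.New("client record carries no certificate binding")
	}
	return nil
}

// newCert issues a throwaway ECDSA certificate for cn; parent == nil makes it
// self-signed. Test-fixture code only, not part of the AS logic above.
func newCert(cn string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	serial, _ := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 62))
	tmpl := &x509.Certificate{
		SerialNumber: serial, Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: isCA, BasicConstraintsValid: true,
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}
```

<p>In a real server the <code>peer</code> argument would be <code>r.TLS.PeerCertificates[0]</code> from the incoming <code>http.Request</code>, with the listener configured to request client certificates; the <code>client_id</code> still has to come from the request body, because the certificate alone does not say which registration it belongs to. The property that matters for Torsten's question is that a client registered with <code>client_secret_basic</code> is refused here even if it presents a perfectly valid certificate: the method is selected by the registration record, whether that record was created manually or through dynamic registration. Under trust model A, a certificate with the right CN but issued by a CA outside the allow-list is also refused, which is what makes the restricted CA list load-bearing.</p>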
<br>
</body>
</html>