<div dir="ltr">Yes, the intent is that the authentication method is determined by client policy regardless of whether the client was dynamically registered or statically configured or whatever. I can make that point more explicit in future revisions of the draft. <br></div><div class="gmail_extra"><br><div class="gmail_quote">On Sat, Nov 12, 2016 at 10:59 PM, Torsten Lodderstedt <span dir="ltr"><<a href="mailto:torsten@lodderstedt.net" target="_blank">torsten@lodderstedt.net</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div text="#000000" bgcolor="#FFFFFF">
I understand. My point is different: the text seems to assume
everybody is using client registration, but that's not the case. I
would like to point out it makes sense to explicitly state the
assumption that it is determined by client policy (independent of the
way this policy is established).<div><div class="h5"><br>
<br>
<div class="m_-6266504976240642489moz-cite-prefix">On 13.11.2016 at 14:24, Justin
Richer wrote:<br>
</div>
<blockquote type="cite">
As part of the client’s registered data model. At least, based on
how our own implementation works (where we support
client_secret_basic, private_key_jwt, etc), that’s where we’d
check to see if the client was supposed to be using TLS auth or
not.
<div><br>
</div>
<div>We don’t let clients switch away from their
registered auth mechanism.</div>
<div><br>
</div>
<div> — Justin</div>
<div><br>
<div>
<blockquote type="cite">
<div>On Nov 13, 2016, at 2:21 PM, Torsten
Lodderstedt <<a href="mailto:torsten@lodderstedt.net" target="_blank">torsten@lodderstedt.net</a>>
wrote:</div>
<br class="m_-6266504976240642489Apple-interchange-newline">
<div>
<div text="#000000" bgcolor="#FFFFFF"> Justin,<br>
<br>
<div class="m_-6266504976240642489moz-cite-prefix">On 13.11.2016 at 13:39,
Justin Richer wrote:<br>
</div>
<blockquote type="cite"> Torsten, I believe this is
intended to be triggered by the tls_client_auth value
specified in §3. <br>
</blockquote>
<br>
in the token request?<br>
<br>
<blockquote type="cite">
<div><br>
</div>
<div>Nit on that section, the field name for
the client metadata in RFC7591 is
token_endpoint_auth_method, the _supported version
is from the corresponding discovery document.</div>
<div><br>
</div>
<div> — Justin</div>
<div><br>
</div>
</blockquote>
Torsten.<br>
<blockquote type="cite">
<div>
<div>
<blockquote type="cite">
<div>On Nov 13, 2016, at 12:31 PM,
Torsten Lodderstedt <<a class="m_-6266504976240642489moz-txt-link-abbreviated" href="mailto:torsten@lodderstedt.net" target="_blank">torsten@lodderstedt.net</a>>
wrote:</div>
<br class="m_-6266504976240642489Apple-interchange-newline">
<div>
<div text="#000000" bgcolor="#FFFFFF">
Hi John and Brian,<br>
<br>
thanks for writing this draft.<br>
<br>
One question: how does the AS determine that the
authentication method is TLS authentication?
I think you assume this is defined by the
client-specific policy, independent of
whether the client is registered
automatically or manually. Would you mind
explicitly stating this in the draft?<br>
<br>
best regards,<br>
Torsten.<br>
<br>
<div class="m_-6266504976240642489moz-cite-prefix">On 11.10.2016
at 05:59, John Bradley wrote:<br>
</div>
<blockquote type="cite"> At the request of
the OpenID Foundation Financial Services
API Working group, Brian Campbell and I
have documented
<div>mutual TLS client
authentication. This is something that
lots of people do in practice though we
have never had a spec for it.</div>
<div><br>
</div>
<div>The Banks want to use it for
some server to server API use cases
being driven by new open banking
regulation.</div>
<div><br>
</div>
<div>The largest thing in the
draft is the IANA registration of
“tls_client_auth” Token Endpoint
authentication method for use in
Registration and discovery.</div>
<div><br>
</div>
<div>The trust model is
intentionally left open so that you
could use a “common name” and a
restricted list of CA or a direct lookup
of the subject public key against a
reregistered value, or something in
between.</div>
<div><br>
</div>
<div>I hope that this is non
controversial and the WG can adopt it
quickly.</div>
<div><br>
</div>
<div>Regards</div>
<div>John B.</div>
<div><br>
</div>
<div><br>
</div>
<div><br>
<div><br>
<blockquote type="cite">
<div>Begin forwarded
message:</div>
<br class="m_-6266504976240642489Apple-interchange-newline">
<div style="margin-top:0px;margin-right:0px;margin-bottom:0px;margin-left:0px"><span><b>From: </b></span><span style="font-family:-webkit-system-font,Helvetica Neue,Helvetica,sans-serif"><a class="m_-6266504976240642489moz-txt-link-abbreviated" href="mailto:internet-drafts@ietf.org" target="_blank">internet-drafts@ietf.org</a><br>
</span></div>
<div style="margin-top:0px;margin-right:0px;margin-bottom:0px;margin-left:0px"><span><b>Subject: </b></span><span style="font-family:-webkit-system-font,Helvetica Neue,Helvetica,sans-serif"><b>New Version
Notification for
draft-campbell-oauth-tls-client-auth-00.txt</b><br>
</span></div>
<div style="margin-top:0px;margin-right:0px;margin-bottom:0px;margin-left:0px"><span><b>Date: </b></span><span style="font-family:-webkit-system-font,Helvetica Neue,Helvetica,sans-serif">October 10, 2016 at
5:44:39 PM GMT-3<br>
</span></div>
<div style="margin-top:0px;margin-right:0px;margin-bottom:0px;margin-left:0px"><span><b>To: </b></span><span style="font-family:-webkit-system-font,Helvetica Neue,Helvetica,sans-serif">"Brian Campbell" <<a class="m_-6266504976240642489moz-txt-link-abbreviated" href="mailto:brian.d.campbell@gmail.com" target="_blank">brian.d.campbell@gmail.com</a>>,
"John Bradley" <<a class="m_-6266504976240642489moz-txt-link-abbreviated" href="mailto:ve7jtb@ve7jtb.com" target="_blank">ve7jtb@ve7jtb.com</a>><br>
</span></div>
<br>
<div>
<div><br>
A new version of I-D,
draft-campbell-oauth-tls-client-auth-00.txt<br>
has been successfully submitted
by John Bradley and posted to
the<br>
IETF repository.<br>
<br>
Name:<span class="m_-6266504976240642489Apple-tab-span" style="white-space:pre-wrap"> </span><span class="m_-6266504976240642489Apple-tab-span" style="white-space:pre-wrap"> </span>draft-campbell-oauth-tls-client-auth<br>
Revision:<span class="m_-6266504976240642489Apple-tab-span" style="white-space:pre-wrap"> </span>00<br>
Title:<span class="m_-6266504976240642489Apple-tab-span" style="white-space:pre-wrap"> </span><span class="m_-6266504976240642489Apple-tab-span" style="white-space:pre-wrap"> </span>Mutual
X.509 Transport Layer Security
(TLS) Authentication for OAuth
Clients<br>
Document date:<span class="m_-6266504976240642489Apple-tab-span" style="white-space:pre-wrap"> </span>2016-10-10<br>
Group:<span class="m_-6266504976240642489Apple-tab-span" style="white-space:pre-wrap"> </span><span class="m_-6266504976240642489Apple-tab-span" style="white-space:pre-wrap"> </span>Individual
Submission<br>
Pages:<span class="m_-6266504976240642489Apple-tab-span" style="white-space:pre-wrap"> </span><span class="m_-6266504976240642489Apple-tab-span" style="white-space:pre-wrap"> </span>5<br>
URL: <a class="m_-6266504976240642489moz-txt-link-freetext" href="https://www.ietf.org/internet-drafts/draft-campbell-oauth-tls-client-auth-00.txt" target="_blank">https://www.ietf.org/internet-drafts/draft-campbell-oauth-tls-client-auth-00.txt</a><br>
Status: <a class="m_-6266504976240642489moz-txt-link-freetext" href="https://datatracker.ietf.org/doc/draft-campbell-oauth-tls-client-auth/" target="_blank">https://datatracker.ietf.org/doc/draft-campbell-oauth-tls-client-auth/</a><br>
Htmlized: <a class="m_-6266504976240642489moz-txt-link-freetext" href="https://tools.ietf.org/html/draft-campbell-oauth-tls-client-auth-00" target="_blank">https://tools.ietf.org/html/draft-campbell-oauth-tls-client-auth-00</a><br>
<br>
<br>
Abstract:<br>
This document describes X.509
certificates as OAuth client<br>
credentials using Transport
Layer Security (TLS) mutual<br>
authentication as a mechanism
for client authentication to the<br>
authorization server's token
endpoint.<br>
<br>
<br>
<br>
<br>
Please note that it may take a
couple of minutes from the time
of submission<br>
until the htmlized version and
diff are available at <a href="http://tools.ietf.org/" target="_blank">tools.ietf.org</a>.<br>
<br>
The IETF Secretariat<br>
<br>
</div>
</div>
</blockquote>
</div>
<br>
</div>
<br>
<br>
<pre>_______________________________________________
OAuth mailing list
<a class="m_-6266504976240642489moz-txt-link-abbreviated" href="mailto:OAuth@ietf.org" target="_blank">OAuth@ietf.org</a>
<a class="m_-6266504976240642489moz-txt-link-freetext" href="https://www.ietf.org/mailman/listinfo/oauth" target="_blank">https://www.ietf.org/mailman/listinfo/oauth</a>
</pre>
</blockquote>
<br>
</div>
</div>
</blockquote>
</div>
<br>
</div>
</blockquote>
<br>
</div>
</div>
</blockquote>
</div>
<br>
</div>
</blockquote>
<br>
</div></div></div>
</blockquote></div><br></div>
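<p>The behaviour this thread converges on (the AS takes the authentication method from the client's registered policy, does not let a client switch away from it by presenting a certificate, and then applies one of the trust models John sketches: subject name plus a restricted CA list, or a direct lookup of the subject public key against a registered value) as an added Python example. This is not code from the draft or from any poster's implementation. The field names <code>expected_subject_dn</code>, <code>trusted_issuers</code> and <code>pinned_spki_sha256</code> and the sample registrations are assumptions made for illustration; the certificate fields are assumed to come from a TLS terminator that has already validated the chain.</p>

```python
"""AS-side decision for the tls_client_auth token endpoint method.

Added example, not code from the draft or from any poster's implementation.
Assumes the TLS terminator has already validated the certificate chain and
hands over the subject DN, issuer DN and a SHA-256 of the SubjectPublicKeyInfo.
Field names other than token_endpoint_auth_method are hypothetical.
"""
import hmac
from dataclasses import dataclass, field
from typing import FrozenSet, Optional, Tuple


@dataclass(frozen=True)
class PresentedCert:
    """What the TLS layer hands to the token endpoint after the handshake."""
    subject_dn: str
    issuer_dn: str
    spki_sha256: str  # hex digest of the SubjectPublicKeyInfo


@dataclass
class ClientRecord:
    """Registered client data model, whether configured manually or via RFC 7591."""
    client_id: str
    token_endpoint_auth_method: str  # RFC 7591 metadata name, e.g. "tls_client_auth"
    # Hypothetical trust-model fields; a tls_client_auth client uses one of the two.
    expected_subject_dn: Optional[str] = None
    trusted_issuers: FrozenSet[str] = field(default_factory=frozenset)
    pinned_spki_sha256: Optional[str] = None


def authenticate_tls_client(client: ClientRecord,
                            cert: Optional[PresentedCert]) -> Tuple[bool, str]:
    """Return (accepted, reason). The method comes from the registered policy,
    never from what the client happened to present on the wire."""
    if client.token_endpoint_auth_method != "tls_client_auth":
        # A presented certificate does not let a client switch away from its
        # registered mechanism; the registered method is authoritative.
        return False, "client registered for %s, not tls_client_auth" % client.token_endpoint_auth_method
    if cert is None:
        return False, "no client certificate presented"
    # Trust model A: direct lookup of the subject public key against the
    # registered value (the key itself is the identity, issuer is irrelevant).
    if client.pinned_spki_sha256 is not None:
        if hmac.compare_digest(client.pinned_spki_sha256.lower(), cert.spki_sha256.lower()):
            return True, "subject public key matches registered value"
        return False, "subject public key does not match registered value"
    # Trust model B: expected subject name plus a restricted list of CAs.
    # (Plain string equality stands in for proper RFC 5280 DN matching.)
    if client.expected_subject_dn is not None:
        if cert.issuer_dn not in client.trusted_issuers:
            return False, "issuer not in the client's restricted CA list"
        if cert.subject_dn != client.expected_subject_dn:
            return False, "subject name does not match registration"
        return True, "subject name and issuer accepted"
    return False, "tls_client_auth registered but no trust anchor configured"


# Constructed sample registrations; no real deployment is represented.
CLIENTS = {
    "bank-app-1": ClientRecord("bank-app-1", "tls_client_auth",
                               pinned_spki_sha256="a3" * 32),  # placeholder digest
    "bank-app-2": ClientRecord("bank-app-2", "tls_client_auth",
                               expected_subject_dn="CN=bank-app-2,O=Example Bank,C=GB",
                               trusted_issuers=frozenset(
                                   {"CN=Example Issuing CA,O=Example Directory,C=GB"})),
    "legacy-app": ClientRecord("legacy-app", "client_secret_basic"),
}


def token_endpoint_auth(client_id: str, cert: Optional[PresentedCert]) -> Tuple[bool, str]:
    """Entry point the token endpoint would call with the client_id from the request."""
    client = CLIENTS.get(client_id)
    if client is None:
        return False, "unknown client"
    return authenticate_tls_client(client, cert)


if __name__ == "__main__":
    good = PresentedCert("CN=bank-app-2,O=Example Bank,C=GB",
                         "CN=Example Issuing CA,O=Example Directory,C=GB", "00" * 32)
    for cid in ("bank-app-1", "bank-app-2", "legacy-app", "nobody"):
        print(cid, token_endpoint_auth(cid, good))
```

<p>The point of the first check is the one Justin and Brian make: a client that presents a certificate but is registered for <code>client_secret_basic</code> is refused rather than silently upgraded, so the registered metadata, not the handshake, decides the method.</p>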