[Openid-specs-mobile-profile] CIBA's OAuth MTLS reference

Brian Campbell bcampbell at pingidentity.com
Mon Jul 9 22:44:18 UTC 2018


Sec 4 of the latest CIBA draft from source
<https://xml2rfc.tools.ietf.org/cgi-bin/xml2rfc.cgi?Submit=Submit&format=ascii&mode=html&type=ascii&url=https://bitbucket.org/openid/mobile/raw/585e168fcc5d89bbb0e0908ecf2d7498982aac9f/draft-mobile-client-initiated-backchannel-authentication.xml#registration>
on Polling and Pairwise Identifiers says that "it is MANDATORY for the
Client to authenticate the token endpoint using one of this two mechanisms"
and then cites "Mutual TLS as defined in section 3 Mutual TLS Sender
Constrained Resources Access
<https://tools.ietf.org/html/draft-ietf-oauth-mtls-07#section-3> of the
[I-D.ietf-oauth-mtls]
<https://xml2rfc.tools.ietf.org/cgi-bin/xml2rfc.cgi?Submit=Submit&format=ascii&mode=html&type=ascii&url=https://bitbucket.org/openid/mobile/raw/585e168fcc5d89bbb0e0908ecf2d7498982aac9f/draft-mobile-client-initiated-backchannel-authentication.xml#I-D.ietf-oauth-mtls>"
as one of the mechanisms. However, section 3 of the OAuth MTLS draft isn't
about client authentication so pointing to it in that context doesn't
really make sense.

Mutual TLS for OAuth Client Authentication is defined in section 2 of that
document <https://tools.ietf.org/html/draft-ietf-oauth-mtls-09#section-2>
and more specifically the Self-Signed Certificate Mutual TLS OAuth Client
Authentication Method is defined in sec 2.2
<https://tools.ietf.org/html/draft-ietf-oauth-mtls-09#section-2.2> and is
probably the more appropriate reference here because it (potentially) makes
use of the client's jwks_uri.

Also just noticed that the "this" should be "these" in that first sentence
quoted.

I-D.ietf-oauth-mtls is at draft -09 now (rather than -07) and hopefully a
real RFC soon (by IETF time anyway).

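The self-signed certificate method referenced above (section 2.2 of draft-ietf-oauth-mtls) authenticates a client by matching the certificate it presented in the TLS handshake against the certificates it registered via jwks or jwks_uri, carried in the JWK Set's x5c members. The block below is an added illustration of that matching step and is not code from the mailing-list post, from the CIBA draft, or from the OAuth MTLS draft; the client_id, kids, and DER byte strings are constructed stand-ins, and the JWK Set builder omits the public-key members (kty/n/e) because the check only consults x5c. It assumes the TLS layer has already verified that the client holds the private key for the presented certificate, which is what the method relies on TLS for.

```python
"""
Added example: certificate matching for the Self-Signed Certificate Mutual
TLS client authentication method (draft-ietf-oauth-mtls section 2.2 style).
The authorization server fetched the client's JWK Set from its jwks_uri and
now checks whether the handshake certificate is one of those registered.
Stdlib only; all certificate bytes below are constructed, not real X.509.
"""
import base64
import binascii
import hashlib
import hmac
from typing import Dict, Optional


def _b64url_nopad(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_set_from_certs(certs: Dict[str, bytes]) -> dict:
    """Build the JWK Set a client would publish at its jwks_uri.

    Each entry carries the registered DER certificate in x5c (standard
    base64 per RFC 7517) plus its x5t#S256 thumbprint. The public-key
    members (kty/n/e or crv/x/y) are omitted in this constructed example
    because the check below only looks at x5c; a real JWK Set includes them.
    """
    keys = []
    for kid, der in certs.items():
        keys.append({
            "kid": kid,
            "x5c": [base64.b64encode(der).decode("ascii")],
            "x5t#S256": _b64url_nopad(hashlib.sha256(der).digest()),
        })
    return {"keys": keys}


def authenticate_client(presented_der: bytes, registered: dict) -> Optional[str]:
    """Return the kid whose x5c[0] is byte-for-byte the presented certificate.

    x5c[0] is the end-entity certificate; any further chain elements are not
    consulted. Keys without x5c cannot satisfy this method and are skipped,
    as are malformed x5c entries (treated as non-matching, never as a match).
    Comparison is over SHA-256 digests with a constant-time compare.
    """
    presented_fp = hashlib.sha256(presented_der).digest()
    for jwk in registered.get("keys", []):
        x5c = jwk.get("x5c")
        if not isinstance(x5c, list) or not x5c:
            continue
        try:
            registered_der = base64.b64decode(x5c[0], validate=True)
        except (binascii.Error, ValueError):
            continue
        if hmac.compare_digest(hashlib.sha256(registered_der).digest(), presented_fp):
            return jwk.get("kid")
    return None


# Constructed stand-ins for DER-encoded certificates (not real X.509 data).
CLIENT_CERT_DER = b"\x30\x82\x01\x00CONSTRUCTED-SELF-SIGNED-CERT-FOR-ciba-client"
ROTATED_CERT_DER = b"\x30\x82\x01\x00CONSTRUCTED-SELF-SIGNED-CERT-ROTATED"
IMPOSTER_CERT_DER = b"\x30\x82\x01\x00CONSTRUCTED-CERT-SAME-SUBJECT-OTHER-KEY"

# What the AS holds for the (hypothetical) client after fetching its jwks_uri.
REGISTERED_JWKS = jwk_set_from_certs({
    "ciba-client-2018": CLIENT_CERT_DER,
    "ciba-client-2018-rotated": ROTATED_CERT_DER,
})

# A JWK Set with public-key members but no x5c cannot be used by this method
# (constructed placeholder values, not a usable RSA key).
JWKS_WITHOUT_X5C = {"keys": [{"kty": "RSA", "kid": "no-cert",
                              "n": "CONSTRUCTED-MODULUS", "e": "AQAB"}]}


def demo() -> Dict[str, Optional[str]]:
    """Run the check for the normal, rotated, imposter and no-x5c cases."""
    return {
        "current": authenticate_client(CLIENT_CERT_DER, REGISTERED_JWKS),
        "rotated": authenticate_client(ROTATED_CERT_DER, REGISTERED_JWKS),
        "imposter": authenticate_client(IMPOSTER_CERT_DER, REGISTERED_JWKS),
        "no_x5c": authenticate_client(CLIENT_CERT_DER, JWKS_WITHOUT_X5C),
    }


if __name__ == "__main__":
    for case, kid in demo().items():
        print(f"{case}: {'authenticated as ' + kid if kid else 'rejected'}")
```

The rotated-certificate case shows why jwks_uri matters for this method: a client can publish a new self-signed certificate alongside the old one and the AS picks it up on its next fetch, with no re-registration of the client. An AS should still cache and rate-limit fetches of jwks_uri so that a failed match does not turn into an unbounded number of outbound requests.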