[Openid-specs-fapi] [OAUTH-WG] Fwd: New Version Notification for draft-campbell-oauth-tls-client-auth-00.txt
bcampbell at pingidentity.com
Wed Nov 2 21:03:16 UTC 2016
On Sun, Oct 30, 2016 at 9:27 AM, Samuel Erdtman <samuel at erdtman.se> wrote:
> I agree it is written so that the connection to the certificate is
> implicitly required but I think it would be better if it was explicit
> written since the lack of a connection would result in a potential security
That's fair. I agree it can be made more explicit and that it'd be good to do
> When it comes to the client_id I think subject common name or maybe
> subject serial numbers will be the common location, and I think an example
> would be valuable.
In my experience and the way we built support for mutual TLS OAuth client
auth the client_id value does not appear in the certificate anywhere. I'm
not saying it can't happen but don't think it's particularly common.
I can look at adding some examples, if there's some consensus that they'd
be useful and this document moves forward.
> I'm not saying it is a bad idea, just that I would prefer if it was not a
> With very limited addition of code it is just as easy to get the
> certificate attribute for client id as it is to get it from the HTTP
> request data (at least in java). I also think that with the requirement to
> match the incoming certificate in some way one has to read out the
> certificate that was used to establish the connection to do some kind of
Getting data out of the certificate isn't a concern. I just believe that
the constancy of having the client id parameter is worth the potential
small amount of duplicate data in some cases. It's just a -00 draft though and
if the WG wants to proceed with this document, we seek further input and
work towards some consensus.
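The exchange above turns on two points: the client_id is carried as a request parameter rather than read out of the certificate, and the authorization server must still match the certificate that established the TLS connection against what was registered for that client_id, because accepting any valid certificate without that binding is the security gap Samuel alludes to. The following is an added illustration of a token-endpoint check doing exactly that; it is not code from the draft, from Ping Identity's implementation, or from this thread. The registry shape (a client record bound either to a certificate SHA-256 fingerprint or to an expected subject DN), the `authenticate_client` function and the certificate bytes are all assumptions constructed for the example; a real server would take the DER and subject DN from its TLS stack or terminating proxy.

```python
"""Mutual-TLS client authentication at an OAuth token endpoint (added example)."""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict, Optional
from urllib.parse import parse_qs


class ClientAuthError(Exception):
    """Raised when client authentication at the token endpoint fails."""


@dataclass(frozen=True)
class TlsClientCert:
    """The certificate the client presented during the TLS handshake.

    In a real server these values come from the TLS stack or a terminating
    reverse proxy. The DER bytes and DNs used further down are constructed
    test values, not real certificates.
    """
    der: bytes
    subject_dn: str

    @property
    def fingerprint(self) -> str:
        return hashlib.sha256(self.der).hexdigest()


@dataclass(frozen=True)
class RegisteredClient:
    """Assumed registration record: one certificate binding per client,
    either the full certificate fingerprint or the expected subject DN.
    Note that the client_id itself appears nowhere in the certificate."""
    client_id: str
    expected_fingerprint: Optional[str] = None
    expected_subject_dn: Optional[str] = None


def authenticate_client(
    form_body: str,
    tls_cert: Optional[TlsClientCert],
    registry: Dict[str, RegisteredClient],
) -> str:
    """Authenticate a token request and return the authenticated client_id.

    The client_id comes from the form body, the registration is looked up,
    and only then is the certificate from the TLS connection compared with
    the binding registered for that client. A certificate that chains fine
    but belongs to a different client is rejected.
    """
    if tls_cert is None:
        raise ClientAuthError("no client certificate on the TLS connection")
    params = parse_qs(form_body, keep_blank_values=True)
    ids = params.get("client_id", [])
    if len(ids) != 1 or not ids[0]:
        raise ClientAuthError("client_id parameter missing, empty or repeated")
    client = registry.get(ids[0])
    if client is None:
        raise ClientAuthError("unknown client_id")

    if client.expected_fingerprint is not None:
        matched = hmac.compare_digest(client.expected_fingerprint, tls_cert.fingerprint)
    elif client.expected_subject_dn is not None:
        # Plain string equality is a simplification; a production server
        # should apply proper distinguished-name matching rules.
        matched = client.expected_subject_dn == tls_cert.subject_dn
    else:
        raise ClientAuthError("client has no certificate binding registered")
    if not matched:
        raise ClientAuthError("presented certificate does not match client_id")
    return client.client_id


# Constructed sample data: the byte strings stand in for real DER certificates.
CERT_A = TlsClientCert(der=b"constructed-der-for-client-a", subject_dn="CN=client-a,O=Example")
CERT_B = TlsClientCert(der=b"constructed-der-for-client-b", subject_dn="CN=client-b,O=Example")

REGISTRY: Dict[str, RegisteredClient] = {
    "client-a": RegisteredClient("client-a", expected_fingerprint=CERT_A.fingerprint),
    "client-b": RegisteredClient("client-b", expected_subject_dn="CN=client-b,O=Example"),
}


def demo() -> Dict[str, str]:
    """Run the check over a few constructed token requests."""
    cases = {
        "a_ok": ("grant_type=client_credentials&client_id=client-a", CERT_A),
        "b_ok": ("grant_type=client_credentials&client_id=client-b", CERT_B),
        "mismatch": ("grant_type=client_credentials&client_id=client-a", CERT_B),
        "no_id": ("grant_type=client_credentials", CERT_A),
        "no_cert": ("grant_type=client_credentials&client_id=client-a", None),
    }
    results = {}
    for name, (body, cert) in cases.items():
        try:
            results[name] = authenticate_client(body, cert, REGISTRY)
        except ClientAuthError as exc:
            results[name] = f"rejected: {exc}"
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The `mismatch` case is the one the thread is really about: client B's certificate is perfectly valid, but because the request names client A the binding check fails and the request is refused. Whether the binding is a fingerprint or a subject DN is a deployment choice; either way the lookup key is the client_id parameter, which is why it carries no information that the certificate would duplicate.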