[Openid-specs-fapi] [OAUTH-WG] New Version Notification for draft-campbell-oauth-tls-client-auth-00.txt

Torsten Lodderstedt torsten at lodderstedt.net
Sun Nov 13 05:21:24 UTC 2016


Justin,

Am 13.11.2016 um 13:39 schrieb Justin Richer:
> Torsten, I believe this is intended to be triggered by the 
> tls_client_auth value specified in §3.

in the token request?

>
> Nit on that section, the field name for the client metadata in RFC7591 
> is token_endpoint_auth_method, the _supported version is from the 
> corresponding discovery document.
>
>  — Justin
>
Torsten.
>> On Nov 13, 2016, at 12:31 PM, Torsten Lodderstedt 
>> <torsten at lodderstedt.net <mailto:torsten at lodderstedt.net>> wrote:
>>
>> Hi John and Brian,
>>
>> thanks for writting this draft.
>>
>> One question: how does the AS determine the authentication method is 
>> TLS authentication? I think you assume this is defined by the 
>> client-specific policy, independent of whether the client is 
>> registered automatically or manually. Would you mind to explicitely 
>> state this in the draft?
>>
>> best regards,
>> Torsten.
>>
>> Am 11.10.2016 um 05:59 schrieb John Bradley:
>>> At the request of the OpenID Foundation Financial Services API 
>>> Working group, Brian Campbell and I have documented
>>> mutual TLS client authentication.   This is something that lots of 
>>> people do in practice though we have never had a spec for it.
>>>
>>> The Banks want to use it for some server to server API use cases 
>>> being driven by new open banking regulation.
>>>
>>> The largest thing in the draft is the IANA registration of 
>>> “tls_client_auth” Token Endpoint authentication method for use in 
>>> Registration and discovery.
>>>
>>> The trust model is intentionally left open so that you could use a 
>>> “common name” and a restricted list of CA or a direct lookup of the 
>>> subject public key against a reregistered value,  or something in 
>>> between.
>>>
>>> I hope that this is non controversial and the WG can adopt it quickly.
>>>
>>> Regards
>>> John B.
>>>
>>>
>>>
>>>
>>>> Begin forwarded message:
>>>>
>>>> *From: *internet-drafts at ietf.org
>>>> *Subject: **New Version Notification for 
>>>> draft-campbell-oauth-tls-client-auth-00.txt*
>>>> *Date: *October 10, 2016 at 5:44:39 PM GMT-3
>>>> *To: *"Brian Campbell" <brian.d.campbell at gmail.com>, "John Bradley" 
>>>> <ve7jtb at ve7jtb.com <mailto:ve7jtb at ve7jtb.com>>
>>>>
>>>>
>>>> A new version of I-D, draft-campbell-oauth-tls-client-auth-00.txt
>>>> has been successfully submitted by John Bradley and posted to the
>>>> IETF repository.
>>>>
>>>> Name:draft-campbell-oauth-tls-client-auth
>>>> Revision:00
>>>> Title:Mutual X.509 Transport Layer Security (TLS) Authentication 
>>>> for OAuth Clients
>>>> Document date:2016-10-10
>>>> Group:Individual Submission
>>>> Pages:5
>>>> URL: 
>>>> https://www.ietf.org/internet-drafts/draft-campbell-oauth-tls-client-auth-00.txt
>>>> Status: 
>>>> https://datatracker.ietf.org/doc/draft-campbell-oauth-tls-client-auth/
>>>> Htmlized: 
>>>> https://tools.ietf.org/html/draft-campbell-oauth-tls-client-auth-00
>>>>
>>>>
>>>> Abstract:
>>>>   This document describes X.509 certificates as OAuth client
>>>>   credentials using Transport Layer Security (TLS) mutual
>>>>   authentication as a mechanism for client authentication to the
>>>>   authorization server's token endpoint.
>>>>
>>>>
>>>>
>>>>
>>>> Please note that it may take a couple of minutes from the time of 
>>>> submission
>>>> until the htmlized version and diff are available at tools.ietf.org 
>>>> <http://tools.ietf.org/>.
>>>>
>>>> The IETF Secretariat
>>>>
>>>
>>>
>>>
>>> _______________________________________________
>>> OAuth mailing list
>>> OAuth at ietf.org
>>> https://www.ietf.org/mailman/listinfo/oauth
>>
>> _______________________________________________
>> OAuth mailing list
>> OAuth at ietf.org <mailto:OAuth at ietf.org>
>> https://www.ietf.org/mailman/listinfo/oauth
>

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openid.net/pipermail/openid-specs-fapi/attachments/20161113/1f2c6fb0/attachment-0001.html>


More information about the Openid-specs-fapi mailing list