<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
</head>
<body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; color: rgb(0, 0, 0); font-size: 14px; font-family: Calibri, sans-serif;">
<div>+1</div>
<div><br>
</div>
<span id="OLK_SRC_BODY_SECTION">
<div style="font-family:Calibri; font-size:11pt; text-align:left; color:black; BORDER-BOTTOM: medium none; BORDER-LEFT: medium none; PADDING-BOTTOM: 0in; PADDING-LEFT: 0in; PADDING-RIGHT: 0in; BORDER-TOP: #b5c4df 1pt solid; BORDER-RIGHT: medium none; PADDING-TOP: 3pt">
<span style="font-weight:bold">From: </span>Openid-specs-fapi &lt;<a href="mailto:openid-specs-fapi-bounces@lists.openid.net">openid-specs-fapi-bounces@lists.openid.net</a>&gt; on behalf of John Bradley via Openid-specs-fapi &lt;<a href="mailto:openid-specs-fapi@lists.openid.net">openid-specs-fapi@lists.openid.net</a>&gt;<br>
<span style="font-weight:bold">Reply-To: </span>John Bradley &lt;<a href="mailto:ve7jtb@ve7jtb.com">ve7jtb@ve7jtb.com</a>&gt;, Financial API Working Group List &lt;<a href="mailto:openid-specs-fapi@lists.openid.net">openid-specs-fapi@lists.openid.net</a>&gt;<br>
<span style="font-weight:bold">Date: </span>Monday, October 10, 2016 at 1:59 PM<br>
<span style="font-weight:bold">To: </span>OAuth WG &lt;<a href="mailto:oauth@ietf.org">oauth@ietf.org</a>&gt;<br>
<span style="font-weight:bold">Cc: </span>Nat Sakimura via Openid-specs-fapi &lt;<a href="mailto:openid-specs-fapi@lists.openid.net">openid-specs-fapi@lists.openid.net</a>&gt;<br>
<span style="font-weight:bold">Subject: </span>[Openid-specs-fapi] Fwd: New Version Notification for draft-campbell-oauth-tls-client-auth-00.txt<br>
</div>
<div><br>
</div>
<div>
<div style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class="">
At the request of the OpenID Foundation Financial Services API Working group, Brian Campbell and I have documented
<div class="">mutual TLS client authentication. This is something that lots of people do in practice, though we have never had a spec for it.</div>
<div class=""><br class="">
</div>
<div class="">The Banks want to use it for some server-to-server API use cases being driven by new open banking regulation.</div>
<div class=""><br class="">
</div>
<div class="">The largest thing in the draft is the IANA registration of the “tls_client_auth” Token Endpoint authentication method for use in Registration and discovery.</div>
<div class=""><br class="">
</div>
<div class="">The trust model is intentionally left open so that you could use a “common name” and a restricted list of CAs or a direct lookup of the subject public key against a reregistered value, or something in between.</div>
<div class=""><br class="">
</div>
<div class="">I hope that this is non-controversial and the WG can adopt it quickly.</div>
<div class=""><br class="">
</div>
<div class="">Regards</div>
<div class="">John B.</div>
<div class=""><br class="">
</div>
<div class=""><br class="">
</div>
<div class=""><br class="">
<div><br class="">
<blockquote type="cite" class="">
<div class="">Begin forwarded message:</div>
<br class="Apple-interchange-newline">
<div style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px;" class="">
<span style="font-family: -webkit-system-font, 'Helvetica Neue', Helvetica, sans-serif; color: rgb(0, 0, 0);" class=""><b class="">From:
</b></span><span style="font-family: -webkit-system-font, 'Helvetica Neue', Helvetica, sans-serif;" class=""><a href="mailto:internet-drafts@ietf.org" class="">internet-drafts@ietf.org</a><br class="">
</span></div>
<div style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px;" class="">
<span style="font-family: -webkit-system-font, 'Helvetica Neue', Helvetica, sans-serif; color: rgb(0, 0, 0);" class=""><b class="">Subject:
</b></span><span style="font-family: -webkit-system-font, 'Helvetica Neue', Helvetica, sans-serif;" class=""><b class="">New Version Notification for draft-campbell-oauth-tls-client-auth-00.txt</b><br class="">
</span></div>
<div style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px;" class="">
<span style="font-family: -webkit-system-font, 'Helvetica Neue', Helvetica, sans-serif; color: rgb(0, 0, 0);" class=""><b class="">Date:
</b></span><span style="font-family: -webkit-system-font, 'Helvetica Neue', Helvetica, sans-serif;" class="">October 10, 2016 at 5:44:39 PM GMT-3<br class="">
</span></div>
<div style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px;" class="">
<span style="font-family: -webkit-system-font, 'Helvetica Neue', Helvetica, sans-serif; color: rgb(0, 0, 0);" class=""><b class="">To:
</b></span><span style="font-family: -webkit-system-font, 'Helvetica Neue', Helvetica, sans-serif;" class="">"Brian Campbell" &lt;<a href="mailto:brian.d.campbell@gmail.com" class="">brian.d.campbell@gmail.com</a>&gt;, "John Bradley" &lt;<a href="mailto:ve7jtb@ve7jtb.com" class="">ve7jtb@ve7jtb.com</a>&gt;<br class="">
</span></div>
<br class="">
<div class="">
<div class=""><br class="">
A new version of I-D, draft-campbell-oauth-tls-client-auth-00.txt<br class="">
has been successfully submitted by John Bradley and posted to the<br class="">
IETF repository.<br class="">
<br class="">
Name:<span class="Apple-tab-span" style="white-space:pre"> </span><span class="Apple-tab-span" style="white-space:pre"></span>draft-campbell-oauth-tls-client-auth<br class="">
Revision:<span class="Apple-tab-span" style="white-space:pre"> </span>00<br class="">
Title:<span class="Apple-tab-span" style="white-space:pre"> </span><span class="Apple-tab-span" style="white-space:pre"></span>Mutual X.509 Transport Layer Security (TLS) Authentication for OAuth Clients<br class="">
Document date:<span class="Apple-tab-span" style="white-space:pre"> </span>2016-10-10<br class="">
Group:<span class="Apple-tab-span" style="white-space:pre"> </span><span class="Apple-tab-span" style="white-space:pre"></span>Individual Submission<br class="">
Pages:<span class="Apple-tab-span" style="white-space:pre"> </span><span class="Apple-tab-span" style="white-space:pre"></span>5<br class="">
URL: <a href="https://www.ietf.org/internet-drafts/draft-campbell-oauth-tls-client-auth-00.txt" class="">https://www.ietf.org/internet-drafts/draft-campbell-oauth-tls-client-auth-00.txt</a><br class="">
Status: <a href="https://datatracker.ietf.org/doc/draft-campbell-oauth-tls-client-auth/" class="">https://datatracker.ietf.org/doc/draft-campbell-oauth-tls-client-auth/</a><br class="">
Htmlized: <a href="https://tools.ietf.org/html/draft-campbell-oauth-tls-client-auth-00" class="">https://tools.ietf.org/html/draft-campbell-oauth-tls-client-auth-00</a><br class="">
<br class="">
<br class="">
Abstract:<br class="">
This document describes X.509 certificates as OAuth client<br class="">
credentials using Transport Layer Security (TLS) mutual<br class="">
authentication as a mechanism for client authentication to the<br class="">
authorization server's token endpoint.<br class="">
<br class="">
<br class="">
<br class="">
<br class="">
Please note that it may take a couple of minutes from the time of submission<br class="">
until the htmlized version and diff are available at <a href="http://tools.ietf.org" class="">tools.ietf.org</a>.<br class="">
<br class="">
The IETF Secretariat<br class="">
<br class="">
</div>
</div>
</blockquote>
</div>
<br class="">
</div>
</div>
</div>
</span>
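<div>Added example, not part of the original thread and not code from the draft or its authors: a sketch of how an authorization server could bind a TLS client certificate to an OAuth client_id under the two trust models the message mentions (common name plus restricted CA list, or direct lookup of the subject public key). The client IDs, the dictionary field names other than token_endpoint_auth_method, the peer_cert layout and all values are assumptions; the TLS layer is assumed to have completed the handshake and chain validation before this check runs.</div>

```python
import hashlib
import hmac

# Constructed client registrations; IDs, field names other than
# token_endpoint_auth_method, and all values are assumptions.
REGISTRY = {
    "bank-app-1": {  # PKI model: registered common name + restricted CA list
        "token_endpoint_auth_method": "tls_client_auth",
        "subject_cn": "bank-app-1.example.com",
        "trusted_issuers": {"CN=Example Open Banking CA"},
    },
    "bank-app-2": {  # direct model: registered hash of the subject public key
        "token_endpoint_auth_method": "tls_client_auth",
        "spki_sha256": hashlib.sha256(b"constructed-spki-der-app-2").hexdigest(),
    },
}

# Constructed view of a peer certificate as handed over by the TLS layer.
APP1_CERT = {"subject_cn": "bank-app-1.example.com",
             "issuer_dn": "CN=Example Open Banking CA",
             "spki_der": b"constructed-spki-der-app-1", "chain_valid": True}

def authenticate_client(client_id, peer_cert, registry=REGISTRY):
    """Decide whether the TLS peer certificate authenticates client_id.

    Proof of possession of the private key comes from the TLS handshake;
    this function only binds the presented certificate to the registration.
    """
    reg = registry.get(client_id)
    if reg is None or reg.get("token_endpoint_auth_method") != "tls_client_auth":
        return False
    if "spki_sha256" in reg:
        # Direct lookup: the certificate may be self-signed, only the key counts.
        presented = hashlib.sha256(peer_cert["spki_der"]).hexdigest()
        return hmac.compare_digest(presented, reg["spki_sha256"])
    # PKI model: the chain must validate, the issuer must be on this client's
    # list, and the subject must be the one registered for this client_id.
    return (peer_cert.get("chain_valid") is True
            and peer_cert["issuer_dn"] in reg["trusted_issuers"]
            and peer_cert["subject_cn"] == reg["subject_cn"])

if __name__ == "__main__":
    print(authenticate_client("bank-app-1", APP1_CERT))  # registered client
    print(authenticate_client("bank-app-2", APP1_CERT))  # wrong client_id
```

<div>The check is keyed on the client_id sent in the token request, so a certificate that is valid for one client does not authenticate as another.</div>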
</body>
</html>