<html>
<head>
<meta content="text/html; charset=windows-1252"
http-equiv="Content-Type">
</head>
<body text="#000000" bgcolor="#FFFFFF">
I understand. My point is different: the text seems to assume
everybody is using client registration, but that's not the case. I
would like to point out it makes sense to explicitly state the
assumption that it is determined by client policy (independent of the
way this policy is established).<br>
<br>
<div class="moz-cite-prefix">On 13.11.2016 at 14:24, Justin
Richer wrote:<br>
</div>
<blockquote cite="mid:2164E521-236F-46FC-AAF1-D2EE80F29BA9@mit.edu"
type="cite">
As part of the client’s registered data model. At least, based on
how our own implementation works (where we support
client_secret_basic, private_key_jwt, etc), that’s where we’d
check to see if the client was supposed to be using TLS auth or
not.
<div class=""><br class="">
</div>
<div class="">We don’t let clients switch away from their
registered auth mechanism.</div>
<div class=""><br class="">
</div>
<div class=""> — Justin</div>
<div class=""><br class="">
<div>
<blockquote type="cite" class="">
<div class="">On Nov 13, 2016, at 2:21 PM, Torsten
Lodderstedt &lt;<a moz-do-not-send="true"
href="mailto:torsten@lodderstedt.net" class="">torsten@lodderstedt.net</a>&gt;
wrote:</div>
<br class="Apple-interchange-newline">
<div class="">
<div text="#000000" bgcolor="#FFFFFF" class=""> Justin,<br
class="">
<br class="">
<div class="moz-cite-prefix">On 13.11.2016 at 13:39,
Justin Richer wrote:<br class="">
</div>
<blockquote
cite="mid:4372F560-F98E-491B-BEDD-B02A2671D96C@mit.edu"
type="cite" class=""> Torsten, I believe this is
intended to be triggered by the tls_client_auth value
specified in §3. <br class="">
</blockquote>
<br class="">
in the token request?<br class="">
<br class="">
<blockquote
cite="mid:4372F560-F98E-491B-BEDD-B02A2671D96C@mit.edu"
type="cite" class="">
<div class=""><br class="">
</div>
<div class="">Nit on that section, the field name for
the client metadata in RFC7591 is
token_endpoint_auth_method, the _supported version
is from the corresponding discovery document.</div>
<div class=""><br class="">
</div>
<div class=""> — Justin</div>
<div class=""><br class="">
</div>
</blockquote>
Torsten.<br class="">
<blockquote
cite="mid:4372F560-F98E-491B-BEDD-B02A2671D96C@mit.edu"
type="cite" class="">
<div class="">
<div class="">
<blockquote type="cite" class="">
<div class="">On Nov 13, 2016, at 12:31 PM,
Torsten Lodderstedt &lt;<a moz-do-not-send="true"
href="mailto:torsten@lodderstedt.net"
class="">torsten@lodderstedt.net</a>&gt;
wrote:</div>
<br class="Apple-interchange-newline">
<div class="">
<div text="#000000" bgcolor="#FFFFFF" class="">
Hi John and Brian,<br class="">
<br class="">
thanks for writing this draft.<br class="">
<br class="">
One question: how does the AS determine the
authentication method is TLS authentication?
I think you assume this is defined by the
client-specific policy, independent of
whether the client is registered
automatically or manually. Would you mind
explicitly stating this in the draft?<br
class="">
<br class="">
best regards,<br class="">
Torsten.<br class="">
<br class="">
<div class="moz-cite-prefix">On 11.10.2016
at 05:59, John Bradley wrote:<br class="">
</div>
<blockquote
cite="mid:9CDE07EB-E5B4-43B2-B3C1-F12569CAB458@ve7jtb.com"
type="cite" class=""> At the request of
the OpenID Foundation Financial Services
API Working group, Brian Campbell and I
have documented
<div class="">mutual TLS client
authentication. This is something that
lots of people do in practice though we
have never had a spec for it.</div>
<div class=""><br class="">
</div>
<div class="">The Banks want to use it for
some server to server API use cases
being driven by new open banking
regulation.</div>
<div class=""><br class="">
</div>
<div class="">The largest thing in the
draft is the IANA registration of
“tls_client_auth” Token Endpoint
authentication method for use in
Registration and discovery.</div>
<div class=""><br class="">
</div>
<div class="">The trust model is
intentionally left open so that you
could use a “common name” and a
restricted list of CA or a direct lookup
of the subject public key against a
reregistered value, or something in
between.</div>
<div class=""><br class="">
</div>
<div class="">I hope that this is non
controversial and the WG can adopt it
quickly.</div>
<div class=""><br class="">
</div>
<div class="">Regards</div>
<div class="">John B.</div>
<div class=""><br class="">
</div>
<div class=""><br class="">
</div>
<div class=""><br class="">
<div class=""><br class="">
<blockquote type="cite" class="">
<div class="">Begin forwarded
message:</div>
<br
class="Apple-interchange-newline">
<div class=""><b class="">From: </b><a moz-do-not-send="true" class="moz-txt-link-abbreviated" href="mailto:internet-drafts@ietf.org">internet-drafts@ietf.org</a><br class="">
</div>
<div class=""><b class="">Subject: </b><b class="">New Version Notification for draft-campbell-oauth-tls-client-auth-00.txt</b><br class="">
</div>
<div class=""><b class="">Date: </b>October 10, 2016 at 5:44:39 PM GMT-3<br class="">
</div>
<div class=""><b class="">To: </b>"Brian Campbell" &lt;<a moz-do-not-send="true" class="moz-txt-link-abbreviated" href="mailto:brian.d.campbell@gmail.com">brian.d.campbell@gmail.com</a>&gt;, "John Bradley" &lt;<a moz-do-not-send="true" href="mailto:ve7jtb@ve7jtb.com" class="">ve7jtb@ve7jtb.com</a>&gt;<br class="">
</div>
<br class="">
<div class="">
<div class=""><br class="">
A new version of I-D,
draft-campbell-oauth-tls-client-auth-00.txt<br
class="">
has been successfully submitted
by John Bradley and posted to
the<br class="">
IETF repository.<br class="">
<br class="">
Name:<span class="Apple-tab-span" style="white-space:pre"> </span><span class="Apple-tab-span" style="white-space:pre"> </span>draft-campbell-oauth-tls-client-auth<br
class="">
Revision:<span class="Apple-tab-span" style="white-space:pre"> </span>00<br
class="">
Title:<span class="Apple-tab-span" style="white-space:pre"> </span><span class="Apple-tab-span" style="white-space:pre"> </span>Mutual
X.509 Transport Layer Security
(TLS) Authentication for OAuth
Clients<br class="">
Document date:<span class="Apple-tab-span" style="white-space:pre"> </span>2016-10-10<br
class="">
Group:<span class="Apple-tab-span" style="white-space:pre"> </span><span class="Apple-tab-span" style="white-space:pre"> </span>Individual
Submission<br class="">
Pages:<span class="Apple-tab-span" style="white-space:pre"> </span><span class="Apple-tab-span" style="white-space:pre"> </span>5<br
class="">
URL: <a moz-do-not-send="true" class="moz-txt-link-freetext" href="https://www.ietf.org/internet-drafts/draft-campbell-oauth-tls-client-auth-00.txt">https://www.ietf.org/internet-drafts/draft-campbell-oauth-tls-client-auth-00.txt</a><br class="">
Status: <a moz-do-not-send="true" class="moz-txt-link-freetext" href="https://datatracker.ietf.org/doc/draft-campbell-oauth-tls-client-auth/">https://datatracker.ietf.org/doc/draft-campbell-oauth-tls-client-auth/</a><br class="">
Htmlized: <a moz-do-not-send="true" class="moz-txt-link-freetext" href="https://tools.ietf.org/html/draft-campbell-oauth-tls-client-auth-00">https://tools.ietf.org/html/draft-campbell-oauth-tls-client-auth-00</a><br class="">
<br class="">
<br class="">
Abstract:<br class="">
This document describes X.509
certificates as OAuth client<br
class="">
credentials using Transport
Layer Security (TLS) mutual<br
class="">
authentication as a mechanism
for client authentication to the<br
class="">
authorization server's token
endpoint.<br class="">
<br class="">
<br class="">
<br class="">
<br class="">
Please note that it may take a
couple of minutes from the time
of submission<br class="">
until the htmlized version and
diff are available at <a
moz-do-not-send="true"
href="http://tools.ietf.org/"
class="">tools.ietf.org</a>.<br
class="">
<br class="">
The IETF Secretariat<br class="">
<br class="">
</div>
</div>
</blockquote>
</div>
<br class="">
</div>
<br class="">
<br class="">
<pre class="" wrap="">_______________________________________________
OAuth mailing list
<a moz-do-not-send="true" class="moz-txt-link-abbreviated" href="mailto:OAuth@ietf.org">OAuth@ietf.org</a>
<a moz-do-not-send="true" class="moz-txt-link-freetext" href="https://www.ietf.org/mailman/listinfo/oauth">https://www.ietf.org/mailman/listinfo/oauth</a>
</pre>
</blockquote>
<br class="">
</div>
</div>
</blockquote>
</div>
<br class="">
</div>
</blockquote>
<br class="">
</div>
</div>
</blockquote>
</div>
<br class="">
</div>
</blockquote>
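<div class="">
Added example, not code from the draft, its authors or any participant in the thread: an authorization-server token-endpoint check that dispatches on the client's registered token_endpoint_auth_method, so the registered policy decides whether tls_client_auth applies and a client cannot switch to another mechanism per request. It covers both trust models John mentions (subject DN with a restricted issuer list, and a pinned subject public key); RegisteredClient, TokenRequest and the dict standing in for the TLS-layer certificate are constructed names for illustration.
</div>

```python
"""Added example, not code from the draft or its authors. The client
certificate is a constructed dict standing in for what the TLS layer verified."""
import hmac
from dataclasses import dataclass
from typing import Optional

@dataclass
class RegisteredClient:
    client_id: str
    token_endpoint_auth_method: str          # RFC 7591 client metadata name
    client_secret: Optional[str] = None      # used by client_secret_basic
    tls_subject_dn: Optional[str] = None     # "common name + restricted CA list" model
    tls_allowed_issuers: frozenset = frozenset()
    tls_spki_sha256: Optional[str] = None    # "direct subject public key lookup" model

@dataclass
class TokenRequest:
    client_id: str
    basic_secret: Optional[str] = None       # secret from HTTP Basic, if any was sent
    client_cert: Optional[dict] = None       # {"subject", "issuer", "spki_sha256"} or None

def authenticate(clients: dict, req: TokenRequest):
    # Returns (ok, reason). The registered method decides; no per-request switching.
    client = clients.get(req.client_id)
    if client is None:
        return False, "unknown client_id"
    method = client.token_endpoint_auth_method
    if method == "tls_client_auth":
        if req.basic_secret is not None:
            return False, "tls_client_auth client tried to authenticate with a secret"
        cert = req.client_cert
        if cert is None:
            return False, "no client certificate presented"
        anchored = False
        if client.tls_subject_dn is not None:          # DN bound to an allowed CA
            anchored = True
            if cert["subject"] != client.tls_subject_dn or \
               cert["issuer"] not in client.tls_allowed_issuers:
                return False, "subject DN or issuer does not match registration"
        if client.tls_spki_sha256 is not None:         # pinned subject public key
            anchored = True
            if not hmac.compare_digest(cert["spki_sha256"], client.tls_spki_sha256):
                return False, "subject public key does not match registration"
        return (True, "tls_client_auth") if anchored else (False, "no TLS trust anchor registered")
    if method == "client_secret_basic":
        if req.basic_secret is None or client.client_secret is None:
            return False, "client_secret_basic client sent no secret"
        if not hmac.compare_digest(req.basic_secret, client.client_secret):
            return False, "bad client secret"
        return True, "client_secret_basic"
    return False, "unsupported token_endpoint_auth_method: " + method
```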
<br>
</body>
</html>