Hi Mike and others,

During the ACE session at the IETF meeting in Prague I presented draft-erdtman-ace-rpcc and Mike asked how it relates to RFC7521. Here comes a short summary, hope it clarifies things.

One could probably achieve something similar to what we want by creating a profile of the RFC7521 framework. However, I think we would end up with something much more complex than what we need, with much more work.

The case we want to solve is authentication of the client for interactions with endpoints such as token and introspection (with something more suitable for constrained devices than client_secret, i.e. a password). We assume that the client has a key to use for the authentication, a Raw-Public-Key (RPK) or a Pre-Shared-Key (PSK).

If we look at draft-ietf-oauth-mtls, it defines how to do client authentication with a certificate. The functionality for client authentication with certificates is widespread and well understood, i.e. cheap to implement. In our case we similarly want to piggyback on the availability of RPK and PSK authentication; we do not want to define a new Holder-of-Key schema and put it on top of (D)TLS. RFC7521 does not define a solution for Holder-of-Key Assertions, so we would have to do that.

Based on this we think it would be valuable to have a specification that defines how to use RPK and PSK for client authentication before it becomes defined in the wild (like with certificates).

Best regards
//Samuel
_______________________________________________ Ace mailing list [email protected] https://www.ietf.org/mailman/listinfo/ace
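Added illustration (editor's example code, not part of draft-erdtman-ace-rpcc, draft-ietf-oauth-mtls or this thread) of what "piggybacking on the (D)TLS authentication" means at the token endpoint: the server builds no certificate chain and holds no CA pool; it looks up the SubjectPublicKeyInfo the client authenticated with at the TLS layer in its client registry and binds the resulting client_id to the connection. Go's standard crypto/tls has no API for RFC 7250 raw public keys or for external TLS-PSK, so the example stands in for RPK with a throwaway self-signed certificate whose issuer, lifetime and chain are never checked, and it runs over TLS/TCP on loopback rather than DTLS/CoAP. The names Registry, NewKey, Authenticate and the client_id "client-42" are assumptions made for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Registry maps SHA-256(SubjectPublicKeyInfo) of a client's public key to its
// client_id. Constructed for the example; an AS keeps this in its registration store.
type Registry map[[32]byte]string

// NewKey makes a P-256 key inside a throwaway self-signed certificate and returns
// the key's fingerprint. The certificate is only a carrier: nothing below checks
// its issuer, lifetime or chain, so the public key itself is the credential.
func NewKey(name string) (tls.Certificate, [32]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, [32]byte{}, err
	}
	spki, _ := x509.MarshalPKIXPublicKey(&key.PublicKey) // cannot fail for a fresh P-256 key
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: name},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, [32]byte{}, err
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, sha256.Sum256(spki), nil
}

// Authenticate runs one loopback TLS handshake. The server has no CA pool: it
// completes the handshake only for a registered public key and returns the
// client_id it bound to the connection (the RPK analogue of mtls client auth).
func Authenticate(reg Registry, serverCert, clientCert tls.Certificate) (string, error) {
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{
		Certificates: []tls.Certificate{serverCert},
		ClientAuth:   tls.RequireAnyClientCert, // demand a key, build no chain
		VerifyPeerCertificate: func(raw [][]byte, _ [][]*x509.Certificate) error {
			leaf, err := x509.ParseCertificate(raw[0])
			if err != nil {
				return err
			}
			if _, ok := reg[sha256.Sum256(leaf.RawSubjectPublicKeyInfo)]; !ok {
				return errors.New("unregistered client key")
			}
			return nil
		},
	})
	if err != nil {
		return "", err
	}
	defer ln.Close()
	type verdict struct{ id string; err error }
	done := make(chan verdict, 1)
	go func() {
		conn, err := ln.Accept()
		if err == nil {
			defer conn.Close()
			err = conn.(*tls.Conn).Handshake() // runs VerifyPeerCertificate above
		}
		if err != nil {
			done <- verdict{err: err}
			return
		}
		spki := conn.(*tls.Conn).ConnectionState().PeerCertificates[0].RawSubjectPublicKeyInfo
		done <- verdict{id: reg[sha256.Sum256(spki)]}
	}()
	// Client side. InsecureSkipVerify is an assumption of the loopback example:
	// a real constrained client would pin the AS's raw public key instead.
	c, err := tls.Dial("tcp", ln.Addr().String(), &tls.Config{
		Certificates:       []tls.Certificate{clientCert},
		InsecureSkipVerify: true,
	})
	if err != nil {
		return "", err
	}
	_, _ = c.Read(make([]byte, 1)) // wait for the server to close or send an alert
	c.Close()
	v := <-done
	return v.id, v.err
}

func main() {
	reg := Registry{}
	as, _, _ := NewKey("as")
	dev, fp, _ := NewKey("device")
	reg[fp] = "client-42"
	fmt.Println(Authenticate(reg, as, dev))
}
```

With the device's key registered, Authenticate returns "client-42"; a key that is not in the registry makes the server abort the handshake in VerifyPeerCertificate and Authenticate returns an error. Note what is deliberately absent: no client_secret, no assertion in the request body and no CA; the binding between the TLS-layer key and the OAuth client is the whole mechanism.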
