Authors, While reviewing this document during AUTH48, please resolve (as necessary) the following questions, which are also in the source file.
1) <!-- [rfced] Would you like the references to be alphabetized or left in their current order? --> 2) <!-- [rfced] Please insert any keywords (beyond those that appear in the title) for use on https://www.rfc-editor.org/search. --> 3) <!-- [rfced] In the text below, should "as defined in Section 6.4" be "as defined in Section 6.1" instead? We ask because "exp" appears to be defined in Section 6.1, not Section 6.4. Original: - Implementing mechanisms to update the published federation metadata, ensuring it adheres to the expiration time (exp as defined in Section 6.4) and cache TTL (cache_ttl as defined in Section 6.1) specifications. Perhaps: - Implementing mechanisms to update the published federation metadata, ensuring it adheres to the expiration time (exp as defined in Section 6.1) and cache TTL (cache_ttl as defined in Section 6.1) specifications. --> 4) <!-- [rfced] Should "federation members entities" be updated as follows (to indicate that multiple federation members possess multiple entities)? Original: The payload contains statements about federation members entities. Perhaps: The payload contains statements about entities of federation members. --> 5) <!-- [rfced] For clarity, may we update this sentence as follows? Original: The client then uses the selected server claims base_uri, pins and if needed issuers to establish a connection. Perhaps: To establish a connection, the client then uses the base_uri, pins, and, if needed, issuers of the selected server claims. --> 6) <!-- [rfced] Sections 6.1 and 6.1.1: We note mixed use of quotation marks and/or <tt> tags around the "Example" list items in these sections. Should any of these items be updated for consistency? --> 7) <!-- [rfced] How may we update "PEM-encoded" in the two instances below for clarity? In addition, note that we have expanded "PEM"; please review and let us know if any corrections are needed. Original: For each issuer, the issuer's root CA certificate MUST be included in the x509certificate property, PEM- encoded. - Syntax: Each object contains a issuer certificate, PEM-encoded. Perhaps: For each issuer, the issuer's root CA certificate MUST be included in the x509certificate property and be encoded by Privacy-Enhanced Mail (PEM). - Syntax: Each object contains a PEM-encoded issuer certificate. --> 8) <!-- [rfced] FYI - We have adjusted the items below to make them complete sentences. Please review. Original: 7.3. SPKI Generation Example of how to use OpenSSL to generate a SPKI fingerprint from a PEM-encoded certificate. 7.4. Curl and Public Key Pinning Example of public key pinning with curl. Line breaks are for readability only. Current: 7.3. SPKI Generation The following is an example of how to use OpenSSL to generate a SPKI fingerprint from a PEM-encoded certificate. 7.4. Curl and Public Key Pinning The following is an example of public key pinning with curl. Line breaks are for readability only. --> 9) <!-- [rfced] References: a) FYI - We updated the date for the [Moa] reference from "2022" to "6 October 2025" to match the most recent date provided at the URL. Please let us know if you would like to point to a version from 2022. The page history for this page is available here: https://wiki.federationer.internetstiftelsen.se/pages/viewpreviousversions.action?pageId=20545581 Original: [Moa] The Swedish Internet Foundation, "Machine and Organization Authentication", 2022, <https://wiki.federationer.internetstiftelsen.se/x/ LYA5AQ>. Current: [Moa] Internetstiftelsens Federationer [The Swedish Internet Foundation], "Machine and Organization Authentication", 6 October 2025, <https://wiki.federationer.internetstiftelsen.se/x/ LYA5AQ>. b) FYI - We updated the date for the [SkolverketMATF] reference from "2023" to "4 September 2025" to match the most recent commit made to this README file. We have also added the commit hash to this reference. Please let us know if you would prefer to point to a commit from 2023. A list of commits for this README is available here: https://github.com/skolverket/dnp-usermanagement/commits/main/authentication-api/README.md Original: [SkolverketMATF] Swedish National Agency for Education, "Authentication API for User Management", 2023, <https://github.com/skolverket/dnp- usermanagement/blob/main/authentication-api/README.md>. Current: [SkolverketMATF] Skolverket [Swedish National Agency for Education], "API för autentisering" [Authentication API for User Management], commit f8c2e93, 4 September 2023, <https://github.com/skolverket/dnp- usermanagement/blob/main/authentication-api/README.md>. --> 10) <!-- [rfced] Please review whether any of the notes in this document should be in the <aside> element. It is defined as "a container for content that is semantically less important or tangential to the content that surrounds it" (https://authors.ietf.org/en/rfcxml-vocabulary#aside). --> 11) <!-- [rfced] Abbreviations and Terminology: a) For brevity and for a closer 1:1 relationship between abbreviation and expansion, may we adjust the expansion of MATF throughout this document as follows? Original: Mutually Authenticating TLS in the context of Federations (MATF) Perhaps: Mutually Authenticating TLS in Federations (MATF) b) Per Section 3.6 of RFC 7322 ("RFC Style Guide"), abbreviations should be expanded upon first use. FO appears twice in the paragraph below, and is not used elsewhere. Perhaps this should be replaced with "federation operator"? Otherwise, please let us know how may we expand "FO". The community plays a crucial role in this type of federation. Members are active participants, and the FO ensures the federation runs smoothly and serves their needs. Moa's success highlights the importance of collaboration, with members and the FO working together to maintain trust, security, and interoperability in the education sector. c) To define "RESTful", may we adjust the text below as follows? Original: MATF is designed specifically for secure authentication in machine- to-machine contexts, such as RESTful APIs and service-to-service interactions, and is not intended for browser-based authentication. Perhaps: MATF is designed specifically for secure authentication in machine- to-machine contexts, such as RESTful APIs (where "RESTful" refers to the Representational State Transfer (REST) architecture) and service-to-service interactions, and is not intended for browser-based authentication. d) FYI - We have updated the following abbreviation to the form on the right to match its usage in RFC 7517. JSON Web Key Set (JWKS) -> JSON Web Key (JWK) Set JWKS -> JWK Set e) FYI - We have added expansions for abbreviations upon first use per Section 3.6 of RFC 7322 ("RFC Style Guide"). Please review each expansion in the document carefully to ensure correctness. Security Assertion Markup Language (SAML) JSON Web Signature (JWS) Certificate Authorities (CAs) System for Cross-domain Identity Management (SCIM) --> 12) <!-- [rfced] Please review the "Inclusive Language" portion of the online Style Guide <https://www.rfc-editor.org/styleguide/part2/#inclusive_language> and let us know if any changes are needed. Updates of this nature typically result in more precise language, which is helpful for readers. For example, please consider whether the following terms should be updated in the instances below: a) "man-in-the-middle (perhaps "on-path attacks"): * Public key pinning [RFC7469] and preloading to thwart man-in-the- middle attacks by ensuring validated certificates. b) "native" (perhaps "built in") Implementations SHOULD, when possible, rely on libraries with native support for pinning. c) In addition, please consider whether "tradition" should be updated for clarity. While the NIST website <https://web.archive.org/web/20250214092458/https://www.nist.gov/nist-research-library/nist-technical-series-publications-author-instructions#table1> indicates that this term is potentially biased, it is also ambiguous. "Tradition" is a subjective term, as it is not the same for everyone. This approach eliminates reliance on traditional certificate revocation mechanisms and shifts the trust relationship to the specific, updated public key identified by its pin. --> Thank you. Kaelin Foody and Sandy Ginoza RFC Production Center On Feb 6, 2026, at 1:34 PM, [email protected] wrote: *****IMPORTANT***** Updated 2026/02/06 RFC Author(s): -------------- Instructions for Completing AUTH48 Your document has now entered AUTH48. Once it has been reviewed and approved by you and all coauthors, it will be published as an RFC. If an author is no longer available, there are several remedies available as listed in the FAQ (https://www.rfc-editor.org/faq/). You and you coauthors are responsible for engaging other parties (e.g., Contributors or Working Group) as necessary before providing your approval. Planning your review --------------------- Please review the following aspects of your document: * RFC Editor questions Please review and resolve any questions raised by the RFC Editor that have been included in the XML file as comments marked as follows: <!-- [rfced] ... --> These questions will also be sent in a subsequent email. * Changes submitted by coauthors Please ensure that you review any changes submitted by your coauthors. We assume that if you do not speak up that you agree to changes submitted by your coauthors. * Content Please review the full content of the document, as this cannot change once the RFC is published. Please pay particular attention to: - IANA considerations updates (if applicable) - contact information - references * Copyright notices and legends Please review the copyright notice and legends as defined in RFC 5378 and the Trust Legal Provisions (TLP – https://trustee.ietf.org/license-info). * Semantic markup Please review the markup in the XML file to ensure that elements of content are correctly tagged. For example, ensure that <sourcecode> and <artwork> are set correctly. See details at <https://authors.ietf.org/rfcxml-vocabulary>. * Formatted output Please review the PDF, HTML, and TXT files to ensure that the formatted output, as generated from the markup in the XML file, is reasonable. Please note that the TXT will have formatting limitations compared to the PDF and HTML. Submitting changes ------------------ To submit changes, please reply to this email using ‘REPLY ALL’ as all the parties CCed on this message need to see your changes. The parties include: * your coauthors * [email protected] (the RPC team) * other document participants, depending on the stream (e.g., IETF Stream participants are your working group chairs, the responsible ADs, and the document shepherd). * [email protected], which is a new archival mailing list to preserve AUTH48 conversations; it is not an active discussion list: * More info: https://mailarchive.ietf.org/arch/msg/ietf-announce/yb6lpIGh-4Q9l2USxIAe6P8O4Zc * The archive itself: https://mailarchive.ietf.org/arch/browse/auth48archive/ * Note: If only absolutely necessary, you may temporarily opt out of the archiving of messages (e.g., to discuss a sensitive matter). If needed, please add a note at the top of the message that you have dropped the address. When the discussion is concluded, [email protected] will be re-added to the CC list and its addition will be noted at the top of the message. You may submit your changes in one of two ways: An update to the provided XML file — OR — An explicit list of changes in this format Section # (or indicate Global) OLD: old text NEW: new text You do not need to reply with both an updated XML file and an explicit list of changes, as either form is sufficient. We will ask a stream manager to review and approve any changes that seem beyond editorial in nature, e.g., addition of new text, deletion of text, and technical changes. Information about stream managers can be found in the FAQ. Editorial changes do not require approval from a stream manager. Approving for publication -------------------------- To approve your RFC for publication, please reply to this email stating that you approve this RFC for publication. Please use ‘REPLY ALL’, as all the parties CCed on this message need to see your approval. Files ----- The files are available here: https://www.rfc-editor.org/authors/rfc9932.xml https://www.rfc-editor.org/authors/rfc9932.html https://www.rfc-editor.org/authors/rfc9932.pdf https://www.rfc-editor.org/authors/rfc9932.txt Diff file of the text: https://www.rfc-editor.org/authors/rfc9932-diff.html https://www.rfc-editor.org/authors/rfc9932-rfcdiff.html (side by side) Diff of the XML: https://www.rfc-editor.org/authors/rfc9932-xmldiff1.html Tracking progress ----------------- The details of the AUTH48 status of your document are here: https://www.rfc-editor.org/auth48/rfc9932 Please let us know if you have any questions. Thank you for your cooperation, RFC Editor -------------------------------------- RFC 9932 (draft-halen-fedae-03) Title : Mutually Authenticating TLS in the context of Federations Author(s) : J. Schlyter, S. Halen WG Chair(s) : Area Director(s) : -- auth48archive mailing list -- [email protected] To unsubscribe send an email to [email protected]
