Hi Dave,

Thanks for the review, support, and feedback.

I've already removed the extraneous "can" in the source. The easy part...

I did struggle with terminology for many of the reasons you point out about there being somewhat established terms that aren't quite the same as those defined in the RFC. And apparently I wasn't terribly consistent with the terminology I did use. I think the phrasing you suggest is pretty good and yes possibly more clear. I'd happily take a pull request with such changes. Thank you.

The XML source of the document is currently in a bitbucket git repo at https://bitbucket.org/b_c/internet-drafts/src/master/draft-campbell-oauth-mtls.xml?at=master&fileviewer=file-view-default

Thanks,
Brian

On Fri, Mar 31, 2017 at 10:07 AM, Dave Tonge <[email protected]> wrote:
> Hi Brian
>
> Thanks for this - it will be very useful for open banking in Europe where
> cert based auth is required by law.
>
> I have a few suggestions around wording.
> Happy to submit these via pull request if it's helpful.
>
> 1. Typo - remove "can" from 1:
>
> Mutual TLS sender constrained access tokens and mutual TLS client
> authentication are distinct mechanisms that *can* don't necessarily
> need to be deployed together.
>
> 2. Consistency of terminology in 2 (and throughout the document).
> In section 2 the following phrases are used:
>
> - Mutual TLS for Client Authentication
> - Mutual TLS Client Authentication to the Token Endpoint
> - mutual TLS as client credentials
> - mutual X.509 certificate authentication
>
> Interestingly, RFC5246 does not refer to "mutual authentication" at all,
> but does refer to "client authentication".
> From an OAuth perspective, surely we are more interested in the fact that
> it is TLS client auth - than the fact that it is mutual. However, referring
> to TLS Client Authentication would bring confusion, as we would have two
> client definitions in play: the TLS Client and the OAuth Client.
>
> "TLS Mutual Auth" and "Mutual TLS" are established phrases in the industry
> - even though they don't seem to be defined in any of the relevant specs;
> however, "Mutual TLS Client Auth" isn't.
>
> I'm not sure of the best solution for this, but would be interested as to
> whether the authors considered this phrasing to be clearer:
>
> - Mutual TLS for Client Authentication
> -> TLS Mutual Auth for Client Authentication
>
> - Mutual TLS Client Authentication to the Token Endpoint
> -> TLS Mutual Auth for Client Authentication to the Token Endpoint
>
> - mutual TLS as client credentials
> -> TLS X509 client certificate as client credentials
>
> Or alternatively, a definition of "Mutual TLS" could be provided earlier
> on in the document.
>
> Thanks again for your work on this spec.
>
> Dave Tonge
_______________________________________________
OAuth mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/oauth
