Hi all, I'm writing as an implementer working at the intersection of OAuth mTLS, PKI client certificates, and zero-trust access control. I'd like to raise a gap I've observed in RFC 8705 (OAuth 2.0 Mutual-TLS Client Authentication) as it relates to privileged transaction contexts, and ask whether the working group has considered normative guidance in this area.
RFC 8705 §3 establishes that a bearer token is bound to a client certificate at the time of token issuance or session establishment, by confirming the certificate thumbprint in the cnf claim. This binding is validated once — at the point where the token is presented — but RFC 8705 does not define any obligation or mechanism for a resource server or proxy to re-evaluate the structural consistency of the token-to-certificate binding on subsequent individual requests within the same session.

Continuous Access Evaluation (CAE, RFC 9700) extends this model by allowing a resource server to receive backend signals (user disabled, credential change, IP change, etc.) and respond by revoking or re-checking the token. However, CAE's model is event-driven from an identity-provider signal. It does not define per-transaction structural re-evaluation as a normative option at the resource server or PKI proxy layer.

-Thank You
Brian Vicente
CEO • Sanctum SecOps LLC
Trust. Evidence. Identity.
✉ [email protected]
🌐 sanctumsecops.com
📞 (607) 703-1189
📍 Pine City, New York, USA
_______________________________________________
OAuth mailing list -- [email protected]
To unsubscribe send an email to [email protected]
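The per-request check the post is asking about, as an added example that is not part of the original message or any RFC text: a resource server recomputes the RFC 8705 `x5t#S256` thumbprint of the certificate presented on each request and compares it with the token's `cnf` claim every time, so a certificate swap mid-session is caught. The certificate bytes and the unsigned token are constructed for the example; JWS signature verification is assumed to happen before the claims are trusted and is not shown.

```python
import base64
import hashlib
import hmac
import json


def x5t_s256(cert_der: bytes) -> str:
    """RFC 8705 §3.1 thumbprint: base64url (no padding) of SHA-256 over the DER certificate."""
    digest = hashlib.sha256(cert_der).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def jwt_claims(token: str) -> dict:
    """Payload of a compact JWS; signature verification is assumed to happen elsewhere."""
    _header, payload, _sig = token.split(".")
    return json.loads(b64url_decode(payload))


def binding_matches(claims: dict, presented_cert_der: bytes) -> bool:
    """True only if the token's cnf thumbprint equals the thumbprint of the presented certificate."""
    expected = claims.get("cnf", {}).get("x5t#S256")
    if not isinstance(expected, str) or not expected:
        return False  # not a certificate-bound token: fail the mTLS binding check
    return hmac.compare_digest(expected, x5t_s256(presented_cert_der))


def evaluate_session(token: str, presented_certs: list) -> list:
    """Re-evaluate the binding on every request of a session, not only on the first."""
    claims = jwt_claims(token)
    return [binding_matches(claims, der) for der in presented_certs]


# Constructed sample data: these bytes stand in for real DER certificates.
CERT_A = b"\x30\x82\x01\x00CONSTRUCTED-CERT-A"
CERT_B = b"\x30\x82\x01\x00CONSTRUCTED-CERT-B"


def make_unsigned_token(cert_der: bytes) -> str:
    """Constructed, unsigned token carrying a cnf binding; a real token is signed and verified first."""
    enc = lambda obj: base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    payload = {"sub": "client-1", "cnf": {"x5t#S256": x5t_s256(cert_der)}}
    return f"{enc({'alg': 'none'})}.{enc(payload)}."


if __name__ == "__main__":
    token = make_unsigned_token(CERT_A)
    # Third request presents a different certificate over the same session: rejected.
    print(evaluate_session(token, [CERT_A, CERT_A, CERT_B]))  # [True, True, False]
```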
