Re: [OAUTH-WG] Call for Adoption: Mutual TLS Profiles for OAuth Clients

2017-04-25 Thread Samuel Erdtman
+1 for adoption

___
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth


Re: [OAUTH-WG] Call for Adoption: Mutual TLS Profiles for OAuth Clients

2017-04-24 Thread William Denniss
I support the adoption of this draft by the working group.



Re: [OAUTH-WG] Call for Adoption: Mutual TLS Profiles for OAuth Clients

2017-04-23 Thread Torsten Lodderstedt
+1 for adoption



Re: [OAUTH-WG] Call for Adoption: Mutual TLS Profiles for OAuth Clients

2017-04-21 Thread Nat Sakimura
+1 for adoption



Re: [OAUTH-WG] Call for Adoption: Mutual TLS Profiles for OAuth Clients

2017-04-21 Thread Dave Tonge
I support adoption of draft-campbell-oauth-mtls

As previously mentioned this spec will be very useful for Europe where
there is legislation requiring the use of certificate-based authentication
and many financial groups and institutions are considering OAuth2.

The UK Open Banking Implementation Entity has a strong interest in using
this spec.

Dave



-- 
Dave Tonge
CTO

10 Temple Back, Bristol, BS1 6FL
t: +44 (0)117 280 5120

Moneyhub Enterprise is a trading style of Momentum Financial Technology
Limited which is authorised and regulated by the Financial Conduct
Authority ("FCA"). Momentum Financial Technology is entered on the
Financial Services Register (FRN 561538) at fca.org.uk/register. Momentum
Financial Technology is registered in England & Wales, company registration
number 06909772 © . Momentum Financial Technology Limited 2016. DISCLAIMER:
This email (including any attachments) is subject to copyright, and the
information in it is confidential. Use of this email or of any information
in it other than by the addressee is unauthorised and unlawful. Whilst
reasonable efforts are made to ensure that any attachments are virus-free,
it is the recipient's sole responsibility to scan all attachments for
viruses. All calls and emails to and from this company may be monitored and
recorded for legitimate purposes relating to this company's business. Any
opinions expressed in this email (or in any attachments) are those of the
author and do not necessarily represent the opinions of Momentum Financial
Technology Limited or of any other group company.


Re: [OAUTH-WG] Call for Adoption: Mutual TLS Profiles for OAuth Clients

2017-04-20 Thread Phil Hunt (IDM)
+1 for adoption 

Phil



Re: [OAUTH-WG] Call for Adoption: Mutual TLS Profiles for OAuth Clients

2017-04-20 Thread Manger, James
I support adoption of draft-campbell-oauth-mtls.

Now some comments on the doc:

1. [§2.3] The syntax of tls_client_auth_subject_dn is not specified. Perhaps 
LDAP's "String Representation of Distinguished Names" [RFC4514]? Perhaps a 
base64url-encoding of a DER-encoded DN?
It would actually be better to allow any subjectAltName to be specified, 
instead of a DN.

2. [§2.3] Change the name of tls_client_auth_issuer_dn (maybe 
tls_client_auth_root_dn). Given tls_client_auth_client_dn, it will be too easy 
to assume this pair refers to the issuer and subject fields of the cert.
PKI chains can be complex so the expected root might not be such a stable 
concept. For example, the Let's Encrypt CA chains to an ISRG Root and an 
IdenTrust DST Root [https://letsencrypt.org/certificates/].

3. [§2.3] If a client dynamically registers a "jwks_uri" does this mean the 
authz server MUST automatically cope when the client updates the key(s) it 
publishes there?

4. [§3] An access token is bound to a specific client certificate. That is 
probably ok, but does mean all access tokens die when the client updates their 
certificate (which could be every 2 months if using Let's Encrypt). This at 
least warrants a paragraph in the Security Considerations.

5. [§3.1] "exp" and "nbf" values in the example need to be numbers, not strings 
(drop the quotes).

6. An access token linked to a client TLS cert isn't a bearer token. The spec 
should really define a new token_type for responses from the token endpoint. 
That might not necessarily mean we need a new HTTP authentication scheme as 
well (it might just hint that "Bearer" wasn't quite the right name).

--
James Manger
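As an added example, not from the draft or from anyone in this thread: the check a resource server would run for the certificate-bound access tokens that points 4 and 5 above discuss, showing why every token dies when the client renews its certificate and why a quoted "exp" must be rejected. The "cnf" claim carrying an "x5t#S256" thumbprint is what draft-campbell-oauth-mtls binds on; the certificate bytes, token, signature placeholder and timestamps are constructed for the demonstration.

```python
import base64
import hashlib
import json

# Constructed stand-ins for DER-encoded client certificates; a real check hashes
# the DER bytes of the certificate the client presented on the TLS connection.
CERT_V1_DER = b"\x30\x82\x01\x00constructed-client-cert-v1"
CERT_V2_DER = b"\x30\x82\x01\x00constructed-client-cert-v2"  # renewed certificate

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def cert_thumbprint(cert_der: bytes) -> str:
    """x5t#S256 confirmation value: base64url(SHA-256(DER certificate))."""
    return b64url(hashlib.sha256(cert_der).digest())

def make_token(claims: dict) -> str:
    """Constructed, unsigned JWT for the demo; signature verification is assumed
    to have happened before the binding check runs."""
    header = b64url(json.dumps({"alg": "none"}).encode())
    return f"{header}.{b64url(json.dumps(claims).encode())}.placeholder-signature"

def decode_payload(jwt: str) -> dict:
    payload = jwt.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))

def check_bound_token(jwt: str, presented_cert_der: bytes, now: int) -> tuple:
    """Return (accepted, reason); accept only if the token's cnf thumbprint
    matches the certificate presented on this connection."""
    claims = decode_payload(jwt)
    # "exp"/"nbf" are NumericDate values: JSON numbers, never quoted strings.
    for name in ("exp", "nbf"):
        value = claims.get(name)
        if value is not None and (isinstance(value, bool) or not isinstance(value, (int, float))):
            return False, f"{name} must be a number, got {type(value).__name__}"
    if "exp" in claims and now >= claims["exp"]:
        return False, "token expired"
    if "nbf" in claims and now < claims["nbf"]:
        return False, "token not yet valid"
    expected = (claims.get("cnf") or {}).get("x5t#S256")
    if not expected:
        return False, "token carries no certificate confirmation"
    if expected != cert_thumbprint(presented_cert_der):
        # A renewed certificate hashes differently, so every token bound to the
        # old one fails here until the client obtains fresh tokens.
        return False, "presented certificate does not match cnf thumbprint"
    return True, "ok"

def demo() -> dict:
    now = 1_492_700_000  # constructed "current time" in seconds since the epoch
    cnf = {"x5t#S256": cert_thumbprint(CERT_V1_DER)}
    bound = make_token({"sub": "client-42", "exp": now + 600, "nbf": now - 60, "cnf": cnf})
    bad_exp = make_token({"sub": "client-42", "exp": str(now + 600), "cnf": cnf})
    return {
        "same_cert": check_bound_token(bound, CERT_V1_DER, now),
        "renewed_cert": check_bound_token(bound, CERT_V2_DER, now),
        "string_exp": check_bound_token(bad_exp, CERT_V1_DER, now),
    }
```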


Re: [OAUTH-WG] Call for Adoption: Mutual TLS Profiles for OAuth Clients

2017-04-20 Thread John Bradley
I accept the adoption as a starting point.

John B.



Re: [OAUTH-WG] Call for Adoption: Mutual TLS Profiles for OAuth Clients

2017-04-20 Thread Brian Campbell
I accept adoption of this document as a starting point for work in the
OAuth working group!



[OAUTH-WG] Call for Adoption: Mutual TLS Profiles for OAuth Clients

2017-04-20 Thread Hannes Tschofenig
Hi all,

based on the strong support for this document at the Chicago IETF
meeting we are issuing a call for adoption of the "Mutual TLS Profiles
for OAuth Clients" document, see
https://tools.ietf.org/html/draft-campbell-oauth-mtls-01

Please let us know by May 4th whether you accept / object to the
adoption of this document as a starting point for work in the OAuth
working group.

Ciao
Hannes & Rifaat


