Re: [OAUTH-WG] DPoP and MTLS - friends or foes?

2021-11-15 Thread Neil Madden
I’m not smart enough to remember in what context I might have said this, but I’d hazard a guess it was somehow related to service mesh. Generally, we allow both to be specified largely because of our support for macaroon access tokens: a proxy could transparently add a mtls binding (for ex)

Re: [OAUTH-WG] Invitation: OAuth Security Workshop 2021

2021-11-15 Thread Daniel Fett
Hi all, this is just a reminder that the OAuth Security Workshop 2021 takes place in a little more than two weeks. You can still register for the event and propose sessions at https://barcamps.eu/osw2021 . -Daniel On 23.08.21 at 10:46, Daniel Fett wrote: > > Hi

Re: [OAUTH-WG] DPoP and MTLS - friends or foes?

2021-11-15 Thread Justin Richer
I would expect them to be able to co-exist in an implementation, but not both be used on the same token. One of the implementations that I work on supports both DPoP and MTLS on access tokens (as well as bearer tokens), and we use metadata stored in the token objects to switch between these.

Re: [OAUTH-WG] RFC 8705 (oauth-mtls): RS error code for missing client certificate

2021-11-15 Thread Justin Richer
On Nov 12, 2021, at 8:30 AM, Dmitry Telegin wrote: > > Just to make sure I understand the process, is it going to be something like > draft-XX-oauth-mtls-rfc8705-bis -> draft-ietf-oauth-mtls-rfc8705-bis -> > new RFC that will obsolete the current one? CCing my colleague Takashi >

Re: [OAUTH-WG] Secdir last call review of draft-ietf-oauth-iss-auth-resp-02

2021-11-15 Thread Karsten Meyer zu Selhausen
Hi Yoav, thank you for your suggestion. We think it's a valid point and followed it in a local branch. Best regards, Karsten On 06.11.2021 23:06, Yoav Nir via Datatracker wrote: Reviewer: Yoav Nir Review result: Ready I have reviewed this document as part of the security directorate's

Re: [OAUTH-WG] Artart last call partial review of draft-ietf-oauth-iss-auth-resp-02

2021-11-15 Thread Karsten Meyer zu Selhausen
Hi Julian, thank you for your comments. Answers inline. We mostly addressed them locally and will publish a new version when all IESG reviews are available and addressed by us. Best regards, Karsten On 01.11.2021 11:33, Julian Reschke via Datatracker wrote: Review is partially done. Another