Re: [OAUTH-WG] New Version Notification for draft-campbell-oauth-tls-client-auth-00.txt

2016-11-04 Thread Phil Hunt (IDM)
+1
Phil

> On Nov 4, 2016, at 6:11 PM, John Bradley wrote:
>
> I can easily see Research and education publishing self-signed certs in meta-data that is then used for client authentication and other things. I don’t want to limit this to only CA-issued certs where the

Re: [OAUTH-WG] New Version Notification for draft-campbell-oauth-tls-client-auth-00.txt

2016-11-04 Thread John Bradley
I can easily see Research and education publishing self-signed certs in meta-data that is then used for client authentication and other things. I don’t want to limit this to only CA-issued certs where the client_id is in the DN. Client_ids tend not to be domain names currently. Looking up a

Re: [OAUTH-WG] Fwd: New Version Notification for draft-campbell-oauth-tls-client-auth-00.txt

2016-11-04 Thread Brian Campbell
A few little things inline...

On Thu, Nov 3, 2016 at 6:41 AM, Justin Richer wrote:

> I agree that the client_id is unlikely to be found inside the certificate itself. The client_id is issued by the authorization server for the client to use at that single AS. The certificate

Re: [OAUTH-WG] New Version Notification for draft-campbell-oauth-tls-client-auth-00.txt

2016-11-04 Thread Jim Manico
You could also sign the client_id with your private cert and send it like normal OAuth requests... But I like the idea of mapping the client_id server-side to the cert as well. Now we're talking real security. Bearer tokens are so Q1-2016. :)

Aloha,
Jim

On 11/3/16 1:11 PM, Sergey Beryozkin