--- 1/draft-ietf-oauth-mtls-08.txt 2018-06-04 07:14:08.684233603 -0700 +++ 2/draft-ietf-oauth-mtls-09.txt 2018-06-04 07:14:08.760235424 -0700 
@@ -1,54 +1,54 @@ OAuth Working Group B. Campbell Internet-Draft Ping Identity Intended status: Standards Track J. Bradley -Expires: November 7, 2018 Yubico +Expires: December 5, 2018 Yubico N. Sakimura Nomura Research Institute T. Lodderstedt YES Europe AG - May 6, 2018 + June 3, 2018 OAuth 2.0 Mutual TLS Client Authentication and Certificate Bound Access Tokens - draft-ietf-oauth-mtls-08 + draft-ietf-oauth-mtls-09 Abstract This document describes OAuth client authentication and certificate bound access tokens using mutual Transport Layer Security (TLS) authentication with X.509 certificates. OAuth clients are provided a mechanism for authentication to the authorization sever using mutual - TLS, based on either single certificates or public key infrastructure - (PKI). OAuth authorization servers are provided a mechanism for - binding access tokens to a client's mutual TLS certificate, and OAuth - protected resources are provided a method for ensuring that such an - access token presented to it was issued to the client presenting the - token. + TLS, based on either self-signed certificates or public key + infrastructure (PKI). OAuth authorization servers are provided a + mechanism for binding access tokens to a client's mutual TLS + certificate, and OAuth protected resources are provided a method for + ensuring that such an access token presented to it was issued to the + client presenting the token. Status of This Memo This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet- Drafts is at https://datatracker.ietf.org/drafts/current/. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. 
It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." - This Internet-Draft will expire on November 7, 2018. + This Internet-Draft will expire on December 5, 2018. Copyright Notice Copyright (c) 2018 IETF Trust and the persons identified as the document authors. All rights reserved. This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents @@ -804,20 +804,25 @@ Beryozkin, Vladimir Dzhuvinov, Samuel Erdtman, Leif Johansson, Michael Jones, Phil Hunt, Benjamin Kaduk, Takahiko Kawasaki, Sean Leonard, Kepeng Li, Neil Madden, James Manger, Jim Manico, Nov Matake, Sascha Preibisch, Justin Richer, Dave Tonge, and Hannes Tschofenig. Appendix C. Document(s) History [[ to be removed by the RFC Editor before publication as an RFC ]] + draft-ietf-oauth-mtls-09 + + o Change "single certificates" to "self-signed certificates" in the + Abstract + draft-ietf-oauth-mtls-08 o Incorporate clarifications and editorial improvements from Justin Richer's WGLC review o Drop the use of the "sender constrained" terminology per WGLC feedback from Neil Madden (including changing the metadata parameters from mutual_tls_sender_constrained_access_tokens to tls_client_certificate_bound_access_tokens) o Add a new security considerations section on X.509 parsing and validation per WGLC feedback from Neil Madden and Benjamin Kaduk
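Review bot: In the first hunk (Abstract, lines 1-54), the replaced sentence still carries the typo "authorization sever" on the unchanged context line "mechanism for authentication to the authorization sever using mutual"; since this paragraph is being rewritten anyway, change it to "authorization server" in the same edit. The substantive wording change from "single certificates" to "self-signed certificates" is correct for what the draft describes (a client authenticated by direct certificate comparison rather than by PKI chain validation), but the change log only claims the Abstract; confirm that every other occurrence of "single certificate" in the body was updated in the same way so the Abstract and the method descriptions use one term.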
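Review bot: In the second hunk (Appendix C, lines 804-824), the new "draft-ietf-oauth-mtls-09" entry is consistent with the existing entry style ("o" bullets under a version heading), and its single item matches the Abstract change in the first hunk. If the terminology change was also applied outside the Abstract, the entry should say so rather than "in the Abstract", because later readers use this history to locate every affected passage.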