draft-ietf-oauth-mtls-09.txt | draft-ietf-oauth-mtls-10.txt | |||
---|---|---|---|---|
OAuth Working Group B. Campbell | OAuth Working Group B. Campbell | |||
Internet-Draft Ping Identity | Internet-Draft Ping Identity | |||
Intended status: Standards Track J. Bradley | Intended status: Standards Track J. Bradley | |||
Expires: December 5, 2018 Yubico | Expires: January 18, 2019 Yubico | |||
N. Sakimura | N. Sakimura | |||
Nomura Research Institute | Nomura Research Institute | |||
T. Lodderstedt | T. Lodderstedt | |||
YES Europe AG | YES Europe AG | |||
June 3, 2018 | July 17, 2018 | |||
OAuth 2.0 Mutual TLS Client Authentication and Certificate Bound Access | OAuth 2.0 Mutual TLS Client Authentication and Certificate Bound Access | |||
Tokens | Tokens | |||
draft-ietf-oauth-mtls-09 | draft-ietf-oauth-mtls-10 | |||
Abstract | Abstract | |||
This document describes OAuth client authentication and certificate | This document describes OAuth client authentication and certificate | |||
bound access tokens using mutual Transport Layer Security (TLS) | bound access tokens using mutual Transport Layer Security (TLS) | |||
authentication with X.509 certificates. OAuth clients are provided a | authentication with X.509 certificates. OAuth clients are provided a | |||
mechanism for authentication to the authorization sever using mutual | mechanism for authentication to the authorization sever using mutual | |||
TLS, based on either self-signed certificates or public key | TLS, based on either self-signed certificates or public key | |||
infrastructure (PKI). OAuth authorization servers are provided a | infrastructure (PKI). OAuth authorization servers are provided a | |||
mechanism for binding access tokens to a client's mutual TLS | mechanism for binding access tokens to a client's mutual TLS | |||
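Review bot: the Abstract still reads "authentication to the authorization sever" in both the -09 and -10 columns; "sever" should be "server". The -10 revision touches this region only for the expiry date, the submission date and the version string, so the typo carries over unchanged and is worth fixing in the next revision.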
skipping to change at page 1, line 45 | skipping to change at page 1, line 45 | |||
Internet-Drafts are working documents of the Internet Engineering | Internet-Drafts are working documents of the Internet Engineering | |||
Task Force (IETF). Note that other groups may also distribute | Task Force (IETF). Note that other groups may also distribute | |||
working documents as Internet-Drafts. The list of current Internet- | working documents as Internet-Drafts. The list of current Internet- | |||
Drafts is at https://datatracker.ietf.org/drafts/current/. | Drafts is at https://datatracker.ietf.org/drafts/current/. | |||
Internet-Drafts are draft documents valid for a maximum of six months | Internet-Drafts are draft documents valid for a maximum of six months | |||
and may be updated, replaced, or obsoleted by other documents at any | and may be updated, replaced, or obsoleted by other documents at any | |||
time. It is inappropriate to use Internet-Drafts as reference | time. It is inappropriate to use Internet-Drafts as reference | |||
material or to cite them other than as "work in progress." | material or to cite them other than as "work in progress." | |||
This Internet-Draft will expire on December 5, 2018. | This Internet-Draft will expire on January 18, 2019. | |||
Copyright Notice | Copyright Notice | |||
Copyright (c) 2018 IETF Trust and the persons identified as the | Copyright (c) 2018 IETF Trust and the persons identified as the | |||
document authors. All rights reserved. | document authors. All rights reserved. | |||
This document is subject to BCP 78 and the IETF Trust's Legal | This document is subject to BCP 78 and the IETF Trust's Legal | |||
Provisions Relating to IETF Documents | Provisions Relating to IETF Documents | |||
(https://trustee.ietf.org/license-info) in effect on the date of | (https://trustee.ietf.org/license-info) in effect on the date of | |||
publication of this document. Please review these documents | publication of this document. Please review these documents | |||
skipping to change at page 13, line 30 | skipping to change at page 13, line 30 | |||
o Confirmation Method Value: "x5t#S256" | o Confirmation Method Value: "x5t#S256" | |||
o Confirmation Method Description: X.509 Certificate SHA-256 | o Confirmation Method Description: X.509 Certificate SHA-256 | |||
Thumbprint | Thumbprint | |||
o Change Controller: IESG | o Change Controller: IESG | |||
o Specification Document(s): Section 3.1 of [[ this specification ]] | o Specification Document(s): Section 3.1 of [[ this specification ]] | |||
6.2. OAuth Authorization Server Metadata Registration | 6.2. OAuth Authorization Server Metadata Registration | |||
This specification requests registration of the following value in | This specification requests registration of the following value in | |||
the IANA "OAuth Authorization Server Metadata" registry | the IANA "OAuth Authorization Server Metadata" registry | |||
[IANA.OAuth.Parameters] established by [I-D.ietf-oauth-discovery]. | [IANA.OAuth.Parameters] established by [RFC8414]. | |||
o Metadata Name: "tls_client_certificate_bound_access_tokens" | o Metadata Name: "tls_client_certificate_bound_access_tokens" | |||
o Metadata Description: Indicates authorization server support for | o Metadata Description: Indicates authorization server support for | |||
mutual TLS client certificate bound access tokens. | mutual TLS client certificate bound access tokens. | |||
o Change Controller: IESG | o Change Controller: IESG | |||
o Specification Document(s): Section 3.3 of [[ this specification ]] | o Specification Document(s): Section 3.3 of [[ this specification ]] | |||
6.3. Token Endpoint Authentication Method Registration | 6.3. Token Endpoint Authentication Method Registration | |||
This specification requests registration of the following value in | This specification requests registration of the following value in | |||
skipping to change at page 16, line 5 | skipping to change at page 16, line 5 | |||
7.2. Informative References | 7.2. Informative References | |||
[DangerousCode] | [DangerousCode] | |||
Georgiev, M., Iyengar, S., Jana, S., Anubhai, R., Boneh, | Georgiev, M., Iyengar, S., Jana, S., Anubhai, R., Boneh, | |||
D., and V. Shmatikov, "The Most Dangerous Code in the | D., and V. Shmatikov, "The Most Dangerous Code in the | |||
World: Validating SSL Certificates in Non-Browser | World: Validating SSL Certificates in Non-Browser | |||
Software", | Software", | |||
<http://www.cs.utexas.edu/~shmat/shmat_ccs12.pdf>. | <http://www.cs.utexas.edu/~shmat/shmat_ccs12.pdf>. | |||
[I-D.ietf-oauth-discovery] | ||||
Jones, M., Sakimura, N., and J. Bradley, "OAuth 2.0 | ||||
Authorization Server Metadata", draft-ietf-oauth- | ||||
discovery-10 (work in progress), March 2018. | ||||
[I-D.ietf-oauth-token-binding] | [I-D.ietf-oauth-token-binding] | |||
Jones, M., Campbell, B., Bradley, J., and W. Denniss, | Jones, M., Campbell, B., Bradley, J., and W. Denniss, | |||
"OAuth 2.0 Token Binding", draft-ietf-oauth-token- | "OAuth 2.0 Token Binding", draft-ietf-oauth-token- | |||
binding-06 (work in progress), March 2018. | binding-06 (work in progress), March 2018. | |||
[IANA.JWT.Claims] | [IANA.JWT.Claims] | |||
IANA, "JSON Web Token Claims", | IANA, "JSON Web Token Claims", | |||
<http://www.iana.org/assignments/jwt>. | <http://www.iana.org/assignments/jwt>. | |||
[IANA.OAuth.Parameters] | [IANA.OAuth.Parameters] | |||
skipping to change at page 17, line 5 | skipping to change at page 16, line 48 | |||
<https://www.rfc-editor.org/info/rfc7591>. | <https://www.rfc-editor.org/info/rfc7591>. | |||
[RFC7662] Richer, J., Ed., "OAuth 2.0 Token Introspection", | [RFC7662] Richer, J., Ed., "OAuth 2.0 Token Introspection", | |||
RFC 7662, DOI 10.17487/RFC7662, October 2015, | RFC 7662, DOI 10.17487/RFC7662, October 2015, | |||
<https://www.rfc-editor.org/info/rfc7662>. | <https://www.rfc-editor.org/info/rfc7662>. | |||
[RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC | [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC | |||
2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, | 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, | |||
May 2017, <https://www.rfc-editor.org/info/rfc8174>. | May 2017, <https://www.rfc-editor.org/info/rfc8174>. | |||
[RFC8414] Jones, M., Sakimura, N., and J. Bradley, "OAuth 2.0 | ||||
Authorization Server Metadata", RFC 8414, | ||||
DOI 10.17487/RFC8414, June 2018, | ||||
<https://www.rfc-editor.org/info/rfc8414>. | ||||
[X509Pitfalls] | [X509Pitfalls] | |||
Wong, D., "Common x509 certificate validation/creation | Wong, D., "Common x509 certificate validation/creation | |||
pitfalls", September 2016, | pitfalls", September 2016, | |||
<https://www.cryptologie.net/article/374/ | <https://www.cryptologie.net/article/374/ | |||
common-x509-certificate-validationcreation-pitfalls>. | common-x509-certificate-validationcreation-pitfalls>. | |||
Appendix A. Relationship to Token Binding | Appendix A. Relationship to Token Binding | |||
OAuth 2.0 Token Binding [I-D.ietf-oauth-token-binding] enables the | OAuth 2.0 Token Binding [I-D.ietf-oauth-token-binding] enables the | |||
application of Token Binding to the various artifacts and tokens | application of Token Binding to the various artifacts and tokens | |||
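Review bot: the new [RFC8414] entry is added under the "7.2. Informative References" heading, yet Section 6.2 requests a registration in the "OAuth Authorization Server Metadata" registry "established by [RFC8414]", so the document relies on that RFC to identify the registry it is writing into; consider whether RFC 8414 belongs among the normative references instead. The swap itself is consistent in the lines shown: the [I-D.ietf-oauth-discovery] entry is removed from -10 and the Section 6.2 citation is updated to [RFC8414] in the same revision.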
skipping to change at page 18, line 17 | skipping to change at page 18, line 17 | |||
Beryozkin, Vladimir Dzhuvinov, Samuel Erdtman, Leif Johansson, | Beryozkin, Vladimir Dzhuvinov, Samuel Erdtman, Leif Johansson, | |||
Michael Jones, Phil Hunt, Benjamin Kaduk, Takahiko Kawasaki, Sean | Michael Jones, Phil Hunt, Benjamin Kaduk, Takahiko Kawasaki, Sean | |||
Leonard, Kepeng Li, Neil Madden, James Manger, Jim Manico, Nov | Leonard, Kepeng Li, Neil Madden, James Manger, Jim Manico, Nov | |||
Matake, Sascha Preibisch, Justin Richer, Dave Tonge, and Hannes | Matake, Sascha Preibisch, Justin Richer, Dave Tonge, and Hannes | |||
Tschofenig. | Tschofenig. | |||
Appendix C. Document(s) History | Appendix C. Document(s) History | |||
[[ to be removed by the RFC Editor before publication as an RFC ]] | [[ to be removed by the RFC Editor before publication as an RFC ]] | |||
draft-ietf-oauth-mtls-10 | ||||
o Update draft-ietf-oauth-discovery reference to RFC8414 | ||||
draft-ietf-oauth-mtls-09 | draft-ietf-oauth-mtls-09 | |||
o Change "single certificates" to "self-signed certificates" in the | o Change "single certificates" to "self-signed certificates" in the | |||
Abstract | Abstract | |||
draft-ietf-oauth-mtls-08 | draft-ietf-oauth-mtls-08 | |||
o Incorporate clarifications and editorial improvements from Justin | o Incorporate clarifications and editorial improvements from Justin | |||
Richer's WGLC review | Richer's WGLC review | |||
o Drop the use of the "sender constrained" terminology per WGLC | o Drop the use of the "sender constrained" terminology per WGLC | |||
skipping to change at page 20, line 49 | skipping to change at page 21, line 5 | |||
draft-ietf-oauth-mtls-00 | draft-ietf-oauth-mtls-00 | |||
o Created the initial working group version from draft-campbell- | o Created the initial working group version from draft-campbell- | |||
oauth-mtls | oauth-mtls | |||
draft-campbell-oauth-mtls-01 | draft-campbell-oauth-mtls-01 | |||
o Fix some typos. | o Fix some typos. | |||
o Add to the acknowledgements list. | o Add to the acknowledgements list. | |||
draft-campbell-oauth-mtls-00 | ||||
o Add a Mutual TLS sender constrained protected resource access | o Add a Mutual TLS sender constrained protected resource access | |||
method and a x5t#S256 cnf method for JWT access tokens (concepts | method and a x5t#S256 cnf method for JWT access tokens (concepts | |||
taken in part from draft-sakimura-oauth-jpop-04). | taken in part from draft-sakimura-oauth-jpop-04). | |||
o Fixed "token_endpoint_auth_methods_supported" to | o Fixed "token_endpoint_auth_methods_supported" to | |||
"token_endpoint_auth_method" for client metadata. | "token_endpoint_auth_method" for client metadata. | |||
o Add "tls_client_auth_subject_dn" and "tls_client_auth_issuer_dn" | o Add "tls_client_auth_subject_dn" and "tls_client_auth_issuer_dn" | |||
client metadata parameters and mention using "jwks_uri" or "jwks". | client metadata parameters and mention using "jwks_uri" or "jwks". | |||
o Say that the authentication method is determined by client policy | o Say that the authentication method is determined by client policy | |||
regardless of whether the client was dynamically registered or | regardless of whether the client was dynamically registered or | |||
statically configured. | statically configured. | |||
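Review bot: the "draft-campbell-oauth-mtls-00" heading appears only in the -09 column with nothing opposite it in -10, while the four bullets that followed it (the x5t#S256 cnf method, the "token_endpoint_auth_method" fix, the "tls_client_auth_subject_dn" and "tls_client_auth_issuer_dn" parameters, and the client-policy note) are unchanged on both sides. If the heading was really dropped rather than misaligned by the diff tool, those bullets now read as part of draft-campbell-oauth-mtls-01 and the -10 history entry does not record the removal; either restore the heading in -10 or confirm this is an rfcdiff page-break artifact.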
End of changes. 9 change blocks. | ||||
11 lines changed or deleted | 14 lines changed or added | |||
This html diff was produced by rfcdiff 1.47. The latest version is available from http://tools.ietf.org/tools/rfcdiff/ |