Hi Samuel, as far as I understand your draft, it utilizes the results of the (D)TLS client authentication for authentication towards the token endpoint, similar to https://tools.ietf.org/html/draft-ietf-oauth-mtls-00.html. Do you intend to also utilize the binding of the access token to a certain key pair, as described in ietf-oauth-mtls?
best regards,
Torsten.

> On 12.05.2017 at 10:03, Samuel Erdtman <sam...@erdtman.se> wrote:
>
> Hi ACE and OAuth WGs,
>
> Ludwig and I submitted a new draft yesterday defining how to use Raw Public Key and Pre Shared Key with (D)TLS as OAuth client credentials, https://datatracker.ietf.org/doc/draft-erdtman-ace-rpcc/.
>
> We think this is valuable to the ACE work since the ACE framework is based on OAuth, but client credentials as defined in the OAuth framework are not the best match for embedded devices.
>
> We think Raw Public Keys and Pre Shared Keys are more suitable credentials for embedded devices for the following reasons:
> * Better security by binding to the transport layer.
> * If PSK DTLS is to be used, a key needs to be distributed anyway, so why not make use of it as a credential?
> * Client id and client secret accommodate manual input by humans. This does not scale well and requires some form of input device.
> * Some/many devices will have crypto hardware that can protect key material; not to use that possibility would be a waste.
> * There are probably more reasons; these were just the ones on top of my head.
>
> This is not the first recent initiative to create new client credential types: the OAuth WG adopted a similar draft for certificate-based client credentials (https://tools.ietf.org/html/draft-ietf-oauth-mtls-00.html). That work is also valuable to ACE, but not all devices will be able to work with certificates or even asymmetric crypto.
>
> Please review and comment.
>
> Cheers
> //Samuel
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
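The binding Torsten asks about is the certificate-bound access token of draft-ietf-oauth-mtls: the token carries a `cnf` (confirmation) claim whose `x5t#S256` member is the base64url-encoded SHA-256 thumbprint of the client's DER certificate, and the resource server refuses the token unless the certificate presented on the (D)TLS connection has that thumbprint. The example below is added here for illustration and is not code from either draft or from the thread's authors; it only demonstrates the mTLS-style check, not how an RPK or PSK credential from draft-erdtman-ace-rpcc would be bound. The certificate bytes are constructed placeholders (the thumbprint is just a hash over the DER bytes, so real certificates are not needed), and `bind_token_to_cert`, `token_is_bound_to_cert` and `resource_server_decision` are hypothetical helper names.

```python
import base64
import hashlib
import hmac


def x5t_s256(cert_der: bytes) -> str:
    """base64url(SHA-256(DER certificate)) without '=' padding.

    This is the value the x5t#S256 confirmation method carries.
    """
    digest = hashlib.sha256(cert_der).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def bind_token_to_cert(claims: dict, cert_der: bytes) -> dict:
    """Authorization-server side (hypothetical helper): add the cnf claim so the
    token is only usable over a connection authenticated with this certificate."""
    bound = dict(claims)
    bound["cnf"] = {"x5t#S256": x5t_s256(cert_der)}
    return bound


def token_is_bound_to_cert(claims: dict, presented_cert_der: bytes) -> bool:
    """Resource-server side: True only if the token carries an x5t#S256
    confirmation and it matches the certificate the client authenticated with.

    A token with no cnf claim is treated as not bound and rejected here; a
    deployment that also accepts bearer tokens would branch instead of failing.
    """
    cnf = claims.get("cnf")
    if not isinstance(cnf, dict):
        return False
    expected = cnf.get("x5t#S256")
    if not isinstance(expected, str):
        return False
    # constant-time compare to avoid leaking how many leading characters match
    return hmac.compare_digest(expected, x5t_s256(presented_cert_der))


# Constructed placeholder "certificates": arbitrary bytes standing in for DER.
CLIENT_CERT_DER = b"\x30\x82\x01\x00" + b"client-device-certificate-placeholder"
OTHER_CERT_DER = b"\x30\x82\x01\x00" + b"some-other-certificate-placeholder"

# Constructed token claims (what a JWT payload from the token endpoint would carry).
UNBOUND_TOKEN = {"iss": "https://as.example", "sub": "device-42", "scope": "read"}
BOUND_TOKEN = bind_token_to_cert(UNBOUND_TOKEN, CLIENT_CERT_DER)


def resource_server_decision() -> dict:
    """Three access attempts: the legitimate client, a replay of the same token
    over a connection authenticated with a different certificate, and an
    unbound token. Returns the accept/reject outcome of each."""
    return {
        "legit_client": token_is_bound_to_cert(BOUND_TOKEN, CLIENT_CERT_DER),
        "stolen_token_other_cert": token_is_bound_to_cert(BOUND_TOKEN, OTHER_CERT_DER),
        "unbound_token": token_is_bound_to_cert(UNBOUND_TOKEN, CLIENT_CERT_DER),
    }


if __name__ == "__main__":
    for case, accepted in resource_server_decision().items():
        print(f"{case}: {'accept' if accepted else 'reject'}")
```

The point of the second case is the one Torsten raises: with plain client authentication at the token endpoint, a token exfiltrated from the device is a bearer token and works from anywhere; with the `cnf` binding, it is useless without the private key that authenticates the (D)TLS connection.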