I would suggest that the security considerations section of draft-ietf-oauth-mtls-12 be expanded to include the privacy implications of using this on versions of TLS before 1.3. On all versions of TLS before 1.3, the client cert is not encrypted and can be used by third parties to monitor and track users. I recently posted a blog entry about this: https://blog.funkthat.com/2018/10/tls-client-authentication-leaks-user.html
Thanks.

John-Mark Gurney

_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
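The leak described in the message above, shown at the wire level as an added example (this is not code from the poster, the draft, or the blog entry). In TLS 1.2 and earlier the client's Certificate handshake message (handshake type 11) travels in a plaintext handshake record (content type 22) before ChangeCipherSpec, so a passive observer on the path can pull the DER bytes out of the flow and use their hash as a stable tracking identifier without decrypting anything; in TLS 1.3 the same message is carried inside an encrypted application_data record (content type 23) and the observer sees only opaque ciphertext. The two client-to-server flows below are constructed inline, the certificate payload is a placeholder byte string standing in for a real DER certificate, and the parser assumes one handshake message per record (real captures may fragment messages across records).

```python
"""Passive observer view of a client certificate in TLS 1.2 vs TLS 1.3.

Added example: constructed flows, placeholder certificate bytes, no real traffic.
"""
import hashlib
import struct

CONTENT_CHANGE_CIPHER_SPEC = 20
CONTENT_HANDSHAKE = 22
CONTENT_APPLICATION_DATA = 23
HANDSHAKE_CLIENT_HELLO = 1
HANDSHAKE_CERTIFICATE = 11
HANDSHAKE_CLIENT_KEY_EXCHANGE = 16


def tls_record(content_type: int, body: bytes, version: int = 0x0303) -> bytes:
    """TLSPlaintext: type(1) + legacy version(2) + length(2) + fragment."""
    return struct.pack("!BHH", content_type, version, len(body)) + body


def handshake_msg(msg_type: int, body: bytes) -> bytes:
    """Handshake: msg_type(1) + length(3) + body."""
    return struct.pack("!B", msg_type) + len(body).to_bytes(3, "big") + body


def certificate_msg(der_certs: list[bytes]) -> bytes:
    """Certificate: certificate_list<0..2^24-1> of (length(3) + DER) entries."""
    entries = b"".join(len(c).to_bytes(3, "big") + c for c in der_certs)
    return handshake_msg(HANDSHAKE_CERTIFICATE, len(entries).to_bytes(3, "big") + entries)


def iter_records(flow: bytes):
    """Walk the record layer of one direction of a captured TCP stream."""
    off = 0
    while off + 5 <= len(flow):
        ctype, version, length = struct.unpack("!BHH", flow[off:off + 5])
        body = flow[off + 5:off + 5 + length]
        if len(body) != length:
            raise ValueError("truncated TLS record")
        yield ctype, version, body
        off += 5 + length


def iter_handshakes(record_body: bytes):
    """Split a plaintext handshake record into (type, body) messages."""
    off = 0
    while off + 4 <= len(record_body):
        htype = record_body[off]
        hlen = int.from_bytes(record_body[off + 1:off + 4], "big")
        yield htype, record_body[off + 4:off + 4 + hlen]
        off += 4 + hlen


def plaintext_client_certs(client_flow: bytes) -> list[bytes]:
    """Return every DER blob an on-path observer can read from the client's bytes.

    Only content type 22 records are inspected: under TLS 1.3 the client
    Certificate sits inside type 23 (encrypted) records, so nothing is found.
    """
    found = []
    for ctype, _version, body in iter_records(client_flow):
        if ctype != CONTENT_HANDSHAKE:
            continue
        for htype, hbody in iter_handshakes(body):
            if htype != HANDSHAKE_CERTIFICATE:
                continue
            list_len = int.from_bytes(hbody[:3], "big")
            off = 3
            while off < 3 + list_len:
                clen = int.from_bytes(hbody[off:off + 3], "big")
                found.append(hbody[off + 3:off + 3 + clen])
                off += 3 + clen
    return found


def tracking_id(der: bytes) -> str:
    """Stable per-user identifier derived from the cert bytes; no X.509 parsing needed."""
    return hashlib.sha256(der).hexdigest()[:16]


# Constructed placeholder standing in for a real DER-encoded client certificate.
FAKE_CLIENT_CERT_DER = b"PLACEHOLDER-DER-CLIENT-CERT:user=alice"

# Constructed TLS 1.2 client->server bytes: ClientHello, then the second flight
# (Certificate, ClientKeyExchange) sent in the clear before ChangeCipherSpec.
TLS12_CLIENT_FLOW = (
    tls_record(CONTENT_HANDSHAKE, handshake_msg(HANDSHAKE_CLIENT_HELLO, b"\x03\x03" + b"\x00" * 32))
    + tls_record(CONTENT_HANDSHAKE, certificate_msg([FAKE_CLIENT_CERT_DER]))
    + tls_record(CONTENT_HANDSHAKE, handshake_msg(HANDSHAKE_CLIENT_KEY_EXCHANGE, b"\x00" * 32))
    + tls_record(CONTENT_CHANGE_CIPHER_SPEC, b"\x01")
)

# Constructed TLS 1.3 client->server bytes: ClientHello in the clear, then every
# later handshake message (including Certificate) inside encrypted type 23 records.
TLS13_CLIENT_FLOW = (
    tls_record(CONTENT_HANDSHAKE, handshake_msg(HANDSHAKE_CLIENT_HELLO, b"\x03\x03" + b"\x00" * 32))
    + tls_record(CONTENT_CHANGE_CIPHER_SPEC, b"\x01")
    + tls_record(CONTENT_APPLICATION_DATA, b"\xaa" * 96)  # opaque ciphertext
)

if __name__ == "__main__":
    for name, flow in (("TLS 1.2", TLS12_CLIENT_FLOW), ("TLS 1.3", TLS13_CLIENT_FLOW)):
        certs = plaintext_client_certs(flow)
        print(name, "observer sees", [tracking_id(c) for c in certs])
```

The observer never needs to decode X.509: the raw DER bytes (or a hash of them) are already a unique, long-lived identifier for the user, which is exactly what makes the plaintext Certificate message a tracking vector on TLS 1.2 and earlier.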