To be honest, I thought that was a relatively well known aspect of TLS 1.2
(and prior) and a noted difference of the new features in TLS 1.3. Also,
I'd note that we're well past WGLC for this document. But, with that said,
I suppose adding some privacy considerations text on the subject is
worthwhile. Would you propose some text for the WG to consider, John-Mark?
Bearing in mind that the implications of a certificate presented by, and
representing, an OAuth client are somewhat different than for an end-user
doing client cert authentication.

On Wed, Oct 31, 2018 at 4:12 PM John-Mark Gurney <jmg+oa...@newcontext.com> wrote:

> I would suggest that the security considerations section of
> draft-ietf-oauth-mtls-12 be expanded to include the privacy
> implications of using this on versions of TLS before 1.3.  On all
> versions of TLS before 1.3, the client cert is not encrypted and can
> be used by third parties to monitor and track users.  I recently
> posted a blog entry about this:
> https://blog.funkthat.com/2018/10/tls-client-authentication-leaks-user.html
>
> Thanks.
>
> John-Mark Gurney
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>

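Added example, written for this page and not taken from either message in the thread: a small Python script that makes the point of the exchange concrete. It parses a constructed TLS byte stream the way a passive on-path observer would, reports any client Certificate message that travels in a plaintext handshake record (which is how TLS 1.2 and earlier send it), and computes the certificate fingerprint such an observer could use to recognise the same client across connections. The same Certificate message under TLS 1.3 sits inside an encrypted application_data record and yields nothing. It also builds the server-side SSLContext an OAuth mTLS endpoint would use to refuse anything below TLS 1.3, which is the mitigation the thread points at. Record and handshake layouts follow RFC 5246; the certificate bytes and the "encrypted" record are constructed placeholders, and every function name here is my own.

```python
import hashlib
import ssl
import struct

# TLS record content types and the handshake message type we care about (RFC 5246).
HANDSHAKE = 0x16
APPLICATION_DATA = 0x17
HS_CERTIFICATE = 0x0B


def parse_records(stream: bytes):
    """Split a raw TLS byte stream into (content_type, version, payload) tuples."""
    records = []
    offset = 0
    while offset + 5 <= len(stream):
        ctype, version, length = struct.unpack("!BHH", stream[offset:offset + 5])
        payload = stream[offset + 5:offset + 5 + length]
        if len(payload) != length:
            raise ValueError("truncated TLS record")
        records.append((ctype, version, payload))
        offset += 5 + length
    return records


def cleartext_certificates(stream: bytes):
    """Return the DER certificates an on-path observer can read from the stream.

    Only plaintext handshake records (content type 22) are inspected. A Certificate
    message carried inside an encrypted application_data record, as in TLS 1.3,
    is opaque to the observer and is skipped.
    """
    found = []
    for ctype, _version, payload in parse_records(stream):
        if ctype != HANDSHAKE:
            continue
        pos = 0
        while pos + 4 <= len(payload):
            msg_type = payload[pos]
            msg_len = int.from_bytes(payload[pos + 1:pos + 4], "big")
            body = payload[pos + 4:pos + 4 + msg_len]
            pos += 4 + msg_len
            if msg_type != HS_CERTIFICATE:
                continue
            # Certificate body: 3-byte total length, then 3-byte-length-prefixed DER entries.
            total = int.from_bytes(body[0:3], "big")
            cpos = 3
            while cpos < 3 + total:
                clen = int.from_bytes(body[cpos:cpos + 3], "big")
                found.append(body[cpos + 3:cpos + 3 + clen])
                cpos += 3 + clen
    return found


def tracking_fingerprints(stream: bytes):
    """SHA-256 of each exposed certificate: a stable value that lets an observer
    correlate the same client across otherwise unrelated connections."""
    return [hashlib.sha256(der).hexdigest() for der in cleartext_certificates(stream)]


def build_record(ctype: int, version: int, payload: bytes) -> bytes:
    """Wrap a payload in a TLS record header."""
    return struct.pack("!BHH", ctype, version, len(payload)) + payload


def certificate_message(ders) -> bytes:
    """Encode a TLS 1.2 Certificate handshake message carrying the given DER blobs."""
    entries = b"".join(len(d).to_bytes(3, "big") + d for d in ders)
    body = len(entries).to_bytes(3, "big") + entries
    return bytes([HS_CERTIFICATE]) + len(body).to_bytes(3, "big") + body


# Constructed placeholder standing in for a client's DER certificate (not a real cert).
FAKE_CLIENT_CERT = b"\x30\x10constructed-cert"

# TLS 1.2: the client's Certificate message is sent as a plaintext handshake record.
TLS12_CLIENT_FLIGHT = build_record(HANDSHAKE, 0x0303, certificate_message([FAKE_CLIENT_CERT]))

# TLS 1.3: the same message is sent inside an encrypted application_data record, so the
# observer sees only ciphertext (constructed placeholder bytes here, not real ciphertext).
TLS13_CLIENT_FLIGHT = build_record(APPLICATION_DATA, 0x0303, b"\x8f\x11\x2a\x5c" * 12)


def tls13_only_server_context() -> ssl.SSLContext:
    """Server-side context for an mTLS-protected OAuth endpoint: require a client
    certificate and refuse any protocol version below TLS 1.3. The caller still
    loads its own chain with load_cert_chain() and its client CA with load_verify_locations()."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_3
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


if __name__ == "__main__":
    print("TLS 1.2 flight exposes:", tracking_fingerprints(TLS12_CLIENT_FLIGHT))
    print("TLS 1.3 flight exposes:", tracking_fingerprints(TLS13_CLIENT_FLIGHT))
```

In practice the byte stream handed to `cleartext_certificates()` would be the reassembled TCP payload of a captured connection; the point of the two constructed flights is only that the same Certificate message is readable in one and invisible in the other. Setting `minimum_version` on the server side is what stops a client from negotiating TLS 1.2 and quietly reintroducing the exposure.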