I do not have a good enough understanding of OAuth, or of how it is used in this draft, to be able to write a proper security considerations section about it. You mention that the OAuth certificate is different from one used for client cert authentication, but as I don't know the standard well enough, I do not know the implications of it.
Even a paragraph that reads something like: "Though client certs are public in TLS versions 1.2 and before, they are not a privacy concern because of x, y and z" would allow people who are reviewing it to understand why it is not a privacy issue. I only briefly reviewed this document because a coworker asked about it, but I raised this concern because it was not mentioned in the security considerations section.

On Thu, Nov 1, 2018 at 7:37 AM Brian Campbell <bcampb...@pingidentity.com> wrote:
>
> To be honest, I thought that was a relatively well known aspect of TLS 1.2
> (and prior) and a noted difference of the new features in TLS 1.3. Also, I'd
> note that we're well past WGLC for this document. But, with that said, I
> suppose adding some privacy considerations text on the subject is worthwhile.
> Would you propose some text for the WG to consider, John-Mark? Bearing in
> mind that the implications of a certificate presented by, and representing,
> an OAuth client are somewhat different than for an end-user doing client cert
> authentication.
>
> On Wed, Oct 31, 2018 at 4:12 PM John-Mark Gurney <jmg+oa...@newcontext.com>
> wrote:
>>
>> I would suggest that the security considerations section of
>> draft-ietf-oauth-mtls-12 be expanded to include the privacy
>> implications of using this on versions of TLS before 1.3. On all
>> versions of TLS before 1.3, the client cert is not encrypted and can
>> be used by third parties to monitor and track users. I recently
>> posted a blog entry about this:
>> https://blog.funkthat.com/2018/10/tls-client-authentication-leaks-user.html
>>
>> Thanks.
>>
>> John-Mark Gurney
>>
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org
>> https://www.ietf.org/mailman/listinfo/oauth
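The point the thread turns on (a client certificate is sent unencrypted in any TLS handshake before 1.3, and only TLS 1.3 hides it) as an added example that is not part of the thread or of draft-ietf-oauth-mtls: it builds a server-side mTLS context with Python's standard `ssl` module, once with the weak TLS 1.2 floor and once with a TLS 1.3 floor, and audits whether the context could still expose a client certificate on the wire. It assumes CPython 3.7+ linked against an OpenSSL with TLS 1.3 support; the function names are my own.

```python
import ssl


def allows_pre_tls13(ctx: ssl.SSLContext) -> bool:
    """True if ctx may negotiate TLS 1.2 or earlier, where the client's
    Certificate message is transmitted in cleartext and readable by any
    passive observer on the path."""
    lo = ctx.minimum_version
    if lo == ssl.TLSVersion.MAXIMUM_SUPPORTED:
        # "Highest version only": that is 1.3 exactly when the library has it.
        return not ssl.HAS_TLSv1_3
    # MINIMUM_SUPPORTED (a negative sentinel) and every concrete version
    # below TLSv1_3 admit a pre-1.3 handshake.
    return lo < ssl.TLSVersion.TLSv1_3


def client_cert_exposed(ctx: ssl.SSLContext) -> bool:
    """True if this server would ask clients for a certificate while still
    allowing a handshake that sends it unencrypted (the privacy issue
    raised for pre-1.3 TLS)."""
    asks_for_cert = ctx.verify_mode != ssl.CERT_NONE
    return asks_for_cert and allows_pre_tls13(ctx)


def mtls_server_context(require_tls13: bool) -> ssl.SSLContext:
    """Server context for an OAuth token endpoint doing mTLS client auth.
    require_tls13=False leaves the floor at TLS 1.2 (the weak setting);
    require_tls13=True refuses any handshake that would expose the cert."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.verify_mode = ssl.CERT_REQUIRED      # request and require a client cert
    ctx.minimum_version = (ssl.TLSVersion.TLSv1_3 if require_tls13
                           else ssl.TLSVersion.TLSv1_2)
    # A real deployment also loads trust anchors for client certs and the
    # server's own key pair (hypothetical paths, not from the thread):
    # ctx.load_verify_locations(cafile="clients-ca.pem")
    # ctx.load_cert_chain("server.pem", "server.key")
    return ctx


if __name__ == "__main__":
    for flag in (False, True):
        c = mtls_server_context(flag)
        print(f"min={c.minimum_version.name:<8} client cert exposed: "
              f"{client_cert_exposed(c)}")
```

The same audit applies to any context handed to a token endpoint: if `client_cert_exposed` is true, either raise the floor to TLS 1.3 or document, as the thread asks, why the certificate's contents are not a privacy concern for that deployment.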