That's fair. I'll see if maybe I can piece together some reasonable text about it and/or will also try to discuss it with the WG this week in Bangkok.
On Fri, Nov 2, 2018, 3:18 AM John-Mark Gurney <j...@newcontext.com wrote: > I do not have a good enough understanding of OAuth nor how it is used > in this draft to be able to write a proper security considerations > section about it. You mention that the OAuth certification is > different than one for client cert authentication, but as I don't know > the standard well enough, I do not know the implications of it. > > Even if the paragraph reads something like: Though client certs are > public in TLS versions 1.2 and before, they are not a privacy concern > because of x, y and z. This would allow people who are reviewing it > to understand why it is not a privacy issue. > > I only briefly reviewed this document because a coworker asked about > it, but I raised this concern because it was not mentioned in the > security considerations section. > > On Thu, Nov 1, 2018 at 7:37 AM Brian Campbell > <bcampb...@pingidentity.com> wrote: > > > > To be honest, I thought that was a relatively well known aspect of TLS > 1.2 (and prior) and a noted difference of the new features in TLS 1.3. > Also, I'd note that we're well past WGCL for this document. But, with that > said, I suppose adding some privacy considerations text on the subject is > worthwhile. Would you propose some text for the WG to consider, John-Mark? > Bearing in mind that the implications of a certificate presented by, and > representing, an OAuth client are somewhat different than for an end-user > doing client cert authentication. > > > > > > > > > > On Wed, Oct 31, 2018 at 4:12 PM John-Mark Gurney < > jmg+oa...@newcontext.com> wrote: > >> > >> I would suggest that the security considerations section of > >> draft-ietf-oauth-mtls-12 be expanded to include the privacy > >> implications of using this on versions of TLS before 1.3. On all > >> versions of TLS before 1.3, the client cert is not encrypted and can > >> be used by third parties to monitor and track users. I recently > >> posted a blog entry about this: > >> > https://blog.funkthat.com/2018/10/tls-client-authentication-leaks-user.html > >> > >> Thanks. > >> > >> John-Mark Gurney > >> > >> _______________________________________________ > >> OAuth mailing list > >> OAuth@ietf.org > >> https://www.ietf.org/mailman/listinfo/oauth > > > > > > CONFIDENTIALITY NOTICE: This email may contain confidential and > privileged material for the sole use of the intended recipient(s). Any > review, use, distribution or disclosure by others is strictly prohibited. > If you have received this communication in error, please notify the sender > immediately by e-mail and delete the message and any file attachments from > your computer. Thank you. > > > > -- > John-Mark Gurney > Principal Security Architect > -- _CONFIDENTIALITY NOTICE: This email may contain confidential and privileged material for the sole use of the intended recipient(s). Any review, use, distribution or disclosure by others is strictly prohibited. If you have received this communication in error, please notify the sender immediately by e-mail and delete the message and any file attachments from your computer. Thank you._
_______________________________________________ OAuth mailing list OAuth@ietf.org https://www.ietf.org/mailman/listinfo/oauth
