Hi Phil,

I believe this is a question that William and John may be able to answer.

Should MTLS be added to a future version of the Native Apps BCP? If the answer is “no”, why not?

Ciao
Hannes

From: OAuth <oauth-boun...@ietf.org> On Behalf Of Phil Hunt
Sent: Thursday, 2 May 2019 20:41
To: oauth <oauth@ietf.org>
Subject: [OAUTH-WG] MTLS and Native apps Best practices

I was wondering if anyone had any recommended MTLS best practices for mobile apps and native browsers.

Considering Section 6 of RFC8252…

    After constructing the authorization request URI, the app uses
    platform-specific APIs to open the URI in an external user-agent.
    Typically, the external user-agent used is the default browser, that
    is, the application configured for handling "http" and "https" scheme
    URIs on the system; however, different browser selection criteria and
    other categories of external user-agents MAY be used.

What choices do developers have to ensure the authorization (and subsequent user authentication) occur over MTLS?

Can the app provide its own key for MTLS or can it ask that an embedded X.509 cert be used (assuming one is available)?

Are there any platform issues or best practices?

Phil Hunt | Cloud Security and Identity Architect
Oracle Corporation, Oracle Cloud Infrastructure
@independentid
www.independentid.com
phil.h...@oracle.com