Thanks John. This is what I suspected but wanted to confirm.

Phil
> On May 7, 2019, at 7:02 AM, John Bradley <ve7...@ve7jtb.com> wrote:
>
> The mtls spec doesn't cover the authorization endpoint.
>
> Mtls via the browser is a whole world of pain.
>
> I believe that for a native app to use mtls via a chrome custom tab or Safari
> view controller you need to provision a certificate and private key to the
> system keystore. It is not something that can happen dynamically from the
> app.
>
> That in practice is generally done by proprietary EMM (Enterprise Mobility
> Management) systems like mobile Iron etc.
>
> I think there are also some issues with the app using the same key, it may
> need to be separately provisioned to the app as well.
>
> Each OS and browser has its own twists.
>
> It is probably better to explain how to do WebAuthn based authentication via
> the browser and app.
>
> I think there is likely more value in having a WebAuthn based authentication
> of the app that also attests to the identity of the app than trying to
> document all the implemented issues with MTLS via the browser.
>
> It depends on what the working group thinks is important.
>
> John B.
>
>> On Tue, May 7, 2019, 4:33 AM Hannes Tschofenig <hannes.tschofe...@arm.com>
>> wrote:
>>
>> Hi Phil
>>
>> I believe this is a question that William and John may be able to answer.
>>
>> Should MTLS be added to a future version of the Native Apps BCP? If the
>> answer is "no", why not?
>>
>> Ciao
>>
>> Hannes
>>
>> From: OAuth <oauth-boun...@ietf.org> On Behalf Of Phil Hunt
>> Sent: Thursday, 2 May 2019 20:41
>> To: oauth <oauth@ietf.org>
>> Subject: [OAUTH-WG] MTLS and Native apps Best practices
>>
>> I was wondering if anyone had any recommended MTLS best practices for mobile
>> apps and native browsers.
>>
>> Considering Section 6 of RFC8252...
>>
>> After constructing the authorization request URI, the app uses
>> platform-specific APIs to open the URI in an external user-agent.
>> Typically, the external user-agent used is the default browser, that
>> is, the application configured for handling "http" and "https" scheme
>> URIs on the system; however, different browser selection criteria and
>> other categories of external user-agents MAY be used.
>>
>> What choices do developers have to ensure the authorization (and subsequent
>> user authentication) occur over MTLS? Can the app provide its own key for
>> MTLS or can it ask that an embedded X.509 cert be used (assuming one is
>> available)?
>>
>> Are there any platform issues or best practices?
>>
>> Phil Hunt | Cloud Security and Identity Architect
>> Oracle Corporation, Oracle Cloud Infrastructure
>> @independentid
>> www.independentid.com
>> phil.h...@oracle.com
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
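The part of the picture the thread says the mtls spec does cover is the token and resource side: the authorization server binds the issued token to the client's TLS certificate with a `cnf` claim carrying an `x5t#S256` thumbprint (base64url-encoded SHA-256 of the DER certificate), and the resource server accepts the token only when the certificate on the incoming mutual-TLS connection has the same thumbprint. The authorization endpoint reached through the browser gets no such binding, which is the gap the thread is discussing. The following is an added illustration written for this page, not code from the thread, from the OAuth working group or from any named product; the "certificate" byte strings are constructed placeholders standing in for real DER bytes that a deployment would take from its TLS stack, and the claim names follow the MTLS draft that was later published as RFC 8705.

```python
"""Certificate-bound access tokens: bind at issuance, check at the resource.

Added example. The DER inputs below are constructed placeholders, not real
X.509 certificates; in a deployment they come from the TLS layer.
"""
import base64
import hashlib
import hmac
import json
from typing import Optional

# Constructed placeholder "certificates" (not real DER; only their bytes matter here).
CLIENT_CERT_DER = b"constructed placeholder: client certificate DER bytes"
OTHER_CERT_DER = b"constructed placeholder: some other certificate DER bytes"


def x5t_s256(cert_der: bytes) -> str:
    """Thumbprint as used in the cnf claim: base64url (no padding) of SHA-256 over the DER."""
    digest = hashlib.sha256(cert_der).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def bind_token(claims: dict, cert_der: bytes) -> dict:
    """Authorization-server side: add the cnf claim that ties the token to the client cert.

    The certificate is the one the client presented on the mutual-TLS connection
    to the token endpoint; the browser-mediated authorization endpoint plays no part.
    """
    bound = dict(claims)
    bound["cnf"] = {"x5t#S256": x5t_s256(cert_der)}
    return bound


def verify_binding(claims: dict, presented_cert_der: Optional[bytes]) -> bool:
    """Resource-server side: accept only if the TLS client certificate matches the cnf.

    Returns False when the token carries no binding, when no client certificate was
    presented, or when the thumbprints differ. A stolen certificate-bound token is
    therefore useless to a caller that cannot complete TLS with the bound key.
    """
    cnf = claims.get("cnf")
    if not isinstance(cnf, dict) or "x5t#S256" not in cnf:
        return False  # not certificate-bound: do not accept it on a sender-constrained resource
    if presented_cert_der is None:
        return False  # no client certificate on this connection
    expected = cnf["x5t#S256"]
    actual = x5t_s256(presented_cert_der)
    # Constant-time comparison; both strings are ASCII base64url.
    return hmac.compare_digest(expected, actual)


def demo() -> dict:
    """Run the issue/verify round trip and return the observed outcomes."""
    token = bind_token({"iss": "https://as.example", "sub": "native-app", "scope": "read"},
                       CLIENT_CERT_DER)
    return {
        "token": token,
        "same_cert": verify_binding(token, CLIENT_CERT_DER),
        "other_cert": verify_binding(token, OTHER_CERT_DER),
        "no_cert": verify_binding(token, None),
        "unbound_token": verify_binding({"sub": "native-app"}, CLIENT_CERT_DER),
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The check lives entirely at the endpoints that already terminate mutual TLS, which is why it works for a native app talking directly to the token endpoint and resource server but says nothing about the system-browser leg of the authorization request.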