Re: [OAUTH-WG] MTLS and SAN

2019-04-09 Thread Brian Campbell
Thanks Justin. On Mon, Apr 8, 2019 at 5:49 PM Justin Richer wrote: > Thanks for the clarifications everyone. Since I didn’t catch the > one-and-only-one sentiment when reading the updates, I would recommend > altering the text as follows in §2.1: > >The PKI (public key infrastructure) method

Re: [OAUTH-WG] MTLS and SAN

2019-04-08 Thread Justin Richer
Thanks for the clarifications everyone. Since I didn’t catch the one-and-only-one sentiment when reading the updates, I would recommend altering the text as follows in §2.1: The PKI (public key infrastructure) method of mutual TLS OAuth client authentication adheres to the way in which X.

Re: [OAUTH-WG] MTLS and SAN

2019-04-08 Thread Brian Campbell
Yes, the intent is that the client be configured (dynamically or statically or however that comes to be) with one and only one expected subject, which also includes the location in the certificate that subject will be. And that is checked against at authentication time. As the writer of the questi

Re: [OAUTH-WG] MTLS and SAN

2019-04-05 Thread Jim Willeke
I may not be completely up to date in this discussion. However, RFC 6125 "In general, *this specification recommends and prefers* use of subjectAltName entries (DNS-ID, SRV-ID, URI-ID, etc.) over use of the subject field (CN-ID) where possible,

Re: [OAUTH-WG] MTLS and SAN

2019-04-04 Thread Filip Skokan
Yes. Best regards, *Filip Skokan* On Thu, 4 Apr 2019 at 22:36, Justin Richer wrote: > Thank you, I did miss that text. This should be called out more explicitly > in §2.1, perhaps by specifying that it is only one field. This still > doesn’t set precedence, but it implies that it’s an error for

Re: [OAUTH-WG] MTLS and SAN

2019-04-04 Thread Justin Richer
Thank you, I did miss that text. This should be called out more explicitly in §2.1, perhaps by specifying that it is only one field. This still doesn’t set precedence, but it implies that it’s an error for a client to have more than one field set of the available options. Is that your read on th

Re: [OAUTH-WG] MTLS and SAN

2019-04-04 Thread Filip Skokan
Justin, I had the exact same question off list and believe draft 13 clarified this. https://tools.ietf.org/html/draft-ietf-oauth-mtls-13#section-2.1.2 A client using the "tls_client_auth" authentication method MUST use exactly one of the below metadata parameters to indicate the certificate subje