On Mon, Jan 07, 2019 at 10:21:51AM -0700, Brian Campbell wrote:
> I don't honestly know for sure but I suspect that employees of big
> corporations will likely have keys/certs on their devices/machines that are
> issued by some internal CA and provisioned to them automatically (and in
> many cases without the user knowing and/or understanding that they are
> there and why). Those users would likely be prompted when TLS handshaking
> with a server that presents an empty list of CAs in the
> certificate_authorities of the CertificateRequest.
>
> I dunno. Maybe I was too quick to retract the proposal for the MTLS
> supporting secondary token endpoint?
>
> What do folks (including Ben & Neil) think?
Sorry for the slow reply. I agree with Filip that we can't be confident that the affected population is a vanishingly small population, so it probably does make sense to continue thinking about how we can present a better UX.

-Ben

_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
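As an added illustration (not code from this thread or from any OAuth implementation), the Go program below shows the mechanism Brian describes: a server whose tls.Config.ClientCAs is populated advertises those names in certificate_authorities of the CertificateRequest, while a nil ClientCAs sends an empty list, which leaves a client with nothing to filter its provisioned certificates against and is what triggers the prompt. The CA name "Example Corp Internal CA", the in-memory pipe and the AcceptableCAs helper are all constructed for this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"math/big"
	"net"
	"time"
)

// newCA builds a throwaway self-signed CA in memory (constructed for this example; it stands in for an internal corporate CA and doubles as the server certificate).
func newCA() tls.Certificate {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Corp Internal CA"},
		DNSNames: []string{"localhost"}, NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	leaf, _ := x509.ParseCertificate(der)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}
}

// AcceptableCAs runs one handshake over an in-memory pipe against a server that requests (but does not
// require) a client certificate and returns the names the client saw in certificate_authorities.
func AcceptableCAs(advertiseCAs bool) (seen []string) {
	ca := newCA()
	pool := x509.NewCertPool()
	pool.AddCert(ca.Leaf)
	// SessionTicketsDisabled keeps the server from writing post-handshake tickets into the synchronous pipe.
	srvCfg := &tls.Config{Certificates: []tls.Certificate{ca}, ClientAuth: tls.RequestClientCert, SessionTicketsDisabled: true}
	if advertiseCAs {
		srvCfg.ClientCAs = pool // these subjects become certificate_authorities; nil sends an empty list
	}
	cliConn, srvConn := net.Pipe()
	defer cliConn.Close()
	go func() { defer srvConn.Close(); tls.Server(srvConn, srvCfg).Handshake() }()
	cli := tls.Client(cliConn, &tls.Config{RootCAs: pool, ServerName: "localhost",
		GetClientCertificate: func(cri *tls.CertificateRequestInfo) (*tls.Certificate, error) {
			for _, raw := range cri.AcceptableCAs { // a client can match its own certs against these names
				var rdn pkix.RDNSequence
				asn1.Unmarshal(raw, &rdn)
				seen = append(seen, rdn.String())
			}
			return &tls.Certificate{}, nil // no matching cert: send none rather than prompt the user
		}})
	if err := cli.Handshake(); err != nil {
		panic(err)
	}
	return seen
}
```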