[Openid-specs-fapi] Issue #184: Privacy implications of oauth-mtls due to tls 1.2 sending client certs unencrypted (openid/fapi)
Joseph Heenan
issues-reply at bitbucket.org
Thu Nov 1 09:40:32 UTC 2018
New issue 184: Privacy implications of oauth-mtls due to tls 1.2 sending client certs unencrypted
https://bitbucket.org/openid/fapi/issues/184/privacy-implications-of-oauth-mtls-due-to
Joseph Heenan:
This blog post has appeared recently:
https://blog.funkthat.com/2018/10/tls-client-authentication-leaks-user.html
Assuming it is correct, this seems to have implications for privacy when following the FAPI specs, particularly part 2. Probably mainly in the case where a mobile device is doing dynamic client registration. We should probably mention this privacy consideration.
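The exposure discussed in this issue, as an added example that is not part of the original issue or the linked blog post: a small Python scanner over raw TLS records that returns whatever Certificate messages a passive observer on the path could read without any keys. Under TLS 1.2 the client's Certificate message is carried in a plaintext Handshake record (content type 22), so it is returned; under TLS 1.3 it is sent after the key exchange inside encrypted Application Data records (content type 23), so nothing is returned. All sample bytes, including the placeholder client certificate, are constructed here and are not real captures.

```python
import struct
HANDSHAKE, APPLICATION_DATA = 22, 23   # TLS record content types
CERTIFICATE = 11                       # handshake message type "Certificate"

def tls_records(data: bytes):
    """Yield (content_type, payload) for each TLS record in a byte stream."""
    off = 0
    while off + 5 <= len(data):
        ctype, _legacy_version, length = struct.unpack_from("!BHH", data, off)
        off += 5
        yield ctype, data[off:off + length]
        off += length

def handshake_messages(payload: bytes):
    """Yield (msg_type, body) for each handshake message in a plaintext record."""
    off = 0
    while off + 4 <= len(payload):
        msg_type, length = payload[off], int.from_bytes(payload[off + 1:off + 4], "big")
        off += 4
        yield msg_type, payload[off:off + length]
        off += length

def exposed_certificates(data: bytes) -> list:
    """Return the certificates a passive observer can read from this stream."""
    certs = []
    for ctype, payload in tls_records(data):
        if ctype != HANDSHAKE:
            continue  # TLS 1.3 sends Certificate inside encrypted Application Data records
        for msg_type, body in handshake_messages(payload):
            if msg_type != CERTIFICATE:
                continue
            # TLS 1.2 body: 3-byte certificate_list length, then 3-byte-length-prefixed DER certs
            off, end = 3, 3 + int.from_bytes(body[:3], "big")
            while off + 3 <= end:
                n = int.from_bytes(body[off:off + 3], "big")
                certs.append(body[off + 3:off + 3 + n])
                off += 3 + n
    return certs

def _record(ctype: int, payload: bytes) -> bytes:
    return struct.pack("!BHH", ctype, 0x0303, len(payload)) + payload

def _certificate_message(*certs: bytes) -> bytes:
    entries = b"".join(len(c).to_bytes(3, "big") + c for c in certs)
    body = len(entries).to_bytes(3, "big") + entries
    return bytes([CERTIFICATE]) + len(body).to_bytes(3, "big") + body
# Constructed sample data: a placeholder blob standing in for a client's DER certificate.
CLIENT_CERT = b"\x30\x82\x00\x10" + b"\xaa" * 16
TLS12_FLIGHT = _record(HANDSHAKE, _certificate_message(CLIENT_CERT))  # sent in the clear
TLS13_FLIGHT = _record(APPLICATION_DATA, bytes(range(64)))            # ciphertext stand-in
```

Feeding a real capture of a client's handshake flight into `exposed_certificates` shows directly whether the mTLS client certificate, and thus the client or user it identifies, is visible to anyone on the network path.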