[Openid-specs-fapi] Issue #184: Privacy implications of oauth-mtls due to tls 1.2 sending client certs unencrypted (openid/fapi)

Joseph Heenan issues-reply at bitbucket.org
Thu Nov 1 09:40:32 UTC 2018


New issue 184: Privacy implications of oauth-mtls due to tls 1.2 sending client certs unencrypted
https://bitbucket.org/openid/fapi/issues/184/privacy-implications-of-oauth-mtls-due-to

Joseph Heenan:

This blog post has appeared recently:

https://blog.funkthat.com/2018/10/tls-client-authentication-leaks-user.html

Assuming it is correct, this seems to have implications for privacy when following the FAPI specs, particularly part 2. Probably mainly in the case where a mobile device is doing dynamic client registration. We should probably mention this privacy consideration.
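To make the concern concrete, here is an added example (not from the issue or the FAPI spec) showing what a passive observer sees when a TLS 1.2 client sends its Certificate handshake message before any encryption is in place, alongside the mitigation of accepting mTLS client certificates only under TLS 1.3, where that message is encrypted. The DER bytes are a constructed placeholder, not a real certificate, and the helper names are my own.

```python
import ssl
import struct

# Constructed placeholder standing in for a client's DER certificate.
FAKE_DER = b"\x30\x82\x01\x00" + b"\xaa" * 0x100


def build_tls12_certificate_record(certs):
    """Build a TLS 1.2 Handshake record (type 22) carrying a Certificate
    message (handshake type 11). In TLS 1.2 this record is sent in the
    clear, before ChangeCipherSpec, so it is readable on the wire."""
    entries = b"".join(len(c).to_bytes(3, "big") + c for c in certs)
    cert_list = len(entries).to_bytes(3, "big") + entries
    handshake = b"\x0b" + len(cert_list).to_bytes(3, "big") + cert_list
    return b"\x16\x03\x03" + struct.pack("!H", len(handshake)) + handshake


def extract_certs_from_record(record):
    """What a passive observer can recover: every DER certificate in a
    cleartext TLS 1.2 Certificate message. Returns [] for other records."""
    ctype, _major, _minor, rlen = struct.unpack("!BBBH", record[:5])
    body = record[5:5 + rlen]
    if ctype != 22 or not body or body[0] != 0x0b:
        return []
    cert_list_len = int.from_bytes(body[4:7], "big")
    pos, end, certs = 7, 7 + cert_list_len, []
    while pos + 3 <= end:
        clen = int.from_bytes(body[pos:pos + 3], "big")
        pos += 3
        certs.append(body[pos:pos + clen])
        pos += clen
    return certs


def tls13_only_mtls_context():
    """Server-side mitigation: require TLS 1.3 on the mTLS endpoint so the
    client Certificate message is sent encrypted. The caller still loads
    its own chain and trust anchors (load_cert_chain / load_verify_locations)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_3
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


if __name__ == "__main__":
    rec = build_tls12_certificate_record([FAKE_DER])
    seen = extract_certs_from_record(rec)
    print("certs visible in cleartext TLS 1.2 record:", len(seen))
    print("mitigated context minimum:", tls13_only_mtls_context().minimum_version)
```

With the TLS 1.2 record the observer recovers the full certificate, and with it whatever identifying subject or issuer data the client certificate carries; the hardened context refuses anything below TLS 1.3.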
