[Openid-specs-fapi] Issue #184: Privacy implications of oauth-mtls due to tls 1.2 sending client certs unencrypted (openid/fapi)
n-sakimura at nri.co.jp
Thu Nov 1 16:38:51 UTC 2018
I actually replied to this on the OAuth mailing list. It may be a good idea to follow that thread.
For the mobile client, we were thinking of using Token Binding instead for sure, due to the correlation issues. But as far as the financial transactions are concerned, correlation is not a big privacy issue because we have a KYC requirement to start with. Then, the problem precipitates to the information disclosure through an unencrypted channel, but as Neil mentioned in the above thread, the standard practice is to present the certificate in the re-negotiation only, which is encrypted.
Nat Sakimura / n-sakimura at nri.co.jp / +81-90-6013-6276
From: Openid-specs-fapi <openid-specs-fapi-bounces at lists.openid.net> (on behalf of Joseph Heenan via Openid-specs-fapi <openid-specs-fapi at lists.openid.net>)
Sent: Thursday, November 1, 2018 6:40 PM
To: openid-specs-fapi at lists.openid.net
Cc: Joseph Heenan
Subject: [Openid-specs-fapi] Issue #184: Privacy implications of oauth-mtls due to tls 1.2 sending client certs unencrypted (openid/fapi)
New issue 184: Privacy implications of oauth-mtls due to tls 1.2 sending client certs unencrypted
This blog post has appeared recently:
Assuming it is correct this seems to have implications for privacy when following the FAPI specs, particularly part 2. Probably mainly in the case where a mobile device is doing dynamic client registration. We should probably mention this privacy consideration.
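Added example (not from this thread, the FAPI specs or the OAuth MTLS draft) illustrating the two points above: a passive check over a client-to-server TLS byte stream that flags a Certificate handshake message sent before ChangeCipherSpec, which is where a TLS 1.2 initial-handshake client certificate is visible to an on-path observer, while a certificate presented only during renegotiation (after ChangeCipherSpec) or under TLS 1.3 (carried inside encrypted records) is not flagged. The sample flights are constructed from dummy bytes, not captured handshakes.

```python
import struct

HANDSHAKE, CHANGE_CIPHER_SPEC, APPLICATION_DATA = 22, 20, 23
HS_CLIENT_HELLO, HS_CERTIFICATE = 1, 11


def iter_records(stream: bytes):
    """Yield (content_type, version, payload) for each TLS record in a byte stream."""
    off = 0
    while off + 5 <= len(stream):
        ctype, version, length = struct.unpack("!BHH", stream[off:off + 5])
        yield ctype, version, stream[off + 5:off + 5 + length]
        off += 5 + length


def cleartext_client_certs(client_to_server: bytes) -> list:
    """Return (record_version, body_len) for each non-empty Certificate message sent in
    the clear, i.e. in a handshake record before the first ChangeCipherSpec. A TLS 1.3
    client certificate never matches: it rides inside encrypted application_data records."""
    findings, encrypted = [], False
    for ctype, version, payload in iter_records(client_to_server):
        if ctype == CHANGE_CIPHER_SPEC:
            encrypted = True  # later handshake records (renegotiation) are under session keys
        elif ctype == HANDSHAKE and not encrypted:
            pos = 0
            while pos + 4 <= len(payload):  # handshake message: type(1) length(3) body
                hs_type = payload[pos]
                hs_len = int.from_bytes(payload[pos + 1:pos + 4], "big")
                if hs_type == HS_CERTIFICATE and hs_len > 3:  # 3 bytes = empty certificate_list
                    findings.append((version, hs_len))
                pos += 4 + hs_len
    return findings


# --- constructed sample flights (dummy bytes, no real certificates) ---------------
def _rec(ctype, payload, version=0x0303):
    return struct.pack("!BHH", ctype, version, len(payload)) + payload


def _hs(hs_type, body):
    return bytes([hs_type]) + len(body).to_bytes(3, "big") + body


HELLO = _rec(HANDSHAKE, _hs(HS_CLIENT_HELLO, b"\x03\x03" + b"\x00" * 34))
CERT_BODY = b"\x00\x00\x05" + b"\x00\x00\x02" + b"\x30\x82"  # certificate_list with one 2-byte cert
CCS = _rec(CHANGE_CIPHER_SPEC, b"\x01")
OPAQUE = b"\xaa" * 48  # stands in for ciphertext
TLS12_INITIAL = HELLO + _rec(HANDSHAKE, _hs(HS_CERTIFICATE, CERT_BODY)) + CCS + _rec(HANDSHAKE, OPAQUE)
TLS12_RENEG_ONLY = HELLO + CCS + _rec(HANDSHAKE, OPAQUE) + _rec(HANDSHAKE, OPAQUE)  # cert only in encrypted reneg
TLS13 = HELLO + _rec(APPLICATION_DATA, OPAQUE) + _rec(APPLICATION_DATA, OPAQUE)  # cert in encrypted records

if __name__ == "__main__":
    for name, flight in [("TLS 1.2 initial", TLS12_INITIAL), ("TLS 1.2 reneg only", TLS12_RENEG_ONLY), ("TLS 1.3", TLS13)]:
        print(name, "-> cleartext client certs:", cleartext_client_certs(flight))
```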