[Openid-specs-fapi] Issue #404: Interoperability: Validation of tls_client_auth_subject_dn using RFC7591 (openid/fapi)

Ralph Bragg issues-reply at bitbucket.org
Wed Apr 28 14:49:18 UTC 2021

New issue 404: Interoperability: Validation of tls_client_auth_subject_dn using RFC7591

Ralph Bragg:

The European Union defined [https://www.etsi.org/deliver/etsi\_ts/119400\_119499/119495/01.03.01\_60/ts\_119495v010301p.pdf](https://www.etsi.org/deliver/etsi_ts/119400_119499/119495/01.03.01_60/ts_119495v010301p.pdf) ETSI TS 119 495 V1.3.1 which defines the certificate profile being used as oAuth 2.0 client authentication. When used as part of  DCR, the metadata property tls\_client\_auth\_subject\_dn needs to be provided by TPPs and then checked by the bank that it matches the corresponding certificate used for mutual tls.

The issue is that it is ambiguous with no discover mechanism avaiable that describes how both parties will process non standard oids. 

This basically means that TPPs have to try a couple fo times to register their clients by guessing how a Bank will process their DN string. [https://tools.ietf.org/html/rfc4514](https://tools.ietf.org/html/rfc4514) describes how this should be performed.

   Implementations MAY recognize other DN string representations.
   However, as there is no requirement that alternative DN string
   representations be recognized (and, if so, how), implementations
   SHOULD only generate DN strings in accordance with  of this



More information about the Openid-specs-fapi mailing list