[Openid-specs-ab] Issue #1597: [Federation] Omission of trust chain validation in the case of PAR + self-signed certificate (openid/connect)

Takahiko Kawasaki issues-reply at bitbucket.org
Sat Aug 13 08:13:55 UTC 2022


New issue 1597: [Federation] Omission of trust chain validation in the case of PAR + self-signed certificate
https://bitbucket.org/openid/connect/issues/1597/federation-omission-of-trust-chain

Takahiko Kawasaki:

The section “Using Pushed Authorization” of OpenID Connect Federation 1.0 says as follows.

> Note that if mTLS is used, TLS client authentication MUST be configured and, in case of self-signed certificates, the server must omit Trust Chain validation.

Why does trust chain validation have to be omitted in the case of PAR + self-signed certificate? It seems to me that omission of trust chain validation is kind of a security hole, isn’t it?