[Openid-specs-ab] Issue #1510: [Federation] optional_no_ca (openid/connect)
Takahiko Kawasaki
issues-reply at bitbucket.org
Thu May 26 01:15:35 UTC 2022
New issue 1510: [Federation] optional_no_ca
https://bitbucket.org/openid/connect/issues/1510/federation-optional_no_ca
Takahiko Kawasaki:
A paragraph in [Section 10.1.1.2](https://openid.net/specs/openid-connect-federation-1_0.html#rfc.section.10.1.1.2) of [OpenID Connect Federation 1.0](https://openid.net/specs/openid-connect-federation-1_0.html) mentions `optional_no_ca` in an abrupt manner like below.
> Note that if mTLS is used, TLS client authentication MUST be configured and, in case of self-signed certificates, the server must omit trust chain validation (**optional_no_ca**).
`optional_no_ca` has a meaning in the [ngx_http_ssl_module](http://nginx.org/en/docs/http/ngx_http_ssl_module.html) for NGINX and the [mod_ssl](https://httpd.apache.org/docs/current/mod/mod_ssl.html) module for Apache. However, I'm not sure that `optional_no_ca` is generic enough to be referenced in the OIDC Federation spec without any explanation. Shouldn't the spec mention ngx_http_ssl_module/NGINX and mod_ssl/Apache in some way or other?
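As an added illustration (not part of the issue, the spec, or either web server's documentation), this is what the directive looks like in context in an NGINX configuration for a TLS-terminating front-end that accepts self-signed client certificates; the hostname, file paths and upstream address are assumed placeholders:

```nginx
# Constructed example: NGINX terminating mTLS in front of an OpenID
# Federation entity that accepts self-signed client certificates.
# Hostname, paths and upstream address are placeholders.
server {
    listen 443 ssl;
    server_name op.example.invalid;

    ssl_certificate     /etc/nginx/tls/server.crt;
    ssl_certificate_key /etc/nginx/tls/server.key;

    # Request a client certificate but do not require it to chain to a
    # CA listed in ssl_client_certificate. This is the NGINX reading of
    # "omit trust chain validation": the handshake succeeds even for a
    # self-signed certificate, and verification is delegated to the
    # application behind NGINX.
    ssl_verify_client optional_no_ca;

    # For contrast: "optional" still rejects any certificate that does
    # not chain to a trusted CA, so it cannot serve self-signed clients.
    # ssl_verify_client optional;

    location / {
        # Hand the certificate and NGINX's verdict to the application.
        # With optional_no_ca, $ssl_client_verify typically reports
        # "FAILED:..." for a self-signed certificate, so the application
        # must not treat it as an authentication result; it has to compare
        # $ssl_client_escaped_cert with the certificate the client
        # registered. proxy_set_header overwrites any copy of these
        # headers a client sent, so the upstream cannot be spoofed
        # through them.
        proxy_set_header X-SSL-Client-Verify $ssl_client_verify;
        proxy_set_header X-SSL-Client-Cert   $ssl_client_escaped_cert;
        proxy_set_header X-SSL-Client-S-DN   $ssl_client_s_dn;
        proxy_pass http://127.0.0.1:8080;
    }
}
```

The Apache mod_ssl equivalent is `SSLVerifyClient optional_no_ca` in the virtual host, with `SSLOptions +ExportCertData` exposing the certificate to the application as `SSL_CLIENT_CERT`.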