[Openid-specs-fapi] Issue #184: Privacy implications of oauth-mtls due to tls 1.2 sending client certs unencrypted (openid/fapi)

n-sakimura n-sakimura at nri.co.jp
Thu Nov 1 16:38:51 UTC 2018


I actually replied to this on the OAuth mailing list. It may be a good idea to follow that thread.

For the mobile client, we were thinking of using Token Binding instead for sure, due to the correlation issues. But as far as the financial transactions are concerned, correlation is not a big privacy issue because we have a KYC requirement to start with. Then the problem precipitates to the information disclosure through an unencrypted channel, but as Neil mentioned in the above thread, the standard practice is to present the certificate in the re-negotiation only, which is encrypted.

Best,

Nat Sakimura

Nat Sakimura / n-sakimura at nri.co.jp / +81-90-6013-6276

This e-mail may contain confidential information intended only for the named recipient. If you are not the intended recipient, we apologise for the inconvenience and ask that you notify the sender and delete the e-mail you received.

PLEASE READ :This e-mail is confidential and intended for the named recipient only.
If you are not an intended recipient, please notify the sender and delete this e-mail.

________________________________
From: Openid-specs-fapi <openid-specs-fapi-bounces at lists.openid.net> (on behalf of Joseph Heenan via Openid-specs-fapi <openid-specs-fapi at lists.openid.net>)
Sent: Thursday, November 1, 2018 6:40 PM
To: openid-specs-fapi at lists.openid.net
Cc: Joseph Heenan
Subject: [Openid-specs-fapi] Issue #184: Privacy implications of oauth-mtls due to tls 1.2 sending client certs unencrypted (openid/fapi)

New issue 184: Privacy implications of oauth-mtls due to tls 1.2 sending client certs unencrypted
https://bitbucket.org/openid/fapi/issues/184/privacy-implications-of-oauth-mtls-due-to

Joseph Heenan:

This blog post has appeared recently:

https://blog.funkthat.com/2018/10/tls-client-authentication-leaks-user.html

Assuming it is correct, this seems to have implications for privacy when following the FAPI specs, particularly part 2. Probably mainly in the case where a mobile device is doing dynamic client registration. We should probably mention this privacy consideration.


_______________________________________________
Openid-specs-fapi mailing list
Openid-specs-fapi at lists.openid.net
http://lists.openid.net/mailman/listinfo/openid-specs-fapi

