[Openid-specs-fapi] Issue #404: Interoperability: Validation of tls_client_auth_subject_dn using RFC7591 (openid/fapi)
issues-reply at bitbucket.org
Wed Apr 28 14:49:18 UTC 2021
New issue 404: Interoperability: Validation of tls_client_auth_subject_dn using RFC7591
The European Union defined [https://www.etsi.org/deliver/etsi_ts/119400_119499/119495/01.03.01_60/ts_119495v010301p.pdf](https://www.etsi.org/deliver/etsi_ts/119400_119499/119495/01.03.01_60/ts_119495v010301p.pdf) ETSI TS 119 495 V1.3.1 which defines the certificate profile being used as OAuth 2.0 client authentication. When used as part of DCR, the metadata property tls_client_auth_subject_dn needs to be provided by TPPs and then checked by the bank that it matches the corresponding certificate used for mutual TLS.
The issue is that it is ambiguous with no discovery mechanism available that describes how both parties will process non-standard OIDs.
This basically means that TPPs have to try a couple of times to register their clients by guessing how a Bank will process their DN string. [https://tools.ietf.org/html/rfc4514](https://tools.ietf.org/html/rfc4514) describes how this should be performed.
Implementations MAY recognize other DN string representations.
However, as there is no requirement that alternative DN string
representations be recognized (and, if so, how), implementations
SHOULD only generate DN strings in accordance with of this
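The comparison the bank has to perform, as an added example that is not part of the issue or of any FAPI implementation: the function names are hypothetical, the DN values in the test are constructed, and the mapping of organizationIdentifier to OID 2.5.4.97 (the ETSI TS 119 495 attribute, for which RFC 4514 defines no short name) is the only attribute knowledge assumed beyond the RFC 4514 table.

```python
"""Added example (not from the issue or the FAPI spec): check a registered
tls_client_auth_subject_dn against the mTLS certificate's Subject DN."""
import re

# Short names RFC 4514 requires recognising, plus organizationIdentifier (OID 2.5.4.97, the
# ETSI TS 119 495 attribute), which has no RFC 4514 short name and so may arrive either
# spelled out or as a dotted OID with a "#hex" BER-encoded value.
OIDS = {"cn": "2.5.4.3", "o": "2.5.4.10", "ou": "2.5.4.11", "c": "2.5.4.6",
        "l": "2.5.4.7", "st": "2.5.4.8", "organizationidentifier": "2.5.4.97"}

def _split(s, sep):
    """Split on an unescaped separator: ',' between RDNs, '+' inside a multi-valued RDN."""
    parts, cur, esc = [], "", False
    for ch in s:
        if esc or ch == "\\":
            cur, esc = cur + ch, not esc
        elif ch == sep:
            parts, cur = parts + [cur], ""
        else:
            cur += ch
    return parts + [cur]

def _decode_hex(hexstr):
    """Decode a '#hex' value: one BER TLV holding a UTF8String, PrintableString or IA5String."""
    raw = bytes.fromhex(hexstr)
    if len(raw) < 2 or raw[0] not in (0x0C, 0x13, 0x16) or raw[1] != len(raw) - 2:
        raise ValueError("unsupported BER value")  # only short-form lengths (< 128 bytes)
    return raw[2:].decode()

def canonical_dn(dn):
    """Tuple (one per RDN) of frozensets of (oid, value): types become dotted OIDs, '#hex'
    values are decoded, '\\X' escapes resolved, values case-folded (approx. caseIgnoreMatch)."""
    rdns = []
    for rdn in _split(dn, ","):
        pairs = set()
        for ava in _split(rdn, "+"):
            typ, _, val = ava.partition("=")
            oid = OIDS.get(typ.strip().lower(), typ.strip())
            if not re.fullmatch(r"\d+(\.\d+)+", oid):
                raise ValueError(f"unknown attribute type {typ.strip()!r}")
            val = val.strip()
            val = _decode_hex(val[1:]) if val[:1] == "#" else re.sub(r"\\(.)", r"\1", val)
            pairs.add((oid, val.casefold()))
        rdns.append(frozenset(pairs))
    return tuple(rdns)

def dn_matches(registered_dn, certificate_dn):
    """True when the registered DN string denotes the certificate's Subject DN."""
    return canonical_dn(registered_dn) == canonical_dn(certificate_dn)
```

Without this normalisation a bank that compares the two strings byte for byte rejects a registration whose DN is spelled `2.5.4.97=#0c10...` while the certificate library it uses prints `organizationIdentifier=...`, which is exactly the guessing game the issue describes.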