[Openid-specs-fapi] Issue #550: Should Network Layer Protections be server-side enforced? (openid/fapi)
panva
issues-reply at bitbucket.org
Mon Oct 31 11:57:41 UTC 2022
New issue 550: Should Network Layer Protections be server-side enforced?
https://bitbucket.org/openid/fapi/issues/550/should-network-layer-protections-be-server
Filip Skokan:
Currently, the language in [https://openid.net/specs/fapi-2\_0-baseline-01.html#name-network-layer-protections](https://openid.net/specs/fapi-2_0-baseline-01.html#name-network-layer-protections) and [https://openid.net/specs/openid-financial-api-part-2-1\_0.html#tls-considerations](https://openid.net/specs/openid-financial-api-part-2-1_0.html#tls-considerations) does not mention the party responsible for the cipher enforcement.
The FAPI certification suite currently fails clients that make a connection using a cipher that falls outside of the 4 allowed. But in its TLS configuration it does not rank the four allowed as the most preferred.
This means that a client which cannot control its allowed ciphersuite fails certification because it chooses a cipher that isn’t amongst the 4 allowed but ranks higher in preference by the certification server.
I think it’s unreasonable to assume that every client software is capable of controlling the allowed TLS ciphers and that this should be made a server-side requirement to enforce.
This affects both FAPI1 and FAPI2.
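As an added example (not part of the issue above, nor the certification suite's code), here is what server-side enforcement of the cipher restriction looks like with Python's `ssl` module. The four TLS 1.2 suites are the ones FAPI 1 Part 2 section 8.5 lists (TLS 1.3 suites are all permitted there, so they are left alone); the function names, the `fapi_compliant` check and the comparison against a default server context are assumptions of this example, not anything the spec or the suite defines.

```python
import ssl

# The four TLS 1.2 cipher suites FAPI 1 Part 2 section 8.5 allows,
# IANA name -> OpenSSL name (the ssl module speaks OpenSSL names).
FAPI_TLS12_SUITES = {
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384": "ECDHE-RSA-AES256-GCM-SHA384",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256": "ECDHE-RSA-AES128-GCM-SHA256",
    "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384": "DHE-RSA-AES256-GCM-SHA384",
    "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256": "DHE-RSA-AES128-GCM-SHA256",
}


def tls12_cipher_names(ctx):
    """OpenSSL names of every TLS 1.2 suite this context would negotiate.

    TLS 1.3 suites are reported with protocol 'TLSv1.3' and are skipped,
    since the restriction only applies to TLS 1.2.
    """
    return [c["name"] for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


def non_fapi_ciphers(ctx):
    """TLS 1.2 suites the context offers that are outside the FAPI set."""
    allowed = set(FAPI_TLS12_SUITES.values())
    return [name for name in tls12_cipher_names(ctx) if name not in allowed]


def fapi_server_context():
    """Server context that enforces the FAPI cipher set regardless of what
    the client offers (assumed configuration, not the suite's own)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # Only the four allowed suites exist on the server side, ordered by our
    # preference (ECDHE before DHE, AES-256 before AES-128).
    ctx.set_ciphers(":".join(FAPI_TLS12_SUITES.values()))
    # Make the server's order win over the client's order, so a client that
    # lists a non-allowed suite first still ends up on an allowed one.
    ctx.options |= ssl.OP_CIPHER_SERVER_PREFERENCE
    return ctx


def lenient_server_context():
    """Python's stock server context, which offers whatever OpenSSL's default
    list contains; a client that cannot pin its own ciphers may land on any
    of them."""
    return ssl.create_default_context(ssl.Purpose.CLIENT_AUTH)


def server_preference_enabled(ctx):
    return bool(ctx.options & ssl.OP_CIPHER_SERVER_PREFERENCE)


def fapi_compliant(ctx):
    """True when the server alone guarantees a FAPI-allowed cipher on TLS 1.2:
    nothing outside the set is offered, the server's order is authoritative,
    and TLS < 1.2 is refused."""
    return (
        not non_fapi_ciphers(ctx)
        and bool(tls12_cipher_names(ctx))
        and server_preference_enabled(ctx)
        and ctx.minimum_version >= ssl.TLSVersion.TLSv1_2
    )


if __name__ == "__main__":
    for label, ctx in (("fapi", fapi_server_context()),
                       ("default", lenient_server_context())):
        print(label, "compliant:", fapi_compliant(ctx),
              "non-FAPI suites:", non_fapi_ciphers(ctx)[:5])
```

With the strict context the handshake can only conclude on one of the four suites (or a TLS 1.3 suite), so the client's cipher ordering becomes irrelevant; with the default context the outcome depends on what the client sends first, which is exactly the situation the issue describes.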