Re: [OAUTH-WG] Server cret verification in 10.9

Wed, 07 Mar 2012 17:18:14 -0800 

New text:

          In order to prevent man-in-the-middle attacks, the authorization 
server MUST implement
          and require TLS with server authentication as defined by <xref 
target='RFC2818' /> for
          any request sent to the authorization and token endpoints. The client 
MUST validate the
          authorization server's TLS certificate as defined by <xref 
target='RFC6125' />, and in
          accordance with its requirements for server identity authentication.

EH

> -----Original Message-----
> From: John Bradley [mailto:[email protected]]
> Sent: Tuesday, January 24, 2012 2:24 PM
> To: Peter Saint-Andre
> Cc: Eran Hammer; OAuth WG
> Subject: Re: [OAUTH-WG] Server cret verification in 10.9
> 
> We added the reference to RFC6125 in openID Connect.
> 
> The Client MUST perform a TLS/SSL server certificate check, per
>           <xref target="RFC6125">RFC 6125</xref>.
> 
> We wanted to be more general to allow for non http bindings in the future.
> 
> If you don't do it in core, every spec that references core will probably have
> to add it.
> 
> John B.
> 
> 
> On 2012-01-24, at 12:32 AM, Peter Saint-Andre wrote:
> 
> > On 1/20/12 4:46 PM, Eran Hammer wrote:
> >> Stephen asked:
> >>
> >>> (13) 10.9 says that the client MUST verify the server's cert which is
> >>> fine. However, does that need a reference to e.g. rfc 6125? Also, do
> >>> you want to be explicit here about the TLS server cert and thereby
> >>> possibly rule out using DANE with the non PKI options that that WG
> >>> (may) produce?
> >>
> >> Can someone help with this? I don't know enough to address.
> >
> > The OAuth core spec currently says:
> >
> >   The client MUST validate the authorization server's
> >   TLS certificate in accordance with its requirements
> >   for server identity authentication.
> >
> > RFC 2818 has guidance about endpoint identity, in Section 3.1:
> >
> > http://tools.ietf.org/html/rfc2818#section-3.1
> >
> > RFC 6125 attempts to generalize the guidance from RFC 2818 and many
> > similar specs for use by new application protocols. Given that OAuth as
> > defined by the core spec runs over HTTP, I think referencing RFC 2818
> > would make sense. So something like:
> >
> >   The client MUST validate the authorization server's
> >   TLS certificate in accordance with the rules for
> >   server identity authentication provided in Section 3.1
> >   of [RFC2818].
> >
> > Peter
> >
> > --
> > Peter Saint-Andre
> > https://stpeter.im/
> >
> >
> > _______________________________________________
> > OAuth mailing list
> > [email protected]
> > https://www.ietf.org/mailman/listinfo/oauth

_______________________________________________
OAuth mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/oauth

Reply via email to