Re: [OAUTH-WG] How could an IdP create an id token for one audience RP without knowing for which RP?

2017-08-08 Thread Hammann Sven
Dear all, I would like to clarify and agree with John Bradley that there is a confusion here. In the setting that I was discussing in my presentation, I was looking at OpenID Connect, where we have: An end-user with his user agent (browser) that wishes to log in at an RP service (and this

Re: [OAUTH-WG] Fwd: I-D Action: draft-ietf-oauth-mtls-03.txt

2017-08-08 Thread Vladimir Dzhuvinov
On 07/08/17 19:09, Salz, Rich wrote: >> A while ago, if I'm not mistaken, I glimpsed some report of vulnerabilities >> caused by incorrect public key comparison. > There was a recent issue raised by Hanno about incorrect public/private key > matching leading to incorrect revocation of a

Re: [OAUTH-WG] Fwd: I-D Action: draft-ietf-oauth-mtls-03.txt

2017-08-08 Thread Vladimir Dzhuvinov
On 07/08/17 18:53, John Bradley wrote: > The AS always gets the client cert from the TLS stack. Validating the > certificate chain is something people get wrong all the time. However that > is what the DN names are for. Using those requires validating the certs. For the self-signed certs