We added the reference to RFC6125 in openID Connect.
The Client MUST perform a TLS/SSL server certificate check, per
<xref target="RFC6125">RFC 6125</xref>.We wanted to be more general to allow for non http bindings in the future. If you don't do it in core, every spec that references core will probably have to add it. John B. On 2012-01-24, at 12:32 AM, Peter Saint-Andre wrote: > On 1/20/12 4:46 PM, Eran Hammer wrote: >> Stephen asked: >> >>> (13) 10.9 says that the client MUST verify the server's cert which is >>> fine. However, does that need a reference to e.g. rfc 6125? Also, do >>> you want to be explicit here about the TLS server cert and thereby >>> possibly rule out using DANE with the non PKI options that that WG >>> (may) produce? >> >> Can someone help with this? I don’t know enough to address. > > The OAuth core spec currently says: > > The client MUST validate the authorization server's > TLS certificate in accordance with its requirements > for server identity authentication. > > RFC 2818 has guidance about endpoint identity, in Section 3.1: > > http://tools.ietf.org/html/rfc2818#section-3.1 > > RFC 6125 attempts to generalize the guidance from RFC 2818 and many > similar specs for use by new application protocols. Given that OAuth as > defined by the core spec runs over HTTP, I think referencing RFC 2818 > would make sense. So something like: > > The client MUST validate the authorization server's > TLS certificate in accordance with the rules for > server identity authentication provided in Section 3.1 > of [RFC2818]. > > Peter > > -- > Peter Saint-Andre > https://stpeter.im/ > > > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth
smime.p7s
Description: S/MIME cryptographic signature
_______________________________________________ OAuth mailing list OAuth@ietf.org https://www.ietf.org/mailman/listinfo/oauth
