Thanks, John B. On 2012-03-07, at 7:57 PM, Eran Hammer wrote:
> New text: > > In order to prevent man-in-the-middle attacks, the authorization > server MUST implement > and require TLS with server authentication as defined by <xref > target='RFC2818' /> for > any request sent to the authorization and token endpoints. The > client MUST validate the > authorization server's TLS certificate as defined by <xref > target='RFC6125' />, and in > accordance with its requirements for server identity authentication. > > EH > >> -----Original Message----- >> From: John Bradley [mailto:ve7...@ve7jtb.com] >> Sent: Tuesday, January 24, 2012 2:24 PM >> To: Peter Saint-Andre >> Cc: Eran Hammer; OAuth WG >> Subject: Re: [OAUTH-WG] Server cret verification in 10.9 >> >> We added the reference to RFC6125 in openID Connect. >> >> The Client MUST perform a TLS/SSL server certificate check, per >> <xref target="RFC6125">RFC 6125</xref>. >> >> We wanted to be more general to allow for non http bindings in the future. >> >> If you don't do it in core, every spec that references core will probably >> have >> to add it. >> >> John B. >> >> >> On 2012-01-24, at 12:32 AM, Peter Saint-Andre wrote: >> >>> On 1/20/12 4:46 PM, Eran Hammer wrote: >>>> Stephen asked: >>>> >>>>> (13) 10.9 says that the client MUST verify the server's cert which is >>>>> fine. However, does that need a reference to e.g. rfc 6125? Also, do >>>>> you want to be explicit here about the TLS server cert and thereby >>>>> possibly rule out using DANE with the non PKI options that that WG >>>>> (may) produce? >>>> >>>> Can someone help with this? I don't know enough to address. >>> >>> The OAuth core spec currently says: >>> >>> The client MUST validate the authorization server's >>> TLS certificate in accordance with its requirements >>> for server identity authentication. >>> >>> RFC 2818 has guidance about endpoint identity, in Section 3.1: >>> >>> http://tools.ietf.org/html/rfc2818#section-3.1 >>> >>> RFC 6125 attempts to generalize the guidance from RFC 2818 and many >>> similar specs for use by new application protocols. Given that OAuth as >>> defined by the core spec runs over HTTP, I think referencing RFC 2818 >>> would make sense. So something like: >>> >>> The client MUST validate the authorization server's >>> TLS certificate in accordance with the rules for >>> server identity authentication provided in Section 3.1 >>> of [RFC2818]. >>> >>> Peter >>> >>> -- >>> Peter Saint-Andre >>> https://stpeter.im/ >>> >>> >>> _______________________________________________ >>> OAuth mailing list >>> OAuth@ietf.org >>> https://www.ietf.org/mailman/listinfo/oauth >
smime.p7s
Description: S/MIME cryptographic signature
_______________________________________________ OAuth mailing list OAuth@ietf.org https://www.ietf.org/mailman/listinfo/oauth
