On 07/08/17 19:09, Salz, Rich wrote:

>> A while ago, if I'm not mistaken, I glimpsed some report of vulnerabilities
>> caused by incorrect public key comparison.

> There was a recent issue raised by Hanno about incorrect public/private key
> matching leading to incorrect revocation of a certificate; was that what you
> were thinking of?

Thanks Rich, I was able to find it now. The issue apparently affects public/private key matching, not public/public key matching, so it shouldn't be a concern for mTLS:

https://blog.hboeck.de/archives/888-How-I-tricked-Symantec-with-a-Fake-Private-Key.html

Vladimir
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth