So I reviewed the security considerations text which basically says that the server can avoid being spoofed by managing its set of trust anchors. The text is better than nothing.

However this led me to ask another question about the use of SubjectDN as an identifier for the subject in client metadata: don't we expect certificates to be issued as short-term credentials from an STS-like thing? If so the SubjectDN is probably going to change every time the STS gets called (say by including a serial number) and such a SubjectDN probably isn't the best thing to put in client metadata. Would it make sense to make it possible to identify subjects based on (say) SubjectAltName as an alternative for this case?

I don't want to hold up the process on this but I'm curious if this has been raised or just overlooked...?

Cheers Leif

_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
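To make the concern concrete, here is an added illustration that is not code from the thread or from the OAuth draft it discusses: a stand-in for the STS issues two short-lived, self-signed certificates whose Subject differs only by a per-issuance serialNumber attribute, and a server matching on the registered Subject DN string rejects the re-issued one while a match on a registered SAN dNSName still succeeds. The ClientMetadata field names, the serial-number-in-Subject convention and the self-signed issuance are assumptions made for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// ClientMetadata holds the two candidate identifiers from the thread (field names assumed).
type ClientMetadata struct {
	SubjectDN string // fixed Subject DN string, as a subject-DN metadata field would carry
	SANDNS    string // SAN dNSName, the alternative the message proposes
}

// issueShortLived mimics an STS: a fresh short-term cert per call, Subject stamped with a per-issuance serialNumber, SAN kept constant.
func issueShortLived(cn, sanDNS string, issuance int64) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(issuance), DNSNames: []string{sanDNS},
		Subject:      pkix.Name{CommonName: cn, SerialNumber: big.NewInt(issuance).String()},
		NotBefore:    time.Now(), NotAfter: time.Now().Add(10 * time.Minute),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// MatchBySubjectDN compares the full Subject DN string registered in metadata.
func MatchBySubjectDN(cert *x509.Certificate, md ClientMetadata) bool {
	return cert.Subject.String() == md.SubjectDN
}

// MatchBySAN accepts any certificate carrying the registered dNSName in its SANs.
func MatchBySAN(cert *x509.Certificate, md ClientMetadata) bool {
	for _, name := range cert.DNSNames {
		if name == md.SANDNS {
			return true
		}
	}
	return false
}
```

Registering the DN string taken from the first certificate and then presenting the second shows the mismatch the message predicts, while the SAN check passes for both issuances.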