[Federation] optional_no_ca

Issue #1510 resolved
Takahiko Kawasaki created an issue

A paragraph in Section 10.1.1.2 of OpenID Connect Federation 1.0 mentions optional_no_ca in an abrupt manner like below.

Note that if mTLS is used, TLS client authentication MUST be configured and, in case of self-signed certificates, the server must omit trust chain validation (optional_no_ca).

optional_no_ca has a meaning in the ngx_http_ssl_module for NGINX and the mod_ssl module for Apache. However, I’m not sure that optional_no_ca is generic enough to be referenced in the OIDC Federation spec without any explanation. Shouldn’t the spec mention ngx_http_ssl_module/NGINX and mod_ssl/Apache in some way or other?
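Since the spec leaves optional_no_ca unexplained, the following NGINX fragment shows what the directive actually configures in ngx_http_ssl_module and what it leaves to the application. This is an added example, not text from the spec or from this issue; the hostname, file paths and upstream address are assumed. The Apache mod_ssl equivalent is SSLVerifyClient optional_no_ca.

```nginx
# Added example (not from the spec or the issue): what "optional_no_ca"
# means in NGINX and what the application behind it must then do.

server {
    listen 443 ssl;
    server_name op.example.org;                      # assumed hostname

    ssl_certificate     /etc/nginx/tls/server.crt;   # assumed paths
    ssl_certificate_key /etc/nginx/tls/server.key;

    # Request a client certificate in the TLS handshake, but do NOT reject
    # the connection when it fails to chain to a trusted CA. This is the
    # setting the spec points at for self-signed client certificates.
    # Unlike "ssl_verify_client on", no ssl_client_certificate (CA bundle)
    # is needed, and NGINX no longer proves anything about the certificate.
    ssl_verify_client optional_no_ca;

    location /token {
        # Hand the raw handshake facts to the application, which must now
        # do the binding itself: compare the presented certificate with the
        # one registered for that client (e.g. by fingerprint) instead of
        # relying on a CA chain that was deliberately not checked.
        #
        # proxy_set_header overwrites any same-named header a client sends,
        # so the upstream can trust these values came from NGINX.
        #
        # With a self-signed certificate $ssl_client_verify typically reads
        # "FAILED:self signed certificate"; under optional_no_ca that is
        # expected and is not by itself an authentication failure.
        proxy_set_header X-SSL-Client-Verify      $ssl_client_verify;       # NONE / SUCCESS / FAILED:<reason>
        proxy_set_header X-SSL-Client-Cert        $ssl_client_escaped_cert; # URL-encoded PEM
        proxy_set_header X-SSL-Client-Fingerprint $ssl_client_fingerprint;  # SHA-1 hex
        proxy_pass http://127.0.0.1:8080;                                   # assumed upstream
    }
}
```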

Comments (4)

  1. Roland Hedberg

    I agree it’s not generic enough. My bad.

    The easiest remedy is to remove optional_no_ca completely.
