[Federation] Omission of trust chain validation in the case of PAR + self-signed certificate

Issue #1597 resolved
Takahiko Kawasaki created an issue

The section “Using Pushed Authorization” of OpenID Connect Federation 1.0 says as follows.

Note that if mTLS is used, TLS client authentication MUST be configured and, in case of self-signed certificates, the server must omit Trust Chain validation.

Why does trust chain validation have to be omitted in the case of PAR + self-signed certificate? It seems to me that omission of trust chain validation is kind of a security hole, isn’t it?

Comments (6)

  1. Giuseppe De Marco

    I don't see how the trust chain shouldn't be evaluated with a self-signed certificate.

    @Roland Hedberg is this a typo, did you mean certificate chain?
