Privacy implications of OAuth mTLS due to TLS 1.2 sending client certs unencrypted
Issue #184
closed
This blog post has appeared recently:
https://blog.funkthat.com/2018/10/tls-client-authentication-leaks-user.html
Assuming it is correct this seems to have implications for privacy when following the FAPI specs, particularly part 2. Probably mainly in the case where a mobile device is doing dynamic client registration. We should probably mention this privacy consideration.
Comments (7)
- changed status to open
TLS certs are in general provided as part of re-negotiation and thus get encrypted. For the case with TPP, it does not matter.
- changed status to closed
The above comment is not accurate.
TLS 1.3 should have fixed this issue. Perhaps we can weaken the requirement for the servers to support TLS 1.2.
Add statement in Privacy considerations.
There is a mention in the RFC, so we can close it.
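To make the point of the thread concrete, here is an added example (not code from the FAPI project or from the linked blog post) that scans a captured TLS byte stream and reports any certificate handshake messages that are readable without decryption. A TLS 1.2 client Certificate message travels in a plaintext handshake record, so a passive observer on the path can recover it; in TLS 1.3 the same message is carried inside an encrypted record and the scan finds nothing. The sample records and the certificate bytes are constructed placeholders, not real captures.

```python
import struct

CT_HANDSHAKE = 0x16        # TLS record content type: handshake (plaintext in 1.2)
CT_APPDATA = 0x17          # TLS record content type used for encrypted 1.3 records
HS_CERTIFICATE = 11        # handshake message type: Certificate


def iter_records(data: bytes):
    """Yield (content_type, legacy_version, payload) for each TLS record."""
    off = 0
    while off + 5 <= len(data):
        ctype, ver, length = struct.unpack("!BHH", data[off:off + 5])
        off += 5
        yield ctype, ver, data[off:off + length]
        off += length


def plaintext_certificates(data: bytes):
    """Return the DER blobs of every Certificate message sent in the clear.

    Only unencrypted handshake records (content type 0x16) are parsed, which
    is exactly where TLS 1.2 puts the client certificate. Encrypted records
    (content type 0x17, as in TLS 1.3) are opaque and are skipped, so an
    empty result means no certificate was exposed to the network."""
    found = []
    for ctype, _ver, payload in iter_records(data):
        if ctype != CT_HANDSHAKE:
            continue
        off = 0
        while off + 4 <= len(payload):          # walk handshake messages
            hs_type = payload[off]
            hs_len = int.from_bytes(payload[off + 1:off + 4], "big")
            body = payload[off + 4:off + 4 + hs_len]
            off += 4 + hs_len
            if hs_type != HS_CERTIFICATE or len(body) < 3:
                continue
            end = 3 + int.from_bytes(body[:3], "big")   # certificate_list
            pos = 3
            while pos + 3 <= min(end, len(body)):       # length-prefixed DER entries
                clen = int.from_bytes(body[pos:pos + 3], "big")
                found.append(body[pos + 3:pos + 3 + clen])
                pos += 3 + clen
    return found


def build_record(ctype: int, payload: bytes) -> bytes:
    """Wrap a payload in a TLS record header (legacy version 0x0303)."""
    return struct.pack("!BHH", ctype, 0x0303, len(payload)) + payload


def build_certificate_message(certs) -> bytes:
    """Build a TLS 1.2 Certificate handshake message from DER blobs."""
    entries = b"".join(len(c).to_bytes(3, "big") + c for c in certs)
    body = len(entries).to_bytes(3, "big") + entries
    return bytes([HS_CERTIFICATE]) + len(body).to_bytes(3, "big") + body


# Constructed sample data: a placeholder "certificate" and two captured flights.
SAMPLE_CERT = b"\x30\x82\x00\x08" + b"CLIENTCA"            # not a real DER cert
TLS12_CLIENT_FLIGHT = build_record(CT_HANDSHAKE, build_certificate_message([SAMPLE_CERT]))
TLS13_CLIENT_FLIGHT = build_record(CT_APPDATA, b"\x00" * 40)  # ciphertext, opaque

if __name__ == "__main__":
    print("TLS 1.2 exposed certs:", plaintext_certificates(TLS12_CLIENT_FLIGHT))
    print("TLS 1.3 exposed certs:", plaintext_certificates(TLS13_CLIENT_FLIGHT))
```

Running the same scan over a real capture of a TLS 1.2 mTLS handshake will show the client's certificate, which for a per-user dynamically registered mobile client is a stable user identifier.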
- changed component to Part 2: Advanced
- changed component to FAPI 1 – Part 2: Advanced
- changed component to FAPI 1: Advanced
I don't see Nat's comments on KYC. Legally KYC only applies to depository institutions, although it seems like other cash transfer companies got included in the Patriot Act in the US. This is for money laundering issues, and privacy is explicitly prohibited there. It was not meant to apply to payment initiators, but it seems that the UKOB and PSD2 have sucked all that into their protocols. As I have said elsewhere, these two efforts are not going to help the user in any way. Privacy is just a part of that problem.