Privacy implications of OAuth-MTLS due to TLS 1.2 sending client certs unencrypted

Issue #184 closed
Joseph Heenan created an issue

This blog post has appeared recently:

https://blog.funkthat.com/2018/10/tls-client-authentication-leaks-user.html

Assuming it is correct, this seems to have implications for privacy when following the FAPI specs, particularly part 2. Probably mainly in the case where a mobile device is doing dynamic client registration. We should probably mention this privacy consideration.

Comments (7)

  1. Tom Jones

    I don't see Nat's comments on KYC. Legally KYC only applies to depository institutions, although it seems like other cash transfer companies got included in the Patriot Act in the US. This is for money laundering issues and privacy is explicitly prohibited there. It was not meant to apply to payment initiators, but it seems that the UKOB and PSD2 have sucked all that into their protocols. As I have said elsewhere, these two efforts are not going to help the user in any way. Privacy is just a part of that problem.

  2. Nat Sakimura
    • changed status to open

    TLS certs are in general provided as part of renegotiation and thus get encrypted. For the case with TPP, it does not matter.

  3. Nat Sakimura

    The above comment is not accurate.

    TLS 1.3 should have fixed this issue. Perhaps we can weaken the requirement for the servers to support TLS 1.2.

    Add statement in Privacy considerations.

    There is a mention in the RFC, so we can close it.
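An added example, not code from this issue or the linked blog post, illustrating the point behind the thread: a small scanner that walks the client-to-server bytes of a TLS session and reports whether a Certificate handshake message was readable without decryption, which is the case for TLS 1.2 and not for TLS 1.3. The two sample flows are constructed to show the two cases; real use would feed it the payload of a captured client-to-server stream.

```python
# Added example, not from the linked issue or blog post. Walks the
# client-to-server bytes of a TLS session and reports any Certificate
# handshake message (type 11) carried in an unencrypted handshake record
# (content type 22): that is how TLS 1.2 sends the client certificate,
# whereas TLS 1.3 puts it inside encrypted application_data records.
import struct

CONTENT_HANDSHAKE = 22
HS_CLIENT_HELLO = 1
HS_CERTIFICATE = 11


def plaintext_handshake_types(stream: bytes) -> list:
    """Handshake message types visible without decrypting anything."""
    types, offset = [], 0
    while offset + 5 <= len(stream):
        ctype, _version, rlen = struct.unpack("!BHH", stream[offset:offset + 5])
        body = stream[offset + 5:offset + 5 + rlen]
        offset += 5 + rlen
        if ctype != CONTENT_HANDSHAKE:
            continue  # ChangeCipherSpec, alert or encrypted data: opaque here
        pos = 0
        while pos + 4 <= len(body):
            types.append(body[pos])
            pos += 4 + int.from_bytes(body[pos + 1:pos + 4], "big")
    return types


def leaks_client_cert(stream: bytes) -> bool:
    """True when a Certificate message could be read off the wire."""
    return HS_CERTIFICATE in plaintext_handshake_types(stream)


def record(ctype: int, payload: bytes) -> bytes:
    """Build one TLS record with legacy version 1.2 (constructed test helper)."""
    return struct.pack("!BHH", ctype, 0x0303, len(payload)) + payload


def handshake(hs_type: int, body: bytes) -> bytes:
    """Build one handshake message: type byte plus 24-bit length."""
    return bytes([hs_type]) + len(body).to_bytes(3, "big") + body


# Constructed client flows (not real captures). TLS 1.2: ClientHello, then
# Certificate in the clear, then ChangeCipherSpec. TLS 1.3: ClientHello, the
# middlebox-compatibility ChangeCipherSpec, then the Certificate encrypted.
CLIENT_HELLO = record(CONTENT_HANDSHAKE, handshake(HS_CLIENT_HELLO, b"\x03\x03" + b"\x00" * 40))
TLS12_FLOW = (CLIENT_HELLO
              + record(CONTENT_HANDSHAKE, handshake(HS_CERTIFICATE, b"<client cert DER>"))
              + record(20, b"\x01"))
TLS13_FLOW = CLIENT_HELLO + record(20, b"\x01") + record(23, b"<encrypted Certificate>")
```

Running `leaks_client_cert` on the two flows shows the TLS 1.2 stream exposing the certificate and the TLS 1.3 stream not, which is the reason the thread considers dropping the TLS 1.2 requirement.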
