Require HSTS for authorization server

Issue #274 resolved
Joseph Heenan created an issue

Discussion on today’s call mentioned that some analysis of FAPI assume that HTTP Strict Transport Security is enabled for the authorization server, to prevent some attacks like user’s clicking through warnings about invalid TLS certificates in some scenarios.

This isn’t mentioned in FAPI currently. Daniel mentioned he saw this as a basic web security. Dave checked several UK banks and it appeared it several hadn’t enabled HSTS.

We should probably add text to FAPI requiring HSTS. This should probably apply to web based clients as well?

Comments (12)

  1. Joseph Heenan reporter

    Not sure if there’s already tickets about other websec hygiene type factors, but it also seems worthy to mention:

    1. DNSSEC
    2. Certificate pinning (which in turn would mean the AS owner needs to communicate how a cert should be pinned), or alternatively using ecosystem specific roots/CAs (as OB UK did, but I believe eIDAS etc probably derailed their efforts).

  2. Tom Jones

    there is an existing openID draft spec to handle this sort of information, it is the entity statement in the federation spec.

  3. Joseph Heenan reporter

    Hi Tom, that appears to be a third option (a JWKS based trust chain) rather than describing either how to communicate pinning or ecosystem specific PKI, did I miss anything?

  4. Daniel Fett

    HSTS is interesting in particular for connections by browsers. Server-to-server communication should be limited to TLS-only anyway.

    DNSSEC makes sense for all endpoints to protect against rogue domain-validated certificates and to provide additional protection in case of TLS failures.

    I added a section re HSTS and DNSSEC to FAPI 2.0 Baseline.

    Certificate pinning is interesting for server-to-server comms, but HPKP in browsers is dead. I’m not sure what the concrete advice would be.

  5. Nat Sakimura

    For 1.0, put it in the Security Consideration as a recommendation (should).

    For 2.0, consider making it a requirement (shall).

  6. Log in to comment