Require HSTS for authorization server

Comments (15)

1. 

   Joseph Heenan reporter

   • edited description

   • 2019-12-18T14:50:57+00:00
2. 

   Joseph Heenan reporter

   Not sure if there’s already tickets about other websec hygiene type factors, but it also seems worthy to mention:

   1. DNSSEC
   2. Certificate pinning (which in turn would mean the AS owner needs to communicate how a cert should be pinned), or alternatively using ecosystem specific roots/CAs (as OB UK did, but I believe eIDAS etc probably derailed their efforts).

   ‌

   • 2020-01-28T13:20:18+00:00
3. 

   Tom Jones

   there is an existing openID draft spec to handle this sort of information, it is the entity statement in the federation spec.

   • 2020-01-28T19:33:49+00:00
4. 

   Joseph Heenan reporter

   Hi Tom, that appears to be a third option (a JWKS based trust chain) rather than describing either how to communicate pinning or ecosystem specific PKI, did I miss anything?

   • 2020-01-29T14:52:24+00:00
5. 

   Tom Jones

   you can send the leaf node without any chain - i am doing that in a system i am building

   • 2020-02-02T02:46:26+00:00
6. 

   Daniel Fett

   HSTS is interesting in particular for connections by browsers. Server-to-server communication should be limited to TLS-only anyway.

   DNSSEC makes sense for all endpoints to protect against rogue domain-validated certificates and to provide additional protection in case of TLS failures.

   I added a section re HSTS and DNSSEC to FAPI 2.0 Baseline.

   Certificate pinning is interesting for server-to-server comms, but HPKP in browsers is dead. I’m not sure what the concrete advice would be.

   • 2020-03-03T12:34:46+00:00
7. 

   Nat Sakimura

   For 1.0, put it in the Security Consideration as a recommendation (should).

   For 2.0, consider making it a requirement (shall).

   • 2020-03-04T14:33:11+00:00
8. 

   Nat Sakimura

   • changed status to open

   • 2020-04-15T14:40:28+00:00
9. 

   Nat Sakimura

   Assigned to Daniel.

   • 2020-04-15T14:42:25+00:00
10. 

    Dave Tonge

    • assigned issue to

    • 2020-05-13T14:26:23+00:00
11. 

    Daniel Fett

    See https://bitbucket.org/openid/fapi/pull-requests/164/add-dnssec-and-hsts-considerations

    • 2020-06-02T11:14:48+00:00
12. 

    Dave Tonge

    • changed status to resolved

    PR merged in

    • 2020-07-15T13:47:58+00:00
13. 

    Nat Sakimura

    • changed component to Part 2: Advanced

    • 2022-12-14T15:36:13+00:00
14. 

    Nat Sakimura

    • changed component to FAPI 1 – Part 2: Advanced

    • 2022-12-14T15:36:47+00:00
15. 

    Nat Sakimura

    • changed component to FAPI 1: Advanced

    • 2022-12-14T15:38:56+00:00
16. Log in to comment