Require HSTS for authorization server
Discussion on today’s call mentioned that some analysis of FAPI assume that HTTP Strict Transport Security is enabled for the authorization server, to prevent some attacks like user’s clicking through warnings about invalid TLS certificates in some scenarios.
This isn’t mentioned in FAPI currently. Daniel mentioned he saw this as basic web security. Dave checked several UK banks and it appeared that several hadn’t enabled HSTS.
We should probably add text to FAPI requiring HSTS. This should probably apply to web based clients as well?
Comments (15)
-
reporter: Not sure if there are already tickets about other websec hygiene type factors, but it also seems worthy to mention:
- DNSSEC
- Certificate pinning (which in turn would mean the AS owner needs to communicate how a cert should be pinned), or alternatively using ecosystem specific roots/CAs (as OB UK did, but I believe eIDAS etc probably derailed their efforts).
-
there is an existing openID draft spec to handle this sort of information, it is the entity statement in the federation spec.
-
reporter: Hi Tom, that appears to be a third option (a JWKS based trust chain) rather than describing either how to communicate pinning or ecosystem specific PKI, did I miss anything?
-
You can send the leaf node without any chain; I am doing that in a system I am building.
-
HSTS is interesting in particular for connections by browsers. Server-to-server communication should be limited to TLS-only anyway.
DNSSEC makes sense for all endpoints to protect against rogue domain-validated certificates and to provide additional protection in case of TLS failures.
I added a section re HSTS and DNSSEC to FAPI 2.0 Baseline.
Certificate pinning is interesting for server-to-server comms, but HPKP in browsers is dead. I’m not sure what the concrete advice would be.
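As an added example (not code from this thread or from the FAPI drafts), a checker for the Strict-Transport-Security header an authorization server returns, validated against RFC 6797 the way a "shall/should enable HSTS" clause would need to be tested; the one-year floor is an assumption, and the header values it is run on are constructed.

```python
# Added example (not FAPI or thread code): audit an authorization server's
# Strict-Transport-Security header value against RFC 6797. Inputs are constructed.
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class HstsResult:
    enabled: bool                   # would a browser actually enforce the policy?
    max_age: Optional[int] = None
    include_subdomains: bool = False
    problems: list = field(default_factory=list)

def parse_hsts(value: str) -> tuple:
    """Split 'max-age=31536000; includeSubDomains' into a directive map. Names are
    case-insensitive, values may be quoted, and a repeated directive makes the
    whole header invalid (RFC 6797 s6.1), so it is reported."""
    directives, problems = {}, []
    for raw in value.split(";"):
        raw = raw.strip()
        if not raw:
            continue
        name, sep, val = raw.partition("=")
        name = name.strip().lower()
        if name in directives:
            problems.append(f"duplicate directive {name!r}; user agents ignore the header")
            continue
        directives[name] = val.strip().strip('"') if sep else None
    return directives, problems

def check_hsts(header: Optional[str], min_max_age: int = 31536000) -> HstsResult:
    """Evaluate the header an AS returned on an HTTPS response (None: no header sent).
    The one-year floor (31536000 s) is an assumed policy minimum, not a FAPI value."""
    if header is None:
        return HstsResult(enabled=False, problems=["no Strict-Transport-Security header"])
    directives, problems = parse_hsts(header)
    res = HstsResult(enabled=not problems, problems=problems)
    age = directives.get("max-age")
    if age is None or not age.isdigit():
        res.problems.append("max-age missing or non-numeric; user agents ignore the header")
        res.enabled = False
    else:
        res.max_age = int(age)
        if res.max_age == 0:  # a valid way to revoke a policy, not to enforce one
            res.problems.append("max-age=0 tells user agents to forget the policy")
            res.enabled = False
        elif res.max_age < min_max_age:
            res.problems.append(f"max-age {res.max_age}s is below the {min_max_age}s floor")
    res.include_subdomains = "includesubdomains" in directives
    if not res.include_subdomains:
        res.problems.append("includeSubDomains absent; other hosts under the AS domain stay exposed")
    return res
```

Run `check_hsts` against the header value captured from the AS's HTTPS authorization or token endpoint; a result with `enabled` false, or with any entry in `problems`, is what the proposed FAPI text would flag.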
-
For 1.0, put it in the Security Consideration as a recommendation (should).
For 2.0, consider making it a requirement (shall).
-
- changed status to open
-
Assigned to Daniel.
-
- assigned issue to
-
- changed status to resolved
PR merged in
-
- changed component to Part 2: Advanced
-
- changed component to FAPI 1 – Part 2: Advanced
-
- changed component to FAPI 1: Advanced