[FAPI 2.0] Move "MTLS Protection of all endpoints" from [Message Signing] to [Security Profile]
I believe this section should be replicated, or moved to, FAPI 2.0 Security Profile. It is currently in FAPI 2.0 Message Signing.
https://openid.bitbucket.io/fapi/fapi-2_0-message-signing.html#name-mtls-protection-of-all-endp
Also, editorial: the private_key_jwt gets turned into privatekeyjwt with key in italics due to, well, markdown, and should probably be updated to be `private_key_jwt` (in backticks).
Comments (19)
-
I went looking on the open banking site for MTLS but found nothing. Is MTLS actually in live use anywhere?
-
I agree that this should be moved. I can’t find the Issue or PR for the original text - where did we agree to add this?
-
reporter @Daniel Fett the PR is https://bitbucket.org/openid/fapi/pull-requests/329
-
Discussed on today’s call, we agreed to move the text from message signing to security profile, but to do it after SP ID2 and MS ID1 are in process. (i.e. we want to make sure that in the implementer’s drafts we’re starting to vote on imminently that it appears in at least one of them)
-
reporter - changed milestone to FINAL
-
- changed component to FAPI2: Security Profile
-
Wait until message signing is published, then action this ticket
-
My brain randomly decided to recall a possible reason why we’d put this in message signing - I think there may have been logic that MTLS protection of all endpoints isn’t necessary to meet the FAPI2 Attacker Model, and the working group wanted to keep FAPI2 Security Profile as a highly interoperable profile with little optionality. Allowing people to MTLS protect all endpoints and still be considered compliant with “FAPI2 Security Profile” perhaps works against that aim.
-
reporter @Joseph Heenan That’s a good insight. Do you think it would be out of place in the Security Profile? Message Signing does not suggest that MTLS should be used everywhere and neither does this text. It feels more cautionary so I’d still side with placing it in the Security Profile.
-
- changed status to open
-
@Filip Skokan @Joseph Heenan what do you think we should do with this ticket?
-
reporter As per your previous message, when MS ID is released we’ll move (or replicate) this in SP.
-
We did get the MS ID out, so we probably could move it now.
-
- changed status to resolved
pr merged