Hi
In our implementation we support the following scenario:
- the client registers its public certificate during the client registration
- next, mutual/two-way TLS is used, so AccessTokenService tries to
figure out the client_id. At the moment it assumes the client_id is
(Java) X509Certificate
I can see your point, maybe the client_id will not be in the certificate.
If I had an AS I would select to trust one or several CAs and then create
certificate mappings between certificate serial number (or some other
unique attribute in the certificate) and client_id. If I were to bind a
specific
> In those circumstances, are the clients generally calling multiple
> different services? Or just one? For those that call multiple services,
> are they using multiple (different) client certificates?
Ah, good point. I hear you now. I personally like the idea of "one cert
per service" so I can selec
Jim,
In those circumstances, are the clients generally calling multiple different
services? Or just one? For those that call multiple services, are they using
multiple (different) client certificates?
I’m not saying the client would issue its own cert in all cases — much more
common is what I’
Thanks Justin. I use several security intel services and they all have
different cert delivery mechanisms for mutual TLS. It's •rare• for services to
let clients choose certs, they are usually assigned to users by each service
from my experience.
Aloha,
--
Jim Manico
@Manicode
Secure Coding Edu
Yes, I elided the certificate issuance process. The point remains the
same: you're not going to be submitting a CSR to the same party you're
getting your client_id from, usually. If the draft assumes that, then
it's incredibly limiting.
Do people really use separate TLS client certs for separ
Just to be clear, the relationship should be more like...
AS issues public key to clients, or client sends public key to AS. The
authority's job is NOT to give the client the public key, but to sign the
public key for authenticity. It's bad practice to accept the full cert (pub
key+signature) from
I agree that the client_id is unlikely to be found inside the
certificate itself. The client_id is issued by the authorization server
for the client to use at that single AS. The certificate is issued by
the CA for the client to use on any connection. The AS and CA are not
likely to be the same
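The approach sketched earlier in the thread (the AS trusts one or several CAs and keeps its own mapping from a unique certificate attribute to client_id, instead of expecting client_id inside the certificate) can be shown end to end in Go with the standard library's crypto/x509. The program below is an added example; it is not code from the thread, from the draft under discussion, or from any implementation mentioned in it. The Registry type, its NewRegistry/Register/ResolveClientID functions, the issue/NewTestCA/NewClientCert fixtures, the CA names and the client_id value are all constructed for the example. It goes one step beyond the message by keying the mapping on issuer DN plus serial number rather than serial alone, because serials are only unique per CA.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// certKey identifies a certificate by issuer DN plus serial number; serials are only unique within one CA.
type certKey struct{ issuer, serial string }

func keyOf(c *x509.Certificate) certKey {
	return certKey{issuer: c.Issuer.String(), serial: c.SerialNumber.Text(16)}
}

// Registry is the AS-side state assumed for this example: trusted CAs plus the mapping made at client registration.
type Registry struct {
	roots   *x509.CertPool
	clients map[certKey]string
}

func NewRegistry(trustedCAs ...*x509.Certificate) *Registry {
	pool := x509.NewCertPool()
	for _, ca := range trustedCAs {
		pool.AddCert(ca)
	}
	return &Registry{roots: pool, clients: map[certKey]string{}}
}

// Register stores the binding created during client registration.
func (r *Registry) Register(clientID string, cert *x509.Certificate) {
	r.clients[keyOf(cert)] = clientID
}

// ResolveClientID is what the token endpoint does after the mutual-TLS handshake: verify the chain
// to a trusted CA, then look the certificate up. client_id is never read out of the certificate.
func (r *Registry) ResolveClientID(presented *x509.Certificate) (string, error) {
	opts := x509.VerifyOptions{
		Roots:     r.roots,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	if _, err := presented.Verify(opts); err != nil {
		return "", fmt.Errorf("certificate not issued by a trusted CA: %w", err)
	}
	id, ok := r.clients[keyOf(presented)]
	if !ok {
		return "", fmt.Errorf("trusted certificate %x from %s is not registered", presented.SerialNumber, presented.Issuer)
	}
	return id, nil
}

// --- constructed fixtures: an in-memory CA and client certificates, not a real PKI ---
func check(err error) {
	if err != nil {
		panic(err)
	}
}
// issue generates a fresh P-256 key and signs tmpl with signer; a nil signer makes it self-signed.
func issue(tmpl, parent *x509.Certificate, signer *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	if signer == nil {
		parent, signer = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	check(err)
	cert, err := x509.ParseCertificate(der)
	check(err)
	return cert, key
}
func NewTestCA(name string) (*x509.Certificate, *ecdsa.PrivateKey) {
	return issue(&x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}, nil, nil)
}

func NewClientCert(ca *x509.Certificate, caKey *ecdsa.PrivateKey, serial int64, cn string) *x509.Certificate {
	cert, _ := issue(&x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}, ca, caKey)
	return cert
}

func main() {
	ca, caKey := NewTestCA("Example Trusted CA")
	reg, cert := NewRegistry(ca), NewClientCert(ca, caKey, 1001, "client-one")
	reg.Register("s6BhdRkqt3", cert) // constructed client_id, bound at registration time
	fmt.Println(reg.ResolveClientID(cert))
}
```

The lookup deliberately runs only after chain validation, so a certificate from an untrusted issuer that happens to carry a registered serial number never reaches the table. If the AS wants "some other unique attribute", the SHA-256 fingerprint of the DER encoding is the usual choice; it also survives a CA that reissues under the same serial, at the cost of re-registration when the client's certificate rolls over.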