Dear all,
I would like to clarify and agree with John Bradley that there is a confusion
here.
In the setting that I was discussing in my presentation, I was looking at
OpenID Connect, where we have:
An end-user with his user agent (browser) that wishes to log in at an RP
service (and this
On 07/08/17 19:09, Salz, Rich wrote:
>> A while ago, if I'm not mistaken, I glimpsed some report of vulnerabilities
>> caused by incorrect public key comparison.
> There was a recent issue raised by Hanno about incorrect public/private key
> matching leading to incorrect revocation of a certific
On 07/08/17 18:53, John Bradley wrote:
> The AS always gets the client cert from the TLS stack. Validating the
> certificate chain is something people get wrong all the time. However, that
> is what the DN names are for. Using those requires validating the certs.
For the self-signed certs (pu
This is a classic case for the BCP:
https://bitbucket.org/connect2id/nimbus-jose-jwt/issues/230/x5c-path-validation
The developer expects that checking the signature of a JWT with a given JWK
will also validate the x5c of the JWK. How the developer obtained the
JWK in the first place is not clear fro
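The two points raised in this thread, that a public key comparison has to compare the whole key and that verifying a JWS signature against a JWK says nothing about the JWK's x5c, can be shown in one program. The Go code below is an added example written for this page; it is not code from the thread, from the nimbus-jose-jwt project, or from the linked issue. Everything in it is constructed: the `JWK` type (a subset of RFC 7517), the root CA and the `rp.example` leaf certificate it issues, the key and claim names, and `jwsHash`, which hashes the JWS signing input for an ES256 header. It uses the standard library's ASN.1-encoded ECDSA signatures as a stand-in for the raw r||s encoding a real ES256 JWS carries, since the encoding does not change what a signature check consults. `validateX5C` is the step a JWS signature check does not perform: it builds the x5c chain to a trusted root and then compares the leaf certificate's key with the key the JWK's x and y parameters describe, using `PublicKey.Equal` rather than a curve name or a fingerprint.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// JWK is the RFC 7517 subset used here: P-256 x/y plus an optional x5c chain
// (DER certificates in standard base64, leaf first). Constructed for this example.
type JWK struct {
	Kty, Crv, X, Y string
	X5c            []string
}

func b64url(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

func newKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// newCert issues a certificate for key; a nil parent means self-signed (constructed fixture).
func newCert(key *ecdsa.PrivateKey, cn string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) *x509.Certificate {
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, BasicConstraintsValid: true, IsCA: isCA}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der) // DER produced on the line above; cannot fail
	return cert
}

// jwkFor publishes pub with chain in x5c. keyFromJWK reads back only x and y,
// which is all a plain JWS signature check ever consults.
func jwkFor(pub *ecdsa.PublicKey, chain ...*x509.Certificate) JWK {
	j := JWK{Kty: "EC", Crv: "P-256", X: b64url(pub.X.FillBytes(make([]byte, 32))), Y: b64url(pub.Y.FillBytes(make([]byte, 32)))}
	for _, c := range chain {
		j.X5c = append(j.X5c, base64.StdEncoding.EncodeToString(c.Raw))
	}
	return j
}

func keyFromJWK(j JWK) (*ecdsa.PublicKey, error) {
	xb, errX := base64.RawURLEncoding.DecodeString(j.X)
	yb, errY := base64.RawURLEncoding.DecodeString(j.Y)
	if errX != nil || errY != nil || j.Kty != "EC" || j.Crv != "P-256" {
		return nil, errors.New("unsupported or malformed JWK")
	}
	return &ecdsa.PublicKey{Curve: elliptic.P256(), X: new(big.Int).SetBytes(xb), Y: new(big.Int).SetBytes(yb)}, nil
}

// jwsHash hashes the JWS signing input base64url(header) "." base64url(payload).
func jwsHash(claims string) []byte {
	h := sha256.Sum256([]byte(b64url([]byte(`{"alg":"ES256","typ":"JWT"}`)) + "." + b64url([]byte(claims))))
	return h[:]
}

// validateX5C is the step a signature check does not perform: verify the x5c
// chain to a trusted root, then confirm the leaf holds exactly the JWK's key.
func validateX5C(j JWK, roots *x509.CertPool) error {
	var der []byte
	for _, s := range j.X5c {
		b, err := base64.StdEncoding.DecodeString(s)
		if err != nil {
			return err
		}
		der = append(der, b...)
	}
	certs, err := x509.ParseCertificates(der) // x5c entries are DER, leaf first
	if err != nil || len(certs) == 0 {
		return errors.New("x5c missing or unparseable")
	}
	inter := x509.NewCertPool()
	for _, c := range certs[1:] {
		inter.AddCert(c)
	}
	opts := x509.VerifyOptions{Roots: roots, Intermediates: inter, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	if _, err := certs[0].Verify(opts); err != nil {
		return fmt.Errorf("x5c chain: %w", err)
	}
	jwkKey, err := keyFromJWK(j)
	if err != nil {
		return err
	}
	// Compare the whole key value; a curve name or a truncated fingerprint is not a key comparison.
	if leafKey, ok := certs[0].PublicKey.(*ecdsa.PublicKey); !ok || !leafKey.Equal(jwkKey) {
		return errors.New("x5c leaf key differs from the JWK x/y key")
	}
	return nil
}

// Result records what each check decides for the constructed scenario.
type Result struct {
	HonestSig, HonestChain     bool // expected true, true
	MismatchSig, MismatchChain bool // expected true, false: the signature alone proves nothing about x5c
	UntrustedChain             bool // expected false: self-signed, chains to no trusted root
}

// Scenario builds a root CA and an RP leaf under it, then an honest JWK, a JWK
// that reuses the RP's genuine x5c with a different key, and a self-signed JWK.
func Scenario() Result {
	caKey, rpKey, otherKey := newKey(), newKey(), newKey()
	ca := newCert(caKey, "Example Root (constructed)", true, nil, nil)
	rp := newCert(rpKey, "rp.example", false, ca, caKey)
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	honest, mismatch := jwkFor(&rpKey.PublicKey, rp, ca), jwkFor(&otherKey.PublicKey, rp, ca)
	hPub, _ := keyFromJWK(honest)   // JWKs built above; decoding cannot fail
	mPub, _ := keyFromJWK(mismatch)
	digest := jwsHash(`{"iss":"rp.example"}`)
	// ASN.1 ECDSA signatures stand in for the r||s encoding of a real ES256 JWS;
	// either way the verification consults nothing but the public key.
	hSig, _ := ecdsa.SignASN1(rand.Reader, rpKey, digest)
	mSig, _ := ecdsa.SignASN1(rand.Reader, otherKey, digest)
	self := newCert(otherKey, "rp.example", false, nil, nil)
	return Result{
		HonestSig: ecdsa.VerifyASN1(hPub, digest, hSig), HonestChain: validateX5C(honest, roots) == nil,
		MismatchSig: ecdsa.VerifyASN1(mPub, digest, mSig), MismatchChain: validateX5C(mismatch, roots) == nil,
		UntrustedChain: validateX5C(jwkFor(&otherKey.PublicKey, self), roots) == nil,
	}
}

func main() {
	fmt.Printf("%+v\n", Scenario())
}
```

Running it prints one `Result` line: the honest JWK passes both checks; the JWK that carries a genuine x5c next to a different x/y key still passes the signature check and is caught only by the chain build plus the `Equal` comparison; the self-signed JWK fails because its chain ends at nothing in the root pool. In a deployment the root pool holds whatever CA the AS or RP actually trusts, and the key comparison is what ties the key that verified the JWS to the certificate that was validated.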