Security considerations related to trusting the TLS certificate
Captured from https://github.com/solid/solid-oidc/pull/18/files#r781105146
@leifj: A general comment is that this is not strictly true. Since the AS fetches the WebID document of the user it relies on being able to trust the TLS certificate of the WebID URL. This implies that the AS shares a common trust-anchor with the OP. This assumption should at the very least be called out. There are deployment scenarios where trusting the "normal web trust anchors" (aka webpki) is not desirable.
@acoburn: It is true that the AS may share the same trust-anchor as the OP w.r.t. the TLS certificate chain. But that is different than relying on a pre-existing (direct) trust relationship between the AS and OP.
In other words, given a certificate chain X
AS --> trusts X cert chain
OP --> trusts X cert chain
But this does not imply
AS --> trusts OP
@leifj: Trust is in this case transitive. It is probably best to clarify this point in the text.
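The assumption under discussion, shown as an added example (not code from the solid-oidc project or from either commenter): the AS's WebID fetch verifies the TLS chain against whatever anchors its client context holds, so choosing the ambient webpki store versus a deployment-specific anchor set is an explicit decision, and neither choice by itself establishes trust in the OP. Function names and the Turtle Accept header are assumptions for illustration.

```python
import ssl
import urllib.request
from typing import Iterable

# Added example: which trust anchors govern the AS -> WebID TLS connection.
# Whether the OP itself is trusted is a separate question not answered here.


def webpki_context() -> ssl.SSLContext:
    """Trust the CA bundle the OS / Python ships (the 'normal web trust anchors')."""
    return ssl.create_default_context()


def pinned_context(anchor_pems: Iterable[str]) -> ssl.SSLContext:
    """Trust only the supplied CA certificates (PEM text); the system store is ignored."""
    # PROTOCOL_TLS_CLIENT enables CERT_REQUIRED and hostname checking by default
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    for pem in anchor_pems:
        ctx.load_verify_locations(cadata=pem)
    return ctx


def fetch_webid(webid_url: str, ctx: ssl.SSLContext, timeout: float = 5.0) -> bytes:
    """Retrieve the WebID document; the chain is verified against ctx's anchors only."""
    if not webid_url.startswith("https://"):
        raise ValueError("WebID must be fetched over HTTPS")
    req = urllib.request.Request(webid_url, headers={"Accept": "text/turtle"})
    with urllib.request.urlopen(req, timeout=timeout, context=ctx) as resp:
        return resp.read()


def trust_summary(ctx: ssl.SSLContext) -> dict:
    """Describe what this AS would accept when auditing the trust-anchor assumption."""
    return {
        "verify_required": ctx.verify_mode == ssl.CERT_REQUIRED,
        "hostname_checked": ctx.check_hostname,
        "anchor_count": len(ctx.get_ca_certs()),
    }
```

A `pinned_context` with no anchors accepts nothing, which makes the dependency on a shared anchor visible rather than implicit.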