OpenBanking-Brasil / specs-seguranca

Documentation for the specifications of the Open Banking Brasil Security Working Group (GT de Segurança). The specifications are still drafts and must not be used for implementation.

Question: client validation in the DCR process #74

Closed msauaia closed 3 years ago

msauaia commented 3 years ago

In the DCR client registration process, the authentication mechanism must validate the client through the SSA together with the client certificate presented in the mTLS, correct?

Will this validation occur more specifically through the validation of the fields software_client_id, extracted in the SSA, and tls_client_auth_subject_dn, extracted in the client's certificate?

One last question, should tls_client_auth_subject_dn contain which OID defined in the certificate standard? Would it be the UID (OID 0.9.2342.19200300.100.1.1)?

RalphBragg commented 3 years ago

1. That's correct.
2. The client_id is the client id that is used by the directory for the client; you should use software_id, which is the CN of the certificate issued by ICP and the cnpj.
3. It should contain the entire DN of the certificate as per https://datatracker.ietf.org/doc/html/rfc8705 which references https://datatracker.ietf.org/doc/html/rfc4517. Because Brazil specifies OIDs that were not included in RFC4517, the specification explicitly requires banks to accept the subject dn in the short name, i.e. not OIDs. This requirement is made in open-banking-brasil-dynamic-client-registration-1_ID1.html#section-7.1.2

RalphBragg commented 3 years ago

This will be covered further in the ASPSP user guide.

DeiGratia33 commented 3 years ago

The current certificate standard, for the client (transport) certificate does not include custom OIDs. The Software Statement ID is included at the UID (OID 0.9.2342.19200300.100.1.1).
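
As an added example, not code from this thread or from the Open Banking Brasil specs, the Python below does the two checks the answers above describe on a DCR request: it compares the `tls_client_auth_subject_dn` from the request with the subject of the mTLS certificate the client presented, accepting either the short-name form the DCR specification requires banks to accept or the dotted-OID/hex form RFC 4514 prescribes for attribute types it has no short name for, and it extracts the UID attribute (OID 0.9.2342.19200300.100.1.1) from the certificate subject so it can be matched against the software statement id. The DN strings, the SSA value and all function names are constructed for the example; the whitespace-collapsing, case-insensitive value comparison is a simplification of the RFC 4517 caseIgnoreMatch rule, and only UTF8String, PrintableString and IA5String hex values are decoded.

```python
import re
from typing import Dict, List, Optional

# RFC 4514 / RFC 4519 short names for attribute types a client certificate subject
# commonly carries. 0.9.2342.19200300.100.1.1 is UID, which the thread says holds
# the software statement id in the transport certificate.
OID_TO_SHORT = {
    "2.5.4.3": "CN", "2.5.4.5": "serialNumber", "2.5.4.6": "C", "2.5.4.7": "L",
    "2.5.4.8": "ST", "2.5.4.10": "O", "2.5.4.11": "OU", "2.5.4.15": "businessCategory",
    "0.9.2342.19200300.100.1.1": "UID",
}
SHORT_CANON = {v.lower(): v for v in OID_TO_SHORT.values()}
# DER string tags decoded from the "#hex" value form: UTF8String, PrintableString, IA5String.
_STRING_TAGS = {0x0C: "utf-8", 0x13: "ascii", 0x16: "ascii"}


def _split_unescaped(text: str, sep: str) -> List[str]:
    """Split on `sep` characters that are not backslash-escaped (escapes are kept)."""
    parts, current, escaped = [], [], False
    for ch in text:
        if escaped:
            current.append(ch); escaped = False
        elif ch == "\\":
            current.append(ch); escaped = True
        elif ch == sep:
            parts.append("".join(current)); current = []
        else:
            current.append(ch)
    parts.append("".join(current))
    return parts


def _unescape(value: str) -> str:
    """Undo RFC 4514 escaping: backslash-quoted specials and \\XX hex pairs."""
    out, i = bytearray(), 0
    while i < len(value):
        if value[i] == "\\" and i + 1 < len(value):
            if re.fullmatch(r"[0-9A-Fa-f]{2}", value[i + 1:i + 3]):
                out.append(int(value[i + 1:i + 3], 16)); i += 3
            else:
                out.extend(value[i + 1].encode("utf-8")); i += 2
            continue
        out.extend(value[i].encode("utf-8")); i += 1
    return out.decode("utf-8")


def _decode_hex_value(hex_value: str) -> str:
    """Decode the "#<hex DER>" value form (used with dotted-OID types) to its string."""
    der = bytes.fromhex(hex_value[1:])
    tag, length, pos = der[0], der[1], 2
    if length & 0x80:  # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(der[2:2 + n], "big"), 2 + n
    if tag not in _STRING_TAGS:
        raise ValueError(f"unsupported DER string tag 0x{tag:02x}")
    return der[pos:pos + length].decode(_STRING_TAGS[tag])


def _canonical_type(attr_type: str) -> str:
    t = attr_type.strip()
    if re.fullmatch(r"\d+(\.\d+)+", t):
        return OID_TO_SHORT.get(t, t)  # unknown OIDs stay as dotted strings
    return SHORT_CANON.get(t.lower(), t.lower())


def _canonical_value(value: str) -> str:
    raw = _decode_hex_value(value) if value.startswith("#") else _unescape(value)
    return " ".join(raw.split()).casefold()  # simplified caseIgnoreMatch (RFC 4517)


def parse_dn(dn: str) -> List[Dict[str, str]]:
    """Parse an RFC 4514 string into a list of RDNs ({type: value}) in string order."""
    rdns = []
    for rdn in _split_unescaped(dn, ","):
        attrs = {}
        for ava in _split_unescaped(rdn, "+"):
            attr_type, eq, value = ava.partition("=")
            if not eq:
                raise ValueError(f"malformed attribute: {ava!r}")
            attrs[_canonical_type(attr_type)] = _canonical_value(value.strip())
        rdns.append(attrs)
    return rdns


def dn_matches(request_dn: str, cert_dn: str) -> bool:
    """True when tls_client_auth_subject_dn and the presented certificate subject agree."""
    return parse_dn(request_dn) == parse_dn(cert_dn)


def software_statement_uid(cert_dn: str) -> Optional[str]:
    """UID attribute (software statement id) of a subject DN, canonicalised, or None."""
    for rdn in parse_dn(cert_dn):
        if "UID" in rdn:
            return rdn["UID"]
    return None


def uid_matches_ssa(cert_dn: str, ssa_software_id: str) -> bool:
    return software_statement_uid(cert_dn) == ssa_software_id.casefold()


# Constructed sample values (not real registrations). Both DNs describe the same subject:
# the request carries the short-name form, the certificate is rendered in OID/hex form.
REQUEST_DN = "UID=1234,CN=12345678000195,O=Acme Ltda,C=BR"
CERT_DN_OID = ("0.9.2342.19200300.100.1.1=#0c0431323334,2.5.4.3=#130e3132333435363738303030313935,"
               "2.5.4.10=#130941636d65204c746461,2.5.4.6=#13024252")
SSA_SOFTWARE_ID = "1234"

if __name__ == "__main__":
    print("subject DN matches:", dn_matches(REQUEST_DN, CERT_DN_OID))
    print("UID matches SSA:", uid_matches_ssa(CERT_DN_OID, SSA_SOFTWARE_ID))
```

In a real registration endpoint the certificate subject comes from the TLS layer (the peer certificate of the completed mTLS handshake) and the software statement id from the SSA after its signature has been verified; the comparison logic stays the same, and a mismatch on either check should reject the registration.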

ediemerson-br commented 3 years ago

If you have further questions, you can create a service desk ticket. https://servicedesk.openbankingbrasil.org.br/Login.jsp