Closed reinkrul closed 1 year ago
Analysing pros and cons of using PKIOverheid Private Services or publicly trusted CAs:
We originally wanted to use the auth.publicurl
endpoint (meant for public access to auth means services, by mobile devices/browsers) since it's already there and configured, but that means we'll be used publicly trusted CA anchors. Unless we ask parties to configure TLS renegotiation on their reverse proxies to support multiple server certificates on the same server+port, but that's going be really inconventient.
Parties already have a PKIOverheid Private Services HTTP endpoint for the existing OAuth2 flows (everything under /n2n
), so PKIo Private or publicly trusted CA are probably equally easy to setup on another endpoint.
Leftover considerations:
Options:
Given how well understood OAuth2 and OpenID are, I think we can build a safe enough implementation, it'll just take more effort. We can refer to documented threat models, e.g. https://www.rfc-editor.org/rfc/rfc6819
@woutslakhorst @stevenvegt
I think OIDC is supposed to be 'open', so no client certificates. We mainly use the PKIOverheid certs for accountability, blocking and as a delaying factor when blocked.
Main security concern would be DoS style attacks for the credential_offer endpoint. An offer isn't signed so it can be spoofed and then if enough are sent, the DB can be overloaded. If this can't be secured then PKIOverheid is still needed.
I think OIDC is supposed to be 'open', so no client certificates. We mainly use the PKIOverheid certs for accountability, blocking and as a delaying factor when blocked.
Main security concern would be DoS style attacks for the credential_offer endpoint. An offer isn't signed so it can be spoofed and then if enough are sent, the DB can be overloaded. If this can't be secured then PKIOverheid is still needed.
We could do client authentication, with client_id (e.g. lookup issuer in Nuts registry, or some other means for other clients)
We could do client authentication, with client_id (e.g. lookup issuer in Nuts registry, or some other means for other clients)
I do not believe the offer uses access tokens?
We could do client authentication, with client_id (e.g. lookup issuer in Nuts registry, or some other means for other clients)
I do not believe the offer uses access tokens?
Indeed, I was confused.
After discussion:
/public
says that an interaction between user and issuer is already underway. This hints on an existing security session. solutions for us:
Discussed this today, considerations:
Decision: all OpenID4VCI endpoints will require the Nuts node certificate (PKIOverheid Private Services). They will be put under the /n2n
interface.
See last comment for solution: move to /n2n
There currently is no trust store configured, so it falls back to the OS certbundle.
We should decide which certificates parties should use to secure their OIDC4VCI endpoints and integrate the correct trust store.
Also consider integrating CRL validation.