bc-pi
commented
1 day ago What about the x509_san_uri Client Identifier Scheme?
Open martijnharing opened 1 day ago
bc-pi
commented
1 day ago What about the x509_san_uri Client Identifier Scheme?
martijnharing
commented
16 hours ago x509_san_uri has the same issues as x509_san_dns since the same reasons why an RP certificate may not have a DNS name can also apply to a URI.
The specification currently does not support RP authentication with X.509 certificates that do not have a DNS name.
There can be multiple reasons why an RP may not have a DNS name in their certificates, examples include re-using an existing certificate that does not have a DNS name, an RP certificate issuer that does not want or cannot verify binding to a DNS name or using the same certificate for in-person as well as remote.
Two possible solutions are to add another client identifier scheme, or to not use a client_id when such a certificate is used.