openid / OpenID4VP


Support for RP authentication with X.509 certificates that do not contain a DNS name #320

Open martijnharing opened 1 day ago

martijnharing commented 1 day ago

The specification currently does not support RP authentication with X.509 certificates that do not have a DNS name.

There can be multiple reasons why an RP may not have a DNS name in their certificates; examples include re-using an existing certificate that does not have a DNS name, an RP certificate issuer that does not want to or cannot verify the binding to a DNS name, or using the same certificate for in-person as well as remote use.

Two possible solutions are to add another client identifier scheme, or to not use a client_id when such a certificate is used.

bc-pi commented 1 day ago

What about the x509_san_uri Client Identifier Scheme?

martijnharing commented 16 hours ago

x509_san_uri has the same issues as x509_san_dns since the same reasons why an RP certificate may not have a DNS name can also apply to a URI.
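To make the SAN-matching rule behind both schemes concrete, here is an added example of the verifier-side check (not code from the specification or this repository). It assumes the scheme is signalled separately from the client_id, as the client_id_scheme request parameter does, and builds constructed self-signed leaf certificates in place of the leaf a verifier would take from the request's x5c chain; the certificate with no SAN at all is the case this issue raises, where neither x509_san_dns nor x509_san_uri can match.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"errors"
	"math/big"
	"net/url"
)

// NewLeaf builds a constructed self-signed RP certificate with the given SANs (nil for none).
func NewLeaf(dnsNames []string, uris []*url.URL) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), DNSNames: dnsNames, URIs: uris}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// CheckClientID applies the x509_san_dns / x509_san_uri rule: client_id must equal a SAN
// of the matching type in the leaf. Chain validation to a trust anchor is a separate step.
func CheckClientID(scheme, clientID string, leaf *x509.Certificate) error {
	var sans []string
	switch scheme {
	case "x509_san_dns":
		sans = leaf.DNSNames
	case "x509_san_uri":
		for _, u := range leaf.URIs {
			sans = append(sans, u.String())
		}
	default:
		return errors.New("unsupported client identifier scheme: " + scheme)
	}
	if len(sans) == 0 { // the case this issue is about: no SAN of the needed type at all
		return errors.New(scheme + ": leaf certificate carries no SAN of the required type")
	}
	for _, s := range sans {
		if s == clientID {
			return nil
		}
	}
	return errors.New(scheme + ": client_id does not match any SAN")
}
```

A distinct "no SAN of the required type" error lets a verifier log this configuration problem separately from an ordinary client_id mismatch.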