Validate the incoming TLS connection against the incoming DAT #439
Comments
|
Would have to be specified here first (can't identify a matching claim): https://github.com/International-Data-Spaces-Association/IDS-G/tree/main/Components/IdentityProvider/DAPS#request-token-that-is-handed-in-at-daps-side |
|
I think it's an ongoing discussion?! |
|
Waiting for a reference implementation in EDC as this is on the schedule there for current milestone planning. Will then adapt that here when the solution is available. (Issue 1152 in EDC) |
|
For reference, here is the current proposal for specifying the claims as a request parameter (private repo): |
|
Here's the link to the EDC issue, which is part of the Milestone 4 for the end of the month: |
Currently, the Messaging Services only validates whether the DAT is correct and valid. However, the identity of the sender is not validated.
To do this, the transportCertsSha256 from the DAT must be matched with the fingerprint of the TLS certificate.
Therefore the IDS-Messaging Services (and also all other IDS implementations) must dynamically specify their TLS certifacte fingerprint in a DAT request so that the DAT is issued correctly. The DAT is returned only if the identity of the sender has been validated by the DAPS. Therefore, by matching the DAT with the transport certificate fingerprint, we can ensure, that the identity is checked by the DAPS.
Additionally, the hostname specified under referring Connector in the DAT should match the hostname of the TLS connection. This should also be checked.
The text was updated successfully, but these errors were encountered: