IAS4ProfileValidator: validate if initiator party ID, signature certificate and TLS client certificate match #182
Comments
koes-soptim
added a commit
to koes-soptim/phase4
that referenced
this issue
Oct 17, 2023
…ficate and TLS client certificate match phax#182
phax
added a commit
that referenced
this issue
Oct 24, 2023
…d_sigCert_tlsCert IAS4ProfileValidator: new validation, relates to #182
|
Thanks, the PR was included basically as-is. Will be part of the 2.5.0 release |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Hi,
for security reasons, it would be very helpful (especially for the BDEW profile) if
IAS4ProfileValidatorcould validate the following:In any given UserMessage, the ID of the initiator party, the ID in the signature certificate (market participant ID in the OU part) and the ID in the TLS client certificate (also OU part) should match. This is an implicit requirement of the BDEW AS4 profile. I think this could be also helpful for other profiles.
I'll suggest a potential solution (via pull request) for
BDEWCompatibilityValidatorin a few minutes. Would be very grateful if you'd take a look at it.Edit:
It is a requirement by the BSI that the OU (organisational unit) part in the subject DN of the certificates is filled with the market participant ID. (see BSI PKI Certificate Policy Appendix A.3)
The text was updated successfully, but these errors were encountered: