View Issue Details

ID: 0009795
Project: 10000-004: Services
Category: Spec
View Status: public
Last Update: 2024-08-22 09:29
Reporter: Martin Regen
Assigned To:
Priority: normal
Severity: minor
Reproducibility: sometimes
Status: new
Resolution: open
Product Version: 1.05.03
Summary: 0009795: Clarify how the client should validate the application uri
Description

Currently the text in https://reference.opcfoundation.org/Core/Part4/v105/docs/5.4.1 states:
A Client shall be careful when using the information returned from a DiscoveryEndpoint since it has no security. A Client does this by comparing the information returned from the DiscoveryEndpoint to the information returned in the CreateSession response. A Client shall verify that:

The ApplicationUri specified in the Server Certificate is the same as the ApplicationUri provided in the EndpointDescription.

The topic was discussed in the sec group on August 21st 2024:
The text above should mention that the application Uri to compare with the cert should be the one returned in the create session response, and not the one returned from the discovery endpoint.

Is the check still a shall?
Can the check be ignored?
If yes, when can the check be ignored?

Steps To Reproduce

.NET client implemented it in https://github.com/OPCFoundation/UA-.NETStandard/pull/2583
but checked the discovered server description. It caused a lot of IOP issues.

Fix: Moving check after the endpoint check of the create session response.

Tags: No tags attached.
Commit Version
Fix Due Date

Activities

There are no notes attached to this issue.

Issue History

Date Modified Username Field Change
2024-08-22 09:29 Martin Regen New Issue
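
An added example, not part of the issue report and not the UA-.NETStandard code, of the check order the report describes: the certificate's ApplicationUri is compared with the EndpointDescription from the CreateSession response, and the value seen on the unsecured DiscoveryEndpoint is not used for that comparison. The Endpoint class, the function name and all URIs are constructed for illustration; certificate parsing is assumed to have happened already, and exact string comparison is an assumption.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Endpoint:
    """Reduced EndpointDescription: only the fields this check needs."""
    endpoint_url: str
    security_policy_uri: str
    application_uri: str  # EndpointDescription.server.applicationUri

class ApplicationUriMismatch(Exception):
    """The server certificate does not carry the endpoint's ApplicationUri."""

def check_application_uri(cert_uris, session_endpoints, selected):
    """Return the verified ApplicationUri or raise ApplicationUriMismatch.

    cert_uris:         URI entries of the server certificate's subjectAltName
    session_endpoints: serverEndpoints from the CreateSession response
    selected:          endpoint the client chose from the discovery result
    """
    # Locate the endpoint in use inside the CreateSession response. Only the
    # URL and security policy come from `selected`; its application_uri is
    # deliberately ignored because the DiscoveryEndpoint has no security.
    in_use = [e for e in session_endpoints
              if (e.endpoint_url, e.security_policy_uri)
              == (selected.endpoint_url, selected.security_policy_uri)]
    if not in_use:
        raise ApplicationUriMismatch("endpoint in use not in CreateSession response")
    for e in in_use:
        # Assumption: exact, case-sensitive string comparison.
        if e.application_uri not in cert_uris:
            raise ApplicationUriMismatch(
                f"{e.application_uri!r} not in certificate URIs {sorted(cert_uris)}")
    return in_use[0].application_uri

# Constructed sample data (not taken from the issue).
POLICY = "http://opcfoundation.org/UA/SecurityPolicy#Basic256Sha256"
URL = "opc.tcp://plc01.example:4840"
CERT_URIS = {"urn:plc01.example:Vendor:Server"}
DISCOVERED = Endpoint(URL, POLICY, "urn:localhost:Vendor:Server")
SESSION_ENDPOINTS = [Endpoint(URL, POLICY, "urn:plc01.example:Vendor:Server")]

if __name__ == "__main__":
    print(check_application_uri(CERT_URIS, SESSION_ENDPOINTS, DISCOVERED))
```

With the constructed data, the check passes even though the discovery result carries a different ApplicationUri, and it fails when the CreateSession response itself disagrees with the certificate.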