View Issue Details

ID: 0009427
Project: 10000-007: Profiles
Category: Spec
View Status: public
Last Update: 2024-03-12 15:58
Reporter: Randy Armstrong
Assigned To: Randy Armstrong
Priority: normal
Severity: minor
Reproducibility: have not tried
Status: closed
Resolution: fixed
Product Version: 1.05.03
Target Version: 1.05.04 RC1
Summary: 0009427: Security – No Application Authentication needs to require client authentication.
Description

The CU needs to be updated to state explicitly that clients are required to verify that they trust the Server before sending any user credential information.

Add text:

The Client shall not send any secrets associated with credentials to any Server which it cannot authenticate.
This would allow the use of user certificate tokens but preclude the use of username tokens or issued tokens that are not bound to the Client certificate.

Tags: No tags attached.
Commit Version
Fix Due Date

Activities

Randy Armstrong

2024-02-16 10:57

administrator   ~0020841

https://profiles.opcfoundation.org/conformanceunit/3781 (Draft)

The Client shall not send secrets associated with credentials to any Server which it cannot authenticate and trust.
This would allow the use of Certificate tokens but preclude the use of Username tokens or Issued tokens that are not bound to the Client certificate.

Jim Luth

2024-03-12 15:58

administrator   ~0020896

We moved this CU to the Server category and added a note to the CU to state this exception to authenticate is only for Servers.

Issue History

Date Modified Username Field Change
2024-02-16 10:52 Randy Armstrong New Issue
2024-02-16 10:57 Randy Armstrong Assigned To => Randy Armstrong
2024-02-16 10:57 Randy Armstrong Status new => resolved
2024-02-16 10:57 Randy Armstrong Resolution open => fixed
2024-02-16 10:57 Randy Armstrong Note Added: 0020841
2024-03-12 15:58 Jim Luth Status resolved => closed
2024-03-12 15:58 Jim Luth Note Added: 0020896