In our OIDC specs, we highlighted the importance of not pinning TLS leaf certificates on the various endpoints in the OIDC flow. Here's why:
- TLS certificates have a set expiry date and they are meant to be rotated regularly.
- Certificates are revoked and reissued for any number of reasons before the expiry dates.
- When this happens, and if your network depends on leaf certificate pinning to establish connections with Singpass/Myinfo endpoints, your service will be disrupted.
So what should you do instead?
- The preferred way is to trust all certificates issued by established Certificate Authorities (CAs). Singpass is based on AWS and AWS is the issuing CA for its TLS certificates.
- If you must maintain your own trust store and operate based on whitelisting, you should add the AWS root certs to your trust store (available at https://amazontrust.com/repository/) and configure your network to trust certificates that chain to these root certs.
In summary, we are unable to give advance notice to our partners for TLS certificate rotation, which is a routine maintenance activity. Relying Parties (RPs) are advised to take measures to prevent service disruptions arising from pinning of leaf certificates.
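The Go program below is an added illustration, not code from the Singpass/Myinfo specs or from AWS. It builds a constructed root CA in memory (a stand-in for the AWS roots linked above; no real certificates are used), issues a leaf certificate for an assumed hostname `api.example.test`, "pins" that leaf by its SHA-256 fingerprint, then rotates to a second leaf under the same root. It then shows that the pin rejects the rotated certificate while a trust store holding only the root still accepts it.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"fmt"
	"math/big"
	"time"
)

// MakeRoot builds a self-signed CA certificate. Constructed for this example;
// it stands in for a root downloaded from https://amazontrust.com/repository/.
func MakeRoot(name string) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(10 * 365 * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// IssueLeaf issues a short-lived server certificate for host under root.
// A fresh key and serial per call models the routine rotation described above.
func IssueLeaf(root *x509.Certificate, rootKey *ecdsa.PrivateKey, host string, serial int64) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(90 * 24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, root, &key.PublicKey, rootKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// Fingerprint is the SHA-256 of the DER certificate: the value a leaf pin stores.
func Fingerprint(c *x509.Certificate) string {
	sum := sha256.Sum256(c.Raw)
	return hex.EncodeToString(sum[:])
}

// LeafPinAccepts models leaf pinning: only the exact pinned certificate passes.
func LeafPinAccepts(pinned string, presented *x509.Certificate) bool {
	return Fingerprint(presented) == pinned
}

// ChainAccepts models the recommended policy: any valid server certificate for
// host that chains to a root in the trust store passes, whatever its leaf key.
func ChainAccepts(roots *x509.CertPool, host string, presented *x509.Certificate) bool {
	_, err := presented.Verify(x509.VerifyOptions{
		Roots:     roots,
		DNSName:   host,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err == nil
}

// SimulateRotation pins the first leaf, rotates to a second one under the same
// root, and reports (pinStillAccepts, chainStillAccepts) for the rotated leaf.
func SimulateRotation(host string) (bool, bool, error) {
	root, rootKey, err := MakeRoot("Example Root CA (constructed)")
	if err != nil {
		return false, false, err
	}
	roots := x509.NewCertPool()
	roots.AddCert(root) // the RP's trust store: root only, no leaf
	leaf1, err := IssueLeaf(root, rootKey, host, 1001)
	if err != nil {
		return false, false, err
	}
	pinned := Fingerprint(leaf1) // what a pinning RP would hard-code
	leaf2, err := IssueLeaf(root, rootKey, host, 1002) // the rotated certificate
	if err != nil {
		return false, false, err
	}
	return LeafPinAccepts(pinned, leaf2), ChainAccepts(roots, host, leaf2), nil
}

func main() {
	pinOK, chainOK, err := SimulateRotation("api.example.test")
	if err != nil {
		panic(err)
	}
	fmt.Printf("after rotation: leaf pin accepts=%v, chain validation accepts=%v\n", pinOK, chainOK)
}
```

`ChainAccepts` still rejects a certificate issued by a CA that is not in the pool, and one whose SAN does not match the endpoint hostname, so moving from leaf pins to root trust does not weaken validation; it only removes the dependency on a specific short-lived key.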