[Openid-specs-ab] OpenID Connect Federation updated in preparation for third Implementer’s Draft review

Roland Hedberg roland at catalogix.se
Thu Jul 1 06:36:40 UTC 2021



> On 30 Jun 2021, at 12:18, Pawel Kowalik <pawel.kowalik at ionos.com> wrote:
> 
> > It also means that the specification allows the leaf entity to update its metadata without asking all its superiors if it can.
> True and this is fine in many respects when it comes to "technical" metadata, like encryption, capabilities etc.
> I think it's not fitting well when it comes to trust related information, which can be expected to be vetted by the federation in some way.

Trust as defined in the specification on to encompass trust in that the information you receive is what was sent by another entity to you and that the other entity belongs to a specific federation.

If the federation has other rules around trust issues like having everyone sign an legal agreement or rules about every 
intermediate promising to vet their subordinates metadata that has been defined to outside the specification.

We where looking at the least common denominator.

> > Whether that is how it will work in reality is anyones guess. In some contexts it’s absolutely OK in other maybe not.
> > It’s your choice the specification doesn’t force you to do it in one specific way.
> The issue I see is that by not allowing metadata object in the case of sub != iss it's difficult to express trusted relations other than binary: is part of federation or not.
> It can also be that the trust is not in the scope of Federations spec, or metadata is not the right place to express it.
> From my perspective trust is an important part of any Federation and we should think how the specification can support it the best way.

For every federation I’ve been involved in trust has been important.
And it’s been expressed in signed documents processes for verification of compliance.
What’s also true is that everyone does things a bit differently.

> > Now if an intermediate feels responsible for it’s subordinates I would expect it to regularly check that the subordinates metadata
> > is within the prescribed boundaries.
> Yes, this is possible, as well as it's possible to express things via metadata_policy.
> None of these approaches is straightforward and IMHO an expression of an intermediate to tell sth about subordinate could be more direct and simple.


I don’t think it would be simpler.

- Roland

Otium cum dignitate - latin proverb

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openid.net/pipermail/openid-specs-ab/attachments/20210701/db9c3485/attachment.html>


More information about the Openid-specs-ab mailing list