[Openid-specs-ab] federation spec

Roland Hedberg roland at catalogix.se
Tue Oct 30 20:29:13 UTC 2018

The format of authority_hints is <superior>: [*<trust_root>]

So you should be able to figure out which paths you need to walk by checking if one of your trusted roots is in the list of roots for a specific superior.

The format was chosen specifically to aid in the weeding out of unusable paths (paths ending in trust roots you don’t trust).

> On 30 Oct 2018, at 19:34, Nick Roy via Openid-specs-ab <openid-specs-ab at lists.openid.net> wrote:
> Taking this back to the list because I am not an expert at this point.
> Good point about DoS - Roland and Andreas, it would be really nice to know what federation(s) you are working with before you have to walk the tree. Any thoughts about that?
> Nick
> On 30 Oct 2018, at 12:25, Tom Jones wrote:
> Yes, I know that it is possible to find the root, but I want to know before I even start doing any crypto.
> That method is too prone to DoS attacks.
> I must get delayed email from oid as I have yet to see his response.
> Peace ..tom
> On Tue, Oct 30, 2018 at 11:22 AM Nick Roy <nroy at internet2.edu> wrote:
> Hi Tom,
> We won’t start implementing this within Internet2 quite yet. I need to free up some of my time to work on federation operation requirements/tooling needs, but I am still working on that (I hired two new people to take over federation operations, but they are still getting up to speed). I believe there are others at GÉANT who will implement it sooner. Looping in Davide Vaghetti from Consortium GARR/GÉANT to let you know about their plans.
> As Roland said in his reply to you on the list, the Federation Operator still exists in version 5. You discover the FO by walking the signed statement tree to its root, if I recall.
> Best,
> Nick
> On 30 Oct 2018, at 12:18, Tom Jones wrote:
> > Nick: Nice chatting with you at IIW. I reviewed draft 5 again and could not
> > determine why they think trust model and federation office should be
> > removed. I think we will stick with draft 4 now.
> > I also didn't see any version or other doc id.
> > I will use a mandatory field stating both version and FO in the body of the
> > json.
> > something like this
> > ver:OID FED 0.04
> > fo:IDEF
> >
> > How has the Internet2 version progressed?
> >
> > Peace ..tom

— Roland

The higher up you go, the more mistakes you are allowed. Right at the top, if you make enough of them, it's considered to be your style. 
-Fred Astaire, dancer, actor, singer, musician, and choreographer (10 May 1899-1987)
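
Added example, not part of the original thread or of the specification: the pre-filter described in the message above, in Python, picking which superiors are worth walking from authority_hints before any statement is fetched or any signature is checked. The function name, the cap on superiors and the example.org/.com/.net entity identifiers are assumptions, and a superior with an empty root list is treated here as unusable.

```python
import json

MAX_SUPERIORS = 16  # assumed cap: bounds the work one untrusted statement can trigger


def usable_superiors(authority_hints, trusted_roots, max_superiors=MAX_SUPERIORS):
    """Return {superior: [trusted roots it claims to lead to]}.

    Pure data filtering: no network access and no crypto happen here.
    The hints only prune paths; every path kept must still be verified
    by walking and checking the signed statements up to the root.
    """
    if not isinstance(authority_hints, dict):
        raise ValueError("authority_hints must be a JSON object")
    if len(authority_hints) > max_superiors:
        raise ValueError("too many superiors in authority_hints")
    trusted = set(trusted_roots)
    keep = {}
    for superior, roots in authority_hints.items():
        if not isinstance(roots, list) or not all(isinstance(r, str) for r in roots):
            raise ValueError(f"malformed root list for {superior!r}")
        matches = sorted(trusted.intersection(roots))
        if matches:  # paths ending only in roots we do not trust are dropped
            keep[superior] = matches
    return keep


# Constructed sample statement body (not taken from any real federation).
SAMPLE = json.loads("""
{
  "authority_hints": {
    "https://org.example.com": ["https://fed-a.example.org", "https://fed-b.example.net"],
    "https://other.example.net": ["https://fed-c.example.net"],
    "https://empty.example.org": []
  }
}
""")

TRUSTED = {"https://fed-a.example.org"}

if __name__ == "__main__":
    for superior, roots in usable_superiors(SAMPLE["authority_hints"], TRUSTED).items():
        print("walk", superior, "towards", ", ".join(roots))
```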
