[Openid-specs-ab] OpenID Connect Federation draft 09 ready for your review

Roland Hedberg roland at catalogix.se
Fri Nov 1 14:22:22 UTC 2019

Hi Marcos,

Sorry about the delay in answering.

I’ll take your issues a few at a time.

> On 29 Oct 2019, at 16:43, Marcos Sanz via Openid-specs-ab <openid-specs-ab at lists.openid.net> wrote:
> Issues
> - Section 2.1, about "aud": it leaves open the value of "aud" to be 
> something other than the entity identifier of the audience, and I wouldn't 
> see room for that. Section 6.1.1 clearly calls "aud" to be "The entity 
> identifier of the requester. ". I'd change the sentence in 2.1 to the 
> following: "If present, the entity identifier for that entity MUST appear 
> in this claim".


> - Section 2.1, "metadata": It says "If the entity is a non-leaf entity it 
> MUST contain a metadata object with a federation_entity object inside". 
> This leaves open if a _leaf entity_ is allowed to publish a metadata with 
> a "federation_entity' inside. This is specially relevant now that section 
> 3.6 has defined leaf entities to be also participants of the federation. 
> Btw: the example in section 2.1 is lacking the now mandatory metadata 
> element.

This has to be rewritten.

First, I think we better refer to the ’subject’ instead of the ’entity’.

Secondly, whether there MUST be a ’metadata’ claim or not depends on the relationship between the
issuer and the subject. Two cases:

(1) If the entity statement is issued by an entity about itself (iss == sub) then there MUST be a
’metadata’ claim, and
(a) if the subject is NOT a _leaf entity_, the ’metadata’ claim MUST have a ’federation_entity’ object inside;
(b) if the subject is a _leaf entity_, the ’metadata’ claim MAY contain a ’federation_entity’ object inside.

Non-leaf entities MUST publish the federation API endpoint somewhere, and that somewhere is
inside a ’federation_entity’ object inside a ’metadata’ object.

A self-issued entity statement by a _leaf entity_ MUST NOT contain a ’metadata_policy’ claim,
because it does not make any sense to have one.

(2) If the issuer and the subject are not the same entity (iss != sub) then the entity statement
MAY contain ’metadata’ and ’metadata_policy’ claims.
The entity statement will contain a ’metadata_policy’ claim if the issuer wants to publish a metadata policy for
a specific branch of the federation (the one that starts with the subject).
If it doesn’t want to publish any policy, it MUST omit ’metadata_policy’ from the statement.
The entity statement MAY contain a ’metadata’ claim if the issuer wants to take every opportunity
to publish information about itself. Normally it would suffice to wait for the requester of the entity statement
to ask for a new self-issued entity statement by the issuer, but in some cases, like key rotation,
it might be wise to grab every chance to publish changed information.

> - Section 2.1: "metadata_policy": It says "If the metadata type identifier 
> is federation_entity, then the policy MUST be applied to the immediate 
> subordinate in the trust chain _unless that is a leaf entity_". Again: 
> leaf entities are now also federation entities. The exclusion seems a bit 
> arbitrary to me (see point before).

Right!

-- Roland
"Education is the path from cocky ignorance to miserable uncertainty.” - Mark Twain
