[Openid-specs-ab] OpenID Connect Federation draft 09 ready for your review

Marcos Sanz sanz at denic.de
Wed Nov 6 12:38:03 UTC 2019


> > ok, I see. Similarly to what RFC 5280 does, though, I'd expect the
> > Consumer to be explicitly configured with both, the TA-identifier and its
> > public key, and not only the latter like the document currently does (at
> > least, that's what it looks like to me).
> 
> Ah, sorry, I thought that went without saying. But one should be explicit
> about these things.

I agree. In that case I would suggest changing the final algorithm step
in 7.2 from

* For j == i: verify the signature with the configured public key of the
trust anchor.

to something like

* For j == i: verify that a) the issuer matches the configured identifier
of a trust anchor and b) its signature is valid with the likewise
configured public key of said trust anchor.

> > > Well, it all starts with the TA. If you don’t trust the TA then you’re
> > > smoked.
> > > The Federation spec hinges on the fact that you do trust the TA.
> 
> > I see it exactly the other way round: you start with a self-signed leaf
> > statement and you walk your way up the trust chain via auth_hints *hoping
> > to find* a TA.
> 
> I wasn’t talking about the process of gathering the trust chain.
> Indeed what you’re describing is exactly how it must be done.
> 
> What I was alluding to was that if you don’t trust the trust anchor that you
> find at the end of a chain, then of course you can’t trust the trust
> chain.

Absolutely. That also goes without saying ;-)

Best,
Marcos

