[Openid-specs-ab] Issue #2100: Federation Historical Keys (openid/connect)

David W Chadwick issues-reply at bitbucket.org
Sun Dec 3 17:50:02 UTC 2023


New issue 2100: Federation Historical Keys
https://bitbucket.org/openid/connect/issues/2100/federation-historical-keys

David W Chadwick:

A superior entity publishes the keys of its subordinate entity in the Entity Statement that it signs for its subordinate. Therefore historical keys should be published by superior entities and not by the entities themselves. Section 7.6 says “Each Federation Entity MAY publish its previously used Federation Entity Keys at the historical keys endpoint”. This is wrong and it opens up the possibility of an attack. A fake entity statement can be published now, and the key can be published at the historical keys endpoint. No-one can tell this is fake because the superior is publishing a different key now for this entity.
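To make the trust question concrete, the following is an added example written for this discussion (not code from the issue, the specification or any OpenID Federation library). It models two verifier behaviours in Python: one that accepts historical keys the entity publishes about itself, and one that only accepts keys the superior has attested in a signed statement. The federation data, the `historical_keys` claim name and the HMAC-based signing are all constructed stand-ins for the real JWS/JWKS mechanics; `iss` and `sub` are the only claim names taken from the spec.

```python
import hashlib
import hmac
import json

# Toy model, constructed for this example: HMAC-SHA256 stands in for an
# asymmetric JWS signature, so a "published key" here is the value a verifier
# checks the tag with. The trust logic is the point, not the primitive.


def _canonical(payload):
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()


def sign(payload, kid, secret):
    """Return a signed 'statement': payload plus the kid and tag that signed it."""
    tag = hmac.new(secret.encode(), _canonical(payload), hashlib.sha256).hexdigest()
    return {"payload": payload, "kid": kid, "sig": tag}


def verify(statement, trusted_keys):
    """True if the statement's kid is in trusted_keys (kid -> secret) and the tag matches."""
    secret = trusted_keys.get(statement["kid"])
    if secret is None:
        return False
    expected = hmac.new(secret.encode(), _canonical(statement["payload"]),
                        hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, statement["sig"])


# --- constructed federation ------------------------------------------------
TA_KEY = ("ta-2023", "trust-anchor-secret")
SUB_OLD = ("sub-2021", "subordinate-old-secret")       # legitimately rotated out
SUB_CUR = ("sub-2023", "subordinate-current-secret")   # current key
ATTACKER = ("sub-2019", "attacker-secret")             # never issued to the subordinate

# Entity Statement the superior signs for its subordinate: the current key plus,
# as this issue proposes, the subordinate's historical keys (claim name assumed).
SUPERIOR_STATEMENT = sign(
    {"iss": "https://ta.example", "sub": "https://sub.example",
     "jwks": {SUB_CUR[0]: SUB_CUR[1]},
     "historical_keys": {SUB_OLD[0]: SUB_OLD[1]}},
    *TA_KEY)

# Historical keys endpoint under the subordinate's own control, as Section 7.6
# allows. Whoever controls that endpoint can list any key they like.
SELF_PUBLISHED_HISTORY = {SUB_OLD[0]: SUB_OLD[1], ATTACKER[0]: ATTACKER[1]}

# A statement signed with the genuinely rotated key, and a fake one signed with a
# key the superior never attested but which appears in the self-published history.
GENUINE_OLD_STATEMENT = sign(
    {"iss": "https://sub.example", "sub": "https://sub.example", "iat": 1620000000}, *SUB_OLD)
FAKE_STATEMENT = sign(
    {"iss": "https://sub.example", "sub": "https://sub.example", "iat": 1600000000}, *ATTACKER)


def keys_from_superior(superior_statement, ta_keys):
    """Keys the superior attests for the subordinate, current and historical.
    Returns {} if the superior's statement itself fails to verify."""
    if not verify(superior_statement, ta_keys):
        return {}
    p = superior_statement["payload"]
    return {**p.get("jwks", {}), **p.get("historical_keys", {})}


def verify_self_attested(statement):
    """Section 7.6 behaviour as the issue describes it: current key from the
    superior, historical keys from the entity's own endpoint."""
    current = {SUB_CUR[0]: SUB_CUR[1]}
    return verify(statement, {**current, **SELF_PUBLISHED_HISTORY})


def verify_superior_attested(statement):
    """Proposed behaviour: accept only keys the superior has signed for, now or
    historically, after verifying the superior's statement under the TA key."""
    trusted = keys_from_superior(SUPERIOR_STATEMENT, {TA_KEY[0]: TA_KEY[1]})
    return verify(statement, trusted)


if __name__ == "__main__":
    for name, stmt in (("genuine old", GENUINE_OLD_STATEMENT), ("fake", FAKE_STATEMENT)):
        print(f"{name}: self-attested={verify_self_attested(stmt)} "
              f"superior-attested={verify_superior_attested(stmt)}")
```

The genuine rotated-key statement verifies under both policies; the fake one verifies only under the self-attested policy, which is the gap the issue describes. Note that `keys_from_superior` returns an empty set when the superior's statement does not verify, so a tampered superior statement yields no trusted keys rather than falling back to the entity's own claims.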


