[Openid-specs-ab] Issue #2094: Size explosion using trust_chain header (openid/connect)
Stefan Santesson
issues-reply at bitbucket.org
Thu Nov 16 13:14:40 UTC 2023
New issue 2094: Size explosion using trust_chain header
https://bitbucket.org/openid/connect/issues/2094/size-explosion-using-trust_chain-header
Stefan Santesson:
I see a potential serious problem with the trust_chain header and its potential to generate a size explosion due to its recursive application in headers.
Consider a chain of entity statements using a common TA: Leaf → IE3 → IE2 → IE1 → TA
If all these entities issue Entity Statement containing a trust_chain header size this could result in this:
IE1 Entity statement trust_chain header( TA1) → ES Size = 2 Entity statements
IE2 Entity statement trust_chain header( IE1(TA), TA) → ES Size = 4 Entity statements
IE3 Entity statement trust_chain header( IE2(IE1(TA), TA), IE1(TA), TA) → ES Size = 8 Entity statements
Full chain = Entity statements from Leaf + IE3 + IE2 + IE1 + TA → Chain size = 1 + 8 + 4 + 2 + 1 = 16 Entity statements
**Explaining calculation**
IE3 includes in its header the Entity Statement from IE2, which in turn includes the Entity Statement from IE1, which in turn includes the Entity Statement from TA. Then it includes the Entity Statement from IE1, which in turn includes the Entity Statement from TA, and finally it adds the Entity Statement of the TA. This makes a total of 7 Entity Statements in the header + then plus the Entity Statement that contains the header, making this 8.
**Why is this chain header parameter needed?**
I struggle to see the need or even point of the trust_chain header. A chain of Entity Statements can be validated without this header by applying the of the key of the entity statement. This is also reflected by the fact that the header is optional. The question is why it is there at all, given its potential size explosion potential.
A problem is that if it is present, there are requirements in the specification that it must be processed (see section 10). So allowing it causes implementation requirements for many entities.
This issue also highlights why we define an option to include a trust_chain in OIDC requests. If it is not needed, perhaps it should never be sent. Especially if it can grow very big.
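The count in the issue above can be reproduced with the following added example, which is not part of the original post or of any OpenID Federation implementation. It builds constructed, unsigned stand-ins for Entity Statements in compact JWS shape (placeholder signature, hypothetical helper names), nests them through the trust_chain header as the post describes, and goes one step further than the post by also measuring bytes, since each nesting level base64url-encodes the embedded statements again.

```python
import base64
import json


def b64u(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64u_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_statement(issuer: str, trust_chain: list) -> str:
    """Constructed stand-in for an Entity Statement: header.payload.signature."""
    header = {"typ": "entity-statement+jwt", "alg": "ES256"}
    if trust_chain:
        header["trust_chain"] = trust_chain  # JSON array of embedded statements
    payload = {"iss": issuer}  # minimal constructed payload, not a full claim set
    signature = b64u(b"\0" * 64)  # placeholder bytes, ES256-sized, not a real signature
    return ".".join([b64u(json.dumps(header).encode()),
                     b64u(json.dumps(payload).encode()),
                     signature])


def count_statements(statement: str) -> int:
    """Count this statement plus everything nested in its trust_chain header."""
    header = json.loads(b64u_decode(statement.split(".")[0]))
    return 1 + sum(count_statements(s) for s in header.get("trust_chain", []))


def issue_all(names_from_ta: list) -> list:
    """Each entity embeds the statements of every entity above it, nearest first."""
    issued = []
    for name in names_from_ta:
        issued.append(make_statement(name, list(reversed(issued))))
    return issued


if __name__ == "__main__":
    names = ["TA", "IE1", "IE2", "IE3"]
    issued = issue_all(names)
    leaf = make_statement("Leaf", [])
    for name, stmt in zip(names, issued):
        print(f"{name}: {count_statements(stmt)} statements, {len(stmt)} bytes")
    total = count_statements(leaf) + sum(count_statements(s) for s in issued)
    print(f"Full chain: {total} statements")
```

A receiver that has to process the header can use the same kind of recursive count, or a plain byte limit on the header, to reject oversized input before doing any signature work.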