[Openid-specs-ab] Issue #2156: Notes on metadata policy operators (openid/connect)

Gabriel Zachmann issues-reply at bitbucket.org
Mon May 27 11:46:45 UTC 2024


New issue 2156: Notes on metadata policy operators
https://bitbucket.org/openid/connect/issues/2156/notes-on-metadata-policy-operators

Gabriel Zachmann:

Hi,

While going through the metadata policy operators of the newest spec version, I found some things to comment on. I wanted to hear your opinion on them, whether those are valid points or might already have been discussed before.

* `value`: Why can it only be combined with `essential`? I think it should be possible to combine it with all value checks, e.g. one IA might set a `one_of` policy value check and another IA/TA sets a `value`; this could still work perfectly fine.
* `add`: Combination with `superset_of`: I don't think we should have the requirement that the values from `add` MUST be a superset of `superset_of`. Only after `add` is done MUST the result be a superset of the values in `superset_of`. I'd argue we could just strip the stated requirement, since the consistency with value checks is checked anyway later.
* `default`: Merging: Personally, I would like to have the possibility to merge `default` in the sense that superiors overwrite subordinate policies. This would enable a national federation to set another default than an intra-national fed. Since default is rather weak (it's just a default; if the value is something else it's still fine), I don't feel like a "conflict" between different IAs is something critical/incompatible.
* `superset_of`: Combination with `add`: See above
* `essential`: Merging: The spec states that "If a Superior has specified `essential=true`, then a Subordinate MUST NOT change that." It's not completely clear to me what the meaning of 'MUST NOT change' is:

    a) `essential` is true as soon as any entity in the chain says so, i.e. subordinates cannot overwrite true with false; if they try it does not matter, the chain is still valid  
    b) if a subordinate defines `essential=false` and a superior defined `essential=true`, this MUST result in a policy error.

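As an added illustration of the `add`/`superset_of` point above (editor's sketch, not code from the original post or from any OpenID Federation implementation), the following applies one claim's policy in the operator order modifiers-then-checks, so `superset_of` is evaluated on the result after `add`. The function names and the consistency check `add_covers_superset_of` (the stated requirement the post argues to drop) are assumptions for this example.

```python
# Added example: apply a metadata policy for a single claim.
# Modifiers (value, add, default) run first, value checks
# (one_of, subset_of, superset_of, essential) run on the final result.


def apply_policy(policy: dict, value=None, present: bool = False):
    """Return (present, value) after applying `policy`; raise ValueError on a failed check."""
    # --- modifiers ---
    if "value" in policy:
        present, value = True, policy["value"]
    if "add" in policy:
        current = list(value) if present else []
        # union, keeping existing order and avoiding duplicates
        value = current + [v for v in policy["add"] if v not in current]
        present = True
    if "default" in policy and not present:
        present, value = True, policy["default"]

    # --- value checks, applied to the result of the modifiers ---
    if policy.get("essential") and not present:
        raise ValueError("essential claim is missing")
    if present:
        if "one_of" in policy and value not in policy["one_of"]:
            raise ValueError(f"{value!r} is not in one_of")
        if "subset_of" in policy and not set(value) <= set(policy["subset_of"]):
            raise ValueError("value is not a subset of subset_of")
        if "superset_of" in policy and not set(value) >= set(policy["superset_of"]):
            raise ValueError("value is not a superset of superset_of")
    return present, value


def add_covers_superset_of(policy: dict) -> bool:
    """The requirement as stated in the spec text quoted in the post:
    the `add` values alone must be a superset of `superset_of`."""
    if "add" not in policy or "superset_of" not in policy:
        return True
    return set(policy["add"]) >= set(policy["superset_of"])


if __name__ == "__main__":
    # Constructed sample: the policy adds "openid", the subordinate already has "profile".
    policy = {"add": ["openid"], "superset_of": ["openid", "profile"]}
    print(apply_policy(policy, ["profile"], present=True))   # (True, ['profile', 'openid'])
    print(add_covers_superset_of(policy))                    # False: stated rule rejects it
```

The sample policy is rejected by the stated `add`-must-cover rule, yet the merged result passes the `superset_of` check once `add` has been applied, which is the situation the post describes.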