[openid-specs-rande] Route of denial of service in OIDC Federation?

Roland Hedberg roland at catalogix.se
Wed Sep 25 06:46:57 UTC 2019


I would assume that software that collects trust chains, apart from checking for loops, also would have a maximum depth check included.

authority_hints was discussed at the NTW hackathon 2 days ago and we came to the conclusion that authority_hints would still be optional for the time being.
None of us felt strongly about it though.
What we did talk about changing was that authority_hints would be JSON arrays instead of JSON objects (Python dictionaries).
The reasoning behind that being that a leaf would not be able to keep the list of trust anchors, possible to reach through an intermediate, up-to-date, so the extra value that would bring was debatable.

> On 24 Sep 2019, at 23:43, Nick Roy <nroy at internet2.edu> wrote:
> 
> Is it possible for a malicious party to generate an arbitrarily long trust chain that an OpenID Connect Federation implementation spends a lot of time verifying? Would making authority_hints mandatory circumvent this? See also: https://gist.github.com/rjhansen/67ab921ffb4084c865b3618d6955275f
> 
> Nick-- 
> openid-specs-rande mailing list
> openid-specs-rande at lists.openid.net
> http://lists.openid.net/mailman/listinfo/openid-specs-rande

— Roland

The higher up you go, the more mistakes you are allowed. Right at the top, if you make enough of them, it's considered to be your style. 
-Fred Astaire, dancer, actor, singer, musician, and choreographer (10 May 1899-1987)
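The loop check and maximum-depth check Roland refers to, as an added example that is not code from the thread, from OIDC Federation, or from any of its implementations. It models the federation as an in-memory dictionary mapping an entity_id to its authority_hints (the JSON-array form discussed above) instead of fetching and verifying signed entity statements, and the entity URLs, the `MAX_DEPTH` value and the function names are constructed for illustration:

```python
"""
Bounded trust-chain collection for an OpenID Connect Federation resolver.

Constructed example: `HINTS` stands in for the authority_hints a resolver
would read from each entity's (signed) entity statement; fetching and
signature verification are omitted. A chain is followed only while it
stays within MAX_DEPTH and does not revisit an entity, so an arbitrarily
long or circular chain costs the resolver a bounded amount of work.
"""

MAX_DEPTH = 5  # assumption: policy value set by the resolver operator


def collect_chains(leaf, hints, trust_anchors, max_depth=MAX_DEPTH):
    """Return (chains, rejected) for a leaf entity.

    chains   : every path leaf -> ... -> trust anchor with at most
               max_depth entities (leaf and anchor included).
    rejected : paths abandoned as ("loop", path) or ("max_depth", path).
    """
    chains, rejected = [], []

    def walk(entity, path):
        path = path + [entity]
        # Depth check comes first, so even a path that ends at a trust
        # anchor is refused once it is longer than the policy allows.
        if len(path) > max_depth:
            rejected.append(("max_depth", path))
            return
        if entity in trust_anchors:
            chains.append(path)
            return
        for superior in hints.get(entity, []):
            if superior in path:  # loop: this superior is already below us
                rejected.append(("loop", path + [superior]))
                continue
            walk(superior, path)

    walk(leaf, [])
    return chains, rejected


def has_trust_chain(leaf, hints, trust_anchors, max_depth=MAX_DEPTH):
    """True when at least one in-bounds chain reaches a trust anchor."""
    chains, _ = collect_chains(leaf, hints, trust_anchors, max_depth)
    return bool(chains)


# --- constructed sample federation -----------------------------------------
TRUST_ANCHORS = {"https://ta.example.org"}

HINTS = {
    # well-formed: leaf -> intermediate -> trust anchor
    "https://rp.example.com": ["https://intermediate.example.net"],
    "https://intermediate.example.net": ["https://ta.example.org"],
    # circular hints: a -> b -> a
    "https://loop-a.example": ["https://loop-b.example"],
    "https://loop-b.example": ["https://loop-a.example"],
}
# an arbitrarily long chain that never reaches an anchor: deep0 -> ... -> deep20
for i in range(20):
    HINTS[f"https://deep{i}.example"] = [f"https://deep{i + 1}.example"]


if __name__ == "__main__":
    for leaf in ("https://rp.example.com", "https://loop-a.example", "https://deep0.example"):
        chains, rejected = collect_chains(leaf, HINTS, TRUST_ANCHORS)
        print(leaf, "-> chains:", len(chains), "rejected:", [r[0] for r in rejected])
```

Note that a depth limit bounds the length of each path but not the number of paths: with wide fan-out in authority_hints the resolver still needs a total work budget (or a cap on how many superiors it is willing to fetch per entity) before the walk is safe against an adversarial federation.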


