[openid-specs-rande] Route of denial of service in OIDC Federation?
Nick Roy
nroy at internet2.edu
Thu Sep 26 15:47:14 UTC 2019
Is there a need for a minimum metadata validity parameter that can be set by federation operators, to ensure that entities aren’t setting their validity time so low that everyone is always re-evaluating the trust chain? I can definitely see the utility in setting this "TTL" low during key rollover, but don’t want it to get absurdly low.
Nick
On 25 Sep 2019, at 0:46, Roland Hedberg wrote:
> I would assume that software that collects trust chains, apart from checking for loops, also would have a maximum depth check included.
>
> authority_hints was discussed at the NTW hackathon 2 days ago and we came to the conclusion that authority_hints would still be optional for the time being.
> None of us felt strongly about it though.
> What we did talk about changing was that authority_hints would be JSON arrays instead of JSON objects (Python dictionaries).
> The reasoning behind that being that a leaf would not be able to keep the list of trust anchors, possible to reach through an intermediate, up-to-date, so the extra value that would bring was debatable.
>
>> On 24 Sep 2019, at 23:43, Nick Roy <nroy at internet2.edu> wrote:
>>
>> Is it possible for a malicious party to generate an arbitrarily long trust chain that an OpenID Connect Federation implementation spends a lot of time verifying? Would making authority_hints mandatory circumvent this? See also: https://gist.github.com/rjhansen/67ab921ffb4084c865b3618d6955275f
>>
>> Nick
>
> — Roland
>
> The higher up you go, the more mistakes you are allowed. Right at the top, if you make enough of them, it's considered to be your style.
> -Fred Astaire, dancer, actor, singer, musician, and choreographer (10 May 1899-1987)
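The two safeguards raised in this thread, a loop and maximum-depth check while collecting a trust chain and an operator-set minimum validity window on entity statements, as an added Python example; this is not code from the thread or from any OIDC Federation implementation. The statement dictionary, entity ids and the depth and validity numbers are constructed, the statements are shown as plain claim dictionaries rather than signed JWTs, and the walker follows only the first authority hint.

```python
# Constructed sample federation: entity id -> entity statement claims (unsigned here).
NOW = 1_700_000_000
SAMPLE_STATEMENTS = {
    "https://rp.example": {"iat": NOW, "exp": NOW + 3600,
                           "authority_hints": ["https://inter.example"]},
    "https://inter.example": {"iat": NOW, "exp": NOW + 86400,
                              "authority_hints": ["https://ta.example"]},
    "https://ta.example": {"iat": NOW, "exp": NOW + 86400},
    # Two intermediates hinting at each other: a loop that never reaches an anchor.
    "https://loop-a.example": {"iat": NOW, "exp": NOW + 3600,
                               "authority_hints": ["https://loop-b.example"]},
    "https://loop-b.example": {"iat": NOW, "exp": NOW + 3600,
                               "authority_hints": ["https://loop-a.example"]},
    # A statement with an absurdly short validity window (5 seconds).
    "https://flapper.example": {"iat": NOW, "exp": NOW + 5,
                                "authority_hints": ["https://ta.example"]},
}


class ChainError(Exception):
    """Raised when chain collection must stop without reaching an anchor."""


def collect_chain(entity_id, statements, trust_anchors, max_depth=5, min_validity=60):
    """Walk authority_hints from entity_id up to one of trust_anchors.

    Raises ChainError on a loop, on exceeding max_depth, or on a validity
    window (exp - iat) shorter than the operator-set minimum in seconds.
    Follows only the first hint; a full resolver would try each one.
    """
    chain, seen, current = [], set(), entity_id
    while True:
        if current in seen:
            raise ChainError(f"loop at {current}")
        if len(chain) >= max_depth:
            raise ChainError(f"chain exceeds max depth {max_depth}")
        stmt = statements.get(current)
        if stmt is None:
            raise ChainError(f"no statement for {current}")
        if stmt["exp"] - stmt["iat"] < min_validity:
            raise ChainError(f"{current}: validity below minimum {min_validity}s")
        seen.add(current)
        chain.append(current)
        if current in trust_anchors:
            return chain
        hints = stmt.get("authority_hints", [])
        if not hints:
            raise ChainError(f"{current}: not an anchor and has no authority_hints")
        current = hints[0]
```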