[openid-specs-rande] Route of denial of service in OIDC Federation?
Nick Roy
nroy at internet2.edu
Thu Sep 26 15:40:28 UTC 2019
One other thing - also in section 7.1:
"If there is no path from the remote peer to at least one of the trusted trust anchors, then the list will be empty and there is no way of establishing trust in the remote peer's information. How the Consumer deals with this is out of scope for this specification."
I thought about how federation operators could make failure in this case mandatory, using a deployment profile, but realized that since it’s a software limitation, it probably should be called out here, something like:
"Software which claims to support this profile, when encountering an entity statement defined by this profile, MUST return an error and stop processing the request if this process results in an empty trust chain list."
Otherwise, there is no way to ensure that the trust model isn’t being circumvented.
Nick
On 25 Sep 2019, at 0:47, Roland Hedberg wrote:
> It seems we have reasons to schedule at least one session at IIW.
>
>> On 25 Sep 2019, at 07:18, Mike Jones <Michael.Jones at microsoft.com> wrote:
>>
>> Will you be at IIW next week? It would be great to talk about this there.
>>
>> -- Mike
>>
>> -----Original Message-----
>> From: openid-specs-rande <openid-specs-rande-bounces at lists.openid.net> On Behalf Of Nick Roy
>> Sent: Tuesday, September 24, 2019 2:43 PM
>> To: openid-specs-rande at lists.openid.net
>> Subject: [openid-specs-rande] Route of denial of service in OIDC Federation?
>>
>> Is it possible for a malicious party to generate an arbitrarily long trust chain that an OpenID Connect Federation implementation spends a lot of time verifying? Would making authority_hints mandatory circumvent this? See also: https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgist.github.com%2Frjhansen%2F67ab921ffb4084c865b3618d6955275f&data=02%7C01%7CMichael.Jones%40microsoft.com%7C249ec521a0044788414a08d7413ceb16%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C1%7C637049602211416829&sdata=qi5oAcUzpbKptyXrNOLxWd737ETCY7V50FSB2rwRb0w%3D&reserved=0
>>
>> Nick
>
> — Roland
> Scratch a pessimist and you find often a defender of privilege. -William Beveridge, economist and reformer (5 Mar 1879-1963)
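As an added illustration of the two concerns in this thread (bounding a chain whose authority_hints never reach an anchor, and failing closed on an empty trust chain list), the following is example code written for this page, not code from the thread, the specification or any implementation; the entity IDs, the dict-shaped entity configurations and the depth cap are assumptions, and signature verification of entity statements is left out.

```python
from typing import Callable, Dict, List, Set

# Constructed entity configurations with hypothetical entity IDs; each lists
# the superiors it claims via authority_hints (no signatures, chain walk only).
CONSTRUCTED_ENTITIES: Dict[str, dict] = {
    "https://rp.example": {"authority_hints": ["https://intermediate.example"]},
    "https://intermediate.example": {"authority_hints": ["https://ta.example"]},
    "https://ta.example": {"authority_hints": []},
    "https://evil.example": {"authority_hints": ["https://hop0.evil.example"]},
}

def fetch_entity_configuration(entity_id: str) -> dict:
    """Stand-in for fetching an entity's /.well-known/openid-federation."""
    if entity_id in CONSTRUCTED_ENTITIES:
        return CONSTRUCTED_ENTITIES[entity_id]
    if entity_id.endswith(".evil.example"):  # hostile ladder: always one more hop
        n = int(entity_id.split("https://hop")[1].split(".")[0])
        return {"authority_hints": [f"https://hop{n + 1}.evil.example"]}
    raise LookupError(entity_id)

class EmptyTrustChain(Exception):
    """No path from the peer to any trust anchor: the Consumer fails closed."""

def collect_trust_chains(leaf_id: str, trust_anchors: Set[str],
                         fetch: Callable[[str], dict],
                         max_depth: int = 4) -> List[List[str]]:
    """Every path leaf -> ... -> anchor, fetching at most max_depth superiors."""
    chains: List[List[str]] = []
    stack = [[leaf_id]]
    while stack:
        path = stack.pop()
        current = path[-1]
        if current in trust_anchors:
            chains.append(path)
            continue
        if len(path) > max_depth:  # chain too long: drop this branch unfetched
            continue
        for hint in fetch(current).get("authority_hints", []):
            if hint not in path:  # ignore cycles among the claimed superiors
                stack.append(path + [hint])
    return chains

def verify_peer(leaf_id: str, trust_anchors: Set[str],
                fetch: Callable[[str], dict] = fetch_entity_configuration,
                max_depth: int = 4) -> List[List[str]]:
    """Resolve the peer's trust chains and refuse an empty result outright."""
    chains = collect_trust_chains(leaf_id, trust_anchors, fetch, max_depth)
    if not chains:
        raise EmptyTrustChain(f"no trust chain from {leaf_id} to a trust anchor")
    return chains
```

The depth cap and the cycle check together bound how many entity configurations a peer can make the Consumer fetch, and `verify_peer` turns the empty-list case into a hard error rather than leaving it to the caller.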