[openid-specs-rande] Route of denial of service in OIDC Federation?
Nick Roy
nroy at internet2.edu
Thu Sep 26 15:35:36 UTC 2019
Yep - I will be at both the OpenID Foundation workshop and IIW, would love to chat. Also I just read this:
7.1
"The Consumer should never attempt to fetch entity statements it already has fetched during this process (loop prevention)."
That works, should probably be in the test suite.
Best,
Nick
On 25 Sep 2019, at 0:47, Roland Hedberg wrote:
> It seems we have reasons to schedule at least one session at IIW.
>
>> On 25 Sep 2019, at 07:18, Mike Jones <Michael.Jones at microsoft.com> wrote:
>>
>> Will you be at IIW next week? It would be great to talk about this there.
>>
>> -- Mike
>>
>> -----Original Message-----
>> From: openid-specs-rande <openid-specs-rande-bounces at lists.openid.net> On Behalf Of Nick Roy
>> Sent: Tuesday, September 24, 2019 2:43 PM
>> To: openid-specs-rande at lists.openid.net
>> Subject: [openid-specs-rande] Route of denial of service in OIDC Federation?
>>
>> Is it possible for a malicious party to generate an arbitrarily long trust chain that an OpenID Connect Federation implementation spends a lot of time verifying? Would making authority_hints mandatory circumvent this? See also: https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgist.github.com%2Frjhansen%2F67ab921ffb4084c865b3618d6955275f&data=02%7C01%7CMichael.Jones%40microsoft.com%7C249ec521a0044788414a08d7413ceb16%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C1%7C637049602211416829&sdata=qi5oAcUzpbKptyXrNOLxWd737ETCY7V50FSB2rwRb0w%3D&reserved=0
>>
>> Nick
>
> — Roland
> Scratch a pessimist and you find often a defender of privilege. -William Beveridge, economist and reformer (5 Mar 1879-1963)
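
An added sketch, not part of the thread or of any OpenID Connect Federation implementation, of the loop prevention quoted from section 7.1 combined with a cap on chain length, which addresses the long-chain concern in the original question. The cap `MAX_DEPTH`, the function names, and the in-memory federation are assumptions for illustration, and signature verification is left out.

```python
MAX_DEPTH = 5  # assumption: local policy limit, not a value from the spec

def make_fetcher(statements):
    """Simulate fetching entity statements; log records every fetch made."""
    log = []
    def fetch(entity_id):
        log.append(entity_id)
        return {"sub": entity_id,
                "authority_hints": statements.get(entity_id, [])}
    return fetch, log

def collect_chains(leaf, fetch, anchors, max_depth=MAX_DEPTH):
    """Follow authority_hints upward from leaf; return paths ending at an anchor."""
    fetched = {}   # entity_id -> statement; nothing is fetched twice
    chains = []

    def walk(entity_id, path):
        if entity_id in path:        # already on this path: a loop, stop
            return
        if len(path) >= max_depth:   # chain too long: stop before fetching more
            return
        if entity_id not in fetched:
            fetched[entity_id] = fetch(entity_id)
        path = path + [entity_id]
        if entity_id in anchors:
            chains.append(path)
            return
        for superior in fetched[entity_id]["authority_hints"]:
            walk(superior, path)

    walk(leaf, [])
    return chains

# Constructed sample federation (all entity IDs are made up).
ANCHORS = {"https://fed.example.net"}
FEDERATION = {
    "https://rp.example.org": ["https://org.example.org"],
    "https://org.example.org": ["https://fed.example.net"],
    "https://fed.example.net": [],
    "https://loop-a.example.com": ["https://loop-b.example.com"],
    "https://loop-b.example.com": ["https://loop-a.example.com"],
}
# Constructed 1000-entity chain that never reaches a trust anchor.
FEDERATION.update({f"https://n{i}.example.com": [f"https://n{i + 1}.example.com"]
                   for i in range(1000)})

if __name__ == "__main__":
    for leaf in ("https://rp.example.org", "https://loop-a.example.com",
                 "https://n0.example.com"):
        fetch, log = make_fetcher(FEDERATION)
        print(leaf, collect_chains(leaf, fetch, ANCHORS), len(log), "fetches")
```

The fetch log is what a test suite would assert on: each looping entity is fetched exactly once, and the 1000-entity chain costs only `MAX_DEPTH` fetches.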