[openid-specs-rande] Route of denial of service in OIDC Federation?
Roland Hedberg
roland at catalogix.se
Fri Sep 27 14:28:40 UTC 2019
> On 26 Sep 2019, at 17:40, Nick Roy <nroy at internet2.edu> wrote:
>
> One other thing - also in section 7.1:
>
> "If there is no path from the remote peer to at least one of the trusted trust anchors, then the list will be empty and there is no way of establishing trust in the remote peer's information. How the Consumer deals with this is out of scope for this specification."
>
> I thought about how federation operators could make failure in this case mandatory, using a deployment profile, but realized that since it’s a software limitation, it probably should be called out here, something like:
>
> "Software which claims to support this profile, when encountering an entity statement defined by this profile, MUST return an error and stop processing the request if this process results in an empty trust chain list."
>
> Otherwise, there is no way to ensure that the trust model isn’t being circumvented.
>
Yeah, if the consumer can’t find a trust chain it can trust the process MUST fail.
The text in the draft alludes to what the consumer could then do.
Like if either of the OIDC core registration options (static/dynamic) are available it could revert to using one of them.
Should be more explicit.
> Nick
>
> On 25 Sep 2019, at 0:47, Roland Hedberg wrote:
>
> It seems we have reasons to schedule at least one session at IIW.
>
>> On 25 Sep 2019, at 07:18, Mike Jones <Michael.Jones at microsoft.com> wrote:
>>
>> Will you be at IIW next week? It would be great to talk about this there.
>>
>> -- Mike
>>
>> -----Original Message-----
>> From: openid-specs-rande <openid-specs-rande-bounces at lists.openid.net> On Behalf Of Nick Roy
>> Sent: Tuesday, September 24, 2019 2:43 PM
>> To: openid-specs-rande at lists.openid.net
>> Subject: [openid-specs-rande] Route of denial of service in OIDC Federation?
>>
>> Is it possible for a malicious party to generate an arbitrarily long trust chain that an OpenID Connect Federation implementation spends a lot of time verifying? Would making authority_hints mandatory circumvent this? See also: https://gist.github.com/rjhansen/67ab921ffb4084c865b3618d6955275f
>>
>> Nick
>
> — Roland
> Scratch a pessimist and you find often a defender of privilege. -William Beveridge, economist and reformer (5 Mar 1879-1963)
>
— Roland
Were it left to me to decide whether we should have a government without newspapers, or newspapers without a government, I should not hesitate a moment to prefer the latter. -Thomas Jefferson, third US president, architect, and author (1743-1826)
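The two points the thread settles on, a bound on how far a consumer follows authority_hints (Nick's original question) and treating an empty trust chain list as a hard failure (the MUST both agree on), sketched as an added example. This is not code from the thread, from the draft, or from any federation implementation. It assumes an in-memory map of entity configurations and subordinate statements as plain dicts instead of signed JWTs fetched over HTTPS, and replaces signature verification with the check that the named superior actually issued a statement about the subordinate; the entity URLs and the depth limit are constructed for the example.

```python
"""Bounded trust-chain collection for OpenID Connect Federation.

Added example, not code from the thread or from any federation
implementation. Entity configurations and subordinate statements are
modelled as plain dicts and the federation as an in-memory map (an
assumption); signature checks are replaced by the requirement that the
superior names the subordinate. Demonstrated: (1) a depth bound so a
malicious peer cannot make the consumer follow an arbitrarily long
route of authority_hints, (2) cycle detection, (3) failing closed when
the chain list comes back empty.
"""

MAX_PATH_LENGTH = 5  # constructed limit on entities per chain, leaf through anchor


class TrustChainError(Exception):
    """No chain from the peer to a trusted anchor: processing MUST stop."""


def collect_trust_chains(leaf_id, federation, trust_anchors,
                         max_path_length=MAX_PATH_LENGTH):
    """Walk authority_hints upward from leaf_id and return (chains, fetches).

    chains:  every path [leaf, ..., anchor] no longer than max_path_length
    fetches: number of superior lookups performed, i.e. the work a remote
             peer can force on the consumer; bounded by the depth limit
    """
    chains = []
    fetches = 0

    def walk(entity_id, path):
        nonlocal fetches
        if entity_id in path:             # cycle in authority_hints: stop
            return
        path = path + [entity_id]
        if entity_id in trust_anchors:    # reached a configured anchor
            chains.append(path)
            return
        if len(path) >= max_path_length:  # refuse to follow the route further
            return
        config = federation.get(entity_id, {})
        for superior_id in config.get("authority_hints", []):
            fetches += 1                  # one fetch of the superior's data
            superior = federation.get(superior_id)
            # the superior must itself vouch for this entity; a hint alone is not trust
            if superior is None or entity_id not in superior.get("subordinates", ()):
                continue
            walk(superior_id, path)

    walk(leaf_id, [])
    return chains, fetches


def resolve_or_fail(leaf_id, federation, trust_anchors, **kw):
    """Return the shortest trust chain; an empty chain list is an error."""
    chains, _ = collect_trust_chains(leaf_id, federation, trust_anchors, **kw)
    if not chains:
        raise TrustChainError(f"no trust chain from {leaf_id} to a trust anchor")
    return min(chains, key=len)


# --- constructed sample federation (not real entities) ---------------------
TA = "https://ta.example"
INTERMEDIATE = "https://intermediate.example"
RP = "https://rp.example"
TRUST_ANCHORS = {TA}

FEDERATION = {
    TA: {"subordinates": {INTERMEDIATE: {"sub": INTERMEDIATE}}},
    INTERMEDIATE: {"authority_hints": [TA], "subordinates": {RP: {"sub": RP}}},
    RP: {"authority_hints": [INTERMEDIATE]},
    # forged hint: names TA as superior, but TA never issued a statement for it
    "https://forger.example": {"authority_hints": [TA]},
    # two entities hinting at each other
    "https://loop-a.example": {"authority_hints": ["https://loop-b.example"],
                               "subordinates": {"https://loop-b.example": {}}},
    "https://loop-b.example": {"authority_hints": ["https://loop-a.example"],
                               "subordinates": {"https://loop-a.example": {}}},
}

# a malicious leaf whose hints lead through 50 hops that never reach the anchor
EVIL_LEAF = "https://evil-0.example"
for i in range(50):
    me, nxt = f"https://evil-{i}.example", f"https://evil-{i + 1}.example"
    FEDERATION.setdefault(me, {})["authority_hints"] = [nxt]
    FEDERATION.setdefault(nxt, {})["subordinates"] = {me: {}}

if __name__ == "__main__":
    print("rp  :", collect_trust_chains(RP, FEDERATION, TRUST_ANCHORS))
    print("evil:", collect_trust_chains(EVIL_LEAF, FEDERATION, TRUST_ANCHORS))
```

With the limit at 5 the 50-hop route costs the consumer four lookups and yields no chain; raise the limit to 60 and the same leaf costs fifty lookups and still yields nothing, which is the cost a mandatory bound removes. Making authority_hints mandatory on its own does not help here: the malicious leaf supplies hints, they just never terminate at a trusted anchor.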