<html><head><meta http-equiv="Content-Type" content="text/html; charset=utf-8"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;" class=""><br class=""><div><br class=""><blockquote type="cite" class=""><div class="">On 24 Sep 2019, at 23:43, Nick Roy <<a href="mailto:nroy@internet2.edu" class="">nroy@internet2.edu</a>> wrote:</div><br class="Apple-interchange-newline"><div class=""><div class="">Is it possible for a malicious party to generate an arbitrarily long trust chain that an OpenID Connect Federation implementation spends a lot of time verifying? Would making authority_hints mandatory circumvent this? See also: <a href="https://gist.github.com/rjhansen/67ab921ffb4084c865b3618d6955275f" class="">https://gist.github.com/rjhansen/67ab921ffb4084c865b3618d6955275f</a><br class=""></div></div></blockquote><br class=""></div><div>At the Nordunet Technical Workshop yesterday two related issues was raised.</div><div><br class=""></div><div>- Should a Trust anchor/Intermediate be able to limit the depth of the chain below itself ?</div><div>- Should a Trust anchor/intermediate be able to restrict the entity IDs ?</div><div class=""><br class=""></div>Reference was made to max path and name constraints as used in PKI.<div class=""><br class=""></div><div class="">The depth questions has been raised before but nothing has been added to the draft to support that functionality.</div><div class="">The name constraint is new.</div><div class=""><br class=""></div><div class="">If we want to add either constraint it should probably be added to metadata/federation_entity.</div><div class="">Like this (borrowing names/structure ideas from RFC5280):</div><div class=""><br class=""></div><div class=""><pre style="background-color: rgb(255, 255, 255); font-family: Menlo;" class=""><pre style="font-family: Menlo;" class="">"metadata": {<br class=""> "federation_entity": {<br class=""> "federation_api_endpoint":<br class=""> "<a href="https://example.com/federation_api_endpoint" class="">https://example.com/federation_api_endpoint</a>",<br class=""> "name": "The example cooperation",<br class=""> "homepage_uri": "<a href="https://www.example.com" class="">https://www.example.com</a>",<br class=""> "max_path_length": 2,<br class=""> "naming_constraints": {<br class=""> "permitted": [<br class=""> "<a href="https://.example.com" class="">https://.example.com</a>"<br class=""> ],<br class=""> "excluded": [<br class=""> "<a href="https://east.example.com" class="">https://east.example.com</a>"<br class=""> ]<br class=""> }<br class=""> }<br class="">} <br class=""></pre><div class=""><br class=""></div></pre><div class="">
<div style="caret-color: rgb(0, 0, 0); color: rgb(0, 0, 0); font-family: Helvetica; font-size: 12px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; text-decoration: none;">— Roland</div><div style="caret-color: rgb(0, 0, 0); color: rgb(0, 0, 0); font-family: Helvetica; font-size: 12px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; text-decoration: none;"><br class=""></div><div style="caret-color: rgb(0, 0, 0); color: rgb(0, 0, 0); font-family: Helvetica; font-size: 12px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; text-decoration: none;">It is curious that physical courage should be so common in the world, and moral courage so rare. -Mark Twain, author and humorist (30 Nov 1835-1910)</div>
</div>
<br class=""></div></body></html>