<html><head><meta http-equiv="Content-Type" content="text/html; charset=utf-8"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;" class=""><br class=""><div><br class=""><blockquote type="cite" class=""><div class="">On 26 Sep 2019, at 17:40, Nick Roy <<a href="mailto:nroy@internet2.edu" class="">nroy@internet2.edu</a>> wrote:</div><br class="Apple-interchange-newline"><div class="">
<meta http-equiv="Content-Type" content="text/xhtml; charset=utf-8" class="">
<div class="">
<div style="font-family:sans-serif" class=""><div style="white-space:normal" class=""><p dir="auto" class="">One other thing - also in section 7.1:</p><p dir="auto" class="">"If there is no path from the remote peer to at least one of the trusted trust anchors, then the list will be empty and there is no way of establishing trust in the remote peer's information. How the Consumer deals with this is out of scope for this specification."</p><p dir="auto" class="">I thought about how federation operators could make failure in this case mandatory, using a deployment profile, but realized that since it’s a software limitation, it probably should be called out here, something like:</p><p dir="auto" class="">"Software which claims to support this profile, when encountering an entity statement defined by this profile, MUST return an error and stop processing the request if this process results in an empty trust chain list."</p><p dir="auto" class="">Otherwise, there is no way to ensure that the trust model isn’t being circumvented.</p></div></div></div></div></blockquote>Yeah, if the consumer can’t find a trust chain it can trust the process MUST fail.</div><div>The text in the draft alludes to what the consumer could then do.</div><div>Like if either of the OIDC core registration options (static/dynamic) are available it could revert to using one of them.</div><div>Should be more explicit.</div><div><blockquote type="cite" class=""><div class=""><div class=""><div style="font-family:sans-serif" class=""><div style="white-space:normal" class=""><p dir="auto" class="">Nick</p><p dir="auto" class="">On 25 Sep 2019, at 0:47, Roland Hedberg wrote:</p>
</div>
<blockquote style="border-left:2px solid #777; color:#777; margin:0 0 5px; padding-left:5px" class=""><div id="D721414F-B550-46B8-AA13-2DD95156B8A8" class=""><div style="word-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;" class="">It seems we have reasons to schedule at least one session at IIW.<br class=""><div class=""><br class=""><blockquote type="cite" class=""><div class="">On 25 Sep 2019, at 07:18, Mike Jones <<a href="mailto:Michael.Jones@microsoft.com" class="">Michael.Jones@microsoft.com</a>> wrote:</div><br class="Apple-interchange-newline"><div class=""><div class="">Will you be at IIW next week? It would be great to talk about this there.<br class=""><br class=""><span class="Apple-tab-span" style="white-space:pre"> </span><span class="Apple-tab-span" style="white-space:pre"> </span><span class="Apple-tab-span" style="white-space:pre"> </span><span class="Apple-tab-span" style="white-space:pre"> </span>-- Mike<br class=""><br class="">-----Original Message-----<br class="">From: openid-specs-rande <<a href="mailto:openid-specs-rande-bounces@lists.openid.net" class="">openid-specs-rande-bounces@lists.openid.net</a>> On Behalf Of Nick Roy<br class="">Sent: Tuesday, September 24, 2019 2:43 PM<br class="">To: <a href="mailto:openid-specs-rande@lists.openid.net" class="">openid-specs-rande@lists.openid.net</a><br class="">Subject: [openid-specs-rande] Route of denial of service in OIDC Federation?<br class=""><br class="">Is it possible for a malicious party to generate an arbitrarily long trust chain that an OpenID Connect Federation implementation spends a lot of time verifying? Would making authority_hints mandatory circumvent this? See also: <a href="https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgist.github.com%2Frjhansen%2F67ab921ffb4084c865b3618d6955275f&data=02%7C01%7CMichael.Jones%40microsoft.com%7C249ec521a0044788414a08d7413ceb16%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C1%7C637049602211416829&sdata=qi5oAcUzpbKptyXrNOLxWd737ETCY7V50FSB2rwRb0w%3D&reserved=0" class="">https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgist.github.com%2Frjhansen%2F67ab921ffb4084c865b3618d6955275f&data=02%7C01%7CMichael.Jones%40microsoft.com%7C249ec521a0044788414a08d7413ceb16%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C1%7C637049602211416829&sdata=qi5oAcUzpbKptyXrNOLxWd737ETCY7V50FSB2rwRb0w%3D&reserved=0</a><br class=""><br class="">Nick<br class=""></div></div></blockquote></div><br class=""><div class="">
<div style="caret-color: rgb(0, 0, 0); font-family: Helvetica; font-size: 12px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration: none;" class="">— Roland</div><div style="caret-color: rgb(0, 0, 0); font-family: Helvetica; font-size: 12px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration: none;" class="">Scratch a pessimist and you find often a defender of privilege. -William Beveridge, economist and reformer (5 Mar 1879-1963) </div>
</div>
<br class=""></div></div></blockquote>
<div style="white-space:normal" class=""><blockquote style="border-left:2px solid #777; color:#777; margin:0 0 5px; padding-left:5px" class="">
</blockquote></div>
</div>
</div>
-- <br class="">openid-specs-rande mailing list<br class=""><a href="mailto:openid-specs-rande@lists.openid.net" class="">openid-specs-rande@lists.openid.net</a><br class="">http://lists.openid.net/mailman/listinfo/openid-specs-rande<br class=""></div></blockquote></div><br class=""><div class="">
<div dir="auto" style="word-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;" class=""><div style="caret-color: rgb(0, 0, 0); color: rgb(0, 0, 0); font-family: Helvetica; font-size: 12px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration: none;">— Roland</div><div style="caret-color: rgb(0, 0, 0); color: rgb(0, 0, 0); font-family: Helvetica; font-size: 12px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration: none;"><br class=""></div><div style="caret-color: rgb(0, 0, 0); color: rgb(0, 0, 0); font-family: Helvetica; font-size: 12px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration: none;">Were it left to me to decide whether we should have a government without newspapers, or newspapers without a government, I should not hesitate a moment to prefer the latter. -Thomas Jefferson, third US president, architect, and author (1743-1826) </div></div>
</div>
<br class=""></body></html>