Skip to content

Trust Anchor Mix-Up (Federation Integrity Property) #100

@SECtim

Description

@SECtim

Consider the following excerpt from the example of two Federations rooted at two different Trust Anchors as given in Section 1:

.-----------------.            .-----------------.
|  Trust Anchor A |            |  Trust Anchor B |
'------.--.-------'            '----.--.--.------'
       |  |                         |  |
    .--'  '---. .-------------------'  |
    |         | |                      |
.---v.  .-----v-v------.   .-----------'
|    |  | Intermediate |   |
'----'  '--.--.--.-----'   |
           |  |  |         |
   .-------'  |  '------.  |
   |          |         |  |
.--v-.      .-v--.     .v--v.
| RP |      |    |     | OP |
'----'      '----'     '----'

Now, suppose that RP only trusts Trust Anchor A, whereas OP only trusts Trust Anchor B.
A user of RP requests to authenticate with OP, so RP initiates an automatic registration with OP (Section 12.1):

  1. RP uses the process defined in Section 10 to learn OP's metadata, i.e., fetches OP's Entity Configuration and then resolving a Trust Chain, starting with OP's authority_hints (i.e., Intermediate and B). Following the Intermediate path, RP assembles a Trust Chain from OP to A, i.e., the chain [OP, Intermediate, A].
  2. RP validates that Trust Chain and uses it to resolve OP's openid_provider metadata, in particular, its authorization endpoint.
  3. RP sends an authentication request with a signed request object (that does not contain a Trust Chain) to OP's authentication endpoint.
  4. OP processes this request as described in Section 12.1.1. I.e., among other things, OP fetches RP's Entity Configuration and, starting with RP's authority_hints, resolves a Trust Chain, say [RP, Intermediate, B].
  5. OP validates that Trust Chain and uses it to resolve RP's openid_relying_party metadata, which OP then uses to automatically register RP.

I.e., both OP and RP "trust" each other without having a Trust Anchor in common (actually, RP "trusts" OP already in Step 3).

Unless we overlooked something, the Federation specification does not prevent this from happening.

Note: Such a situation may also lead to disagreement on the openid_... metadata if the different Trust Anchors employ different Federation Policies.

Metadata

Metadata

Assignees

Labels

No labels
No labels

Type

No type

Projects

Status

Done

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions