Inconsistency regarding possibility of trust chain loops

[zachmann]

Section 10.1 says

Federation participants MUST NOT attempt to fetch Entity Statements they already have obtained during this process to prevent loops. An invalid_trust_chain error SHOULD be returned if a loop is encountered.

Section 16.1 Federation topologies states

Also, as described in Section 10.1 Federation topologies MUST NOT contain loops.

However, I cannot see that 10.1 forbids loops in the federation topology. It only states that participants MUST NOT fetch stmts they already have, i.e. this is a mechanism to deal with the possibility of loops.

Do we want to forbid trust chain loops? Then this should be made more prominent in the spec and 10.1 should be adapted. If not, the statement should be removed from 16.1

[cicnavi]

This is from #161, addressed with PR #164

[selfissued]

This was addressed by PR #164.

[zachmann]

No this was not addressed but only introduced with #164.

That PR added the sentence

Also, as described in Section 10.1 Federation topologies MUST NOT contain loops.

My problem is that I cannot find that statement in 10.1. Glad if anyone can point me to it.

The only thing I can find in there is:

Federation participants MUST NOT attempt to fetch Entity Statements they already have obtained during this process to prevent loops. An invalid_trust_chain error SHOULD be returned if a loop is encountered.

But this does not forbid chains in the federation topology. Actually, I see this sentence as a strategy how clients have to deal with the possibility that there might be loops.

[selfissued]

Fetching Entity Statements to Establish a Trust Chain says:

Also, as described in Section 10.1 Federation topologies MUST NOT contain loops.

Does this resolve the issue for you, @zachmann ?

[zachmann]

Unfortunately, I do not exactly get what you are pointing to.

I'll try to explain my point again:

I'm only referring to the latest spec draft (42, not yet published): https://openid.github.io/federation/main.html

This includes #164, which introduces the following sentence to 16.1

Also, as described in Section 10.1 Federation topologies MUST NOT contain loops.

This states that section 10.1 would forbid the existence of trust chain loops in federation topologies.

However, I cannot find any statement in 10.1 that would say that. The only statement in 10.1 regarding trust chain loops is the one quoted:

Federation participants MUST NOT attempt to fetch Entity Statements they already have obtained during this process to prevent loops. An invalid_trust_chain error SHOULD be returned if a loop is encountered.

But this statement does not forbid that trust chain loops exist in the federation topology. To the contrary, I would argue this statements says that there might be loops, so you must be able to handle them and the strategy to do so is do not fetch entity statements twice.

[jcmelati]

In my view, the federation topology is an abstract concept that only becomes meaningful once a trust chain is successfully resolved. Therefore, if you encounter a loop, that loop is not part of the trust context being evaluated because you never actually reached the defined Trust Anchor.

In other words, if a loop is not addressed during trust chain resolution, it has the potential to isolate entities. Consequently, you must handle this situation when resolving a trust chain, as there is no way to completely prevent loops from being found. This is probably why the specification defines the mitigation strategy of not fetching the same Entity Statement twice, ensuring that a specific path is not processed repeatedly.

Furthermore, it does not make sense to forbid the creation of loops entirely, as it is impossible to prevent them from occurring. Ultimately, it is the responsibility of federation governance to establish a structure that makes sense and reflects reality. I fail to see how loops could be caused by anything other than misconfiguration.

[zachmann]

In my mind - and this is also how I see the term used in the spec - federation topology refers to the general "architecture": how entities are connected as seen by an outside viewer.

Indeed, there is a difference between the actual built trust chains.
I fully agree also with @cicnavi in #161: The actual trust chain MUST NOT contain a loop and the resolving entity MUST ensure that.

However, I also see the possibility that the topology can contain loops. I also agree with @jcmelati that this should be allowed. Marco suggested in #161 to include a sentence using SHOULD NOT in section 16.
That's something that I think is reasonable.

My suggestion would be to replace the sentence:

Also, as described in Section 10.1 Federation topologies MUST NOT contain loops.

in section 16.1
with:

Also, Federation topologies SHOULD NOT contain loops.

while keeping the statements in 10.1