From 619daa57ff0cd9d4ee950fdb6bfee68648cc1951 Mon Sep 17 00:00:00 2001 From: Jesse Wright <63333554+jeswr@users.noreply.github.com> Date: Sun, 26 Apr 2026 17:40:12 +0100 Subject: [PATCH] =?UTF-8?q?Add=20=C2=A7Issuer=20Trust=20to=20Security=20Co?= =?UTF-8?q?nsiderations?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Two non-normative bullets, both raised by @csarven on solid/specification#776 (https://github.com/solid/specification/pull/776#discussion_r3136804650): - Issuer trust is unconditional: a compromised / malicious / unavailable issuer can deny access, impersonate, or rewrite identity-related claims. - Many agents on a single issuer is a single point of failure: concentration risk grows with the issuer's user base. --- index.bs | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) diff --git a/index.bs b/index.bs index a45dc31..aee856b 100644 --- a/index.bs +++ b/index.bs 
@@ -525,6 +525,24 @@ data leaks should an attacker gain access to Client credentials. Clients are ephemeral, client registration is optional, and most Clients cannot keep secrets. These, among other factors, are what makes Client trust challenging. +## Issuer Trust ## {#security-issuer-trust} + +*This section is non-normative* + +A Solid-OIDC user's identity is asserted by the OpenID Provider listed in their WebID Profile via +`solid:oidcIssuer`. Implementers and end-users should consider the trust they place in that issuer: + +* **Issuer trust is unconditional.** Every assertion of the user's identity comes from the issuer. + The user is fully reliant on it; a compromised, malicious, or unavailable issuer can deny access + to all of the user's data, impersonate the user, or selectively rewrite the WebID's + identity-related claims. A high degree of trust in the chosen issuer is therefore necessary. + +* **Many agents on a single issuer is a single point of failure.** Where many agents share a single + issuer, that issuer is a concentration point: a single compromise, outage, or service-level + decision affects every agent that depends on it. Attacks tend to focus on major centralisations, + so concentration risk grows with the issuer's user base. Implementations offering accounts under + a shared issuer should plan for this risk. + # Privacy Considerations # {#privacy} ## OIDC ID Token Reuse ## {#privacy-token-reuse}
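Review bot: In the first bullet, "selectively rewrite the WebID's identity-related claims" reads as if the issuer could edit the WebID Profile, but the preceding sentence establishes the opposite relationship: the Profile (under the user's control) names the issuer via `solid:oidcIssuer`, and the issuer only controls the claims it asserts about that WebID. Suggest "or selectively alter the identity-related claims it asserts about the user", so the threat is stated as forged or altered assertions rather than a rewritten Profile. Related: the phrase "Attacks tend to focus on major centralisations" is an unsupported generalisation for a spec, even in a non-normative section; "a larger user base makes the issuer a more attractive target, so concentration risk grows with it" keeps the point without the empirical claim. Finally, both bullets end on the risk ("A high degree of trust ... is therefore necessary", "should plan for this risk") without naming the lever the text already implies: since the user's WebID Profile is what designates the issuer, a sentence noting that users retain the ability to designate a different issuer in their Profile would give implementers and users the practical mitigation this section otherwise leaves open.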