Fed - 3.4.1 It is not clear what is meant by A( )

Issue #1035 closed
Nat Sakimura created an issue

In 3.4.1,

A(ms_B + SK[B])

appears suddenly. The notation A( ) should be explained before using it.

Comments (4)

  1. Nat Sakimura reporter

    Ah, now I get it. A(ms_B + SK[B]) means the metadata statement signed by A... This is a bit cryptic because the form F() looks like a function.

    Currently, the entity appears as _X, X(), [X]. It probably is better to come up with a consistent notation.

    I would propose sticking to _X, which resembles a subscript, to express the entity, and F() to represent a function or mapping.

    So, SK[X] becomes SK_X. Actually, I prefer Ks_X, as K would represent K and s will signify that the key is a signing key, and _X represents that it belongs to X. Similarly, a verification key associated with Ks_B will be Kv_B.

    I would also represent the message as M for consistency and the signing operation with S( ), so that A(ms_B + SK[B]) becomes S(M_B + Ks_B, Ks_A).

    For that matter, "+" should also be defined. Is it an abstract concept or a concatenation?

  2. Roland Hedberg

    Is this clearer?

    3.4. Compounded Metadata Statement

    3.4.1. Basic Components

    To describe Compounded Metadata Statements, we need a way of describing the different components in such a statement. These are the basic components:

    M_X: Metadata Statement signing request by X without metadata signing keys and signed metadata statements.

    Ks_X: Metadata signing keys that belong to X.

    S(M, Ks_X): Metadata Statement signed by X. In reality this is a signed JSON Web token. Ks_X in this case is one of the keys in the set of metadata signing keys that X has.

    3.4.2. Constructing a compounded metadata statement

    Using the above listed basic components, we can now describe how we can start with a simple metadata statement and then from that build a more complex compounded metadata statement. In this example I have 3 entities.

    FO: The federation operator.

    O: An organization that is a member of the federation.

    E: An entity (RP or OP) belonging to the organization O.

    The start would then be for O to send a metadata signing request to the federation. This signing request MAY contain claims that are organization specific and MUST contain the metadata signing keys that the organization will use to sign metadata signing requests from its entities. So, the FO gets this from the O:

    M_O + Ks_O

    '+' signifies a simple concatenation of information. M_O is a set of claims with values and Ks_O is O's keys by value (signing_keys) or by reference (signing_keys_uri). Signed by the FO this becomes:

    S(M_O + Ks_O, Ks_FO)

    Creating a compounded metadata statement involves adding previously signed metadata statements to a metadata signing request before signing it. So, when at some point in time O will get a metadata signing request from E that looks like this:

    M_E + Ks_E

    O will add the signed metadata statement produced by FO (as with the signing keys, it may do it by value (metadata_statements) or by reference (metadata_statement_uris))

    M_E + Ks_E + S(M_O + Ks_O, Ks_FO)

    before O signs it.

    This is the resulting compounded metadata statement:

    S(M_E + Ks_E + S(M_O + Ks_O, Ks_FO), Ks_O)

    Note that the level N requester is the level N+1 signer.

    Note also that the key used to sign a metadata statement, unless it is one of the Federation Operator's keys, MUST appear in an incorporated signed metadata statement.

  3. Roland Hedberg

    The notion of Compounded Metadata Statements disappeared in a later version of the draft so this is not valid anymore.
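
The construction S(M_E + Ks_E + S(M_O + Ks_O, Ks_FO), Ks_O) from comment 2 and the check its closing notes imply, as an added example that is not part of the thread or of the draft. HMAC-SHA256 stands in for the JWS signature so the block runs on the standard library alone; the `iss`, `payload`, `sig` and `claims` field names, the keys and the claim values are constructed for illustration.

```python
import hashlib, hmac, json

# Constructed sample keys, hex encoded. HMAC is a stand-in for JWS here, so
# the "published" key is also the signing key; real Ks_X holds public keys.
KS_FO = {"FO": "11" * 32}
KS_O = {"O": "22" * 32}
KS_E = {"E": "33" * 32}

def _mac(payload, key_hex):
    body = json.dumps(payload, sort_keys=True).encode()
    return hmac.new(bytes.fromhex(key_hex), body, hashlib.sha256).hexdigest()

def request(claims, keys, inner=None):
    """M_X + Ks_X, optionally + an already signed statement ('+' = concatenation)."""
    req = {"claims": claims, "signing_keys": keys}
    if inner is not None:
        req["metadata_statements"] = [inner]  # incorporated by value
    return req

def sign(payload, signer, keys):
    """S(M, Ks_X): the payload plus the signer's name and a MAC over it."""
    return {"iss": signer, "payload": payload, "sig": _mac(payload, keys[signer])}

def verify(stmt, fo_keys):
    """Return the outermost claims if the signatures chain up to a FO key."""
    payload, signer = stmt["payload"], stmt["iss"]
    trusted = {}
    for inner in payload.get("metadata_statements", []):
        verify(inner, fo_keys)  # an incorporated statement must itself verify
        trusted.update(inner["payload"]["signing_keys"])
    trusted.update(fo_keys)  # FO keys are the only anchor and cannot be shadowed
    if signer not in trusted:
        raise ValueError(f"key of {signer!r} not in an incorporated statement")
    if not hmac.compare_digest(_mac(payload, trusted[signer]), stmt["sig"]):
        raise ValueError(f"bad signature by {signer!r}")
    return payload["claims"]

def build_compound():
    """S(M_E + Ks_E + S(M_O + Ks_O, Ks_FO), Ks_O) with constructed claims."""
    ms_o = sign(request({"organization": "example-org"}, KS_O), "FO", KS_FO)
    m_e = {"redirect_uris": ["https://rp.example.org/cb"]}
    return sign(request(m_e, KS_E, ms_o), "O", KS_O)

if __name__ == "__main__":
    print(verify(build_compound(), KS_FO))
```

Replacing Ks_O inside the incorporated statement breaks the FO signature over it, and a statement signed by O with no incorporated statement is rejected because O's key cannot be traced to the FO.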
