Naming constraints in Federation
There appears to be a mismatch between two alternative descriptions of naming_constraints. Section 5.2 states the naming_constraints must be entity identifiers (URIs) and two examples are given: "https://.example.com" and "https://east.example.com".
However, section 5.2.2 says “The constraint MUST be specified as a fully qualified domain name”.
Can we have consistent text and examples, please?
Comments (6)
I will create a PR making the description consistent with the examples and https://www.rfc-editor.org/rfc/rfc5280#section-4.2.1.10.
- changed status to open
There are two subtle points here. First, Section 5.2 says that naming constraints restrict the allowable Entity Identifiers, not that they are Entity Identifiers.
Second, the fully-qualified domain names language comes from https://www.rfc-editor.org/rfc/rfc5280.html#section-4.2.1.10, which also includes example domain names such as ".example.com". It’s fully-qualified because it ends in a top-level domain (TLD) name (in this case "com"). An example of a non-fully-qualified domain name would be "horta", which was the local hostname of my primary machine in graduate school. The fully-qualified domain name for that machine was "horta.cs.cmu.edu".
I also created https://bitbucket.org/openid/connect/pull-requests/279/clarified-naming-constraints to clarify the description of naming constraints, and in particular, domain name constraints.
- changed status to resolved
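As an added illustration (not part of the issue thread or of the specification text), the following Python sketch applies the URI name-constraint rule from RFC 5280 section 4.2.1.10 to Entity Identifiers, showing how a constraint such as ".example.com" restricts identifiers without being one itself. The function names, the `permitted`/`excluded` parameters and the sample identifiers are assumptions constructed for this example; the Federation specification's own matching rules may differ.

```python
from urllib.parse import urlsplit


def host_of(entity_id: str) -> str:
    """Return the lower-cased host of an https Entity Identifier."""
    parts = urlsplit(entity_id)
    if parts.scheme != "https" or not parts.hostname:
        raise ValueError(f"not an https URI with a host: {entity_id!r}")
    # urlsplit already lower-cases the hostname; drop a trailing root dot.
    return parts.hostname.rstrip(".")


def matches(constraint: str, host: str) -> bool:
    """RFC 5280 section 4.2.1.10 rule for URI name constraints."""
    constraint = constraint.lower()
    if constraint.startswith("."):
        # Domain constraint: it is expanded with one or more labels,
        # so ".example.com" does not match "example.com" itself.
        return host.endswith(constraint) and len(host) > len(constraint)
    # No leading period: the constraint names exactly one host.
    return host == constraint


def permitted_by(entity_id: str, permitted, excluded=()) -> bool:
    """True if the identifier's host is permitted and not excluded."""
    host = host_of(entity_id)
    if any(matches(c, host) for c in excluded):
        return False  # an exclusion wins over any permitted match
    return any(matches(c, host) for c in permitted)


if __name__ == "__main__":
    # Constructed sample Entity Identifiers, checked against ".example.com".
    for eid in ("https://op.example.com",
                "https://example.com",
                "https://badexample.com"):
        print(eid, permitted_by(eid, [".example.com"]))
```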