[Federation] max_path_length review

Issue #1610 resolved
Giuseppe De Marco created an issue

I suggest simplifying the meaning of max_path_length here: https://openid.net/specs/openid-connect-federation-1_0.html#section-5.2.1

When I talk with the implementers I just use the following formula:

max_path_length defines the maximum number of Federation Intermediaries between a Leaf and its Trust Anchor.
If equal to 1 it means that only one intermediary is allowed along the path.
If zero, any.

I’d propose replacing all that text with something as simple as the above, without any examples.

PS: to easily show an implementation approach: we just have to count the ECs in a trust chain, excluding the first (Leaf’s) and the TA. The count of the remaining ECs must be less than or equal to max_path_length.

Comments (18)

  1. Mischa Salle

    But your “if zero, any” doesn’t match the current spec:

    A max_path_length constraint of zero indicates that no Entity Statement MAY appear between this Entity Statement and the leaf Entity Statement.

    In order to indicate “any” the spec says:

    Where max_path_length does not appear, no limit is imposed.

    And the current spec is similar to what’s done in PKI for CA pathLengthConstraints, see https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.9

  2. Mischa Salle

    Hi Giuseppe,

    I think 0 means no intermediaries MAY be present, while the absence of a max_path_length indicates no limit?

    That actually also means that 0 is not a special case.

  3. Giuseppe De Marco reporter

    Sorry for the mess, answering from a mobile phone is not a proper way to analyze the questions and give answers.
    Well, max_path_length = 0 means any intermediary between leaf and TA, max_path_length absent means any limit imposed.

    This is actually well explained in the text, while I’m suggesting a simplification of the example with a hint that seems to me easier for implementers to grasp.

  4. Mischa Salle

    I’m pretty sure you misread. I must say the example in the spec is confusing and possibly not correct I think.

    The spec says:

    A max_path_length constraint of zero indicates that no Entity Statement MAY appear between this Entity Statement and the leaf Entity Statement.

    that is definitely NOT the same as what you say “max_path_length = 0 means any intermediary between leaf and TA” ? According to the spec there may not be any intermediary between them.

    Also it says

    Where max_path_length does not appear, no limit is imposed.

    that means there is no limit, which is not the same as any limit. Any limit means there can be a limit but it’s not defined which one. OTOH the spec says it indicates that there is no limit, i.e. it is essentially infinite. Perhaps the confusion is because of inherited max lengths from higher up in the chain?

    In the example below there (in https://openid.net/specs/openid-connect-federation-1_0.html#section-5.2.1) in the second bullet, I would change “I1 specifies no max_path_length constraint.” into “I1 specifies max_path_length of 1.”. Both are valid: no max_path_length is also ok since it doesn’t impose a limit (but inherits it from the previous one minus 1), but I think it would be clearer from the perspective of the reader.

    The third bullet is also a bit misleading.

    I think there are additional combinations possible that would satisfy the different constraints which is why the example is confusing I think.

  5. Giuseppe De Marco reporter

    Well, the scope of this issue is to simplify the max_path_len explanatory text.

    Regarding my English, well, the “any” is a typo due to my language level. Thank you (and sorry) for the time spent reading my patchy language; I’ll ask you for a revision in the PR if we decide to create it.

  6. Mischa Salle

    Hi,

    I think the text above the “Assuming that we have…” is probably fine.

    The example is confusing though: in particular, in the second bullet, I’d change the last part into “I1 specifies a `max_path_length` of 0”. I think each of them could leave out the `max_path_length` since that doesn’t impose a limit? Or do we mean that not specifying a `max_path_length` overrides whatever is imposed by the one closer to the TA? I think that latter option is probably not a good idea: it’s better to have the whole path parsed and then check that each `max_path_length` is satisfied.

    In any case the options are not exhaustively listed. TA could also specify 15, I2 10, and I1 2 or something like that. So probably good to insert a “for example” into “Then the Trust Chain fulfills the constraints if”.

    And also the second list is not exhaustive: if either TA or I2 specified `max_path_length` of 0, the Trust Chain is also not fulfilled.

  7. Roland Hedberg

    max_path_length = 0 does impose a restriction. An absent max_path_length constraint means that no extra restriction is set. You cannot override a max_path_length set higher up in the chain by not setting a max_path_length closer to the leaf.

    Not adding a max_path_length constraint just means that there is no extra constraint apart from those already in effect.

  8. Giuseppe De Marco reporter

    I agree with Roland’s answer, do you think that we have to make it more clear in the text of the specification?
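
The counting approach from the issue description, combined with the "parse the whole path, then check each `max_path_length`" reading from comments 6 and 7, as an added example (not code from the spec, from any commenter, or from an implementation). It assumes a simplified chain of already verified, decoded statements ordered leaf to Trust Anchor, one per entity, with the limit carried under a `constraints` member; the function names and the `name` label are hypothetical.

```python
from __future__ import annotations

from typing import Any, Optional

# Added illustration, not code from the spec or from any implementation.
# Assumed model: the chain is a list of already verified, decoded statements,
# one per entity, ordered leaf -> Trust Anchor. "name" is a made-up label.


def path_length_violations(chain: list[dict[str, Any]]) -> list[tuple[str, int, int]]:
    """Return (name, statements_between, limit) for every broken constraint."""
    violations = []
    for index, statement in enumerate(chain):
        if index == 0:
            continue  # the leaf's own statement has nothing below it
        limit = (statement.get("constraints") or {}).get("max_path_length")
        if limit is None:
            # Absent: no extra restriction. Limits set by other statements
            # still apply because every statement in the path is checked.
            continue
        # bool is a subclass of int in Python, so reject it explicitly.
        if isinstance(limit, bool) or not isinstance(limit, int) or limit < 0:
            raise ValueError(f"{statement['name']}: bad max_path_length {limit!r}")
        between = index - 1  # statements between this one and the leaf
        if between > limit:
            violations.append((statement["name"], between, limit))
    return violations


def build_chain(ta: Optional[int], i2: Optional[int], i1: Optional[int]) -> list[dict[str, Any]]:
    """Constructed sample chain LE -> I1 -> I2 -> TA; None means 'absent'."""
    chain: list[dict[str, Any]] = [{"name": "LE"}]
    for name, limit in (("I1", i1), ("I2", i2), ("TA", ta)):
        statement: dict[str, Any] = {"name": name}
        if limit is not None:
            statement["constraints"] = {"max_path_length": limit}
        chain.append(statement)
    return chain


if __name__ == "__main__":
    # (TA, I2, I1) limits; None means the constraint is not present.
    for limits in ((2, None, None), (15, 10, 2), (1, None, None), (2, 0, None)):
        print(limits, path_length_violations(build_chain(*limits)))
```

Because every statement is checked against the number of statements below it, a limit set near the Trust Anchor cannot be bypassed by omitting the constraint closer to the leaf, and a value of 0 is handled like any other limit.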
