[Federation] What a trust chain contains.

Issue #1634 resolved

Roland Hedberg created an issue 2022-09-09

When a trust chain is collected a well defined pattern is used.

collect leaf Entity Configuration
for each entity_id in authority_hints collect the superiors Entity Configuration
Fetch the Entity Statement from the superior about the subordinate
Repeat from 2

This will result in collecting something like this

Leaf Entity Configuration
Intermediate (A) Entity Configuration
Intermediate (A) Entity Statement about Leaf
Intermediate (B) Entity Configuration
Intermediate (B) Entity Statement about Intermediate (B)
Trust Anchor’s Entity Configuration
Trust Anchor’s Entity Statement about Intermediate (B)

Alternative Entity Configurations and Entity Statements.

The trust chain is presently defined to contain the element 1, 3, 5 and 7

Given that the entity that collects the trust chain has the key of the Trust Anchor the trust chain can be verified and the metadata can be constructed.

Now, it is assumed that the Trust Anchor rotates its signing keys. The new keys can be distributed to the federation entities in some out-of-bands way or possibly by adding the Trust Anchor’s Entity Configuration to the trust chain.

Adding the Trust Anchor’s Entity Configuration should be optional and if done should be added as the last element in the trust chain.

Comments (12)

Roland Hedberg reporter
- edited description
- 2022-09-09T17:18:42+00:00
Michael Jones
Should we revert the example in https://openid.net/specs/openid-connect-federation-1_0-22.html#name-trust-chain to the text in https://openid.net/specs/openid-connect-federation-1_0-21.html#name-trust-chain ?
- 2022-09-09T19:44:45+00:00
Roland Hedberg reporter
I think we should make clearer in the text the difference between what needs to be collected and what needs to be in the trust chain.
- 2022-09-10T07:02:34+00:00
Roland Hedberg reporter
The reason for putting the TA’s EC at the end of the trust chain is that the necessary components of the trust chain (Leaf EC + possible intermediates ESs + Trust Anchor ES) should form a continues ordered sequence irrespective of whether the TA EC is part of the trust chain or not. Adding the TA EC to the end makes it easy to first detect if it’s there or not and then remove it before the chain is verified and the metadata computed.
- 2022-09-10T07:08:07+00:00
Michael Jones
I agree with Roland’s “continuous ordered sequence” observation.
- 2022-09-10T07:15:27+00:00
Giuseppe De Marco
- changed title to [Federation] What a trust chain contains.
- 2022-09-10T21:47:19+00:00
Giuseppe De Marco
I agree too, I also think that including the TA’s EC in the trust_chain parameter, as used in the authz request or in the client registration request, would hint a trust verifier if the TA’s EC has been updated in the meantime
- 2022-09-10T21:56:19+00:00
Giuseppe De Marco
@Roland Hedberg considering the importance of the difference between what’s collected (metadata discovery) and what’s it’s included to be evaluated (trust chain) I’d suggest to add Metadata Discovery in the defined terms and have a small editorial review where the term metadata discovery has been used.

‌
- 2022-09-10T22:00:11+00:00
Giuseppe De Marco
Two PRs for the resolution of this issue:
- https://bitbucket.org/openid/connect/pull-requests/302
- https://bitbucket.org/openid/connect/pull-requests/303/fix-federation-metadata-discovery-in-the
- 2022-09-11T22:01:47+00:00
Vladimir Dzhuvinov
including the TA’s EC in the trust_chain parameter, as used in the authz request or in the client registration request, would hint a trust verifier if the TA’s EC has been updated in the meantime

I suppose by a TA EC update here you mean the addition of a new signing key?

If the TA has immediately switched to the new signing key the hinted entity has no way to proceed if its key update involves a manual (out of band) intervention by an admin. The signature validation will fail and the admin will need to intervene to verify and update its record of the TA’s signing key. In such a scenario there is not much value in having a TA EC in the trust_chain.

If the TA adds a new signing key but doesn’t switch to it immediately, the hinted entity will have a mean to detect that without an outbound HTTP call to the TA, and either alert the administrator (given some sensible reaction time) or update its TA keys automatically (by directly adopting the new key from the TA EC jwks, by doing a fetch, or a mix of both). Is this what you had in mind? For planned key rollovers this can definitely work. In a case when all TA keys get revoked and need to be replaced at once, an outbound HTTP call to the TA cannot be prevented.
- 2022-09-13T07:05:32+00:00
Giuseppe De Marco
The rollover strategy is something covered in our implementations and led to how the good TA should behave.
When a key is rolled out, then the new one will be used when times will permits and the old one will be pruned, otherwise the jwks list in a EC may increase during the years.
That’s why I want to prune the deprecated keys from the EC and have a new endpoint for the TA where it publishes the registry of the hystorical jwks.

The reasons why we should have also the EC in the TC is explained here: https://bitbucket.org/openid/connect/pull-requests/302#comment-331647190
- 2022-09-19T20:04:29+00:00
Giuseppe De Marco
- changed status to resolved
Closed by https://bitbucket.org/openid/connect/pull-requests/302
- 2022-09-23T15:10:24+00:00
Log in to comment

Assignee: Roland Hedberg

Type: proposal

Priority: major

Status: resolved

Component: Federation

Milestone: –

Version: –

Votes: 0

Watchers: 1