[Federation] FAPI prohibits RS256
Issue #1681
resolved
The OIDC Federation specification requires that entities support RS256 as a signing algorithm for entity statements. However, Section 8.6. Algorithm considerations of FAPI 1 Advanced prohibits the algorithm for security reasons. It is better to modify descriptions about RS256 in the OIDC Federation specification so that the specification can be used with FAPI without conflicts.
History: Section 3.1 of RFC 7518 (JWA) (published in 2015) recommends RS256 and some descriptions of client metadata in OIDC Dynamic Client Registartion 1.0 (published in 2014) refer to RS256 as the default algorithm or should-support algorithm. However, the algorithm lacks forward secrecy, so the algorithm is not recommended these days. TLS 1.3 has removed algorithms that lack forward secrecy.
Comments (10)
-
-
On the basis of how a leaf signs its EC, it should be known which signature algs it uses.
In a mixed approach different participants may sign their statements differently and the statements that compose a chain may be signed with different algs, it’s up to the trust verifier dealing with all these (and supporting all these). We know that many federations may support different algs and that a leaf may join to more than a single federation.
To allow the extendibility of the Federation implementations during the time I agree that a TA MAY force the signature alg to be adopted by descendants BUT at the same time multiple TAs, from multiple Federations, may require different signature algs. The leafs don’t know how they should sign their EC because the EC must work for many federations.
So, I’d be for force the support for the legacy algs like RS256 (to establish in the specs the basis of the minimum requirement for interoperability) and also enable the mixed approach.
So we may say that all the participants MUST support RS256 for legacy support and, if the federation permits, they SHOULD support also ES and P. But the problem remains until we say that the following algs MUST be supported by all the participants:
RS256 and superiors (384, 512)
ES256 and superiors (384, 512)
PS256 and superiors (384, 512)if we have this asset then it would be up to the participants establish their level of security with the signatures issued by themself, but at the same time the participant with the highest level of security will force the other participants to adapt and support it. Once we got its EC we know if we’re able to deal with it or not
-
I think Mike’s second option broadens the scope for interoperability.
-
- changed status to open
-
Just for posterity, message signatures and forward secrecy are really distinct concepts. A signature by itself cannot provide forward secrecy. It shouldn’t be a consideration in this issue.
-
yes, option 2 seems the simplest one
-
On the 21-Oct-22 Federation Editors' call, we agreed to use language along the lines of “Implementations SHOULD support signature verification with RS256 because OpenID Connect Core requires support for RS256; Federations MAY also specify different mandatory-to-implement algorithms.”
-
The PR below aims to close this issue
https://bitbucket.org/openid/connect/pull-requests/349 -
-
assigned issue to
Giuseppe De Marco
-
assigned issue to
-
- changed status to resolved
- Log in to comment
- Assignee
- Type
- Priority
- Status
- resolved
- Component
- Federation
- Milestone
- –
- Version
- –
- Votes
- 0
- Watchers
- 3
There’s a few different things we could do here.
I’m sure there are other possibilities as well. Thanks for bringing this up, Taka!