[Federation] Location and scope of application of metadata_policy_crit
The current metadata_policy_crit spec is not clear where the claim may appear:
- In Entity Configurations?
- In Subordinate Statements?
- In both?
Since a metadata_policy may only appear in a Subordinate Statement, and the metadata_policy_crit guides how the metadata_policy is to be processed, is it logical to require both to be in the same place, i.e. in Subordinate Statements?
This then leads to the following question:
When a metadata_policy_crit lists a critical custom operator, e.g. lte (less than or equal to), what does this apply to:
- To the metadata_policy in the same Subordinate Statement?
- To any subordinate metadata_policy claims in the Trust Chain also?
https://openid.bitbucket.io/connect/openid-federation-1_0.html#section-3-5.22
metadata_policy_crit
OPTIONAL. The metadata_policy_crit (critical) Entity Statement claim indicates that extensions to the policy language defined by this specification are being used that MUST be understood and processed. It is used in the same way that crit is used for extension JWS header parameters that MUST be understood and processed. Its value is an array listing the policy language extensions present in the policy language statements that use those extensions. If any of the listed extension policy language extensions are not understood and supported by the recipient, then the Entity Statement is invalid. Producers MUST NOT include policy language names defined by this specification or names that do not occur in metadata policy statements in the Entity Statement in the metadata_policy_crit list. Producers MUST NOT use the empty array [] as the metadata_policy_crit value.
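As an added example (not part of this issue, the spec or any OpenID implementation), the following Python applies the quoted producer and recipient rules to a single Subordinate Statement, and also computes the union of critical extensions over a Trust Chain, which is the reading the reporter proposes in the comments. The `lte` operator, the sample statement and the set of supported extensions are constructed assumptions.

```python
# Operator names the OpenID Federation policy language itself defines; a producer
# MUST NOT list any of these in metadata_policy_crit.
STANDARD_OPERATORS = {"value", "add", "default", "one_of", "subset_of", "superset_of", "essential"}

def operators_used(metadata_policy):
    """Every operator name that occurs in a metadata_policy claim (entity type -> parameter -> operators)."""
    used = set()
    for params in metadata_policy.values():
        for operators in params.values():
            used.update(operators)
    return used

def check_metadata_policy_crit(statement, supported_extensions):
    """Return the reasons this Subordinate Statement is invalid (empty list means valid)."""
    problems = []
    crit = statement.get("metadata_policy_crit")
    if crit is None:                      # the claim is OPTIONAL
        return problems
    used = operators_used(statement.get("metadata_policy", {}))
    if crit == []:
        problems.append("metadata_policy_crit MUST NOT be the empty array")
    if set(crit) & STANDARD_OPERATORS:
        problems.append("metadata_policy_crit lists operators defined by the spec itself")
    if set(crit) - used:
        problems.append("metadata_policy_crit lists names that do not occur in the metadata_policy")
    if set(crit) - set(supported_extensions):
        problems.append("recipient does not understand a critical extension")
    return problems

def chain_critical_extensions(subordinate_statements):
    """Reporter's proposed reading: custom operators from every Subordinate Statement in the
    Trust Chain are added together, and the resulting set governs the resolved metadata_policy."""
    result = set()
    for s in subordinate_statements:
        result.update(s.get("metadata_policy_crit", []))
    return result

# Constructed sample Subordinate Statement using a hypothetical `lte` (less than or equal to) operator.
SAMPLE_STATEMENT = {
    "metadata_policy": {
        "openid_relying_party": {
            "response_types": {"subset_of": ["code"]},
            "default_max_age": {"lte": 3600},
        }
    },
    "metadata_policy_crit": ["lte"],
}
```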
Comments (6)
reporter Likewise, the metadata_policy_crit applies the way metadata_policy does. Custom operators defined in Subordinate Statements MUST get added; the resulting set is the one that MUST be used when processing the resolved metadata_policy. (discussed at F2F at TIIME 2024)
- changed milestone to Implementer's Draft
- changed status to open
reporter Proposed pull request to address this issue:
- changed status to resolved
In the definition of metadata_policy, we say:
We should likewise say: