[Federation] Adjust "constraints" claim requirements for Subordinate Statements and Entity Configurations

Issue #2141 new
Vladimir Dzhuvinov created an issue

To guarantee that the “constraints” claim can be picked up and observed, whenever a Trust Anchor or an Intermediate Authority has defined one, it must place it in the Subordinate Statement. If it’s placed in an Entity Configuration the “constraints” will not get picked up in trust_chain params because they contain only Subordinate Statements (and the TA EC at the end of the chain is optional).

The current spec doesn’t clarify this, which can lead to the “constraints” not being “seen”. Current implementers, to ensure the “constraints” don’t get missed, must fetch the EC.

https://openid.bitbucket.io/connect/openid-federation-1_0.html#name-constraints

I suspect when the trust_chain got introduced this particular section was not updated and hence the spec was left with this discrepancy.
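As an added illustration of the resolver-side behaviour described above (not code from the issue, the spec or any implementation), the following Python models a resolver that reads only the Subordinate Statements in a trust chain and shows that a "constraints" claim left in a superior's Entity Configuration is never applied. Statements are decoded claim dicts, the chain is Leaf EC first followed by Subordinate Statements, the claim names max_path_length and naming_constraints (permitted/excluded entity-ID prefixes) are assumed from the spec's constraints claim, and every entity ID is constructed.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class EntityStatement:
    # Decoded claims of an Entity Statement JWT; signature checks assumed done.
    iss: str
    sub: str
    constraints: Optional[dict] = None

    def is_subordinate_statement(self) -> bool:
        # Entity Configurations are self-issued (iss == sub); anything else is
        # a Subordinate Statement issued by a superior about `sub`.
        return self.iss != self.sub


def collect_constraints(trust_chain):
    """Constraints visible to a resolver that only inspects the Subordinate
    Statements of trust_chain. Returns (issuer, constraints, intermediates_below)."""
    found, intermediates_below = [], 0
    for st in trust_chain:
        if not st.is_subordinate_statement():
            continue  # an EC, even when present at the end, is never consulted
        if st.constraints:
            found.append((st.iss, st.constraints, intermediates_below))
        intermediates_below += 1  # this issuer is an Intermediate for those above it
    return found


def check_leaf(trust_chain):
    """Apply max_path_length and naming_constraints (assumed claim names) to the Leaf."""
    leaf, problems = trust_chain[0].sub, []
    for issuer, c, below in collect_constraints(trust_chain):
        if "max_path_length" in c and below > c["max_path_length"]:
            problems.append(f"{issuer}: path length {below} > {c['max_path_length']}")
        naming = c.get("naming_constraints", {})
        if naming.get("permitted") and not any(leaf.startswith(p) for p in naming["permitted"]):
            problems.append(f"{issuer}: {leaf} not in permitted names")
        if any(leaf.startswith(p) for p in naming.get("excluded", [])):
            problems.append(f"{issuer}: {leaf} excluded by name")
    return problems


# Constructed example: TA -> Intermediate -> Leaf (all entity IDs are made up).
TA, INT, LEAF = "https://ta.example", "https://int.example", "https://rp.other.example"
RULES = {"max_path_length": 0, "naming_constraints": {"permitted": ["https://rp.example"]}}
leaf_ec, int_about_leaf = EntityStatement(LEAF, LEAF), EntityStatement(INT, LEAF)
ta_ec = EntityStatement(TA, TA, constraints=RULES)                # constraints in TA EC only
chain_ss = [leaf_ec, int_about_leaf, EntityStatement(TA, INT, constraints=RULES)]
chain_ec_only = [leaf_ec, int_about_leaf, EntityStatement(TA, INT)]  # TA kept them in its EC
```

`check_leaf(chain_ss)` reports both violations, while `check_leaf(chain_ec_only)` and even `check_leaf(chain_ec_only + [ta_ec])` report none, because the constraints never appear in a Subordinate Statement.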
