Issue when building an entity chain from entity to trust anchor when entity is trusted by multiple intermediates

Issue #2144 closed
Michael Fraser created an issue

In the below example, we have a set of entities that are both trusted and can have entities issued for by the Banking Authority and the Insurance Authority. In this scenario, the banking authority will issue a metadata policy dictating what is allowed/needed to act as a bank and the insurance provider will do the same providing what's required to act as an insurance provider.

The concern arises when an entity wishes to produce a statement when it's acting as both. Currently, the spec requires two chains to be built either manually or through the use of the resolve endpoint and then manually combined to produce the final entity statement.

How should this be best addressed/communicated?

Comments (6)

  1. Michael Jones

    There’s nothing preventing implementations from building multiple trust chains in parallel, potentially ending at multiple mutually trusted trust anchors. At most, we might want to relax the language about choices made while following authority hints to explicitly say that multiple options can be explored if desired.

    Would that do the job?

  2. Roland Hedberg

    I think the key point in your description is “acting as both”.

    It’s easy to verify that an entity is both a bank and an insurance provider but that is not the same as proving that it is acting as both.

    Right?

  3. Michael Fraser reporter

    Yes, the key point is, as you say, when an entity is acting as both. As you both pointed out above, we can have the two chains built and then combined after the fact if a desired “insurance AND banking” statement is to be produced. Though to do this the chains must be constructed manually.

    Another point though, and I’m not sure if it fully qualifies as a hole, but, in the above scenario, if an entity were to use a resolve endpoint to construct a chain between any of the entities and the trust anchor, there isn’t a way in the resolve endpoint to specify which path the chain would be produced for. I.e. one implementation may go via the banking authority intermediate and another would go via the insurance authority intermediate; both would produce different entity statements as a result.
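To make the scenario in comments 1 and 3 concrete, here is an added example (not code from the issue, the spec or any implementation) that follows authority_hints from a leaf and enumerates every chain that ends at a trusted anchor, then shows that narrowing by trust anchor alone still leaves both the banking and the insurance path. The federation graph, entity identifiers and the `build_trust_chains` / `chains_to_anchor` helpers are constructed for this example; signature verification and entity-configuration fetching are omitted.

```python
from typing import Dict, List, Set

# Constructed federation graph for the issue's scenario: each entity maps to
# the authority_hints in its entity configuration (the entities that issue
# subordinate statements about it). The leaf is trusted by two intermediates
# that both chain up to one trust anchor.
AUTHORITY_HINTS: Dict[str, List[str]] = {
    "https://acme.example": [
        "https://banking-authority.example",
        "https://insurance-authority.example",
    ],
    "https://banking-authority.example": ["https://trust-anchor.example"],
    "https://insurance-authority.example": ["https://trust-anchor.example"],
    "https://trust-anchor.example": [],
    "https://orphan.example": [],  # no hints: cannot reach any anchor
}

TRUSTED_ANCHORS: Set[str] = {"https://trust-anchor.example"}


def build_trust_chains(entity_id: str, hints: Dict[str, List[str]],
                       trusted_anchors: Set[str], max_depth: int = 10) -> List[List[str]]:
    """Return every chain (leaf ... anchor) reachable via authority_hints.

    Depth-first search that explores all hints in parallel rather than
    stopping at the first anchor found; cycles and over-long paths are skipped.
    """
    chains: List[List[str]] = []

    def walk(path: List[str]) -> None:
        current = path[-1]
        if current in trusted_anchors:
            chains.append(list(path))
            return
        if len(path) >= max_depth:
            return
        for authority in hints.get(current, []):
            if authority in path:  # cycle guard
                continue
            walk(path + [authority])

    walk([entity_id])
    return chains


def chains_to_anchor(chains: List[List[str]], trust_anchor: str) -> List[List[str]]:
    """Filter chains by their anchor only, as a resolver given just the
    subject and trust anchor could; the intermediate path stays ambiguous."""
    return [chain for chain in chains if chain[-1] == trust_anchor]
```

Running `build_trust_chains("https://acme.example", AUTHORITY_HINTS, TRUSTED_ANCHORS)` yields two chains that differ only in the intermediate, and `chains_to_anchor` keeps both, which is the ambiguity comment 3 describes.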

  4. Ralph Bragg

    All, please note that there are very large banking groups that do a lot of international settlements that are looking at exactly this challenge. Cross border open banking. There are also ecosystems domestically with multiple federations / regulators where attributes (scopes, claims etc.) are authorised and granted by different federation controllers to the same relying party. Solving this problem or somehow indicating that the trust chains / anchors need to be completely resolved along all trees is a requirement that we have now, so I’m keen to see this problem resolved within this WG rather than having ecosystems come up with fragmented profiles of federation to meet this need.