1. OpenID Foundation Avatar OpenID Foundation
  2. WGs
  3. fapi
  4. Issues

Bring fapi1-adv request object signing requirements into fapi2-adv

Issue #488 resolved
Joseph Heenan created an issue

fapi1-adv has a few clauses around request object nbf/exp that should be pulled across to fapi2-adv in order to provide “non-repudiation” (or at least to narrow the time a request was signed down to a narrower window and prevent the creation of request objects with unreasonably long lifetimes).

Comments (9)

  2. Filip Skokan

    Non-repudiation is already given through the use of private key utilizing digital signatures. IIRC Nbf/Exp in Fapi1-adv was required to limit replayability since the request object was sent in the front channel.

    In FAPI 2.0 Adv. the signed request object is only sent to the PAR endpoint in a client-authenticated request which seems to not require such treatment.

    I guess it wouldn’t hurt but is there justification for it? Let’s not lose track of why these measures were added in the first place.

  3. Joseph Heenan reporter

    Non-repudiation is already given through the use of private key utilizing digital signatures.

    I may have got entirely the wrong end of the stick, but I thought the non-repudiation needed to include some element of when the message was signed, and a bog standard JAR request object doesn’t have that.

  4. Filip Skokan

    FYI I am likewise outside of my comfort zone here. The signer cannot refute they are the ones who signed the request object, or rather that their private key was used to do so. A claim present in the signed assertion does not guarantee it reflects an honest value anyway and so IMHO adds nothing to non-repudiation itself?

  5. Joseph Heenan reporter

    I agree that it does not guarantee that, but as/if the server rejects objects where nbf/exp are not close to the current time, it gives you some sort of proof of at least when the sender intended to sign the message. It’s not cast iron, but it’s something. Whether it’s useful enough I don’t know, but e.g. I’m presuming there’s similar logic behind why the signed introspection responses draft requires iat.

  6. Joseph Heenan reporter
    • changed status to open

    Discussed on today's call.

    There is some question mark over the exact meaning of non-repudiation. The general feeling on the call was probably that we do need some element of time in the message for non-repudiation purposes.

    Dave suggested we should write a bit of text to explain what use cases we intend the 'non-repudiation' to cover.

  7. Filip Skokan

    Furthermore we’ve agreed to move ahead with PR #320 while we still clear out this issue to avoid us having to question this topic in the future.

  10. Log in to comment
Assignee
Type
bug
Priority
major
Status
resolved
Component
FAPI2: Message Signing
Milestone
Votes
0
Watchers
1
Jira: the preferred issue tracker for Bitbucket. Join the team!