openid / federation


`trust_mark_owners` and `trust_mark_issuers` with delegation #123

Open zachmann opened 1 month ago

zachmann commented 1 month ago

Section 7.3. "Validating a Trust Mark" contains the following paragraph:

If a Trust Mark issuer is issuing Trust Marks on behalf of a Trust Mark owner, then the Trust Anchor MUST publish the connection between the Trust Mark identifier and the corresponding Trust Mark issuer in the trust_mark_issuers claim. This signifies that the Trust Anchor has validated the Trust Mark owner and that the Trust Mark owner has delegated the right to issue Trust Marks with a designated Trust Mark identifier to a specified Trust Mark issuer.

I have my problems with this paragraph and want to have a discussion on it.

First of all I think it is placed weirdly in the "Validating a Trust Mark" section. While the information is also relevant for validation, it's more a requirement about what/when the TA has to publish certain claims.

Section 7.2. "Trust Mark Delegation" does talk about trust_mark_owners but not about trust_mark_issuers.

Also the claim description for trust_mark_owners and trust_mark_issuers in section 3 does not talk about a linkage between them. This is only the case in the quoted paragraph from section 7.3.

I see use-cases where a TA wants to have more control over who can issue a trust mark within their federation also in the case of delegation and limit the list of trust mark issuers down to a subset of what the trust mark owner delegated. However, I think there are equally valid use cases where the TA just wants to use a trust mark that is owned outside the federation, with various TMIs within the federation, and the TA does not want to list them all, because it wants to rely on the delegation.

Section 7.2. has the example of vehicle inspection as a reasoning for delegation. I think this is a very good example where the TA would publish the trust mark in the trust_mark_owners claim, but would not publish all the individual TMIs in the trust_mark_issuers, because then it would need to (periodically) ask the TMO who all the TMIs are.

TL;DR: I don't see the reason for having the requirement (MUST) to publish trust_mark_issuers in the case of a delegated trust mark, but I see use cases where this is not desired. Can we enable those cases, where the TA just wants to use a delegated trust mark and rely on the delegation from the TMO to the TMIs?

rohe commented 3 weeks ago

Presently, if there is no delegation involved, the TA publishes the list of trust mark ids it accepts in trust_mark_issuers, like this:

"trust_mark_issuers": {
  "ID1": [ "https://swamid.se" ]
}

If the TA doesn't know or care who issues trust marks with a specific ID it can say:

"trust_mark_issuers": {
  "ID1": []
}

Regarding delegation the order is turned around, so a delegation is expressed with the trust mark issuer's entity_id as key, like this:

"trust_mark_owners": {
  "https://swamid.se": {
    "sub": "DELEGATED_ID.1",
    "jwks": {
      "keys": [
        {
          "alg": "RS256",
          "e": "AQAB",
          "kid": "key1",
          "kty": "RSA",
          "n": "pnXBOusEANuug6ewezb9J_...",
          "use": "sig"
        }
      ]
    }
  }
}

That anyone can issue a delegated trust mark could then be expressed by using "*" instead of the trust mark issuer's entity_id, in which case you would get:

"trust_mark_owners": {
  "*": {
    "sub": "DELEGATED_ID.1",
    "jwks": {
      "keys": [
        {
          "alg": "RS256",
          "e": "AQAB",
          "kid": "key1",
          "kty": "RSA",
          "n": "pnXBOusEANuug6ewezb9J_...",
          "use": "sig"
        }
      ]
    }
  }
}

zachmann commented 3 weeks ago

Regarding delegation the order is turned around so a delegation is expressed, with the trust mark issuers entity_id as key, like this:

No, this is not correct. Still the trust mark id is used as the key, and the trust mark owner's issuer id is in "sub". The following is the example from figure 3 in the spec:

{
  "https://refeds.org/wp-content/uploads/2016/01/Sirtfi-1.0.pdf":
    {
      "sub": "https://refeds.org/sirtfi",
      "jwks" : {
        "keys": [
          {
            "alg": "RS256",
            "e": "AQAB",
            "kid": "key1",
            "kty": "RSA",
            "n": "pnXBOusEANuug6ewezb9J_...",
            "use": "sig"
          }
        ]
      }
    }
}

But that's not my point. My point is that the cited paragraph requires TAs, in the case of delegated trust marks, to publish a list of trust mark issuers in addition to having trust_mark_owners. I think this should not be a requirement.
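As an added example (not code from this issue or from the openid/federation repository), the check below applies the semantics the two comments above describe: an explicit trust_mark_issuers list restricts issuers, an empty list accepts any issuer, and an id listed in trust_mark_owners (figure 3 layout, trust mark id as key, owner in "sub") needs a verified delegation from that owner to the issuer; the require_issuer_list_for_delegated flag switches between the section 7.3 MUST and the relaxation asked for here. All entity ids and key values are constructed, and the delegation claim layout ("iss" = owner, "sub" = issuer) and the verify_delegation callback are assumptions, not something the spec text on this page defines.

```python
# Constructed Trust Anchor claims (all entity ids and key values are made up).
TA_CLAIMS = {
    "trust_mark_issuers": {
        "https://ta.example/tm/edu": ["https://idp.example"],  # explicit list
        "https://ta.example/tm/open": [],                      # any issuer
    },
    "trust_mark_owners": {
        # Figure 3 layout: trust mark id as key, owner entity id in "sub".
        "https://owner.example/tm/inspected": {
            "sub": "https://owner.example",
            "jwks": {"keys": [{"kty": "RSA", "kid": "key1", "n": "...", "e": "AQAB"}]},
        },
    },
}


def issuer_allowed(ta_claims, trust_mark_id, issuer, delegation=None,
                   require_issuer_list_for_delegated=True, verify_delegation=None):
    """Return (accepted, reason) for a trust mark with this id and issuer.

    delegation: parsed claims of the delegation JWT the trust mark carries;
    assumed to name the owner in "iss" and the issuer in "sub".
    verify_delegation(delegation, owner_jwks) -> bool: caller-supplied
    signature check (assumption); without it the delegation is unverified.
    """
    listed = ta_claims.get("trust_mark_issuers", {}).get(trust_mark_id)
    owner = ta_claims.get("trust_mark_owners", {}).get(trust_mark_id)

    if owner is not None:
        # Delegated trust mark: the issuer has to prove delegation from the owner.
        if delegation is None:
            return False, "delegated id but no delegation presented"
        if delegation.get("iss") != owner["sub"] or delegation.get("sub") != issuer:
            return False, "delegation does not link this owner to this issuer"
        if verify_delegation is None or not verify_delegation(delegation, owner["jwks"]):
            return False, "delegation signature not verified"
        if listed is None and require_issuer_list_for_delegated:
            # The section 7.3 MUST this issue questions: TA must also list issuers.
            return False, "TA publishes no trust_mark_issuers entry for delegated id"
        if listed:
            # TA narrows the issuers to a subset of what the owner delegated.
            return issuer in listed, "issuer restricted to TA-listed subset"
        return True, "accepted on the strength of the delegation"

    if listed is None:
        return False, "trust mark id unknown to this TA"
    if not listed:
        return True, "TA accepts any issuer for this id"
    return issuer in listed, "issuer checked against explicit list"
```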

selfissued commented 23 hours ago

I'm in the process of reworking the Trust Mark validation text in #153. Let's resolve this there. Can you please review it, @zachmann?