openid / federation


Trust Chain Selection During Registration Request Processing #85

Open SECtim opened 2 weeks ago

SECtim commented 2 weeks ago

Section 12.2.2.1 describes how an OP processes an RP's explicit client registration request.

Scenario to illustrate the problem

For the purpose of a simpler explanation, let's assume that RP sent an Entity Configuration (instead of a Trust Chain).

Now, in step 2, OP collects and validates several Trust Chains from RP to several TAs. Say, chain1 = [RP, Im1, TA1], chain2 = [RP, Im2, Im3, TA2], and chain3 = [RP, Im4, TA2] (all are valid).

If the OP finds more than one acceptable Trust Chain, it MUST choose one Trust Anchor from those chains as the one to proceed with.

Hence, OP selects TA2 to proceed with.

Trust Chain in step 6

Step 6 in Section 12.2.2.1 says:

The OP MUST assign an expiration time to the created registration. This time MUST NOT exceed the expiration time of the Trust Chain that the OP selected to process the request.

Which Trust Chain? OP never selected one, it just selected a Trust Anchor.

This can of course be fixed by requiring OP to select a Trust Chain instead of a Trust Anchor in step 2 (and adapting the text around trust_anchor_id in step 7 accordingly).

Trust Chain in step 7

The 2nd paragraph of step 7 says:

[...] The authority_hints claim MUST be set to the OP's Immediate Superior in the selected Trust Chain.

Which Trust Chain? Even assuming that OP selects a Trust Chain (instead of just a Trust Anchor) in step 2, this is still unclear - OP (or OP's immediate superior) may or may not be part of the chain selected in step 2 (say, OP selected chain3 - it does not contain OP). I.e., the set of possible Trust Chains from OP to the selected Trust Anchor TA2 is (can be) disjoint from the set of possible Trust Chains from RP to TA2, and Section 12.2.2.1 does not seem to mention that OP has to collect, validate, and select one of them.
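The following is an added illustration of the ambiguity raised above, not code from the openid/federation project. It models the three chains from the scenario (chain1 = [RP, Im1, TA1], chain2 = [RP, Im2, Im3, TA2], chain3 = [RP, Im4, TA2]) with constructed "exp" values, and shows that once only TA2 is selected, the registration lifetime that step 6 asks for is not determined, because the two chains to TA2 expire at different times. The chain selection policy (longest-lived chain, shortest chain as tie-break) is an assumption made for the example; the specification text quoted in the issue does not prescribe one.

```python
from dataclasses import dataclass
from typing import List, Optional, Set


@dataclass(frozen=True)
class EntityStatement:
    """One statement in a Trust Chain: its subject and its 'exp' claim (epoch seconds)."""
    sub: str
    exp: int


# A Trust Chain is ordered from the leaf (RP) up to the Trust Anchor.
TrustChain = List[EntityStatement]


def chain_trust_anchor(chain: TrustChain) -> str:
    """The Trust Anchor is the subject of the last statement in the chain."""
    return chain[-1].sub


def chain_expiration(chain: TrustChain) -> int:
    """A chain is valid only while every statement in it is valid,
    so the chain expires at the earliest 'exp' among its statements."""
    return min(stmt.exp for stmt in chain)


def expirations_for_trust_anchor(chains: List[TrustChain], trust_anchor: str) -> Set[int]:
    """All distinct expiration times among the valid chains ending in trust_anchor.
    More than one value means 'the selected Trust Chain' in step 6 is ambiguous
    if only a Trust Anchor was selected."""
    return {chain_expiration(c) for c in chains if chain_trust_anchor(c) == trust_anchor}


def select_chain(chains: List[TrustChain], trust_anchor: str) -> TrustChain:
    """Pick one chain to the chosen Trust Anchor.
    Policy (assumption for this example): prefer the chain that stays valid
    longest; among equals, prefer the shortest chain."""
    candidates = [c for c in chains if chain_trust_anchor(c) == trust_anchor]
    if not candidates:
        raise ValueError(f"no valid Trust Chain ends in {trust_anchor}")
    return max(candidates, key=lambda c: (chain_expiration(c), -len(c)))


def registration_expiration(selected_chain: TrustChain, requested_exp: Optional[int] = None) -> int:
    """Step 6: the registration lifetime MUST NOT exceed the selected chain's expiration."""
    limit = chain_expiration(selected_chain)
    return limit if requested_exp is None else min(requested_exp, limit)


# Constructed sample data mirroring the issue's scenario (exp values are made up).
NOW = 1_700_000_000
chain1: TrustChain = [
    EntityStatement("RP", NOW + 3600),
    EntityStatement("Im1", NOW + 7200),
    EntityStatement("TA1", NOW + 86400),
]
chain2: TrustChain = [
    EntityStatement("RP", NOW + 3600),
    EntityStatement("Im2", NOW + 1800),   # Im2's statement is the short-lived one
    EntityStatement("Im3", NOW + 7200),
    EntityStatement("TA2", NOW + 86400),
]
chain3: TrustChain = [
    EntityStatement("RP", NOW + 3600),
    EntityStatement("Im4", NOW + 5400),
    EntityStatement("TA2", NOW + 86400),
]
ALL_CHAINS = [chain1, chain2, chain3]


if __name__ == "__main__":
    # Selecting only TA2 leaves two different candidate lifetimes for the registration.
    print("expirations to TA2:", sorted(expirations_for_trust_anchor(ALL_CHAINS, "TA2")))
    chosen = select_chain(ALL_CHAINS, "TA2")
    print("selected chain:", [s.sub for s in chosen])
    print("registration exp:", registration_expiration(chosen, requested_exp=NOW + 86400))
```

Running it shows two distinct expirations for TA2 (from chain2 and chain3), so an OP that recorded only `trust_anchor_id` cannot apply step 6 without also having fixed which chain it selected.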

selfissued commented 2 weeks ago

This seems related to #7