Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Define entity_statement_signing_alg_values_supported metadata parameter #81

Open
wants to merge 4 commits into
base: main
Choose a base branch
from
Open

Define entity_statement_signing_alg_values_supported metadata parameter #81

wants to merge 4 commits into from

Conversation

selfissued
Copy link
Member

Fix #65

Cc: @Razumain

vdzhuvinov
vdzhuvinov requested changes Sep 9, 2024
View reviewed changes
openid-federation-1_0.xml
JSON array containing a list of the JWS signing algorithms
(<spanx style="verb">alg</spanx> values)
supported by the Entity to sign Entity Statements.
If omitted, the default value is <spanx style="verb">["RS256"]</spanx>.
Copy link
Collaborator

@vdzhuvinov vdzhuvinov Sep 9, 2024
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

On its own, the definition of this parameter is okay. However, having this parameter parameter defined would not be sufficient for the entities in a federation to be able to use a specific JWS algorithm when more than one is supported. People will ask - what do we do with this parameter? How do I get an ES signed with say ES256 when RS256 and ES256 are supported?

@peppelinux
Copy link
Member

Considering that this parameter would be at the end informational only, I approve it for the scopes proposed.

@vdzhuvinov
Copy link
Collaborator

Last time when we discussed this (and I was present), there were two solutions.

Both solutions have this metadata parameter, that lists the supported JWS algs for entity statements.

The difference is:

  1. Entities Statements can be signed with any of the supported JWS algs. There is no method to request the issue of an Entity Statement with a given JWS alg. This means consumers must be prepared to handle all JWS algs that are supported.

  2. Entity Statements are normally signed with a default JWS alg, but there is also the possibility to request a specific JWS alg using a query param like jws_alg=ES256. With that consumers have a mean to control the signature algorithm.

Solution 1 seems simpler, in terms of specification and API.

Solution 2 has the benefit that in multi anchored / lateral federations, where one of the federations supports additional JWS algs, but the algs still intersect (there is a commonly supported JWS alg, like RS256), consumers will be able to collect Entity Statements with an alg that they can work it. Otherwise they won't be able to do this.

@selfissued
Copy link
Member Author

As discussed on today's Federation editors' call, we would want actionable guidance on how and when to use this parameter before including this feature in the specification.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@vdzhuvinov vdzhuvinov vdzhuvinov requested changes

@peppelinux peppelinux peppelinux approved these changes

@ve7jtb ve7jtb Awaiting requested review from ve7jtb

@rohe rohe Awaiting requested review from rohe

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Entity statement signing algorithm
3 participants
@selfissued @peppelinux @vdzhuvinov