...
- What does it mean to have a federation policy in OIDFed? https://openid.net/specs/openid-federation-1_0.html#name-federation-policy
HOMEWORK: read section 6 of the OIDFed spec above and bring your thoughts and ideas to the next meeting. You can also note these below:
| # | Questions |
|---|---|
| 1 | There is a signed JWKS endpoint (signed_jwks_uri) we might want to require, rather than just TLS on the normal JWKS endpoint. Maybe we want to require that? |
| 2 | |
| 3 | |
- Report on Slack conversation regarding registration and scopes.
...
Alex Stuart will share a Word document on proposals for technical checks that could be made to support scope usage.
What do we care about in terms of metadata registration:
- We care that the entity has some sort of (legal?) claim over the domains / scope that they publish - own or delegated control.
- We care that this information is changed in a managed way.
- We care that the entity has some sort of formalised relationship with the federation ("member").
- We care that the federation has taken some responsibility for the statements made.
This could form part of the Registration section in the policy, and then an MRPS can be more focused on HOW each federation might implement those checks.
ACTION: consider adding statements around these elements to technical profiles (both SAML and OpenID).
- Elements of the policy:
  - OpenID Technical Profile Mapping
  - Metadata Registration
  - Metadata Production (entity, not federation; everything is an entity). Are these simply statements around the entity statement: https://openid.net/specs/openid-federation-1_0.html#name-entity-statement?
  - Metadata Signing - are there any parameters we want to put on a signed JWT beyond the algorithm?
  - Participant requirements - out of scope; take up to metadata registration?
  - Mandatory entity requirements (mandatory trust marks?). Is this just part of registration?
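To make the "Metadata Signing" and "Metadata Production" questions concrete (and the signed_jwks_uri point in the table above), here is an added example, not code from the meeting or from any OIDFed implementation, of the checks a federation policy could mandate on an entity configuration JWS beyond the algorithm: the `typ` header value `entity-statement+jwt`, a `kid` that resolves to a key in the statement's own embedded `jwks`, `iss == sub` for a self-signed configuration, and an `exp` that has not passed. It builds a configuration with a freshly generated P-256 key and verifies it with the Go standard library only; the entity ID, key ID and lifetime are constructed sample values.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// Subset of an EC public JWK; enough for ES256 verification.
type JWK struct {
	Kty string `json:"kty"`
	Crv string `json:"crv"`
	Kid string `json:"kid"`
	X   string `json:"x"`
	Y   string `json:"y"`
}

type JWKS struct {
	Keys []JWK `json:"keys"`
}

// Subset of entity statement claims a policy check looks at.
type EntityStatement struct {
	Iss  string `json:"iss"`
	Sub  string `json:"sub"`
	Iat  int64  `json:"iat"`
	Exp  int64  `json:"exp"`
	JWKS JWKS   `json:"jwks"`
}

type jwsHeader struct {
	Alg string `json:"alg"`
	Typ string `json:"typ"`
	Kid string `json:"kid"`
}

var b64 = base64.RawURLEncoding

// pad32 left-pads a big-endian integer to the 32 bytes P-256 coordinates and ES256 r/s use.
func pad32(b []byte) []byte {
	out := make([]byte, 32)
	copy(out[32-len(b):], b)
	return out
}

// SignEntityConfiguration produces a self-signed entity configuration (iss == sub) as an ES256
// compact JWS whose embedded jwks contains the signing key's public half.
func SignEntityConfiguration(entityID, kid string, priv *ecdsa.PrivateKey, now time.Time) (string, error) {
	pub := priv.PublicKey
	key := JWK{Kty: "EC", Crv: "P-256", Kid: kid,
		X: b64.EncodeToString(pad32(pub.X.Bytes())), Y: b64.EncodeToString(pad32(pub.Y.Bytes()))}
	hdr, _ := json.Marshal(jwsHeader{Alg: "ES256", Typ: "entity-statement+jwt", Kid: kid})
	body, _ := json.Marshal(EntityStatement{Iss: entityID, Sub: entityID, Iat: now.Unix(),
		Exp: now.Add(24 * time.Hour).Unix(), JWKS: JWKS{Keys: []JWK{key}}})
	signingInput := b64.EncodeToString(hdr) + "." + b64.EncodeToString(body)
	digest := sha256.Sum256([]byte(signingInput))
	r, s, err := ecdsa.Sign(rand.Reader, priv, digest[:])
	if err != nil {
		return "", err
	}
	return signingInput + "." + b64.EncodeToString(append(pad32(r.Bytes()), pad32(s.Bytes())...)), nil
}

// VerifyEntityConfiguration applies the policy checks in a fixed order: header constraints first
// (so "alg":"none" or a foreign typ is rejected before any key is touched), then claims, then signature.
func VerifyEntityConfiguration(token string, now time.Time) (*EntityStatement, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("not a compact JWS")
	}
	rawHdr, err := b64.DecodeString(parts[0])
	if err != nil {
		return nil, err
	}
	var h jwsHeader
	if err := json.Unmarshal(rawHdr, &h); err != nil {
		return nil, err
	}
	if h.Alg != "ES256" { // the algorithm allow-list is the minimum any policy already states
		return nil, fmt.Errorf("alg %q not permitted by policy", h.Alg)
	}
	if h.Typ != "entity-statement+jwt" || h.Kid == "" {
		return nil, errors.New("policy requires typ=entity-statement+jwt and a kid header")
	}
	rawBody, err := b64.DecodeString(parts[1])
	if err != nil {
		return nil, err
	}
	var es EntityStatement
	if err := json.Unmarshal(rawBody, &es); err != nil {
		return nil, err
	}
	if es.Iss == "" || es.Iss != es.Sub {
		return nil, errors.New("entity configuration must be self-issued (iss == sub)")
	}
	if es.Exp == 0 || now.Unix() >= es.Exp {
		return nil, errors.New("entity configuration expired or has no exp")
	}
	// Self-signed: the verification key must come from the statement's own jwks, selected by kid.
	var key *JWK
	for i := range es.JWKS.Keys {
		if k := &es.JWKS.Keys[i]; k.Kid == h.Kid && k.Kty == "EC" && k.Crv == "P-256" {
			key = k
			break
		}
	}
	if key == nil {
		return nil, errors.New("kid not found in embedded jwks")
	}
	x, errX := b64.DecodeString(key.X)
	y, errY := b64.DecodeString(key.Y)
	sig, errS := b64.DecodeString(parts[2])
	if errX != nil || errY != nil || errS != nil || len(sig) != 64 {
		return nil, errors.New("malformed key coordinates or signature")
	}
	pub := &ecdsa.PublicKey{Curve: elliptic.P256(), X: new(big.Int).SetBytes(x), Y: new(big.Int).SetBytes(y)}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if !ecdsa.Verify(pub, digest[:], new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:])) {
		return nil, errors.New("signature does not verify under the embedded key")
	}
	return &es, nil
}

func main() {
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	now := time.Now()
	tok, _ := SignEntityConfiguration("https://op.example.org", "fed-key-1", priv, now) // constructed sample
	es, err := VerifyEntityConfiguration(tok, now)
	fmt.Println(es.Sub, err)
}
```

The same header and expiry checks apply to a signed_jwks_uri response, whose JWS carries a different `typ` and is verified with the entity's federation keys rather than a key embedded in its own payload; the point for the policy text is that each such constraint (typ, kid, exp, iss/sub) is a sentence the federation can require and a check a verifier can implement, independent of TLS on the fetch.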