...
OpenID Federation provides a number of elements that can be used to describe the trust properties of Entities. These include the Entity Configuration, Subordinate Statements and Trust Marks. A core assumption of the OpenID Federation specification is that evaluating these statements yields a description of the trust between an Entity, possibly one or more Intermediates, and a Trust Anchor (TA), as expressed in the Trust Chain. The Trust Anchor may publicly express the policies it applies to its Subordinates in the form of a Federation Policy.
While all of the aforementioned elements are publicly discoverable via the Entity Configuration or by querying the available Federation endpoints, there are several policy aspects that are NOT defined in the specification:
- Federation membership eligibility: the criteria that determine whether and how Entities (or rather, the organizations operating them) may become members of a given federation are out of scope for the OpenID Federation specification. Eligibility is typically a mix of technical requirements, some of which may be expressible in the Entity Configuration, and organizational rules (e.g. "must be an educational institution recognized by the Ministry of Education"), some of which may also be expressed in the Entity Configuration, e.g. by means of Trust Marks. It is equally possible, however, that the TA applies additional "internal" rules when assessing eligibility.
- Trust Mark eligibility: the Trust Mark Issuer decides the eligibility criteria for its Trust Marks. Again, these criteria may be purely internal to the Issuer.
- No right to service: while a TA may be capable of building a Trust Chain, it is not obliged to do so for everyone who asks. The specification already suggests authentication mechanisms that may be required at the Federation endpoints, and other authorization (e.g. IP-based) may be in place as well. The same limitation applies to Trust Mark Issuers and Trust Mark Owners.
- Federation hierarchy: the hierarchy of the federation may be such that certain Trust Paths cannot be walked at all, e.g. because the superiors an Entity points to never lead to the Trust Anchor a given party relies on.
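To make the Trust Chain walk and the last two points concrete, here is a toy resolver. It is an added illustration, not code from the OpenID Federation specification or any implementation of it: the entity identifiers are constructed, the statements are plain dicts rather than signed JWTs (so the JWS signature verification a real resolver performs on every statement is omitted), and the fetch-endpoint access list `FETCH_ACL` is a hypothetical stand-in for whatever authorization a superior applies before serving a Subordinate Statement.

```python
NOW = 1_700_000_000                   # fixed clock so the run is deterministic
TA = "https://ta.example"             # constructed sample Entities, not real hosts
OTHER_TA = "https://other-ta.example"
INT = "https://intermediate.example"
RP = "https://rp.example"
ORPHAN = "https://orphan.example"
STALE = "https://stale.example"
BLOCKED = "https://blocked.example"
AUDITOR = "https://auditor.example"

def statement(iss, sub, authority_hints=(), lifetime=3600, issued=NOW):
    """Minimal Entity Statement payload; authority_hints only belongs in an
    Entity Configuration (iss == sub)."""
    st = {"iss": iss, "sub": sub, "iat": issued, "exp": issued + lifetime}
    if iss == sub:
        st["authority_hints"] = list(authority_hints)
    return st

# Entity Configurations: self-issued, published by every Entity.
ENTITY_CONFIGURATIONS = {
    TA: statement(TA, TA),
    OTHER_TA: statement(OTHER_TA, OTHER_TA),
    INT: statement(INT, INT, [TA]),
    RP: statement(RP, RP, [INT]),
    ORPHAN: statement(ORPHAN, ORPHAN, [OTHER_TA]),   # hangs under a TA we do not trust
    STALE: statement(STALE, STALE, [INT]),
    BLOCKED: statement(BLOCKED, BLOCKED, [INT]),
}

# Subordinate Statements as served by each superior's fetch endpoint.
SUBORDINATE_STATEMENTS = {
    (TA, INT): statement(TA, INT),
    (OTHER_TA, ORPHAN): statement(OTHER_TA, ORPHAN),
    (INT, RP): statement(INT, RP),
    (INT, BLOCKED): statement(INT, BLOCKED),
    (INT, STALE): statement(INT, STALE, lifetime=600, issued=NOW - 7200),  # expired
}

# "No right to service": the Intermediate serves its statement about BLOCKED
# to one privileged requester only (hypothetical ACL; a deployment might key
# this on client authentication or source IP instead).
FETCH_ACL = {(INT, BLOCKED): {AUDITOR}}

class ChainError(Exception):
    """No valid Trust Chain could be built."""

def fetch_entity_configuration(entity_id):
    if entity_id not in ENTITY_CONFIGURATIONS:
        raise ChainError(f"no Entity Configuration for {entity_id}")
    return ENTITY_CONFIGURATIONS[entity_id]

def fetch_subordinate_statement(issuer, subject, requester):
    allowed = FETCH_ACL.get((issuer, subject))
    if allowed is not None and requester not in allowed:
        raise ChainError(f"{issuer} refuses to serve a statement about {subject} to {requester}")
    if (issuer, subject) not in SUBORDINATE_STATEMENTS:
        raise ChainError(f"{issuer} has no Subordinate Statement about {subject}")
    return SUBORDINATE_STATEMENTS[(issuer, subject)]

def check_statement(st, issuer, subject, now):
    # Claim checks for one statement; a real resolver also verifies the JWS
    # signature against the issuer's published keys here.
    if st["iss"] != issuer or st["sub"] != subject:
        raise ChainError(f"iss/sub mismatch in statement {issuer} -> {subject}")
    if not st["iat"] <= now < st["exp"]:
        raise ChainError(f"statement {issuer} -> {subject} not valid at {now}")

def resolve_trust_chain(leaf, trusted_anchors, requester, now=NOW, max_depth=5):
    """Trust Chain for `leaf`: its Entity Configuration, one Subordinate
    Statement per hop, then the Trust Anchor's Entity Configuration."""
    leaf_config = fetch_entity_configuration(leaf)
    check_statement(leaf_config, leaf, leaf, now)
    if leaf in trusted_anchors:
        return [leaf_config]
    return [leaf_config] + _walk_up(leaf_config, trusted_anchors, requester, now, max_depth)

def _walk_up(config, trusted_anchors, requester, now, depth):
    entity = config["sub"]
    if depth == 0:
        raise ChainError(f"maximum chain length reached at {entity}")
    dead_ends = []
    for superior in config.get("authority_hints", []):
        try:
            sup_config = fetch_entity_configuration(superior)   # real resolvers read the fetch endpoint from it
            check_statement(sup_config, superior, superior, now)
            sub_st = fetch_subordinate_statement(superior, entity, requester)
            check_statement(sub_st, superior, entity, now)
            if superior in trusted_anchors:
                return [sub_st, sup_config]
            return [sub_st] + _walk_up(sup_config, trusted_anchors, requester, now, depth - 1)
        except ChainError as err:
            dead_ends.append(str(err))   # try the next authority hint, remember why this one failed
    raise ChainError(f"no trusted path from {entity}: " + ("; ".join(dead_ends) or "no authority_hints"))

def resolution_outcome(leaf, requester, trusted_anchors=frozenset({TA}), now=NOW):
    """("ok", [(iss, sub), ...]) or ("failed", reason); convenient for logging."""
    try:
        chain = resolve_trust_chain(leaf, trusted_anchors, requester, now)
        return "ok", [(st["iss"], st["sub"]) for st in chain]
    except ChainError as err:
        return "failed", str(err)
```

Calling `resolution_outcome` for each leaf shows the four situations side by side: rp.example resolves to a chain of leaf Entity Configuration, two Subordinate Statements and the TA's Entity Configuration; blocked.example fails or succeeds depending on who is asking (no right to service); stale.example fails on an expired Subordinate Statement; and orphan.example fails because its only superior never leads to the TA this resolver trusts (federation hierarchy). Every dead end is kept in the error text, which is what an operator needs when debugging why a chain could not be built.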
...