-
Notifications
You must be signed in to change notification settings - Fork 23
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Automatic X.509 certificate issuance and publication using Federation API #509
Comments
This approaches enables:
|
This would require every participants issuing X.509 certificates about itself, to provide X.509 certificates revocations (CRL) and any other certificate transparency endpoints. |
Am I correct to assume that this is an attempt to get around the requirements in the implementing acts enforcing entities to be represented by a certificate? I don't think this will do it, as each issuer must be a trustworthy CA. My thinking along these lines is that we would setup one CA that issues certificates to all entities that needs a certificate according to the regulation. This will only require one certificate in the trusted list (The one CA:s certificate). I think this will satisfy the requirements and allows participants to choose what trust infrastructure they want to use. But I may have completely missed the reason for this proposal. But making every entity a CA seems like a lot of overhead. |
this is the solution allowing an automatic issuance of X.509 certificates, required for legacy applications, using the trust established using federation.
using the proposed solution each federation entity is free to issue a signed statement, therefore an X.509 certificate, about itself because this is verifiable using a trust chain about it. This is the same approach we use for the Entity Configurations.
this doesn't scale, it is problematic thinking about a PKI without intermediaries. For this level of awareness I might leave to you the floor as the author of RFC5280
the reasons are:
|
Thank you. I still struggle to understand the use-case. I feel that I got invited in the middle of a conversation where I don't understand the problem at hand. My understanding of the current situation is that we all want to use OpenID federation. When you use that, no certificates are needed. The trust in each entity certificate is provided by signed Entity Statements. I'm not fully sure what you mean by "Legacy applications here". In the context of wallets I'm not sure what that is. But if I would interpret that as an application that is not using OpenID federation, and expects a certificate to represent an entity that they can validate using Trusted List instead, then my thinking applies. An application that is not using OpenID federation will have a hard time validating chains according to your proposal, and it creates a huge number of entities that have to be acting as a CA. This makes me believe that your use-case is something else. If you elaborate, then perhaps I can provide more relevant thoughts. |
@Razumain the CA is still and always the trust anchor. Every entity that issues a certificate must exposes the required and typical resources about X.509 for revocation checks. entities such as federation leaves that issues certificates are not CA, but intermediates for the issuance of certificates about themselves, using an appropriate naming constraint. Naming constraints used by immediate superiors within the certificates issued to the leaf that issues certificates only about itself
To revoke a leaf's certificate the Intermediate revokes the certificate about the leaf, invalidating the entire chain. This is the |
Alternative method of issuance if also this: https://peppelinux.github.io/draft-demarco-acme-openid-federation/draft-demarco-acme-openid-federation.html |
According to @fmarino-ipzs 's perspective, the most smart proposal appears to be the following below:
During the entity registration (onboarding procedure) we issue one X.509 certificate for all the Federation Entity Keys, providing therefore one or more JWK including the
x5c
parameter valued with the X.509 Certificates in Base64(DER) format.The application specific jwks, included in each application specific metadata, would be self-issued by leafs using the private cryptographic key of one of the Federation Entity Keys with
x5c
.This approach makes every leaf as an X.509 certificate issuer about itself.
Below an X.509 Certificate Chain example:
The text was updated successfully, but these errors were encountered: