Explicit registration and trust anchor usage #215

Description

@zachmann

So far I have mostly ignored explicit registration; when I read a bit more about it in the spec, I stumbled upon some things, mostly related to the trust anchors used:

  • The spec requires that a common trust anchor is used, e.g. in 12.2.1 Point 1 and 12.2.5 Point 3.
    • For automatic registration we do not have this requirement. The only requirement is that both the OP and the RP can resolve a trust chain from the other entity to a trust anchor they trust; this does not need to be the same trust anchor, and it also does not need to be a trust anchor for the other party.
    • Is this an intended restriction of explicit registration, or can it be changed to be in line with automatic registration?
  • Partly related: In 12.2.1 Point 1 the spec says: "Once the RP has determined a set of Trust Anchors it has in common with the OP".
    However, the spec does not mention how the RP can determine a set of TAs it has in common with the OP. This is because the spec also does not provide such a way. This would require that entities publish their trust anchors in their entity configuration, as has previously been suggested, e.g. through a `ta_hints` claim. In my opinion, if we require that a common TA must be used, we must provide means by which entities can determine common TAs.

For an additional comment that also involves trust anchors, see my comment in #87
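To make the difference between the two requirements raised above concrete, here is a small added model (not code from the issue author, the spec or any implementation) of trust-chain resolution over a constructed federation: automatic registration checks each side's chain independently, while the common-Trust-Anchor requirement of explicit registration needs knowledge of the other party's trusted anchors. The hypothetical entity names, the `AUTHORITY_HINTS` graph and the trust sets are all constructed; signature verification and entity statement fetching are left out.

```python
"""Toy model of trust-chain resolution in an OpenID Federation-style setup.
The federation below is constructed sample data, not a real deployment."""

# Constructed federation: entity -> authority_hints (superiors that issue
# subordinate statements about it). Trust anchors have no superiors.
AUTHORITY_HINTS = {
    "https://rp.example": ["https://edu-fed.example", "https://research-fed.example"],
    "https://op.example": ["https://research-fed.example", "https://health-fed.example"],
    "https://edu-fed.example": [],
    "https://research-fed.example": [],
    "https://health-fed.example": [],
}


def reachable_trust_anchors(entity, trusted_anchors, hints=AUTHORITY_HINTS):
    """Walk authority_hints upward from `entity` and return those of
    `trusted_anchors` to which a trust chain can be resolved (cycle-safe)."""
    found, seen, stack = set(), set(), [entity]
    while stack:
        node = stack.pop()
        if node in seen:
            continue
        seen.add(node)
        if node in trusted_anchors:
            found.add(node)
        stack.extend(hints.get(node, []))
    return found


def automatic_registration_ok(rp, rp_trusts, op, op_trusts):
    """Automatic registration: each party only needs a chain from the *other*
    entity to one of its *own* trusted anchors. No common anchor is required,
    and neither side needs to know what the other trusts."""
    rp_validates_op = bool(reachable_trust_anchors(op, rp_trusts))
    op_validates_rp = bool(reachable_trust_anchors(rp, op_trusts))
    return rp_validates_op and op_validates_rp


def explicit_registration_common_anchors(rp, rp_trusts, op, op_trusts):
    """Explicit registration as the issue reads 12.2.1 / 12.2.5: anchors that
    both parties trust and to which both entities can resolve a chain.
    Note the function needs `op_trusts` as input; an RP that only has the
    OP's entity configuration has no standard way to obtain this set."""
    return (reachable_trust_anchors(op, rp_trusts)
            & reachable_trust_anchors(rp, op_trusts))
```

With the RP trusting only `health-fed` and the OP trusting only `edu-fed`, automatic registration succeeds (each can resolve a chain for the other) while the set of common anchors is empty, which is exactly the gap the issue describes.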
