{"id":2597,"date":"2024-12-06T18:08:28","date_gmt":"2024-12-07T02:08:28","guid":{"rendered":"https:\/\/self-issued.info\/?p=2597"},"modified":"2024-12-06T18:08:28","modified_gmt":"2024-12-07T02:08:28","slug":"integrity-properties-for-federations","status":"publish","type":"post","link":"https:\/\/self-issued.info\/?p=2597","title":{"rendered":"Integrity Properties for Federations"},"content":{"rendered":"<p><span class=\"plain\"><img decoding=\"async\" align=\"right\" alt=\"OpenID logo\" src=\"http:\/\/self-issued.info\/images\/openid-logo.png\"><\/span>I&#8217;m writing to highly recommend the article &#8220;<a href=\"https:\/\/connect2id.com\/blog\/how-to-link-an-app-protocol-to-an-openid-federation-trust-layer\">How to link an application protocol to an OpenID Federation 1.0 trust layer<\/a>&#8221; by <a href=\"https:\/\/www.linkedin.com\/in\/vladimirdzhuvinov\/\">Vladimir Dzhuvinov<\/a>.  In it, he defines two kinds of integrity for Federations, and describes how to achieve them:<\/p>\n<ul>\n<li><b>Federation Integrity<\/b>, which is defined as:<\/li>\n<blockquote><p>\nThis ensures mutual trust between two entities is established always from a common trust anchor. Any resolved metadata and policies that govern the client application and the OpenID provider in a transaction will then fall under the rules of the same federation and thus will be aligned and consistent with one another.\n<\/p><\/blockquote>\n<li><b>Metadata Integrity<\/b>, which is defined as:<\/li>\n<blockquote><p>\nIt ensures the trust chains for an entity to a given trust anchor will invariably result in consistent metadata and policies. The natural way to achieve this is for the federation topology under a trust anchor to form a tree. 
Topologies that lead to multiple paths from a leaf entity to a trust anchor are to be avoided.\n<\/p><\/blockquote>\n<\/ul>\n<p>The article also explores how application protocols, such as <a href=\"https:\/\/openid.net\/connect\">OpenID Connect<\/a> or digital <a href=\"https:\/\/openid.net\/specs\/openid-federation-wallet-1_0.html\">wallet protocols<\/a>, can achieve those properties in practice (and when they do and don&#8217;t need to).<\/p>\n<p>Finally, I&#8217;ll note that, as a result of Vladimir&#8217;s and others&#8217; thinking about the topic, we just added a section on <a href=\"https:\/\/openid.net\/specs\/openid-federation-1_0-41.html#name-federation-topologies\">Federation Topologies<\/a> to the OpenID Federation specification, which provides concrete guidance on how to achieve Metadata Integrity.<\/p>\n<p>I&#8217;ll stop here so as not to repeat all the useful content in Vladimir&#8217;s article.  By all means, <a href=\"https:\/\/connect2id.com\/blog\/how-to-link-an-app-protocol-to-an-openid-federation-trust-layer\">give it a read<\/a>!<\/p>\n","protected":false},"excerpt":{"rendered":"<p>I&#8217;m writing to highly recommend the article &#8220;How to link an application protocol to an OpenID Federation 1.0 trust layer&#8221; by Vladimir Dzhuvinov. 
In it, he defines two kinds of integrity for Federations, and describes how to achieve them: Federation Integrity, which is defined as: This ensures mutual trust between two entities is established always [&hellip;]<\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[7,14,13,25],"tags":[],"class_list":["post-2597","post","type-post","status-publish","format-standard","hentry","category-federation","category-openid","category-people","category-specifications"],"_links":{"self":[{"href":"https:\/\/self-issued.info\/index.php?rest_route=\/wp\/v2\/posts\/2597","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/self-issued.info\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/self-issued.info\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/self-issued.info\/index.php?rest_route=\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"https:\/\/self-issued.info\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=2597"}],"version-history":[{"count":4,"href":"https:\/\/self-issued.info\/index.php?rest_route=\/wp\/v2\/posts\/2597\/revisions"}],"predecessor-version":[{"id":2601,"href":"https:\/\/self-issued.info\/index.php?rest_route=\/wp\/v2\/posts\/2597\/revisions\/2601"}],"wp:attachment":[{"href":"https:\/\/self-issued.info\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=2597"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/self-issued.info\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=2597"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/self-issued.info\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=2597"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}