Adjusts the allowed operator combinations (issue openid#11)
vdzhuvinov committed Jan 15, 2025
1 parent c8da015 commit 273fdb2
Showing 1 changed file with 76 additions and 37 deletions.
113 changes: 76 additions & 37 deletions openid-federation-1_0.xml
Expand Up @@ -365,15 +365,15 @@
<t hangText="Trust Mark">
Statement of conformance to a
well-scoped set of trust and/or interoperability requirements
as determined by an accreditation authority.
as determined by an accreditation authority.
Each Trust Mark has a Trust Mark identifier.
</t>
<t hangText="Trust Mark Issuer">
A Federation Entity that issues Trust Marks.
</t>
<t hangText="Trust Mark Owner">
An Entity that owns the right to a Trust Mark identifier.
</t>
An Entity that owns the right to a Trust Mark identifier.
</t>
<t hangText="Federation Entity Keys">
Keys used for the cryptographic signatures required by
the trust mechanisms defined in this specification.
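Review bot: the changed line pairs in this hunk ("as determined by an accreditation authority." and "An Entity that owns the right to a Trust Mark identifier.") read identically in the rendered view, so this looks like a whitespace-only edit, and the same pattern recurs in several later hunks of this commit (the RFC8259 sentence, the essential merge sentence, the trust-mark+jwt line, the denial-of-service sentence). Mixing whitespace cleanup into a commit whose substance is a change to the operator-combination rules makes the functional diff harder to review; consider moving the whitespace changes to a separate commit.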
Expand Down Expand Up @@ -2042,9 +2042,9 @@
<spanx style="verb">null</spanx> value.
</t>
<t>
Metadata parameters and policies that conform to the JSON
Metadata parameters and policies that conform to the JSON
grammar but do not represent interoperable uses of JSON,
as per Sections 4 and 8 of <xref target="RFC8259"/>,
as per Sections 4 and 8 of <xref target="RFC8259"/>,
can cause unpredictable behavior.
</t>

Expand Down Expand Up @@ -2086,6 +2086,32 @@
<t>
Combination with other operators in a metadata parameter policy:
<list style="symbols">
<t>
MAY be combined with <spanx style="verb">add</spanx>,
in which case the values of <spanx style="verb">add</spanx>
MUST be a subset of the values of
<spanx style="verb">value</spanx>.
</t>
<t>
MAY be combined with <spanx style="verb">default</spanx>.
</t>
<t>
MAY be combined with <spanx style="verb">one_of</spanx>,
in which case the value of <spanx style="verb">value</spanx>
MUST be among the <spanx style="verb">one_of</spanx> values.
</t>
<t>
MAY be combined with <spanx style="verb">subset_of</spanx>,
in which case the values of <spanx style="verb">value</spanx>
MUST be a subset of the values of
<spanx style="verb">subset_of</spanx>.
</t>
<t>
MAY be combined with <spanx style="verb">superset_of</spanx>,
in which case the values of <spanx style="verb">value</spanx>
MUST be a superset of the values of
<spanx style="verb">superset_of</spanx>.
</t>
<t>
MAY be combined with <spanx style="verb">essential</spanx>.
</t>
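Review bot: the new add, subset_of and superset_of bullets speak of "the values of value" (plural), implying an array-valued operand for value, while the one_of bullet says "the value of value" (singular). The hunk does not say what a policy checker does when value carries a non-array operand and is combined with subset_of or superset_of; consider adding a sentence stating whether that combination is a policy error, so independent implementations reject or accept the same policies. It would also help to state the consequence when one of the stated MUST conditions fails (for example, that the metadata policy is invalid and resolution fails), since the bullets only say the condition MUST hold.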
Expand Down Expand Up @@ -2136,6 +2162,12 @@
<t>
Combination with other operators in a metadata parameter policy:
<list style="symbols">
<t>
MAY be combined with <spanx style="verb">value</spanx>,
in which case the values of <spanx style="verb">add</spanx>
MUST be a subset of the values of
<spanx style="verb">value</spanx>.
</t>
<t>
MAY be combined with <spanx style="verb">default</spanx>.
</t>
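Review bot: the condition here ("the values of add MUST be a subset of the values of value") mirrors the add bullet introduced in the value section by this same commit, so the two sections agree. What is missing is the consequence for the reader: since every add value must already be among the value values, an implementer will ask what add contributes in this combination. A short note that the condition exists to keep the policy self-consistent, rather than to let add extend value, would pre-empt that question.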
Expand All @@ -2146,10 +2178,7 @@
<spanx style="verb">subset_of</spanx>.
</t>
<t>
MAY be combined with <spanx style="verb">superset_of</spanx>,
in which case the values of <spanx style="verb">add</spanx>
MUST be a superset of the values of
<spanx style="verb">superset_of</spanx>.
MAY be combined with <spanx style="verb">superset_of</spanx>.
</t>
<t>
MAY be combined with <spanx style="verb">essential</spanx>.
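Review bot: dropping the condition on add + superset_of ("the values of add MUST be a superset of the values of superset_of") while keeping the condition on add + subset_of in the unchanged context just above ("MUST be a subset of the values of subset_of") creates an asymmetry whose reason the reader has to infer. The mirror bullet in the superset_of section of this commit also reads "MAY be combined with add" without a condition, so the two sections are consistent; a sentence explaining why the superset_of check is not needed for add (and therefore why only the subset_of check remains) would help implementers, and the changelog entry listing add + superset_of as unconditional should match that explanation.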
Expand Down Expand Up @@ -2194,25 +2223,20 @@
<t>
Combination with other operators in a metadata parameter policy:
<list style="symbols">
<t>
MAY be combined with <spanx style="verb">value</spanx>.
</t>
<t>
MAY be combined with <spanx style="verb">add</spanx>.
</t>
<t>
MAY be combined with <spanx style="verb">one_of</spanx>, in
which case the <spanx style="verb">default</spanx> value
MUST be among the <spanx style="verb">one_of</spanx> values.
MAY be combined with <spanx style="verb">one_of</spanx>.
</t>
<t>
MAY be combined with <spanx style="verb">subset_of</spanx>,
in which case the <spanx style="verb">default</spanx> values
MUST be a subset of the <spanx style="verb">subset_of</spanx>
values.
MAY be combined with <spanx style="verb">subset_of</spanx>.
</t>
<t>
MAY be combined with <spanx style="verb">superset_of</spanx>,
in which case the <spanx style="verb">default</spanx> values
MUST be a superset of the
<spanx style="verb">superset_of</spanx> values.
MAY be combined with <spanx style="verb">superset_of</spanx>.
</t>
<t>
MAY be combined with <spanx style="verb">essential</spanx>.
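Review bot: removing the three conditions on default (default among the one_of values, default values a subset of the subset_of values, default values a superset of the superset_of values) means a policy may now carry a default that, once applied, violates its own one_of, subset_of or superset_of constraint; the hunk does not say whether that constraint is then enforced against the resulting metadata value or whether such a policy is malformed. Consider stating this explicitly, since the deleted lines were the only place the reader learned how default interacts with those operators. The two new unconditional bullets (value, add) agree with the value and add sections of this commit, which likewise list default without a condition.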
Expand Down Expand Up @@ -2262,9 +2286,12 @@
Combination with other operators in a metadata parameter policy:
<list style="symbols">
<t>
MAY be combined with <spanx style="verb">default</spanx>,
in which case the value of default MUST be among the
<spanx style="verb">one_of</spanx> values.
MAY be combined with <spanx style="verb">value</spanx>,
in which case the value of <spanx style="verb">value</spanx>
MUST be among the <spanx style="verb">one_of</spanx> values.
</t>
<t>
MAY be combined with <spanx style="verb">default</spanx>.
</t>
<t>
MAY be combined with <spanx style="verb">essential</spanx>.
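Review bot: the new value bullet ("the value of value MUST be among the one_of values") matches the one_of bullet in the value section, so the cross-reference is consistent, and the default bullet losing its condition matches the changelog. Minor wording point: "the value of value" is hard to parse in prose because "value" carries two meanings in one sentence; consider phrasing such as "the operand of value" so the operator name and its operand are distinguishable.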
Expand Down Expand Up @@ -2322,17 +2349,20 @@
Combination with other operators in a metadata parameter policy:
<list style="symbols">
<t>
MAY be combined with <spanx style="verb">add</spanx>, in
which case the values of <spanx style="verb">add</spanx>
MAY be combined with <spanx style="verb">value</spanx>,
in which case the values of <spanx style="verb">value</spanx>
MUST be a subset of the values of
<spanx style="verb">subset_of</spanx>.
</t>
<t>
MAY be combined with <spanx style="verb">default</spanx>, in
which case the values of <spanx style="verb">default</spanx>
MAY be combined with <spanx style="verb">add</spanx>, in
which case the values of <spanx style="verb">add</spanx>
MUST be a subset of the values of
<spanx style="verb">subset_of</spanx>.
</t>
<t>
MAY be combined with <spanx style="verb">default</spanx>.
</t>
<t>
MAY be combined with <spanx style="verb">superset_of</spanx>,
in which case the values of
Expand Down Expand Up @@ -2390,16 +2420,16 @@
Combination with other operators in a metadata parameter policy:
<list style="symbols">
<t>
MAY be combined with <spanx style="verb">add</spanx>, in
which case the values of <spanx style="verb">add</spanx>
MAY be combined with <spanx style="verb">value</spanx>,
in which case the values of <spanx style="verb">value</spanx>
MUST be a superset of the values of
<spanx style="verb">superset_of</spanx>.
</t>
<t>
MAY be combined with <spanx style="verb">default</spanx>, in
which case the values of <spanx style="verb">default</spanx>
MUST be a superset of the values of
<spanx style="verb">superset_of</spanx>.
MAY be combined with <spanx style="verb">add</spanx>.
</t>
<t>
MAY be combined with <spanx style="verb">default</spanx>.
</t>
<t>
MAY be combined with <spanx style="verb">subset_of</spanx>,
Expand Down Expand Up @@ -2463,8 +2493,8 @@
Order of application: Last
</t>
<t>
Operator value merge: The result of merging the values of two
<spanx style="verb">essential</spanx> operators is the logical
Operator value merge: The result of merging the values of two
<spanx style="verb">essential</spanx> operators is the logical
disjunction (<spanx style="verb">OR</spanx>) of the operator values.
</t>
</section>
Expand Down Expand Up @@ -3257,7 +3287,7 @@
<spanx style="verb">typ</spanx> header parameter to prevent
cross-JWT confusion, per Section 3.11 of <xref target="RFC8725"/>.
The <spanx style="verb">typ</spanx> header parameter value MUST be
<spanx style="verb">trust-mark+jwt</spanx>
<spanx style="verb">trust-mark+jwt</spanx>
unless the trust framework in use defines a more specific
media type value for the particular kind of Trust Mark.
Trust Marks without a <spanx style="verb">typ</spanx> header parameter
Expand Down Expand Up @@ -5822,7 +5852,7 @@ Content-Type: application/json
by reference
(using the <spanx style="verb">request_uri</spanx> request parameter)
because allowing this would make it easier for attackers
to mount denial of service attacks against
to mount denial of service attacks against
OAuth 2.0 Authorization Servers or OpenID Providers.
They can do this by using the
<spanx style="verb">request_uri_parameter_supported</spanx>
Expand Down Expand Up @@ -10050,6 +10080,15 @@ Host: op.umu.se
<t>
-42
<list style="symbols">
<t>
Addresses #11:
Allows the following unconditional operator combinations:
value + default, add + superset_of.
Makes the following conditional operator combinations unconditional:
default + one_of, default + subset_of, default + superset_of.
Allows the following conditional operator combinations:
value + add, value + one_of, value + subset_of, value + superset_of.
</t>
<t>
Fixed #130: Allow multiple Trust Anchor values to be passed in resolve requests.
</t>
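Review bot: the changelog entry opens "Addresses #11:" whereas the adjacent entry uses "Fixed #130:"; pick one convention. The enumerated combinations match the hunks above (value + default and add + superset_of now unconditional; default + one_of, default + subset_of and default + superset_of relaxed; value + add, value + one_of, value + subset_of and value + superset_of added with conditions), so the entry is accurate. Consider also giving the rationale in a few words, since "#11" alone tells a reader of the changelog nothing about why the combination rules changed.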