diff --git a/openid-federation-1_0.xml b/openid-federation-1_0.xml index 836fca3..3800879 100644 --- a/openid-federation-1_0.xml +++ b/openid-federation-1_0.xml @@ -3429,14 +3429,35 @@ -
+
An Entity SHOULD NOT try to validate a Trust Mark until it knows which Trust Anchor it is using. - To validate a Trust Mark Issuer, follow the procedure - defined in . + To determine this, first resolve the Trust Chain, + about the Trust Mark Issuer, + as described in . + + To validate a Trust Mark, either: + + + Use the Trust Mark Status endpoint to verify that the + Trust Mark is still active + as described in . + + + or perform these steps: + + Validate that the Trust Mark Issuer is part of the Federation + and that it is possible to get verified metadata about it + by using the procedure defined in . + + + If delegation is not being used (TBD HOW TO DETERMINE THIS?), + validate that the Trust Mark Issuer is entitled to issue Trust Marks + with the given Trust Mark identifier (TBD HOW TO DETERMINE THIS?). + Validate the signature of the Trust Mark JWT and verify that it has not expired. @@ -3447,7 +3468,7 @@ of the Trust Anchor's Entity Configuration, verify that the Trust Mark contains a delegation - claim. + claim. (TBD WHAT TO DO IF IT DOESN'T?) The claims for the Trust Mark identifier in the trust_mark_owners value are used in the following way: @@ -3464,15 +3485,7 @@ - or: - - - Use the Trust Mark Issuer status endpoint to verify that the - Trust Mark is still active - as described in . - - - + Note that the Entity representing the accreditation authority SHOULD be well known and trusted for a given Trust Mark identifier. @@ -10050,6 +10063,9 @@ Host: op.umu.se -42 + + Fixed #127: Explained Trust Mark Issuer validation in more detail. + Fixed #130: Allow multiple Trust Anchor values to be passed in resolve requests.
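Review bot: in the first hunk (@@ -3429,14 +3429,35 @@) the "either ... or perform these steps" structure makes a Trust Mark Status endpoint query a complete alternative to the signature, expiry, issuer-membership and entitlement checks, so a verifier following the first branch literally never validates the Trust Mark JWT's signature or confirms that the Issuer may issue that Trust Mark identifier; consider making the status check an additional step after "Validate the signature of the Trust Mark JWT and verify that it has not expired." rather than a substitute for it. The same hunk also adds two "(TBD HOW TO DETERMINE THIS?)" placeholders inside normative text ("If delegation is not being used" and "entitled to issue Trust Marks with the given Trust Mark identifier"); these should be resolved or the step marked as an open issue before merge, since as written an implementer cannot tell how to perform the entitlement check.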
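Review bot: the second hunk (@@ -3447,7 +3468,7 @@) leaves the failure case unspecified by appending "(TBD WHAT TO DO IF IT DOESN'T?)" to "verify that the Trust Mark contains a delegation claim"; an unspecified outcome lets an implementation accept a Trust Mark that lacks the required delegation claim. Suggest replacing the placeholder with an explicit rejection, for example "If it does not, the Trust Mark MUST be considered invalid.", consistent with the other validation steps in this section.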
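Review bot: the third hunk (@@ -3464,15 +3485,7 @@) removes the old alternative that referred to the "Trust Mark Issuer status endpoint", while the replacement text added in the first hunk calls it the "Trust Mark Status endpoint"; please confirm that the cross-reference target and the endpoint name match the section being pointed to, and that the remaining list closes cleanly now that its trailing "or:" item is gone.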
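Review bot: the changelog entry in the last hunk (@@ -10050,6 +10063,9 @@), "Fixed #127: Explained Trust Mark Issuer validation in more detail.", presents the issue as resolved although the new section text still carries three TBD markers; either resolve those placeholders in this change or word the entry to indicate that the Trust Mark Issuer validation text is still partially open.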