From cce4e419115d247ce22520165ff015b7027b048b Mon Sep 17 00:00:00 2001 From: Michael Jones Date: Fri, 29 Nov 2024 20:36:17 -0800 Subject: [PATCH 1/2] Explain Trust Mark Issuer validation in more detail --- openid-federation-1_0.xml | 42 +++++++++++++++++++++++++++------------ 1 file changed, 29 insertions(+), 13 deletions(-) diff --git a/openid-federation-1_0.xml b/openid-federation-1_0.xml index e263be5..4a16d70 100644 --- a/openid-federation-1_0.xml +++ b/openid-federation-1_0.xml @@ -3418,14 +3418,35 @@ -
+
An Entity SHOULD NOT try to validate a Trust Mark until it knows which Trust Anchor it is using. - To validate a Trust Mark Issuer, follow the procedure - defined in . + To determine this, first resolve the Trust Chain, + as described in . + (TBD THEN DO WHAT?) + + To validate a Trust Mark, either: + + + Use the Trust Mark Status endpoint to verify that the + Trust Mark is still active + as described in . + + + or perform these steps: + + Validate that the Trust Mark Issuer is part of the Federation + and that it is possible to get verified metadata about it + by using the procedure defined in . + + + If delegation is not being used (TBD HOW TO DETERMINE THIS?), + validate that the Trust Mark Issuer is entitled to issue Trust Marks + with the given Trust Mark identifier (TBD HOW TO DETERMINE THIS?). + Validate the signature of the Trust Mark JWT and verify that it has not expired. @@ -3436,7 +3457,7 @@ of the Trust Anchor's Entity Configuration, verify that the Trust Mark contains a delegation - claim. + claim. (TBD WHAT TO DO IF IT DOESN'T?) The claims for the Trust Mark identifier in the trust_mark_owners value are used in the following way: @@ -3453,15 +3474,7 @@ - or: - - - Use the Trust Mark Issuer status endpoint to verify that the - Trust Mark is still active - as described in . - - - + Note that the Entity representing the accreditation authority SHOULD be well known and trusted for a given Trust Mark identifier. @@ -9816,6 +9829,9 @@ Host: op.umu.se -41 + + Fixed #127: Explained Trust Mark Issuer validation in more detail. + Fixed #143: Added Trust Mark Issuer and Trust Mark Owner to Terminology section. From a13828520fa5858f85261f2b6a7dfac3932ac484 Mon Sep 17 00:00:00 2001 From: "Michael B. Jones" Date: Fri, 10 Jan 2025 07:37:09 -0800 Subject: [PATCH 2/2] Update openid-federation-1_0.xml Co-authored-by: Giuseppe De Marco --- openid-federation-1_0.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/openid-federation-1_0.xml b/openid-federation-1_0.xml index 007a634..3800879 100644 --- a/openid-federation-1_0.xml +++ b/openid-federation-1_0.xml @@ -3434,8 +3434,8 @@ An Entity SHOULD NOT try to validate a Trust Mark until it knows which Trust Anchor it is using. To determine this, first resolve the Trust Chain, + about the Trust Mark Issuer, as described in . - (TBD THEN DO WHAT?) To validate a Trust Mark, either:
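Review bot: in the first hunk of PATCH 1/2 (@@ -3418,14 +3418,35 @@), the new "To validate a Trust Mark, either: ... or perform these steps:" structure makes a Trust Mark Status endpoint query a complete substitute for the steps that follow it, so a reader may skip "Validate that the Trust Mark Issuer is part of the Federation", the entitlement check for the given Trust Mark identifier, and the JWT signature and expiry check entirely. An "active" answer from a status endpoint says nothing about whether that issuer is trusted for the identifier under the Entity's Trust Anchor, and the pre-change text only offered the endpoint as a trailing "or:" after the steps rather than ahead of them. Suggest making the issuer validation and the signature/expiry step unconditional and presenting the status endpoint as an additional revocation check, for example "In addition, the Entity MAY use the Trust Mark Status endpoint to verify that the Trust Mark is still active". Separately, this hunk introduces "(TBD THEN DO WHAT?)" and two occurrences of "(TBD HOW TO DETERMINE THIS?)" into normative text; only the first is removed by PATCH 2/2, and the remaining placeholders need to be resolved before merge.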
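Review bot: in the second hunk of PATCH 1/2 (@@ -3436,7 +3457,7 @@), "(TBD WHAT TO DO IF IT DOESN'T?)" is appended to a verification step whose failure outcome is the only thing the reader needs stated: the Trust Mark is not valid. Suggest replacing the placeholder with an explicit rule, e.g. "If the Trust Mark identifier is listed in trust_mark_owners and the Trust Mark does not contain a delegation claim, the Trust Mark MUST be rejected". Stating it this way also answers the earlier "If delegation is not being used (TBD HOW TO DETERMINE THIS?)" placeholder, since the presence of the identifier in the Trust Anchor's trust_mark_owners value is what signals that delegation is in use; the non-delegated entitlement check should then apply only when the identifier is absent from that value.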
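Review bot: in the third hunk of PATCH 1/2 (@@ -3453,15 +3474,7 @@), the alternative being removed is named the "Trust Mark Issuer status endpoint" while its replacement at the top of the list in the first hunk is the "Trust Mark Status endpoint". The surviving text should use the exact endpoint name of the section it references ("as described in .") so the two do not read as different endpoints; please check the heading of that section and align the wording.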
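Review bot: in the changelog hunk of PATCH 1/2 (@@ -9816,6 +9829,9 @@), "Fixed #127: Explained Trust Mark Issuer validation in more detail." records the issue as fixed, but after both patches the text it describes still carries "(TBD HOW TO DETERMINE THIS?)" twice and "(TBD WHAT TO DO IF IT DOESN'T?)" once. Either resolve those placeholders in this change or word the -41 entry as a partial explanation so the changelog stays accurate.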
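Review bot: in the PATCH 2/2 hunk (@@ -3434,8 +3434,8 @@), "first resolve the Trust Chain about the Trust Mark Issuer" removes the "(TBD THEN DO WHAT?)" placeholder but does not say which Trust Anchor the chain must end at. The preceding sentence is about which Trust Anchor "it" (the validating Entity) is using, and an issuer can chain to Trust Anchors the Entity does not recognise, so the resolved chain must terminate at one of the Entity's own configured Trust Anchors for the validation to mean anything. Suggest "first resolve the Trust Chain of the Trust Mark Issuer to one of the Entity's Trust Anchors, as described in ."; "Trust Chain of" (or "for") also reads better than "Trust Chain about".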