Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Incomplete statement about validating Trust Mark Issuer #127

Open
selfissued opened this issue Oct 31, 2024 · 2 comments · May be fixed by #153
Open

Incomplete statement about validating Trust Mark Issuer #127

selfissued opened this issue Oct 31, 2024 · 2 comments · May be fixed by #153
Assignees
@selfissued

Comments

@selfissued
Copy link
Member

7.3. Validating a Trust Mark includes the statement:

"To validate a Trust Mark issuer, follow the procedure defined in Section 10."

where Section 10 is "Resolving the Trust Chain and Metadata".

This seems like an incomplete and confusing statement, because while resolving a trust chain is a necessary step to determine what Trust Anchor to use, that section doesn't describe how to validate a trust mark issuer.

What should we actually say that would be actionable to implementers and where should we say it?
@rohe
Copy link
Collaborator

rohe commented Nov 4, 2024
edited
Loading

To validate a trust mark issuer probably encompass these things:

  1. verify that the trust mark issuer is part of the federation and that it is possible to get verified metadata about it (section 10)
  2. verify that it is allowed to issue trust marks with a specific trust mark id (if no delegation)
  3. If it works on delegation verify the delegation. The delegation being expressed in the trust_mark_owners claim)

Have I missed something ?

@selfissued selfissued self-assigned this Nov 5, 2024
@selfissued selfissued linked a pull request Nov 30, 2024 that will close this issue
Draft
@peppelinux peppelinux moved this to Todo in Federation Jan 22, 2025
@peppelinux peppelinux moved this from Todo to In Progress in Federation Jan 22, 2025
@tgeoghegan
Copy link

Even with the updated text in #153, I think there's a couple things missing here.

(1) 7.3 says to "[u]se the Trust Mark Status endpoint to verify that the Trust Mark is still active" but it doesn't say whose endpoint to use. It seems obvious that you'd check with the trust mark issuer, but I feel like that should be explicit.
(2) The other path says to verify that the trust mark issuer is a trusted Federation member and then "[v]alidate the signature of the Trust Mark JWT and verify that it has not expired." But which key should be used? Presumably it's one of the keys in the jwks claim at the top level of the TMI's entity configuration, but once again I think this should be explicit, as it is for validation of the delegation JWT.

Correspondingly to (2), I couldn't find any text in the document explaining which key a TMI should use to sign trust marks. The only key(s) that makes sense is the one(s) in the TMI's top-level jwks claim but it'd be nice to be explicit, since one might otherwise think an entity should use distinct keys for signing entity statements vs. trust marks.

I'm happy to move these observations to a new issue if you want to keep this one focused on something else.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@selfissued selfissued

Labels
None yet
Projects
Federation
Status: In Progress
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Explain Trust Mark Issuer validation in more detail openid/federation
3 participants
@rohe @selfissued @tgeoghegan