Trust Mark Introspection

Issue #1388 closed
Roland Hedberg created an issue

I think it’s reasonable to assume that some if not all Trust Marks will stop being active for some reason. They might for instance have an expiration time or they might be revoked.

Regarding the former that is covered by having the expiration time in the trust mark as is now defined here.

When it comes to it being revoked we don’t have a convenient way of doing it right now.

That is why I proposed that we add an operation called trust_mark to the ones we already have.

There are 4 items of information that together uniquely define a trust mark:

  • iss
  • sub
  • id
  • iat

If we assume that the host hosting the endpoint is the same as the trust mark issuer then iss is implicit. The rest would be mandatory. An example of a request would then be:

GET /status_endpoint?
sub=https%3A%2F%2Fopenid.sunet.se%2FRP
&id=https%3A%2F%2Frefeds.org%2Fsirtfi
&iat=1640776883
HTTP/1.1
Host: operations.swamid.se

And a response:

200 OK
Last-Modified: Wed, 29 Dec 2021 12:23:56 GMT
Content-Type: application/json

{
  "active": true
}

Having the response be JSON allows for easy addition of extra information.

Comments (9)

  1. David W Chadwick

    This is very similar to the TRAIN trust scheme used in VCs, in which the verifier asks if an entity (iss in your scheme, VC issuer in TRAIN) is a member of a trust scheme (id in your scheme). The differences are as follows:

    • trust scheme is identified by a DNS name instead of a URL
    • there is no iat in the request as the verifier wants to know the result for “now”
    • the result returns additional parameters, the main one being, in the VC case, a pointer to the issuer’s published schema for the VCs that it issues.

  2. Roland Hedberg reporter

    If the issuer periodically refreshes the trust mark then you need iat to distinguish between the different instances.

    Taking up on what @david writes I can imagine specifying that if iat is undefined and there are more than one trust mark with the same iss, sub and id combination then the query is about the latest emitted one.
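To make the proposal concrete, here is an added example (not code from the issue or from the OpenID Federation spec) of the status endpoint's lookup logic: a trust mark instance is identified by (sub, id, iat) with iss implied by the host, "active" is false once the issuer has revoked that instance or its expiration time has passed, and, following the rule in the comment above, a request without iat is answered for the latest emitted instance. The class, method names and the refreshed/expiry timestamps are constructed for the example; the sub, id and iat values are the ones from the request in the issue description.

```python
from dataclasses import dataclass
from typing import Optional
from urllib.parse import parse_qs

@dataclass(frozen=True)
class TrustMark:
    sub: str
    id: str
    iat: int
    exp: Optional[int] = None   # None: the mark carries no expiration time

class TrustMarkStatusEndpoint:
    """Hypothetical status endpoint; the host is the issuer, so iss is implicit."""
    def __init__(self):
        self._marks = {}       # (sub, id, iat) -> TrustMark
        self._revoked = set()  # keys of instances the issuer has withdrawn

    def issue(self, mark):
        self._marks[(mark.sub, mark.id, mark.iat)] = mark

    def revoke(self, sub, id, iat):
        self._revoked.add((sub, id, iat))

    def status(self, sub, id, iat, now):
        if iat is None:
            # iat omitted: the query is about the latest emitted instance
            same = [m for m in self._marks.values() if (m.sub, m.id) == (sub, id)]
            mark = max(same, key=lambda m: m.iat, default=None)
        else:
            mark = self._marks.get((sub, id, iat))
        if mark is None:
            return {"active": False}   # never issued by this host
        expired = mark.exp is not None and now >= mark.exp
        revoked = (mark.sub, mark.id, mark.iat) in self._revoked
        return {"active": not (expired or revoked)}

    def handle_query(self, query, now):
        """Parse the urlencoded GET query string: sub, id and optional iat."""
        q = parse_qs(query, strict_parsing=True)
        iat = int(q["iat"][0]) if "iat" in q else None
        return self.status(q["sub"][0], q["id"][0], iat, now)

# Constructed sample using the values from the request in the issue description.
RP, SIRTFI = "https://openid.sunet.se/RP", "https://refeds.org/sirtfi"
endpoint = TrustMarkStatusEndpoint()
endpoint.issue(TrustMark(RP, SIRTFI, iat=1640776883, exp=1672312883))  # original
endpoint.issue(TrustMark(RP, SIRTFI, iat=1643455283))                  # refreshed copy
endpoint.revoke(RP, SIRTFI, 1640776883)  # issuer withdraws the original instance
QUERY = "sub=https%3A%2F%2Fopenid.sunet.se%2FRP&id=https%3A%2F%2Frefeds.org%2Fsirtfi&iat=1640776883"
```

With the sample data, the exact request from the issue (iat=1640776883) now answers {"active": false} because that instance was revoked, while the same request without iat is answered for the refreshed instance and returns {"active": true}.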

  3. Giuseppe De Marco

    I’d consider having only a response that tells that the trust mark is active right now, in the present.

    I was wondering if there could also be a way, via HTTP POST, to submit the trust mark as it is (signed JWT) and get the same result from the endpoint as if it had been requested using the urlencoded parameters.

  4. Roland Hedberg reporter

    Yes, to submitting the trust mark instead of the parameters. That was part of my initial idea.

  5. Michael Jones
    • changed status to open

    As discussed during the 10-Jan-22 call, it's probably reasonable to add this operation. The exact syntax probably depends upon the outcome of issue #1387.
