[Federation][Resolve entity endpoint] feat: trust_chain claim as OPTIONAL
trust_chain can be a new OPTIONAL claim to include in the resolve entity statement response.
With this claim the resolver makes clear how it has built the final metadata.
The trust_chain claim could contain an array of signed JWTs, the original entity statements collected during Metadata Discovery.
This may improve the trust in the resolver, because its result (final metadata and trust marks) is verifiable with the original statements that make the chain.
The response would be verifiable and would offer the path taken with metadata discovery; this would offer a shortcut for all the metadata discovery to calculate for each leaf that has multiple authority_hints.
This mechanism would suggest the path from the leaf to a trust anchor, from the resolver's point of view.
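As an added example (not part of this issue, of the Federation spec, or of the PR that implemented the claim): a stand-alone Python check of what a consumer of the resolve response could do with the proposed trust_chain claim. It verifies each entity statement's signature with the keys the next statement publishes for its issuer, anchors the last statement in trust anchor keys configured out of band, and then ties the resolver's sub and final metadata back to the verified leaf configuration. The entity identifiers, keys and metadata are constructed; statements are signed with HS256 over symmetric 'oct' JWKs so the script runs with the standard library only, whereas real entity statements use asymmetric keys, and metadata_policy application is left out.

```python
"""Offline check of a resolve response carrying the proposed trust_chain claim.

Added example, not code from the OpenID Connect Federation spec or any implementation.
Entity identifiers, keys and metadata are constructed. Simplification: statements are
signed with HS256 using one symmetric 'oct' JWK per entity so only the standard library
is needed; real entity statements are signed with asymmetric keys (e.g. RS256, ES256).
"""
import base64, hashlib, hmac, json, secrets, time

LEAF = "https://rp.example.org"                    # constructed entity identifiers
INTERMEDIATE = "https://intermediate.example.org"
TA = "https://ta.example.org"
NOW = int(time.time())

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign(payload: dict, key: dict) -> str:
    """Compact JWS over payload with the issuer's 'oct' JWK (HS256 simplification)."""
    header = {"alg": "HS256", "typ": "entity-statement+jwt", "kid": key["kid"]}
    signing_input = _b64(json.dumps(header).encode()) + "." + _b64(json.dumps(payload).encode())
    mac = hmac.new(_unb64(key["k"]), signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64(mac)

def verify(jws: str, jwks: dict) -> dict:
    """Check signature and validity window against jwks; return the payload or raise ValueError."""
    h, p, s = jws.split(".")
    header = json.loads(_unb64(h))
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg %r" % header.get("alg"))
    keys = [k for k in jwks["keys"] if k.get("kid") == header.get("kid")]
    if not keys:
        raise ValueError("no key with kid %r" % header.get("kid"))
    expected = hmac.new(_unb64(keys[0]["k"]), (h + "." + p).encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64(s)):
        raise ValueError("signature does not verify")
    payload = json.loads(_unb64(p))
    if not (payload["iat"] - 60 <= time.time() <= payload["exp"]):
        raise ValueError("statement outside its validity window")
    return payload

def _peek(jws: str) -> dict:
    """Payload without verification, used only to learn which keys to verify with."""
    return json.loads(_unb64(jws.split(".")[1]))

def verify_trust_chain(chain: list, trust_anchor: str, ta_jwks: dict) -> dict:
    """chain[0]: leaf entity configuration (iss == sub), checked with its own jwks.
    chain[i]: subordinate statement whose sub is the issuer of chain[i-1]; checked with
    the keys chain[i+1] publishes for that issuer. chain[-1]: trust anchor configuration,
    checked only with keys configured out of band, never with keys from the chain."""
    if len(chain) < 3:
        raise ValueError("need leaf, at least one subordinate statement and anchor")
    peeked = [_peek(s) for s in chain]
    if peeked[0]["iss"] != peeked[0]["sub"]:
        raise ValueError("chain[0] is not an entity configuration")
    for i in range(1, len(chain)):
        if peeked[i]["sub"] != peeked[i - 1]["iss"]:
            raise ValueError("chain[%d] does not describe the issuer of chain[%d]" % (i, i - 1))
    if not (peeked[-1]["iss"] == peeked[-1]["sub"] == trust_anchor):
        raise ValueError("chain does not end at the expected trust anchor")
    statements = [verify(chain[0], peeked[0]["jwks"])]
    for i in range(1, len(chain) - 1):
        statements.append(verify(chain[i], peeked[i + 1]["jwks"]))
    statements.append(verify(chain[-1], ta_jwks))
    return {"leaf": statements[0]["sub"], "trust_anchor": trust_anchor, "statements": statements}

def verify_resolve_response(response: dict, trust_anchor: str, ta_jwks: dict) -> dict:
    """Tie the resolver's answer to the chain it says it built the answer from."""
    if "trust_chain" not in response:
        raise ValueError("no trust_chain claim; the result cannot be checked independently")
    result = verify_trust_chain(response["trust_chain"], trust_anchor, ta_jwks)
    if result["leaf"] != response["sub"]:
        raise ValueError("trust_chain is about %s, not %s" % (result["leaf"], response["sub"]))
    # Simplification: the constructed chain has no metadata_policy, so the resolver's final
    # metadata must equal what the leaf declared in its entity configuration.
    if response["metadata"] != result["statements"][0]["metadata"]:
        raise ValueError("resolver metadata is not what the verified chain yields")
    return result

def build_sample_chain():
    """Constructed chain: leaf EC, intermediate about leaf, TA about intermediate, TA EC."""
    keys = {e: {"kty": "oct", "kid": e + "#k1", "k": _b64(secrets.token_bytes(32))}
            for e in (LEAF, INTERMEDIATE, TA)}
    jwks = {e: {"keys": [k]} for e, k in keys.items()}
    leaf_metadata = {"openid_relying_party": {"redirect_uris": [LEAF + "/cb"]}}
    def stmt(iss, sub, extra):  # the jwks inside a statement are the keys of its subject
        body = {"iss": iss, "sub": sub, "iat": NOW, "exp": NOW + 3600, "jwks": jwks[sub], **extra}
        return sign(body, keys[iss])
    chain = [stmt(LEAF, LEAF, {"metadata": leaf_metadata, "authority_hints": [INTERMEDIATE]}),
             stmt(INTERMEDIATE, LEAF, {}), stmt(TA, INTERMEDIATE, {}), stmt(TA, TA, {})]
    return chain, jwks[TA], leaf_metadata

CHAIN, TA_JWKS, LEAF_METADATA = build_sample_chain()
# Constructed resolver output with the proposed OPTIONAL trust_chain claim (left unsigned here).
RESPONSE = {"iss": "https://resolver.example.org", "sub": LEAF, "iat": NOW, "exp": NOW + 300,
            "metadata": LEAF_METADATA, "trust_chain": CHAIN}

if __name__ == "__main__":
    r = verify_resolve_response(RESPONSE, TA, TA_JWKS)
    print("verified %s up to %s via %d statements" % (r["leaf"], r["trust_anchor"], len(r["statements"])))
```

The checks that make the claim worth having are the rejections: a chain whose statements are reordered, a chain whose last statement is not backed by locally configured trust anchor keys, a tampered signature, or a chain about a different entity than the response's sub all fail, which is exactly what a consumer cannot detect when the resolver returns only the final metadata.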
Comments (6)

- Roland and I talked about this (in person!) and agree that this proposal would add more transparency to the results from the resolver.
- Giuseppe, can you please write a PR to do this?
- reporter: Pleased to do that, thank you.
- reporter: trust_chain claim added in the resolve endpoint by this PR: https://bitbucket.org/openid/connect/pull-requests/171/federation-added-trust_chain-in-resolve
- changed status to open. It will be closed by a related PR.
- reporter: changed status to resolved