Which keys to use for signing trust marks.
In the specification it is stated:
“The validation of such a signed statement is performed in the same way that an Entity Configuration is validated.”
Signed statement refers to a trust mark.
When validating an Entity Configuration, the keys published in the jwks parameter in the Entity Statement are used. The same is expected to be true for verification of trust marks. This is not explicitly stated in the specification. I think it should be.
From this it follows that trust marks MUST be signed by keys published in the jwks parameter in the Entity Statement.
Comments (5)
The original purpose of a trust mark was to create archival references that could be placed, for example, on a web site. This trust mark was not necessarily from an active trust registry. One use case was to indicate that the IDP had achieved conformance with NIST 800-63-2 level 2. One trust registry might well record approvals from different approving bodies. This is actually the case in US health care today. The meaning of trust mark in this document is somewhat unique to the document and not closely related to its common meaning, I guess you could make up any rules you want for it.
- changed status to open
This issue was brought to the attention of the working group during the 12-Sep-22 working group call.
This issue will be closed by PR 308
https://bitbucket.org/openid/connect/pull-requests/308#Lopenid-connect-federation-1_0.xmlF2015T2019
- changed status to resolved
I agree we can improve the text to have this more explicit.
The Trust Mark issued by an Entity MUST be signed with the private key used to sign its Entity Configuration.
RP A gets a Trust Mark issued by Federation Intermediary B, B signs the Trust Mark with its federation key, published in the jwks claim in its Entity Configuration.
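The rule proposed in the issue and restated in the last comment, carried through as an added example in Go. This is not code from the issue, the PR or the OpenID Connect Federation project: the JWS handling is a minimal ES256 implementation on the Go standard library rather than a federation library, and the entity identifiers, the kid "fed-key-1", the trust mark id and the claim values are constructed for the example. The verifier reads the jwks from Intermediary B's self-signed Entity Configuration, validates the Entity Configuration with those keys, and then validates the Trust Mark with exactly the same keys; a Trust Mark signed with a key B never published is rejected even though it reuses the published kid.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
	"strings"
)

var b64 = base64.RawURLEncoding // JWS segments are base64url without padding

// jwk holds the P-256 JWK members we need; encoding/json matches "kty" etc. case-insensitively.
type jwk struct{ Kty, Crv, Kid, X, Y string }

func decodeSegment(seg string, v any) error {
	raw, err := b64.DecodeString(seg)
	if err != nil {
		return err
	}
	return json.Unmarshal(raw, v)
}

// signJWS produces a compact ES256 JWS; typ is "entity-statement+jwt" or "trust-mark+jwt".
func signJWS(priv *ecdsa.PrivateKey, kid, typ string, claims map[string]any) string {
	hdr, _ := json.Marshal(map[string]string{"alg": "ES256", "typ": typ, "kid": kid})
	body, _ := json.Marshal(claims)
	input := b64.EncodeToString(hdr) + "." + b64.EncodeToString(body)
	h := sha256.Sum256([]byte(input))
	r, s, _ := ecdsa.Sign(rand.Reader, priv, h[:])
	sig := append(r.FillBytes(make([]byte, 32)), s.FillBytes(make([]byte, 32))...)
	return input + "." + b64.EncodeToString(sig)
}

// verifyJWS accepts an ES256 JWS only if its kid selects a key from the supplied jwks and the
// signature verifies under that key; the token never supplies its own key or algorithm.
func verifyJWS(token string, keys []jwk) (map[string]any, error) {
	parts := strings.Split(token, ".")
	var hdr struct{ Alg, Kid string }
	if len(parts) != 3 || decodeSegment(parts[0], &hdr) != nil || hdr.Alg != "ES256" {
		return nil, errors.New("malformed JWS or unsupported alg")
	}
	var pub *ecdsa.PublicKey
	for _, k := range keys {
		if k.Kid == hdr.Kid && k.Kty == "EC" && k.Crv == "P-256" {
			x, _ := b64.DecodeString(k.X)
			y, _ := b64.DecodeString(k.Y)
			pub = &ecdsa.PublicKey{Curve: elliptic.P256(), X: new(big.Int).SetBytes(x), Y: new(big.Int).SetBytes(y)}
		}
	}
	if pub == nil || !pub.Curve.IsOnCurve(pub.X, pub.Y) { // garbage coordinates fail the curve check
		return nil, fmt.Errorf("kid %q is not a usable P-256 key in the issuer's jwks", hdr.Kid)
	}
	sig, err := b64.DecodeString(parts[2])
	h := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err != nil || len(sig) != 64 ||
		!ecdsa.Verify(pub, h[:], new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:])) {
		return nil, errors.New("signature does not verify under the published key")
	}
	var claims map[string]any
	if err := decodeSegment(parts[1], &claims); err != nil {
		return nil, err
	}
	return claims, nil
}

// verifyTrustMark applies the rule under discussion: the issuer's Entity Configuration is self-signed,
// so it is validated with the jwks it carries, and the Trust Mark is validated with that same jwks.
func verifyTrustMark(trustMark, issuerEntityConfig string) (map[string]any, error) {
	segs := strings.Split(issuerEntityConfig, ".")
	var cfg struct{ Jwks struct{ Keys []jwk } }
	if len(segs) != 3 || decodeSegment(segs[1], &cfg) != nil || len(cfg.Jwks.Keys) == 0 {
		return nil, errors.New("Entity Configuration is malformed or carries no jwks")
	}
	ec, errEC := verifyJWS(issuerEntityConfig, cfg.Jwks.Keys)
	tm, errTM := verifyJWS(trustMark, cfg.Jwks.Keys)
	if errEC != nil || errTM != nil {
		return nil, fmt.Errorf("Entity Configuration: %v; Trust Mark: %v", errEC, errTM)
	}
	if ec["iss"] != ec["sub"] || tm["iss"] != ec["iss"] {
		return nil, errors.New("Entity Configuration is not self-issued or Trust Mark iss does not match it")
	}
	return tm, nil
}

// scenario plays out the last comment with constructed names and claims: Intermediary B issues RP A a
// Trust Mark signed with the federation key in B's Entity Configuration jwks, and a second Trust Mark
// signed with a key B never published (same kid) must be rejected.
func scenario() (valid map[string]any, validErr, rogueErr error) {
	keyB, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	rogue, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	const b, a, kid = "https://intermediary-b.example.org", "https://rp-a.example.org", "fed-key-1"
	jwks := map[string]any{"keys": []map[string]string{{"kty": "EC", "crv": "P-256", "kid": kid,
		"x": b64.EncodeToString(keyB.X.FillBytes(make([]byte, 32))),
		"y": b64.EncodeToString(keyB.Y.FillBytes(make([]byte, 32)))}}}
	ecB := signJWS(keyB, kid, "entity-statement+jwt",
		map[string]any{"iss": b, "sub": b, "iat": 1662976800, "exp": 1694512800, "jwks": jwks})
	tm := map[string]any{"iss": b, "sub": a, "id": b + "/trust-marks/basic", "iat": 1662976800}
	valid, validErr = verifyTrustMark(signJWS(keyB, kid, "trust-mark+jwt", tm), ecB)
	_, rogueErr = verifyTrustMark(signJWS(rogue, kid, "trust-mark+jwt", tm), ecB)
	return valid, validErr, rogueErr
}

func main() { fmt.Println(scenario()) }
```

The point of the design is that the Trust Mark's header only selects among keys the verifier already obtained from the issuer's Entity Configuration; the Trust Mark cannot introduce a key of its own, and a kid that matches nothing in that jwks is a hard failure rather than a fallback to some other key source.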