[Openid-specs-ab] Issue #1366: Support for ‘immediate’ exclusion of an entity from a federation (openid/connect)
rolandh
issues-reply at bitbucket.org
Sun Dec 5 08:02:47 UTC 2021
New issue 1366: Support for ‘immediate’ exclusion of an entity from a federation
https://bitbucket.org/openid/connect/issues/1366/support-for-immediate-exclusion-of-an
Roland Hedberg:
Every trust chain has an expiration time. Depending on choices by the members involved in building a trust chain, that expiration time can be minutes, hours or even days. What if the federation wants to be able to better control the timeliness of exclusions of entities from the federation? This is a proposal for how to accomplish that. The proposal is built on two things:
* A specific trust mark that marks an entity as member of a federation and
* that the trust mark issuer has an introspection endpoint (RFC 7662) that members of the federation can use to verify if an entity is still a member of the federation.
If this is used in a federation, an entity is a member of that federation if:
* There is a verifiable trust path from the entity to the trust anchor
* The federation trust mark is still active.
In order to use the introspection endpoint, the requestor must authenticate. This could be done by using private_key_jwt (section 9 of OIDC Core) with the entity_id of the requestor as the issuer. To sign the JWT the requestor may use the key it uses to sign its self-signed entity statement.
The special trust mark would have id=federation_entity and iss=entity_id of the trust anchor.
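The following is an added, constructed model of the proposal (not code from the issue or from any OpenID Federation implementation): a trust anchor that issues the federation_entity trust mark, answers RFC 7662 introspection for it after checking the requester's private_key_jwt claims, and a membership check that requires both a valid trust path and an active mark. The entity_ids and endpoint URL are assumed, and JWT signature verification is assumed to happen before check_client_assertion is called.

```python
TRUST_ANCHOR = "https://ta.example.org"                # assumed trust anchor entity_id
INTROSPECTION_ENDPOINT = TRUST_ANCHOR + "/introspect"  # assumed endpoint URL

def check_client_assertion(claims, expected_aud, seen_jti, now):
    """Check private_key_jwt claims (OIDC Core section 9); the signature is assumed
    already verified with the key from the requester's self-signed entity statement."""
    if claims.get("iss") != claims.get("sub"):
        return "iss must equal sub (the requester's entity_id)"
    aud = claims.get("aud")
    if expected_aud not in (aud if isinstance(aud, list) else [aud]):
        return "aud must be the introspection endpoint"
    if claims.get("exp", 0) <= now:
        return "assertion expired"
    if claims.get("jti") in seen_jti:
        return "jti replayed"
    seen_jti.add(claims["jti"])
    return None

class TrustMarkIssuer:
    """Trust anchor issuing the federation_entity mark and answering RFC 7662 introspection."""

    def __init__(self, entity_id):
        self.entity_id = entity_id
        self.marks = {}        # opaque token -> {"claims": ..., "revoked": bool}
        self.seen_jti = set()  # replay cache for client assertions

    def issue(self, subject, now, lifetime_s=30 * 86400):
        claims = {"id": "federation_entity", "iss": self.entity_id,
                  "sub": subject, "iat": now, "exp": now + lifetime_s}
        token = f"tm-{len(self.marks) + 1}"  # constructed opaque handle
        self.marks[token] = {"claims": claims, "revoked": False}
        return token, claims

    def revoke(self, token):
        # Immediate exclusion: the mark turns inactive now, however long a cached trust chain lasts.
        self.marks[token]["revoked"] = True

    def introspect(self, token, client_assertion, now):
        err = check_client_assertion(client_assertion, INTROSPECTION_ENDPOINT, self.seen_jti, now)
        if err:
            return {"error": "invalid_client", "error_description": err}
        rec = self.marks.get(token)
        if rec is None or rec["revoked"] or rec["claims"]["exp"] <= now:
            return {"active": False}  # RFC 7662: say nothing more about inactive tokens
        return {"active": True, "sub": rec["claims"]["sub"], "exp": rec["claims"]["exp"]}

def is_federation_member(trust_chain_valid, mark_claims, introspection):
    """Membership per the proposal: a valid trust path AND the federation mark still active."""
    return (trust_chain_valid and mark_claims.get("id") == "federation_entity"
            and mark_claims.get("iss") == TRUST_ANCHOR and introspection.get("active") is True)
```

A member that caches trust chains for days still learns of an exclusion on its next introspection call, which is the timeliness gain the proposal is after.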
Responsible: Roland Hedberg