[Openid-specs-ab] Issue #1531: Federation - trust_marks_issuers claim available for all entities (openid/connect)
Francesco Marino
issues-reply at bitbucket.org
Thu Jun 16 07:30:10 UTC 2022
New issue 1531: Federation - trust_marks_issuers claim available for all entities
https://bitbucket.org/openid/connect/issues/1531/federation-trust_marks_issuers-claim
Francesco Marino:
Regarding the trust_marks_issuers claim, the specification says that "a trust anchor MAY use this claim to tell which trust mark identifiers and their issuers are trusted by the federation. This claim MUST be ignored if present in an entity statement of other entities than trust anchor." In section 5.3.2 it says that "For other externally issued trust marks, it is an out-of-band process to define and announce accreditation authorities to other entities and it is left to the discretion of the receiving party to assign an appropriate level of trust to such trust marks."
What if we consider the trust_marks_issuers also optional in the entity configuration of all entities?
I mean, we could have different types of trust marks. The "federation" trust marks can be issued only by the entities in the trust_marks_issuers of the trust anchor, while external trust marks can be defined by other entity types independently. Each entity could define in its entity configuration its own trust mark that certifies, for example, a particular agreement with other parties, defining also the accreditation authorities that are able to issue that trust mark.
This trust mark would not be valid for the federation trust, so information about this trust mark (including its issuers) could not be provided by the trust anchor but only by the entity that defines it.
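As an added illustration (not code from the issue author or from the OpenID Federation project), the following Python shows the two behaviours discussed in the issue side by side: the current rule, where a trust mark issuer is checked against the trust anchor's trust_marks_issuers and the same claim in any other entity's statement is ignored, and the proposed extension, where a receiving party that has decided out-of-band to rely on a defining entity's own trust mark checks the issuer against that entity's configuration instead. All entity identifiers, trust mark identifiers and claim sets below are constructed; the trust mark JWT signature check that would precede this logic in a real verifier is assumed to have already happened.

```python
"""Trust mark issuer checks following the trust_marks_issuers discussion.

All identifiers and claim sets are constructed for this example. The claims
are the decoded payloads of entity configurations and trust mark JWTs; their
signature verification is assumed done before these checks run.
"""

# Constructed: the trust anchor's entity configuration claims.
TRUST_ANCHOR = "https://ta.example.org"  # hypothetical trust anchor identifier
TRUST_ANCHOR_CONFIG = {
    "iss": TRUST_ANCHOR,
    "sub": TRUST_ANCHOR,
    "trust_marks_issuers": {
        # trust mark identifier -> entity IDs trusted to issue it
        "https://ta.example.org/marks/certified-op": [
            "https://accreditation.example.org",
        ],
    },
}

# Constructed: an intermediate that also carries trust_marks_issuers.
# Under the current text this claim MUST be ignored for federation marks.
INTERMEDIATE_CONFIG = {
    "iss": "https://intermediate.example.org",
    "sub": "https://intermediate.example.org",
    "trust_marks_issuers": {
        "https://ta.example.org/marks/certified-op": [
            "https://unlisted.example.org",
        ],
    },
}

# Constructed: decoded claims of a federation trust mark.
CERTIFIED_OP_MARK = {
    "id": "https://ta.example.org/marks/certified-op",
    "iss": "https://accreditation.example.org",
    "sub": "https://op.example.org",
}


def trusted_issuers(entity_config: dict, trust_anchor: str) -> dict:
    """Return trust_marks_issuers only from the trust anchor's own entity
    configuration; the claim in any other entity's statement is ignored."""
    if (entity_config.get("iss") == trust_anchor
            and entity_config.get("sub") == trust_anchor):
        return entity_config.get("trust_marks_issuers", {})
    return {}


def is_federation_trust_mark_trusted(mark: dict, entity_config: dict,
                                     trust_anchor: str) -> bool:
    """True when the mark's issuer is listed for the mark's identifier by the
    trust anchor. Any other source of the claim yields no trusted issuers."""
    issuers = trusted_issuers(entity_config, trust_anchor)
    return mark.get("iss") in issuers.get(mark.get("id"), [])


# Proposal illustration (hypothetical, not specification behaviour): an entity
# defines its own, non-federation trust mark and lists the accreditation
# authorities for it in its own entity configuration.
DEFINING_ENTITY = "https://consortium.example.org"
DEFINING_ENTITY_CONFIG = {
    "iss": DEFINING_ENTITY,
    "sub": DEFINING_ENTITY,
    "trust_marks_issuers": {
        "https://consortium.example.org/marks/member": [
            "https://consortium.example.org",
            "https://registrar.example.org",
        ],
    },
}

# Constructed: decoded claims of such an externally defined trust mark.
MEMBER_MARK = {
    "id": "https://consortium.example.org/marks/member",
    "iss": "https://registrar.example.org",
    "sub": "https://op.example.org",
}


def is_external_trust_mark_trusted(mark: dict, defining_entity_config: dict,
                                   accepted_definers: set) -> bool:
    """Check an externally defined mark against the defining entity's own
    issuer list, but only if the receiving party has decided out-of-band
    (accepted_definers) to rely on that entity's definition."""
    definer = defining_entity_config.get("iss")
    if definer not in accepted_definers or defining_entity_config.get("sub") != definer:
        return False
    issuers = defining_entity_config.get("trust_marks_issuers", {})
    return mark.get("iss") in issuers.get(mark.get("id"), [])


if __name__ == "__main__":
    print(is_federation_trust_mark_trusted(CERTIFIED_OP_MARK, TRUST_ANCHOR_CONFIG, TRUST_ANCHOR))
    print(is_external_trust_mark_trusted(MEMBER_MARK, DEFINING_ENTITY_CONFIG, {DEFINING_ENTITY}))
```

The separation of the two functions is the point of the proposal: a mark defined by some other entity never becomes a federation mark, because the federation check consults only the trust anchor's claim, and the defining entity's claim matters only to parties that chose to accept it.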