[Openid-specs-ab] Issue #2086: Trust Mark Issuers (openid/connect)
rolandh
issues-reply at bitbucket.org
Mon Nov 6 16:13:25 UTC 2023
New issue 2086: Trust Mark Issuers
https://bitbucket.org/openid/connect/issues/2086/trust-mark-issuers
Roland Hedberg:
In the specification it is stated about the Entity Statement claim `trust_mark_issuers`:
“If the value list bound to a Trust Mark identifier is empty, anyone can issue Trust Marks with that identifier.”
Then in Section 5.3 Trust Marks this text appears:
“The fact that a Trust Mark Issuer is accepted by the federation is expressed in the `trust_marks_issuers` claim of the Trust Anchor.”
Obviously if these are general statements they are contradictory.
Now, also in Section 5.3, we have this line:
“Note that a federation MAY allow an Entity to self-sign some Trust Marks.”
To get rid of the contradiction of the first two statements we could replace the first statement with:
“If the value list bound to a Trust Mark identifier is empty, then that Trust Mark identifier can only be used in self-signed trust marks and any entity within the Federation can issue Trust Marks with that identifier.”
and rewrite the second statement to be something like:
“The fact that a Trust Mark Issuer is accepted by the federation, to issue Trust Marks that are not self-signed, is expressed in the `trust_marks_issuers` claim of the Trust Anchor.”
Responsible: Roland Hedberg
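To make the two readings concrete, here is an added example (not part of the issue or of the OpenID Federation specification): a check that evaluates a Trust Mark's issuer against a Trust Anchor's claim under the wording proposed above, beside the same check under the current wording, so the divergence for an empty issuer list is visible. The claim name `trust_mark_issuers` (the issue also writes `trust_marks_issuers`), the sample Trust Anchor claim, the entity IDs and the decision functions are assumptions made for this example.

```python
"""Added example: evaluate Trust Mark issuers against a Trust Anchor's claim.

Implements the semantics proposed in the issue (empty list => self-signed only)
beside the current wording (empty list => anyone may issue). Not spec code.
"""
from enum import Enum

# Constructed sample of the relevant claim from a Trust Anchor's Entity Statement.
# Trust Mark identifiers and entity IDs are made up for illustration.
TRUST_ANCHOR_CLAIM = {
    "https://federation.example/tm/accredited": [
        "https://issuer-a.example",
        "https://issuer-b.example",
    ],
    # Empty list: the case whose meaning the issue says is contradictory.
    "https://federation.example/tm/member": [],
}

class Verdict(Enum):
    ACCEPTED = "accepted"
    ISSUER_NOT_LISTED = "issuer not listed for this identifier"
    IDENTIFIER_UNKNOWN = "identifier not present in trust_mark_issuers"
    SELF_SIGNED_ONLY = "identifier allows only self-signed Trust Marks"

def evaluate_proposed(trust_mark_issuers, tm_id, iss, sub):
    """Proposed wording: an empty list means the identifier is valid only in
    self-signed Trust Marks (iss == sub), which any federation entity may issue;
    a non-empty list names the accepted issuers of non-self-signed Trust Marks.
    (Assumption: for a non-empty list the listed issuers are authoritative.)"""
    if tm_id not in trust_mark_issuers:
        return Verdict.IDENTIFIER_UNKNOWN
    allowed = trust_mark_issuers[tm_id]
    if not allowed:
        return Verdict.ACCEPTED if iss == sub else Verdict.SELF_SIGNED_ONLY
    return Verdict.ACCEPTED if iss in allowed else Verdict.ISSUER_NOT_LISTED

def evaluate_current(trust_mark_issuers, tm_id, iss):
    """Current wording quoted in the issue: an empty list means anyone may issue
    Trust Marks with that identifier, self-signed or not."""
    if tm_id not in trust_mark_issuers:
        return Verdict.IDENTIFIER_UNKNOWN
    allowed = trust_mark_issuers[tm_id]
    return Verdict.ACCEPTED if (not allowed or iss in allowed) else Verdict.ISSUER_NOT_LISTED
```

Run both functions on the `.../tm/member` identifier with an issuer that is not the subject: the current wording accepts the Trust Mark, the proposed wording rejects it as self-signed only.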