[Openid-specs-ab] Issue #2104: Allow trust marks in subordinate statements (openid/connect)
Stefan Santesson
issues-reply at bitbucket.org
Fri Jan 12 17:09:35 UTC 2024
New issue 2104: Allow trust marks in subordinate statements
https://bitbucket.org/openid/connect/issues/2104/allow-trust-marks-in-subordinate
Stefan Santesson:
Section 3. states:
> This claim MUST NOT be present in Subordinate Statements. Trust Marks are described in Section 6.3.
This requirement is an unnecessary restriction that prevents legitimate extensibility of the standard.
The standard already makes it possible to convey metadata for the subject in a subordinate Entity Statement.
It should be equally possible to provide a list of Trust Marks. The risks are none as the Trust marks are signed and bound to the subject.
The reason for this is to allow extensibility where an end entity is supported even if it does not publish an Entity Configuration. This is possible to support as an extended implementation as the subordinate Entity Statement can carry complete information about the leaf entity if properly advertised. See separate issue.
Even if such extended support is not standardised, it should not be blocked as a voluntary extension marked critical to ensure interop.
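The argument above rests on a relying party actually enforcing the binding between a Trust Mark and the subject of the statement it appears in. The following is an added example, not code from the issue, the OpenID Federation specification or any implementation, of the checks a consumer would run over the `trust_marks` array of an Entity Statement before treating any mark as valid for the statement's `sub`: known issuer, valid signature, `sub` and `id` matching, not expired. The issuer URLs, entity identifiers, keys and reference time are constructed for the example, and HMAC (HS256) stands in for the issuer's real asymmetric signing key so that the block runs with the standard library only; the claim names (`iss`, `sub`, `id`, `iat`, `exp`, `trust_marks`, `trust_mark`) follow the specification.

```python
import base64
import hashlib
import hmac
import json

# Constructed keys for two hypothetical Trust Mark issuers. HMAC is a
# stand-in for the issuer's real signing key, which a relying party would
# resolve from the issuer's published JWKS.
ISSUER_KEYS = {
    "https://tm-issuer.example": b"constructed-issuer-key-1",
    "https://other-issuer.example": b"constructed-issuer-key-2",
}

NOW = 1_705_000_000                                    # constructed reference time
LEAF = "https://leaf.example"                          # constructed subject
MARK_ID = "https://tm-issuer.example/marks/member"     # constructed trust mark id


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_trust_mark(claims: dict, key: bytes) -> str:
    """Produce a compact JWT for the claims (HS256 only for this example)."""
    header = {"alg": "HS256", "typ": "trust-mark+jwt"}
    signing_input = ".".join(
        _b64url(json.dumps(part, separators=(",", ":")).encode()) for part in (header, claims)
    )
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def _unverified_claims(token: str):
    """Decode the payload without trusting it; used only to pick the issuer key."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    try:
        return json.loads(_b64url_decode(parts[1]))
    except (ValueError, UnicodeDecodeError):
        return None


def _verify_signature(token: str, key: bytes) -> bool:
    head, payload, sig = token.split(".")
    expected = hmac.new(key, f"{head}.{payload}".encode(), hashlib.sha256).digest()
    return hmac.compare_digest(expected, _b64url_decode(sig))


def validate_trust_marks(statement: dict, issuer_keys: dict, now: int):
    """Return (accepted_ids, rejections) for the trust_marks array of an Entity Statement.

    A mark is accepted only if it is signed by a known issuer, names this
    statement's subject and this entry's id, and has not expired.
    """
    accepted, rejections = [], []
    for entry in statement.get("trust_marks", []):
        tm_id, token = entry.get("id"), entry.get("trust_mark", "")
        claims = _unverified_claims(token)
        if claims is None:
            rejections.append((tm_id, "malformed token"))
            continue
        key = issuer_keys.get(claims.get("iss"))
        if key is None:
            rejections.append((tm_id, "untrusted issuer"))
            continue
        if not _verify_signature(token, key):
            rejections.append((tm_id, "bad signature"))
            continue
        # Binding: the mark must be about the statement's subject, under this id.
        if claims.get("sub") != statement.get("sub"):
            rejections.append((tm_id, "subject mismatch"))
            continue
        if claims.get("id") != tm_id:
            rejections.append((tm_id, "id mismatch"))
            continue
        if "exp" in claims and claims["exp"] <= now:
            rejections.append((tm_id, "expired"))
            continue
        accepted.append(tm_id)
    return accepted, rejections


def build_sample_statement() -> dict:
    """Constructed subordinate statement carrying one good mark and four bad ones."""
    key = ISSUER_KEYS["https://tm-issuer.example"]
    base = {"iss": "https://tm-issuer.example", "id": MARK_ID, "iat": NOW - 100}
    good = sign_trust_mark({**base, "sub": LEAF, "exp": NOW + 3600}, key)
    wrong_sub = sign_trust_mark({**base, "sub": "https://other-leaf.example", "exp": NOW + 3600}, key)
    expired = sign_trust_mark({**base, "sub": LEAF, "exp": NOW - 1}, key)
    rogue = sign_trust_mark({**base, "iss": "https://rogue.example", "sub": LEAF}, b"rogue-key")
    # Tampered: payload replaced (lifetime extended) while keeping the original signature.
    head, _, sig = good.split(".")
    forged_payload = _b64url(json.dumps({**base, "sub": LEAF, "exp": NOW + 10**9}).encode())
    tampered = f"{head}.{forged_payload}.{sig}"
    return {
        "iss": "https://intermediate.example", "sub": LEAF, "iat": NOW, "exp": NOW + 86400,
        "trust_marks": [{"id": MARK_ID, "trust_mark": t}
                        for t in (good, wrong_sub, expired, rogue, tampered)],
    }


if __name__ == "__main__":
    ok, bad = validate_trust_marks(build_sample_statement(), ISSUER_KEYS, NOW)
    print("accepted:", ok)
    for tm_id, reason in bad:
        print("rejected:", tm_id, "-", reason)
```

Running the block accepts only the first mark and rejects the other four for subject mismatch, expiry, an unknown issuer and a bad signature respectively; the same checks apply whether the `trust_marks` array was read from an Entity Configuration or from a Subordinate Statement, which is what makes the carrier of the marks immaterial to their trustworthiness.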