Open zachmann opened 1 week ago
I agree that 3 is more of an alternative method and not a requirement.
A Trust Mark can generally be validated by:
or
I think the spec should leave it up to implementers and/or federations to decide which method to use. A Trust Mark that is revocable and critical may be better checked at the status endpoint. Or, one could decide that for a certain Trust Mark, relying on the JWT signature + claims (incl. "exp") check is entirely sufficient.
Section 7.3 says:
For me it's not clear what this list is:
For me, 1. and 2. seem to belong together: you must do both in order to verify the trust mark. But 3. falls out (for me).
What is the intended usage of the trust mark status endpoint (keep in mind that it is optional):
Personally, I think the latter is the case. But that's not clear from the description.