Verifying a trust mark

[zachmann]

Section 7.3 says:

To validate a Trust Mark:

1. Check the signature of the signed JWT and verify that it has not expired.
2. If the Trust Mark identifier appears in the trust_mark_owners claim, verify that the Trust Mark contains a delegation claim. The claims for the Trust Mark identifier in the trust_mark_owners value are used in the following way:
   • The signature of the delegation JWT MUST verify with a key from jwks claim.
   • The issuer of the delegation JWT MUST match the sub value in this set of claims.
3. Using the Trust Mark issuer status endpoint to verify that the Trust Mark is still active is described in Section 8.4.

For me it's not clear what this list is:

• Is this a list of things an entity could do for validation?
• Is this a list of things an entity must do (in that order) for validation?

For me 1. and 2. seem to belong together, you must do both in order to verify the trust mark. But 3. falls out (for me).

What is the intended usage of the trust mark status endpoint (keep in mind that it is optional):

• Do entities MUST validate all trust marks there?
• Do entities SHOULD validate all trust marks there?
• Is it an additional thing to do apart from JWT verification?
• Is it an alternative to do JWT verification? (like the resolve endpoint)

Personally, I think the later is the case. But that's not clear from the description.

[selfissued]

I agree that 3 is more of an alternative method and not a requirement.

[vdzhuvinov]

A Trust Mark can generally be validated by:

• calling the TM status endpoint

or

• checking the JWT signature and validating the contained claims

I think the spec should leave it up to implementers and / or federations to decide which method to use. A Trust Mark that is revocable and critical may be better checked at the status endpoint. Or, one could decide that for a certain Trust Mark relying on JWT signature + claims (incl. "exp") check is entirely sufficient.