Open zachmann opened 1 month ago
Presently, if there is no delegation involved, the TA publishes the list of trust mark IDs it accepts in `trust_mark_issuers`, like this:

```json
"trust_mark_issuers": {
  "ID1": ["https://swamid.se"]
}
```

If the TA doesn't know or care who issues trust marks with a specific ID, it can say:

```json
"trust_mark_issuers": {
  "ID1": []
}
```
Regarding delegation, the order is turned around, so a delegation is expressed with the trust mark issuer's `entity_id` as the key, like this:

```json
"trust_mark_owners": {
  "https://swamid.se": {
    "sub": "DELEGATED_ID.1",
    "jwks": {
      "keys": [
        {
          "alg": "RS256",
          "e": "AQAB",
          "kid": "key1",
          "kty": "RSA",
          "n": "pnXBOusEANuug6ewezb9J_...",
          "use": "sig"
        }
      ]
    }
  }
}
```
That anyone can issue a delegated trust mark could then be expressed by using `"*"` instead of the trust mark issuer's `entity_id`, in which case you would get:

```json
"trust_mark_owners": {
  "*": {
    "sub": "DELEGATED_ID.1",
    "jwks": {
      "keys": [
        {
          "alg": "RS256",
          "e": "AQAB",
          "kid": "key1",
          "kty": "RSA",
          "n": "pnXBOusEANuug6ewezb9J_...",
          "use": "sig"
        }
      ]
    }
  }
}
```
> Regarding delegation, the order is turned around, so a delegation is expressed with the trust mark issuer's `entity_id` as the key, like this:

No, this is not correct: still the trust mark ID is used as the key, and the trust mark owner's issuer ID is in `"sub"`. The following is the example from Figure 3 in the spec:

```json
{
  "https://refeds.org/wp-content/uploads/2016/01/Sirtfi-1.0.pdf": {
    "sub": "https://refeds.org/sirtfi",
    "jwks": {
      "keys": [
        {
          "alg": "RS256",
          "e": "AQAB",
          "kid": "key1",
          "kty": "RSA",
          "n": "pnXBOusEANuug6ewezb9J_...",
          "use": "sig"
        }
      ]
    }
  }
}
```
But that's not my point. My point is that the cited paragraph requires TAs, in the case of delegated trust marks, to publish a list of trust mark issuers in addition to having `trust_mark_owners`. I think this should not be a requirement.
I'm in the process of reworking the Trust Mark validation text in #153. Let's resolve this there. Can you please review it, @zachmann?
Section 7.3. "Validating a Trust Mark" contains the following paragraph:
I have my problems with this paragraph and want to have a discussion on it.
First of all, I think it is placed weirdly in the "Validating a Trust Mark" section. While the information is also relevant for validation, it's more a requirement about what/when the TA has to publish certain claims.

Section 7.2. "Trust Mark Delegation" does talk about `trust_mark_owners` but not about `trust_mark_issuers`. Also, the claim descriptions for `trust_mark_owners` and `trust_mark_issuers` in Section 3 do not talk about a linkage between them. This is only the case in the quoted paragraph from Section 7.3.

I see use cases where a TA wants to have more control over who can issue a trust mark within their federation, also in the case of delegation, and limit the list of trust mark issuers down to a subset of what the trust mark owner delegated. However, I think there are equally valid use cases where the TA just wants to use a trust mark that is owned outside the federation, with various TMIs within the federation, and the TA does not want to list them all, because it wants to rely on the delegation.
Section 7.2. has the example of vehicle inspection as a reasoning for delegation. I think this is a very good example where the TA would publish the trust mark in the `trust_mark_owners` claim, but would not publish all the individual TMIs in `trust_mark_issuers`, because then it would need to (periodically) ask the TMO who all the TMIs are.

TL;DR: I don't see the reason for having the requirement (MUST) to publish `trust_mark_issuers` in the case of a delegated trust mark, but I see use cases where this is not desired. Can we enable those cases, where the TA just wants to use a delegated trust mark and rely on the delegation from the TMO to the TMIs?