Section 12.1.1.1.2. covers several cases regarding what OP has to do when processing an Authentication Request, distributed across multiple paragraphs:
- No registration for Client ID: SHOULD resolve Trust Chain to RP
- No registration for Client ID and RP included trust_chain: MAY use trust_chain as a hint.
- Client ID already registered and RP included trust_chain: MAY use trust_chain as a hint to update registration. That same paragraph then continues with text that I suppose is meant to apply to all cases, e.g., OP may rely on a Trust Chain if it has been validated.
- RP does not include trust_chain (or OP does not support that parameter): OP MUST validate as in Section 10
I think there is - and I do realize that this is somewhat nitpicky - a missing case: What if RP includes a trust_chain and OP supports this feature, but decides not to use the RP's trust_chain for some reason?
Regardless and more importantly, I think these paragraphs can be restructured to be more concise and clearer by starting with text that applies to all cases (e.g., "_A Trust Chain may be relied upon by the OP because it has validated all of its statements. This is true whether these statements are retrieved from their URLs or whether they are provided via the trust_chain request parameter in the Request Object._") and then covering the possible cases in terms of "is client ID already registered" and "did RP include a trust_chain (and does OP use/support that parameter)".