Incomplete statement about validating Trust Mark Issuer

[selfissued]

7.3. Validating a Trust Mark includes the statement:

"To validate a Trust Mark issuer, follow the procedure defined in Section 10."

where Section 10 is "Resolving the Trust Chain and Metadata".

This seems like an incomplete and confusing statement, because while resolving a trust chain is a necessary step to determine what Trust Anchor to use, that section doesn't describe how to validate a trust mark issuer.

What should we actually say that would be actionable to implementers and where should we say it?

[rohe]

To validate a trust mark issuer probably encompass these things:

1. verify that the trust mark issuer is part of the federation and that it is possible to get verified metadata about it (section 10)
2. verify that it is allowed to issue trust marks with a specific trust mark id (if no delegation)
3. If it works on delegation verify the delegation. The delegation being expressed in the trust_mark_owners claim)

Have I missed something ?

[tgeoghegan]

Even with the updated text in #153, I think there's a couple things missing here.

(1) 7.3 says to "[u]se the Trust Mark Status endpoint to verify that the Trust Mark is still active" but it doesn't say whose endpoint to use. It seems obvious that you'd check with the trust mark issuer, but I feel like that should be explicit.
(2) The other path says to verify that the trust mark issuer is a trusted Federation member and then "[v]alidate the signature of the Trust Mark JWT and verify that it has not expired." But which key should be used? Presumably it's one of the keys in the jwks claim at the top level of the TMI's entity configuration, but once again I think this should be explicit, as it is for validation of the delegation JWT.

Correspondingly to (2), I couldn't find any text in the document explaining which key a TMI should use to sign trust marks. The only key(s) that makes sense is the one(s) in the TMI's top-level jwks claim but it'd be nice to be explicit, since one might otherwise think an entity should use distinct keys for signing entity statements vs. trust marks.

I'm happy to move these observations to a new issue if you want to keep this one focused on something else.

[selfissued]

I will incorporate @tgeoghegan's suggestions into the PR.