Multiple Trust Mark objects with the same ID in Entity Statement and its handling

[cicnavi]

Just to consider if it is necessary to clarify...

In Entity Statement claim trust_marks https://openid.net/specs/openid-federation-1_0.html#section-3-6.23, in theory, an entity can put multiple JSON objects with the same "id" value, designating the same Trust Mark identifier.

Is it OK to do that, or one "should not" do that? In the validation process in case of multiple trust marks with same identifier, what if one fails validation and other passes - is that a "validation pass" or "validation fail" for the same Trust Mark ID? Should we then consider the trust mark that is issued later, etc...

[zachmann]

My opinion on this is that this SHOULD NOT or even MUST NOT be done.

For validating on the other hand I would say if there is a valid one, there is a valid one. I think it should not matter what else might be there.
However, I certainly can expect that implementation will just iterate through the list of trust marks looking for the one with a specific trust mark id, and stop at the first one they found with that id; if that one is invalid, I would not look for another one, since my assumption would be there is only one anyway.

[cicnavi]

Agree on most, but not sure about this:

For validating on the other hand I would say if there is a valid one, there is a valid one. I think it should not matter what else might be there.

as I imagine in theory there could be one issued earlier which never expires (and the signature checks out), and one issued later but which expired...

[selfissued]

@peppelinux @rohe what are your thoughts on this?

[peppelinux]

iterating upon an array of trust marks, provided within an Entity Configuration trust_marks parameter, the first valid trust mark matching a specific id would be enough for who evaluates that trust mark type presence and validity.

[peppelinux]

I am in favor of enabling multiple trust marks with the same id and with different trust mark issuers

I want to disallow the possibility to have the same trust mark type, issued by the same issuer, multiple times within the same Entity Configuration.

[Razumain]

I'm not sure I see the problem.

From an algorithmic standpoint I'm looking at a number of available proofs that this entity has been granted a number of defined Trust Marks.
My validation process will look at each proof individually and attempt to validate it. If it fails, it will just discard this proof and validate the next.
In the end it will gather all successfully validated proofs and make that a list of valid Trust Marks.

If I use a resolver, I expect the resolver to the same, and give me all Trust Marks that was successfully validated.

If the same entity collects Trust Marks with the same ID from different issuers, that seems highly redundant but I fail to see where it would break anything.

[zachmann]

I'm not sure I see the problem.

From an algorithmic standpoint I'm looking at a number of available proofs that this entity has been granted a number of defined Trust Marks. My validation process will look at each proof individually and attempt to validate it. If it fails, it will just discard this proof and validate the next. In the end it will gather all successfully validated proofs and make that a list of valid Trust Marks.

If I use a resolver, I expect the resolver to the same, and give me all Trust Marks that was successfully validated.

I agree that this is what the resolver should do (which is also basically stated in the spec (it must only return valid trust marks)). However, entities verifying trust marks for their own needs might implement another approach. Instead of validating all present trust marks (and checking if the desired ones are in the list) the entity might first filter for one (or more) particular trust marks and then only verify those.

If the implementation assumes that there is only one trust mark per trust mark id it will also only verify that one trust mark it finds. If the trust marked entity has a valid one and an invalid one present, the validation might or might not fail (depending on which jwt the implementation 'finds').

[cicnavi]

We talked about this at the Federation Interop, and the conclusion is that if there are multiple Trust Marks with the same ID, they would still be valid (or not) based on their individual status (valid or not).