Clarify validation of Trust Marks

[Razumain]

Reading the spec with the updated Trust Mark Status endpoint. I see a clear risk of interop issues.

This endpoint is not very clear what it means for a Trust Mark to be active, if the Trust Mark passed to this endpoint is passed its expiration time.

1. It could med false because the Trust Mark presented is expired.
2. It could be true, because this entity still has the right to this trust_mark_type. All you need is to get a fresh Trust Mark.

This could be solved in several ways.

1. Clarify what "active" actually means.
2. Extend the response to give more elaborate information

The latter could provide information both on the status of the token (JWT) as well as the validity of the trust_mark_type for this subject. This could look like:

{
"token_status": "revoked"
"trust_mark_type": "active"
}

I would also like to get this response signed as it contains security critical information.

[Razumain]

I would like to add that if the response to an expired Trust Mark is a failure/invalid only, then we have a bigger problem.

As this endpoint has changed, it is now impossible to check via this endpoint if a subject has a specific Trust Mark, unless you possess such Trust Mark that is still valid.

It could be debated whether this is a problem, or a feature. If the intension is that unless you have a valid Trust Mark, you should aske for a new one, instead of using this endpoint.

If that is the intention, it should be described in the text.

[zachmann]

Indeed, my understanding is that the trust mark status endpoint is about the status of a single Trust Mark JWT.

There is also the trust marked entities listing endpoint - that still has a sub parameter and that could be used to check if an entity is trust marked with a particular trust mark type. IMO the change of the status endpoint made sense and (at least for me) it is now more clear what the purpose of all the different trust mark related endpoints is.

But I agree that the sentence This enables determining whether a Trust Mark that has been issued to an Entity is still active. would benefit from using the term Trust Mark Instance instead of only Trust Mark. Trust Mark Instance is also used in section 7.3

That section (now) also contains the answer to your initial question:

The Trust Mark Status endpoint will check if the instance has been issued by itself and that it is still valid, in both signature and expiration, and that it has not been revoked.

However, I agree that it would be good to also state this at the actual status endpoint.

[Razumain]

@zachmann Thanks for the clarifications. I didn't read the whole document here and I agree with your assessment.

This should be clarified in the endpoint description as a clarification of what "active" means. And what a failure means.

I would still propose changes to the response. The result "active" is a bit disconnected from what now is asked fro and responded to, which is not only if the trust_mark_type is "active" for this subject, but whether this Trust Mark instance is "valid". A successful response of course means, both, but a negative response may not.

With the current semantical change, I think it would be appropriate to change the syntax to:

{
"status": active
}
If the Trust Mark instance is valid, and the status is still "active"

{
"status": invalid
}
If the Trust Mark instance is invalid (expired or signature verification failure)

{
"status": revoked
}
If the Trust Mark instance is valid, but the Trust Mark status has been revoked for this subject.

AND

I really think this should be signed.

2 reasons:

1. Because it is security critical information
2. Because it can be stored as an evidence record if signed for audit purposes

[Razumain]

Reading the latest Editor's draft I find the following text in section 7.3:

Validate the signature of the instance and verify that it has not expired and/or send a query to the Trust Mark Issuer's Trust Mark Status endpoint. The Trust Mark Status endpoint will check if the instance has been issued by itself and that it is still valid, in both signature and expiration, and that it has not been revoked.

I have some problems with this:

"The instance has been issued by itself"
First I totally misread this first, and it seems to suggest that an instance can issue a Trust Mark instance. Finally I got that the text meant that the Issuer providing the endpoint has issued the instance. Maybe this could be written with more precision like:

The Trust Mark Status endpoint will check if the instance is still valid and has been issued by this Trust Mark Issuer.

Comparing operations with different purpose:
The statement "that it has not expired and/or send a query to the Trust Mark Issuer's Trust Mark Status endpoint" may be interpreted as equivalent checks (stated as and/or). Checking status if important if the Trust Mark is old but still non-expired. Perhaps this could be clarified as:

Validate the signature of the instance and verify that it has not expired by validating the instance, or by sending a query to the Trust Mark Issuer's Trust Mark Status endpoint.

This clarifies that the test here is just with respect to signature validity and expiration. Then add a new bullet:

Check the current status of the Trust Mark by sending a a query to the Trust Mark Issuer's Trust Mark Status endpoint and/or the Trust Marked Entities Listing endpoint. This check SHOULD be made unless the instance is issued recently. What is considered recently is at the discretion of the verifier.

With this this change, I think the last paragraph could be deleted:

If trust marks are issued without an expiration time, it is RECOMMENDED that a mechanism be provided to validate them, such as the Trust Mark Status endpoint and/or the Trust Marked Entities Listing endpoint.

[rohe]

These last text changes sounds reasonable.

In the comment before this last one you state 'which is not only if the trust_mark_type is "active" for this subject'.
The Trust Mark Status endpoint doesn't check anything like that.

It only works on individual trust mark instances.
It

1. verifies the signature of the trust mark instance,
2. checks if the trust mark instance is expired and finally
3. checks if the trust mark instance is revoked or not.

It DOES NOT check if the Trust Mark Issuer can issue a new trust mark of the trust_mark_type for the entity in question or not.

[rohe]

I agree that the response should be signed.

[Razumain]

These last text changes sounds reasonable.

In the comment before this last one you state 'which is not only if the trust_mark_type is "active" for this subject'. The Trust Mark Status endpoint doesn't check anything like that.

It only works on individual trust mark instances. It

1. verifies the signature of the trust mark instance,
2. checks if the trust mark instance is expired and finally
3. checks if the trust mark instance is revoked or not.

It DOES NOT check if the Trust Mark Issuer can issue a new trust mark of the trust_mark_type for the entity in question or not.

@rohe Yes you are right, I think we agree fully on what the status endpoint does is what you list.

From your list, I still think we need 3 separate outcomes of that check:

1. active/valid - if all checks pass (signature OK, non-expired, non-revoked)
2. invalid - if signature validation fails or instance has expired
3. revoked - if signature is OK, non-expired, but revoked.

[rohe]

When it comes to signing the response. Myself and Stefan are in favor of it.
What do the rest of you think ?

[rohe]

I'd like to move the discussion on signing to #257