Guidance on how to respond to unknown trust mark on status endpoint

[MichaelFraser1999]

The trust mark status endpoint states that

The query MUST be sent to the Trust Mark Issuer.

And further down, we have

An error response is as defined in [Section 8.9](https://openid.net/specs/openid-federation-1_0.html#error_response)..

It isn't overly clear which error response a server is expected to return in the event they receive a request for the status of a trust mark it did not issue or is not aware of. I can see implementations currently picking one of invalid_request or not_found (though not_found does explicitly scope itself to an unknown Entity Identifier right now so perhaps not this one).

I'd like to know others thoughts on this but I would suggest we define a dedicated invalid_trust_mark error code for this use case and add guidance text to use it in the trust mark status response.

[zachmann]

I would not expect an error response at all, but instead an {"active": false} similar to RFC7662.

[MichaelFraser1999]

If we want to go the obscurity route, I'm not against that! I do think we should still document that as the correct behaviour in the text

[MichaelFraser99]

That said... I still don't think an {"active": false} response is correct when presented with a trust mark that the server didn't issue - i.e. an explicitly incorrect iss value within. Returning as such could lead to greater confusion

Edit: yes I changed accounts mid-way through conversation... whoops

[rohe]

So perhaps returning the HTTP status code 404 would be more appropriate.

[Razumain]

Or 418 ;)