Add Option to Enforce Stricter Trust Mark Validation Requirements in Federations

[lj-raidiam]

Currently, the section Section 7.3 on Trust Mark Validation:

• doesn't require an Entity to know which Trust Anchor it is using prior to validation of a Trust Mark,
• doesn't require Trust Mark Issuer to be included in the trust_mark_issuers claim,
• doesn't require the connection between Trust Mark type and the corresponding Trust Mark Issuer to be published in the trust_mark_issuers claim in case of an on-behalf-of scenario,
• allows the use of the empty array to indicate that the trust mark can be issued by any Trust Mark Issuer.

In many federations, the first three will be required and while the fourth one will not be used. How do we make it more strict and make it discoverable that a federation follows these rules?

In other words, we have a couple of SHOULDs in there that in many federations will have to be MUSTs, and hence we need an option to control it and to indicate that this more strict approach applies.

[rohe]

We have metadata policies and federation topology constraints but nothing about the behaviour of entities.
If I remember correctly the Italian federation demands that every entity should have at least one active/valid trust mark.

It will not be easy to define a way of describing policies for federation entity behaviour but we can at least discuss it.

Do you have a proposal ?

[fkj]

At the WG meeting, @lj-raidiam raised a point asking why the language is "SHOULD NOT" in the following text:

An Entity SHOULD NOT try to validate a Trust Mark until it knows which Trust Anchor it is using.

If there is a good reason we can explain relatively concisely, it would be beneficial to add that explanation. If there is no good reason, we should consider turning it into a "MUST NOT".

[rohe]

My view is that an entity can use all trust anchors it has to verify trust marks that another entity has.

I doesn't have to use only one trust anchor for the trust mark issuer validation process, unless the federation it wants to use as trust layer has that demand in its profile.

Hence it can do trust mark issuer validation before it has decided on which federation to chose for the application protocol interaction.

[lj-raidiam]

@rohe, thank you for getting down to this and creating a PR for these issues that I reported. This more verbose explanation clarifies the intention better. Indeed, the case that you are describing may be possible.

[selfissued]

Addressed by #276