Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

trust_mark_owners and trust_mark_issuers with delegation #123

Open
zachmann opened this issue Oct 30, 2024 · 2 comments
Open

trust_mark_owners and trust_mark_issuers with delegation #123

zachmann opened this issue Oct 30, 2024 · 2 comments

Comments

@zachmann
Copy link
Collaborator

Section 7.3. "Validating a Trust Mark" contains the following paragraph:

If a Trust Mark issuer is issuing Trust Marks on behalf of a Trust Mark owner, then the Trust Anchor MUST publish the connection between the Trust Mark identifier and the corresponding Trust Mark issuer in the trust_mark_issuers claim. This signifies that the Trust Anchor has validated the Trust Mark owner and that the Trust Mark owner has delegated the right to issue Trust Marks with a designated Trust Mark identifier to a specified Trust Mark issuer.

I have my problems with this paragraph and want to have a discussion on it.

First of all I think it is placed weirdly in the "Validating a Trust Mark" section. While the information is also relevant for validation, it's more a requirement about what/when the TA has to publish certain claims.

Section 7.2. "Trust Mark Delegation" does talk about trust_mark_owners but not about trust_mark_issuers.

Also the claim description for trust_mark_owners and trust_mark_issuers in section 3 does not talk about a linkage between them.
This is only the case in the quoted paragraph from section 7.3

I see use-cases where a TA wants to have more control over who can issue a trust mark within their federation also in the case of delegation and limit the list of trust mark issuers down to a subset of what the trust mark owner delegated.
However, I think there are equally valid use cases where the TA just wants to use a trust mark that is owned outside the federation, with various TMIs within the federation, and the TA does not want to list them all, because it wants to rely on the delegation.

Section 7.2. has the example of vehicle inspection as a reasoning for delegation. I think this is a very good example where the TA would publish the trust mark in the trust_mark_owners claim, but would not publish all the individual TMIs in the trust_mark_issuers. Because then it would need to (periodically) ask the TMO who all the TMIs are.

TL;DR: I don't see the reason for having the requirement (MUST) to publish trust_mark_issuers in the case of a delegated trust mark, but I see use cases where this is not desired. Can we enable those cases, where the TA just wants to use a delegated trust mark and rely on the delegation from the TMO to the TMIs?
@rohe
Copy link
Collaborator

rohe commented Nov 4, 2024
edited
Loading

Presently if there is no delegation involved the TA publishes the list of trust mark ids it accepts in trust_mark_issuers
Like this:

"trust_mark_issuer": {
  "ID1": [ "https://swamid.se"]
}

If the TA doesn't know or care who issues trust marks with a specific ID it can say:

"trust_mark_issuer": {
  "ID1": []
}

Regarding delegation the order is turned around so a delegation is expressed, with the trust mark issuers entity_id as key, like this:

"trust_mark_owners": {
  "https://swamid.se": {
    "sub": "DELEGATED_ID.1",
    "jwks: {
        "keys": [
          {
            "alg": "RS256",
            "e": "AQAB",
            "kid": "key1",
            "kty": "RSA",
            "n": "pnXBOusEANuug6ewezb9J_...",
            "use": "sig"
          }
        ]
      }
   }
}

To express that anyone can issue a delegated trust mark could then be expressed by instead of having the trust mark issuers entity_id you could use "*". In which case you would get:

"trust_mark_owners": {
  "*": {
    "sub": "DELEGATED_ID.1",
    "jwks: {
        "keys": [
          {
            "alg": "RS256",
            "e": "AQAB",
            "kid": "key1",
            "kty": "RSA",
            "n": "pnXBOusEANuug6ewezb9J_...",
            "use": "sig"
          }
        ]
      }
   }
}

@zachmann
Copy link
Collaborator Author

zachmann commented Nov 4, 2024

Regarding delegation the order is turned around so a delegation is expressed, with the trust mark issuers entity_id as key, like this:

No this is not correct, still the trust mark id is used as the key, and the trust mark owner's issuer id is in "sub". The following is hte example from figure 3 in the spec:

{
  "https://refeds.org/wp-content/uploads/2016/01/Sirtfi-1.0.pdf":
    {
      "sub": "https://refeds.org/sirtfi",
      "jwks" : {
        "keys": [
          {
            "alg": "RS256",
            "e": "AQAB",
            "kid": "key1",
            "kty": "RSA",
            "n": "pnXBOusEANuug6ewezb9J_...",
            "use": "sig"
          }
        ]
      }
    }
}

But that's not my point.
My point is that the cited paragraph requires TAs in the case of delegated trust marks to publish a list of trust mark issuers additionally to having trust_mark_owners. I think this should not be a requirement.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@rohe @zachmann