...

  1. Inputs to Trust Mark Issuer:

    • id: The identifier for the Trust Mark (e.g., http://dc4eu.example.com/EHICCredential/se).
    • sub: The entity's unique identifier (entity_id).
  2. Steps:

    • Contact the Trust Mark Issuer: TBD
    • Supply the id and sub to the Trust Mark Issuer.
    • Retrieve the issued Trust Mark as a signed JWT.

  3. Validation:

    • Use a JWT library to verify the Trust Mark's signature using the Trust Mark Issuer's public key:
      • Retrieve public keys from the Trust Mark Issuer's .well-known/jwks.json endpoint.
      • Validate claims such as iss, sub, id, and iat for compliance.
  4. Include in Metadata: Add issued Trust Marks to your issuer’s metadata:

    trust_marks:
      - "eyJhbGciOiJIUzI1NiIsInR..."
      - "eyJhbGciOiJIUzI1NiIsInR..."


Testing Trust Marks

  1. Decode JWT: Use tools like jwt.io to inspect the Trust Mark's claims and ensure all required fields are present.

  2. Verify Signature: Validate the JWT signature against the Trust Mark Issuer's public key.

  3. Check Expiration: Ensure the exp claim (if present) has not expired.

  4. Validate References: Follow the ref URL (if provided) to confirm compliance with human-readable policy documents.
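The validation step (3) and the testing checklist above, worked through as one example in Go (added here; it is not dc4eu or SUNET code and not the project's own library). It uses only the Go standard library: it rebuilds a P-256 public key from a JWK entry with the same fields as the EC key in the Trust Anchor list below (the RSA key is not handled), selects the key by the JWS kid header, verifies the ES256 signature over header.payload, and only then checks iss, sub, id, iat and exp. Assumptions: the issuer and entity URLs, the kid and the stand-in issueTrustMark signer are constructed so the example runs offline; alg is pinned to ES256 and the typ header to trust-mark+jwt, the value the OpenID Federation specification assigns to Trust Mark JWTs; the identifier claim is named id as on this page. In real tooling the keys come from the issuer's .well-known/jwks.json rather than the in-memory list used here.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// jwk mirrors one key entry of jwks.json / the trust_anchors list on this page; only EC P-256 is handled.
type jwk struct{ Kty, Use, Kid, Crv, X, Y string }
// trustMarkClaims holds the claims the validation step checks; the identifier claim is "id", as on this page.
type trustMarkClaims struct {
	Iss string `json:"iss"`
	Sub string `json:"sub"`
	ID  string `json:"id"`
	Iat int64  `json:"iat"`
	Exp int64  `json:"exp,omitempty"`
}
var b64 = base64.RawURLEncoding

// verifyTrustMark runs the checklist: pinned alg/typ, key lookup by kid, ES256 signature, then the claims.
func verifyTrustMark(token string, keys []jwk, wantIss, wantSub, wantID string, now time.Time) (*trustMarkClaims, error) {
	parts := strings.Split(token, ".")
	var hdr struct{ Alg, Kid, Typ string }
	if len(parts) != 3 {
		return nil, errors.New("not a compact JWS")
	} else if raw, err := b64.DecodeString(parts[0]); err != nil || json.Unmarshal(raw, &hdr) != nil {
		return nil, errors.New("malformed JWS header")
	} else if hdr.Alg != "ES256" || hdr.Typ != "trust-mark+jwt" { // the verifier, not the token, fixes the algorithm
		return nil, fmt.Errorf("unexpected alg %q / typ %q", hdr.Alg, hdr.Typ)
	}
	var pub *ecdsa.PublicKey
	for _, k := range keys { // P-256 JWK coordinates are base64url of exactly 32 bytes each
		x, errX := b64.DecodeString(k.X)
		y, errY := b64.DecodeString(k.Y)
		if k.Kid == hdr.Kid && k.Kty == "EC" && k.Crv == "P-256" && k.Use != "enc" && errX == nil && errY == nil && len(x) == 32 && len(y) == 32 {
			pub = &ecdsa.PublicKey{Curve: elliptic.P256(), X: new(big.Int).SetBytes(x), Y: new(big.Int).SetBytes(y)}
		}
	}
	sig, err := b64.DecodeString(parts[2]) // an ES256 signature is raw r||s, 32 bytes each
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if pub == nil || err != nil || len(sig) != 64 || !ecdsa.Verify(pub, digest[:], new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:])) {
		return nil, fmt.Errorf("signature verification failed for kid %q", hdr.Kid)
	}
	var c trustMarkClaims // claims are read only after the signature is good
	switch raw, err := b64.DecodeString(parts[1]); {
	case err != nil || json.Unmarshal(raw, &c) != nil:
		return nil, errors.New("malformed payload")
	case c.Iss != wantIss || c.Sub != wantSub || c.ID != wantID:
		return nil, fmt.Errorf("claims mismatch: iss=%q sub=%q id=%q", c.Iss, c.Sub, c.ID)
	case c.Iat == 0 || time.Unix(c.Iat, 0).After(now.Add(time.Minute)):
		return nil, errors.New("iat missing or in the future")
	case c.Exp != 0 && !now.Before(time.Unix(c.Exp, 0)):
		return nil, errors.New("trust mark has expired")
	}
	return &c, nil
}

// issueTrustMark stands in for the Trust Mark Issuer so the example runs offline: ES256-signs the claims, returns the JWT and the JWK jwks.json would publish.
func issueTrustMark(priv *ecdsa.PrivateKey, kid string, c trustMarkClaims) (string, jwk) {
	hdr, _ := json.Marshal(map[string]string{"alg": "ES256", "typ": "trust-mark+jwt", "kid": kid})
	body, _ := json.Marshal(c)
	input := b64.EncodeToString(hdr) + "." + b64.EncodeToString(body)
	digest := sha256.Sum256([]byte(input))
	r, s, _ := ecdsa.Sign(rand.Reader, priv, digest[:]) // error only on RNG failure; ignored for the demo
	coord := func(i *big.Int) string { return b64.EncodeToString(i.FillBytes(make([]byte, 32))) }
	sig := append(r.FillBytes(make([]byte, 32)), s.FillBytes(make([]byte, 32))...)
	return input + "." + b64.EncodeToString(sig), jwk{Kty: "EC", Use: "sig", Kid: kid, Crv: "P-256", X: coord(priv.X), Y: coord(priv.Y)}
}

// runScenario issues a mark under a fresh constructed key and verifies it; a non-empty forgedSub rewrites sub after signing, a negative ttlSeconds makes it expired.
func runScenario(forgedSub string, ttlSeconds int64) error {
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // constructed issuer key, never persisted
	now := time.Now()
	c := trustMarkClaims{Iss: "https://tmi.example.org", Sub: "https://ehic-issuer.example.org", // constructed ids
		ID: "http://dc4eu.example.com/EHICCredential/se", Iat: now.Unix(), Exp: now.Unix() + ttlSeconds}
	tok, pub := issueTrustMark(priv, "issuer-key-1", c) // constructed kid
	if forgedSub != "" {
		c.Sub = forgedSub
		body, _ := json.Marshal(c)
		p := strings.Split(tok, ".")
		tok = p[0] + "." + b64.EncodeToString(body) + "." + p[2]
	}
	_, err := verifyTrustMark(tok, []jwk{pub}, c.Iss, c.Sub, c.ID, now)
	return err
}

func main() {
	fmt.Println(runScenario("", 86400), runScenario("https://other-entity.example.org", 86400), runScenario("", -3600))
}
```

Run it with go run: the first result is nil (genuine mark accepted), the second reports a signature failure because the payload was re-encoded after signing, and the third reports expiry even though its signature is valid. Two design points carry over into real tooling: the verifier decides the algorithm and the key, never the token's header alone, and claims are parsed and compared only after the signature has been checked, so an unverified payload never drives policy.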

...

  1. Trust Anchor URL:

    • For your setup, the Trust Anchor URL is:
      https://openidfed-test-1.sunet.se:7001
      
  2. Trust Anchor Keys: Add the Trust Anchor’s public keys to your configuration: 

    trust_anchors:
      https://openidfed-test-1.sunet.se:7001:
        keys:
          - kty: RSA
            use: sig
            kid: UFpoajluZU42dTNUUXo5RnhBVEJnRk9JY2NtU1JKdlVYUk1RUFRyVkFFRQ
            n: p9S2whcSjmBdxerp80tIJreUUmZiGNGXIocJlNjx9pgD5_WD2l6mBNuEZMpP-QUB_TSV3VesNiqmOdydGp1wkfQ-NmVdoso29FjEdgrckLIwirAVmVQ6bGQQnXJrR56mRz0QqENi11vVpbDj6hsprxK1EZBQL-sQ2kem289B_BCNT-NvwVHrYJlaQA32z7cs1a7W8wt9eLxA10PeiYMgDVU_69wKBw4YrjjozOHKMRGchUQEjQhfSZfk49bip_5TNz4dmBmSCIbdE2yilFrfRSNrh7q2myuyDE3k2QZbSOXXGGT1LtHO74WIY58v-M3A7_zxp0f2Eo9ZD3N4h-InIw
            e: AQAB
          - kty: EC
            use: sig
            kid: Nm82cTJKMDkydXhxOUMtTm0teFpMWlZiR0ZVa2U3YVVtbkJTV3hBd3FqOA
            crv: P-256
            x: 69XlQkKYfWJDXAv_Vbrqyfz9gfAhu1qQ4mtLde18-Cg
            y: ntBwdhy4_cS2PRBS-xdKkNwcO1yQP8TdoOHbHN9Yjv8
  3. Include in Metadata: Add the Trust Anchor entity ID and keys to your issuer configuration:

    trust_anchors:
      - "https://openidfed-test-1.sunet.se:7001"
    
  4. Purpose: Trust Anchors validate Trust Marks’ signatures and establish trust within the federation.

...