From 737f6318b05c25e4561496279d287f7b9bfb598b Mon Sep 17 00:00:00 2001 From: Eduardo Perottoni Date: Sun, 16 Nov 2025 22:39:11 -0300 Subject: [PATCH 01/14] fix: clarification on Explicit Registration explanation --- openid-federation-1_0.xml | 52 +++++++++++---------------------------- 1 file changed, 14 insertions(+), 38 deletions(-) diff --git a/openid-federation-1_0.xml b/openid-federation-1_0.xml index d46e6af..41009ea 100644 --- a/openid-federation-1_0.xml +++ b/openid-federation-1_0.xml @@ -549,9 +549,6 @@ to sign Subordinate Statements about their Immediate Subordinates, and for other signatures made by Federation Entities, such as Trust Mark signatures. - This claim is only OPTIONAL for the Entity Statement returned - from an OP when the client is doing Explicit Registration; - in all other cases, it is REQUIRED. Every JWK in the JWK Set MUST have a unique kid (Key ID) value. It is RECOMMENDED that the Key ID be the JWK Thumbprint using the SHA-256 hash function of the key. @@ -617,14 +614,14 @@
+ title="Claims that MUST or MAY appear in Entity Configurations but not in Subordinate Statements"> - OPTIONAL. An array of strings representing - the Entity Identifiers of Intermediate Entities or Trust Anchors - that are Immediate Superiors of the Entity. + OPTIONAL. An array of strings containing + the Entity Identifiers of Immediate Superiors (Trust Anchors or Intermediate Entities) + of the Entity which is subject of the Entity Configuration. This claim is REQUIRED in Entity Configurations of the Entities that have at least one Superior above them, such as Leaf and Intermediate Entities. @@ -752,18 +749,6 @@
-
- - - - OPTIONAL. Its value MUST be the Entity Identifier of the Trust Anchor - that the OP selected to process the Explicit Registration request. - This claim is specific to Explicit Registration responses and is not a - general Entity Statement claim. - - -
-
Entity Statements MUST be validated in the following manner. @@ -932,19 +917,6 @@ to validate that this is the fetch endpoint from which the Entity Statement was issued. - - If the trust_anchor Claim is present, - validate that its value is a URL - using the https scheme. - Implementations SHOULD validate that the Entity Identifier matches - one of the Trust Anchors configured for the deployment. - Furthermore, implementations SHOULD validate that the - Entity Configuration for the Entity Identifier contains - information compatible with the configured Trust Anchor information - - especially the keys. - This Claim MUST NOT be present in Entity Statements that are not - Explicit Registration responses. - @@ -4879,7 +4851,7 @@ trust_mark=eyJ0eXAiOiJ0cnVzdC1tYXJrK2p3dCIsImFsZyI6 ... Additional Trust Mark Status claims MAY be defined and used - in addition to the one above. + in addition to those listed above. @@ -6908,8 +6880,8 @@ HTTP/1.1 302 Found REQUIRED. Its value MUST be the Entity Identifier of the OP. - This claim is only used in Explicit Registration requests, - since it is not a general Entity Statement claim. + This claim is used in Explicit Registration requests but it is not + a general Entity Statement claim. @@ -7179,7 +7151,7 @@ HTTP/1.1 302 Found explicit-registration-response+jwt (and not entity-statement+jwt) to prevent confusion between the Explicit Registration response - and normal Entity Statements. + and Entity Statements.
@@ -7213,8 +7185,12 @@ HTTP/1.1 302 Found The RP MUST verify that the - trust_anchor represents one - of its own Trust Anchors. + trust_anchor Entity Identifier matches one + of the Trust Anchors configured for the deployment. + Furthermore, implementations SHOULD validate + that the Entity Configuration for the Entity Identifier contains + information compatible with the configured Trust Anchor information + - especially the keys. The RP MUST verify that at least one of the From 174f0c29f4b92515396c39de373e65838917fe71 Mon Sep 17 00:00:00 2001 From: Eduardo Perottoni Date: Fri, 28 Nov 2025 00:54:06 -0300 Subject: [PATCH 02/14] fix: adds section introducing Explicit Registration Response; back with modifications --- openid-federation-1_0.xml | 89 +++++++++++++++++++++++++-------------- 1 file changed, 58 insertions(+), 31 deletions(-) diff --git a/openid-federation-1_0.xml b/openid-federation-1_0.xml index 41009ea..a919249 100644 --- a/openid-federation-1_0.xml +++ b/openid-federation-1_0.xml 
@@ -473,17 +473,21 @@ The subject of the JWT is the Entity itself. The issuer of the JWT is the party that issued the Entity Statement. All Entities in a federation publish an Entity Statement about themselves - called an Entity Configuration. - Superior Entities in a federation publish Entity Statements about - their Immediate Subordinate Entities called Subordinate Statements. + called an Entity Configuration. + Superior Entities in a federation publish Entity Statements about + their Immediate Subordinate Entities called Subordinate Statements. + When a client is doing Explicit Registration on the OP, + the Explicit Registration Response returned from the OP, + as explained in , is also an Entity Statement, + composed of specific claims or common claims with specific semantics on their values. Entity Statement JWTs MUST be explicitly typed, by setting the typ header parameter to entity-statement+jwt to prevent cross-JWT confusion, per Section 3.11 of . - Entity Statements without a typ header parameter - or with a different typ value MUST be rejected. + Entity Statements without a typ header parameter + or with a different typ value MUST be rejected. The Entity Statement is signed using one of the private keys of the issuer @@ -549,6 +553,8 @@ to sign Subordinate Statements about their Immediate Subordinates, and for other signatures made by Federation Entities, such as Trust Mark signatures. + This claim is only OPTIONAL for the Explicit Registration Response, as stated in ; + in all other cases, it is REQUIRED. Every JWK in the JWK Set MUST have a unique kid (Key ID) value. It is RECOMMENDED that the Key ID be the JWK Thumbprint using the SHA-256 hash function of the key. 
@@ -562,12 +568,12 @@ openid_relying_party Entity Type Identifiers.) - + OPTIONAL. - JSON object that declares roles that the Entity plays - - its Entity Types - and that contains metadata for those Entity Types. - Each member name of the JSON + JSON object that declares roles that the Entity plays - + its Entity Types - and that contains metadata for those Entity Types. + Each member name of the JSON object is an Entity Type Identifier, and each value MUST be a JSON object containing metadata parameters according to the metadata schema of the Entity Type. @@ -597,6 +603,9 @@ metadata MUST be applied before the metadata_policy, as described in . + + This claim is REQUIRED for Explicit Registration Responses, as described in , + in which case it MUST contain the registered RP metadata. @@ -625,14 +634,13 @@ This claim is REQUIRED in Entity Configurations of the Entities that have at least one Superior above them, such as Leaf and Intermediate Entities. - Its value MUST contain the Entity Identifiers of - its Immediate Superiors and - MUST NOT be the empty array - []. + Its value MUST contain the Entity Identifiers of its Immediate Superiors and + MUST NOT be the empty array []. This claim MUST NOT be present in Entity Configurations - of Trust Anchors with no Superiors. + of Trust Anchors with no Superiors. As described in , this claim is REQUIRED + in Explicit Registration Responses and its value MUST be a single-element array. - + OPTIONAL. An array of JSON objects, each representing a Trust Mark. @@ -642,7 +650,7 @@ The value of this claim MUST be the same as the value of the trust_mark_type claim contained in the Trust Mark JWT that is the value of the - trust_mark claim in this object. + trust_mark claim in this object. REQUIRED. A signed JSON Web Token that represents a Trust Mark. 
@@ -659,8 +667,8 @@ for an Entity that is not a Trust Anchor. It is a JSON object with member names that are Trust Mark type identifiers and each corresponding value being an array of Entity Identifiers - that are trusted to represent the accreditation authority - for Trust Marks with that identifier. + that are trusted to represent the accreditation authority + for Trust Marks with that identifier. If the array following a Trust Mark type identifier is empty, anyone MAY issue Trust Marks with that identifier. Trust Marks are described in . @@ -748,6 +756,17 @@ +
+ + + + OPTIONAL. Its value MUST be the Entity Identifier of the Trust Anchor + that the OP selected to process the Explicit Registration request. + This claim is specific to Explicit Registration responses and is not a + general Entity Statement claim. + + +
@@ -917,6 +936,19 @@ to validate that this is the fetch endpoint from which the Entity Statement was issued. + + If the trust_anchor Claim is present, + validate that its value is a URL + using the https scheme. + Implementations SHOULD validate that the Entity Identifier matches + one of the Trust Anchors configured for the deployment. + Furthermore, implementations SHOULD validate that the + Entity Configuration for the Entity Identifier contains + information compatible with the configured Trust Anchor information + - especially the keys. + This Claim MUST NOT be present in Entity Statements that are not + Explicit Registration responses. + @@ -6880,8 +6912,8 @@ HTTP/1.1 302 Found REQUIRED. Its value MUST be the Entity Identifier of the OP. - This claim is used in Explicit Registration requests but it is not - a general Entity Statement claim. + This claim is used in Explicit Registration requests but it is not + a general Entity Statement claim. @@ -7179,18 +7211,13 @@ HTTP/1.1 302 Found in a Trust Chain that the RP successfully resolved for the OP when it prepared the Explicit Registration request. - - The RP MUST verify that the aud (audience) - claim value is its Entity Identifier. - - The RP MUST verify that the - trust_anchor Entity Identifier matches one - of the Trust Anchors configured for the deployment. - Furthermore, implementations SHOULD validate - that the Entity Configuration for the Entity Identifier contains - information compatible with the configured Trust Anchor information - - especially the keys. + The RP MUST verify that the aud (audience) + claim value is its Entity Identifier. + + + The RP MUST verify that the trust_anchor + represents one of its own Trust Anchors. The RP MUST verify that at least one of the From 63ff7c6e1db64288186ad602f8c7da6fb3802d6a Mon Sep 17 00:00:00 2001 
From: Eduardo Perottoni Date: Fri, 28 Nov 2025 18:20:18 -0300 Subject: [PATCH 03/14] Update openid-federation-1_0.xml Co-authored-by: Michael B. Jones --- openid-federation-1_0.xml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/openid-federation-1_0.xml b/openid-federation-1_0.xml index f7f908b..9d072be 100644 --- a/openid-federation-1_0.xml +++ b/openid-federation-1_0.xml @@ -7046,8 +7046,8 @@ HTTP/1.1 302 Found REQUIRED. Its value MUST be the Entity Identifier of the OP. - This claim is used in Explicit Registration requests and it is not - a general Entity Statement claim. + This Claim is used in Explicit Registration requests; it is not + a general Entity Statement Claim. From 29471fff0ede3475258960be540592c322fdf5af Mon Sep 17 00:00:00 2001 From: Eduardo Perottoni Date: Fri, 28 Nov 2025 18:20:54 -0300 Subject: [PATCH 04/14] Update openid-federation-1_0.xml Co-authored-by: Michael B. Jones --- openid-federation-1_0.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/openid-federation-1_0.xml b/openid-federation-1_0.xml index 9d072be..4f72c05 100644 --- a/openid-federation-1_0.xml +++ b/openid-federation-1_0.xml @@ -7380,7 +7380,7 @@ HTTP/1.1 302 Found The RP MUST verify that the aud (audience) - claim value is its Entity Identifier. + Claim value is its Entity Identifier. The RP MUST verify that the From 4cf0c4999573a45933889238c179120a78166ee3 Mon Sep 17 00:00:00 2001 From: Eduardo Perottoni Date: Fri, 28 Nov 2025 18:22:22 -0300 Subject: [PATCH 05/14] Update openid-federation-1_0.xml Co-authored-by: Michael B. Jones --- openid-federation-1_0.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/openid-federation-1_0.xml b/openid-federation-1_0.xml index 4f72c05..85f3639 100644 --- a/openid-federation-1_0.xml +++ b/openid-federation-1_0.xml 
@@ -7350,7 +7350,7 @@ HTTP/1.1 302 Found explicit-registration-response+jwt (and not entity-statement+jwt) to prevent confusion between the Explicit Registration response - and Entity Statements. + and other kinds of Entity Statements.
From c6580e140f72a12876fc1348b6dbbbe36777d56d Mon Sep 17 00:00:00 2001 From: Eduardo Perottoni Date: Fri, 28 Nov 2025 18:22:48 -0300 Subject: [PATCH 06/14] Update openid-federation-1_0.xml Co-authored-by: Michael B. Jones --- openid-federation-1_0.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/openid-federation-1_0.xml b/openid-federation-1_0.xml index 85f3639..f6353b8 100644 --- a/openid-federation-1_0.xml +++ b/openid-federation-1_0.xml @@ -4943,7 +4943,7 @@ trust_mark=eyJ0eXAiOiJ0cnVzdC1tYXJrK2p3dCIsImFsZyI6 ...
- Additional Trust Mark Status claims MAY be defined and used + Additional Trust Mark Status JWT Claims MAY be defined and used in addition to those listed above. From 7187183a58178398445c479da2833228b8219d64 Mon Sep 17 00:00:00 2001 From: Eduardo Perottoni Date: Fri, 28 Nov 2025 18:24:49 -0300 Subject: [PATCH 07/14] Update openid-federation-1_0.xml Co-authored-by: Michael B. Jones --- openid-federation-1_0.xml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/openid-federation-1_0.xml b/openid-federation-1_0.xml index f6353b8..2625f45 100644 --- a/openid-federation-1_0.xml +++ b/openid-federation-1_0.xml @@ -663,8 +663,8 @@ REQUIRED. Identifier for the type of the Trust Mark. The value of this Claim MUST be the same as the value of the trust_mark_type - claim contained in the Trust Mark JWT that is the value of the - trust_mark claim in this object. + Claim contained in the Trust Mark JWT that is the value of the + trust_mark Claim in this object.
REQUIRED. A signed JSON Web Token that represents a Trust Mark. From b4d0271619a6464f3cda2091b2805846907e7be1 Mon Sep 17 00:00:00 2001 From: Eduardo Perottoni Date: Fri, 28 Nov 2025 18:29:17 -0300 Subject: [PATCH 08/14] Update openid-federation-1_0.xml Co-authored-by: Michael B. Jones --- openid-federation-1_0.xml | 4 ---- 1 file changed, 4 deletions(-) diff --git a/openid-federation-1_0.xml b/openid-federation-1_0.xml index 2625f45..0135235 100644 --- a/openid-federation-1_0.xml +++ b/openid-federation-1_0.xml @@ -476,10 +476,6 @@ called an Entity Configuration. Superior Entities in a federation publish Entity Statements about their Immediate Subordinate Entities called Subordinate Statements. - When a client is doing Explicit Registration on the OP, - the Explicit Registration Response returned from the OP, - as explained in , is also an Entity Statement, - composed of specific claims or common claims with specific semantics on their values. Entity Statement JWTs MUST be explicitly typed, by setting the From ef06b7848be5e9b456a51c40557d7247a771e278 Mon Sep 17 00:00:00 2001 From: Eduardo Perottoni Date: Fri, 28 Nov 2025 18:29:37 -0300 Subject: [PATCH 09/14] Update openid-federation-1_0.xml Co-authored-by: Michael B. Jones --- openid-federation-1_0.xml | 3 --- 1 file changed, 3 deletions(-) diff --git a/openid-federation-1_0.xml b/openid-federation-1_0.xml index 0135235..047e466 100644 --- a/openid-federation-1_0.xml +++ b/openid-federation-1_0.xml @@ -600,9 +600,6 @@ metadata MUST be applied before the metadata_policy, as described in . - - This claim is REQUIRED for Explicit Registration Responses, as described in , - in which case it MUST contain the registered RP metadata. From 9bf9094d0f53eb0468019c52f8e3cca66f02a9da Mon Sep 17 00:00:00 2001 
From: Eduardo Perottoni Date: Fri, 28 Nov 2025 18:30:06 -0300 Subject: [PATCH 10/14] Update openid-federation-1_0.xml Co-authored-by: Michael B. Jones --- openid-federation-1_0.xml | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/openid-federation-1_0.xml b/openid-federation-1_0.xml index 047e466..26b476b 100644 --- a/openid-federation-1_0.xml +++ b/openid-federation-1_0.xml @@ -634,8 +634,7 @@ MUST NOT be the empty array []. This Claim MUST NOT be present in Entity Configurations - of Trust Anchors with no Superiors. As described in , this claim is REQUIRED - in Explicit Registration Responses and its value MUST be a single-element array. + of Trust Anchors with no Superiors. From 11e9520abc89909eae883ebe8131ca111b990962 Mon Sep 17 00:00:00 2001 From: Eduardo Perottoni Date: Fri, 28 Nov 2025 18:47:29 -0300 Subject: [PATCH 11/14] Fixes ec-specific claims section title --- openid-federation-1_0.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/openid-federation-1_0.xml b/openid-federation-1_0.xml index 26b476b..147f7bc 100644 --- a/openid-federation-1_0.xml +++ b/openid-federation-1_0.xml @@ -618,7 +618,7 @@
+ title="Claims that MUST or MAY appear in Entity Configurations but not in Subordinate Statements"> From ecbdd51b1c83604b6b9c91381803f78e4b19aa53 Mon Sep 17 00:00:00 2001 From: Eduardo Perottoni Date: Fri, 28 Nov 2025 23:45:07 -0300 Subject: [PATCH 12/14] Update openid-federation-1_0.xml Co-authored-by: Michael B. Jones --- openid-federation-1_0.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/openid-federation-1_0.xml b/openid-federation-1_0.xml index 147f7bc..473831e 100644 --- a/openid-federation-1_0.xml +++ b/openid-federation-1_0.xml @@ -7372,7 +7372,7 @@ HTTP/1.1 302 Found The RP MUST verify that the aud (audience) - Claim value is its Entity Identifier. + Claim Value is its Entity Identifier. The RP MUST verify that the From 3d363c31d7399092bb4831b34ab14500877a41e0 Mon Sep 17 00:00:00 2001 From: Eduardo Perottoni Date: Fri, 28 Nov 2025 23:48:14 -0300 Subject: [PATCH 13/14] Update openid-federation-1_0.xml Co-authored-by: Michael B. Jones --- openid-federation-1_0.xml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/openid-federation-1_0.xml b/openid-federation-1_0.xml index 473831e..265837a 100644 --- a/openid-federation-1_0.xml +++ b/openid-federation-1_0.xml @@ -550,7 +550,8 @@ to sign Subordinate Statements about their Immediate Subordinates, and for other signatures made by Federation Entities, such as Trust Mark signatures. - This claim is only OPTIONAL for the Explicit Registration Response, as stated in ; + However, this claim is OPTIONAL for the Entity Statement returned + as an Explicit Registration Response, as defined in ; in all other cases, it is REQUIRED. Every JWK in the JWK Set MUST have a unique kid (Key ID) value. It is RECOMMENDED that the Key ID be the JWK Thumbprint From e1014f9110dc52dc8a7c7340e385a3f6f739d8c3 Mon Sep 17 00:00:00 2001 
From: "Michael B. Jones" Date: Sat, 29 Nov 2025 14:19:48 -0800 Subject: [PATCH 14/14] Remove whitespace at end of line. --- openid-federation-1_0.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/openid-federation-1_0.xml b/openid-federation-1_0.xml index 265837a..c884075 100644 --- a/openid-federation-1_0.xml +++ b/openid-federation-1_0.xml @@ -7374,7 +7374,7 @@ HTTP/1.1 302 Found The RP MUST verify that the aud (audience) Claim Value is its Entity Identifier. - + The RP MUST verify that the trust_anchor represents one
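Review bot: In PATCH 01, hunk @@ -549, removing the sentence that makes jwks OPTIONAL for the Entity Statement returned on Explicit Registration leaves jwks REQUIRED for every Entity Statement, while the same patch still treats the Explicit Registration response as an Entity Statement carrying trust_anchor (hunk @@ -7213); an intermediate revision therefore makes a response without jwks non-conformant. PATCH 02 (hunk @@ -549) and PATCH 13 (hunk @@ -550) re-add the exception in different wording, so the series churns on one sentence; consider squashing 01, 02 and 13 so no revision in the history lacks the exception.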
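Review bot: In PATCH 01, hunk @@ -7213, the text moved into the RP verification step drops two requirements that the deleted validation step at @@ -932 carried: "validate that its value is a URL using the https scheme" and "This Claim MUST NOT be present in Entity Statements that are not Explicit Registration responses". Only the Trust Anchor match and the SHOULD-level key comparison survive the move, so a validator built from this revision has no rule rejecting a non-https trust_anchor value or a trust_anchor Claim on an ordinary Subordinate Statement. PATCH 02 (hunk @@ -917) restores both in the general validation section and PATCH 02 (hunk @@ -7179) reverts this hunk, which is the right end state; if 01 is kept as a separate commit, keep the two rules in it as well.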
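Review bot: In PATCH 01, hunk @@ -617, the added authority_hints wording "of the Entity which is subject of the Entity Configuration" should read "of the Entity that is the subject of the Entity Configuration".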
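Review bot: In PATCH 02, hunk @@ -473, the added paragraph states that the Explicit Registration Response "is also an Entity Statement", but the paragraph immediately after requires Entity Statement JWTs to set typ to entity-statement+jwt and says Entity Statements "with a different typ value MUST be rejected", while hunk @@ -7179 in the same file sets the response typ to explicit-registration-response+jwt; read literally, a conforming validator would reject every Explicit Registration Response. PATCH 08 removes the paragraph, but PATCH 05 ("other kinds of Entity Statements") and PATCH 13 ("the Entity Statement returned as an Explicit Registration Response") still classify the response as an Entity Statement. Suggest adding one sentence to the typ paragraph stating that the Explicit Registration Response is the exception and is typed explicit-registration-response+jwt as defined in its own section, so the MUST-reject rule and the response section agree.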
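Review bot: In PATCH 02, hunks @@ -562, @@ -642, @@ -659 and @@ -6880 remove and re-add lines with identical text (for example "trust_mark claim in this object." and "that are trusted to represent the accreditation authority"), which are indentation-only changes that inflate the 58/31 line count and hide the substantive edits in @@ -549, @@ -597, @@ -625 and @@ -748; PATCH 14 then adds a further whitespace-only commit. Suggest dropping the indentation churn from 02 or collecting all whitespace fixes into the single whitespace commit.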
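Review bot: In PATCH 12, hunk @@ -7372, "Claim Value" capitalizes "Value", whereas the other hunks in this series that were already normalized to the capitalized term write "Claim" with a lowercase "value" (PATCH 07, hunk @@ -663: "The value of this Claim MUST be the same as the value of the trust_mark_type Claim", and PATCH 04, hunk @@ -7380: "Claim value is its Entity Identifier"). Pick one form; if "Claim Value" is intended as a defined term, the PATCH 07 occurrences should change to match.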