Trust Chain
Full Title or Meme
An ordered sequence of Trust Links from the leaf to the root.
Context
Report from Roland Hedberg about the OIDF Trust Registry.
When a trust chain is collected a well defined pattern is used.
1. collect leaf Entity Configuration 2. for each entity\_id in authority\_hints collect the superiors Entity Configuration 3. Fetch the Entity Statement from the superior about the subordinate 4. Repeat from 2
This will result in collecting something like this
- Leaf Entity Configuration
- Intermediate \(A\) Entity Configuration
- Intermediate \(A\) Entity Statement about Leaf
- Intermediate \(B\) Entity Configuration
- Intermediate \(B\) Entity Statement about Intermediate \(B\)
- Trust Anchor’s Entity Configuration
- Trust Anchor’s Entity Statement about Intermediate \(B\)
Alternative Entity Configurations and Entity Statements.
The trust chain if defined to contain the element 1, 3, 5 and 7
Given that the entity that collects the trust chain has the key of the Trust Anchor the trust chain can be verified and the metadata can be constructed.
Now, it is assumed that the Trust Anchor rotates its signing keys. The new keys can be distributed to the federation entities in some out-of-bands way or possibly by adding the Trust Anchor’s Entity Configuration to the trust chain.
Adding the Trust Anchor’s Entity Configuration should be optional and if done should be added as the last element in the trust chain.
