§04 Lesson · Core Mechanics

Trust Chains

How linked, signed statements form an unbreakable chain

08 min read · Last reviewed 2026-06-05 · Core Mechanics

Build a Trust Chain — Step by Step

A Trust Chain is an ordered sequence of Entity Statements, starting with the subject's Entity Configuration and ending at a Trust Anchor's Entity Configuration (§4.1). Each intermediate link is a Subordinate Statement that cryptographically vouches for the entity below it.

Step 1 of 6

Step 1 — Leaf Entity Configuration

The leaf entity publishes its self-signed Entity Configuration at .well-known/openid-federation.

[0] Leaf Entity Config
iss: login.uni.edu
sub: login.uni.edu
signed with: K_leaf

Self-signed: iss == sub. Contains authority_hints: ["uni.edu"]

How Verification Works

Verification proceeds top-down — start from the Trust Anchor whose key you already trust, and work your way down to the leaf (§10.2).

Step 1 of 5

1. Start at Trust Anchor

Pre-configured K_ta is already trusted. Verify link [3] (TA Entity Config) is self-signed with K_ta.
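
The top-down walk described above, carried through every link, as an added example (not code from this lesson or from any OpenID Federation implementation). It goes beyond the first step shown here by applying the same rule to each lower link: the signature must verify with the key conveyed by the link above, and iss must equal that link's sub. Assumptions: a four-link chain ending at link [3], a constructed Trust Anchor name "ta.example", Ed25519-signed structs in place of signed JWTs, hypothetical names Statement, Issue, VerifyChain and SampleChain, and no expiry or metadata policy checks.

```go
package main

import "crypto/ed25519"
import "fmt"

// Statement is a simplified Entity Statement; real ones are signed JWTs.
type Statement struct {
	Iss, Sub string
	SubKey   ed25519.PublicKey // Sub's public key, standing in for the jwks claim
	Sig      []byte
}

func (s Statement) body() []byte { return []byte(s.Iss + "\n" + s.Sub + "\n" + string(s.SubKey)) }

func Issue(iss, sub string, subKey ed25519.PublicKey, issuerKey ed25519.PrivateKey) Statement {
	s := Statement{Iss: iss, Sub: sub, SubKey: subKey}
	return Statement{iss, sub, subKey, ed25519.Sign(issuerKey, s.body())}
}

// VerifyChain walks from the Trust Anchor config (last link) down to the leaf config (chain[0]).
func VerifyChain(chain []Statement, taKey ed25519.PublicKey) error {
	if len(chain) < 2 || chain[0].Iss != chain[0].Sub {
		return fmt.Errorf("need a self-issued leaf configuration and at least one superior")
	}
	key, wantIss := taKey, chain[len(chain)-1].Sub // only the Trust Anchor key is trusted up front
	for i := len(chain) - 1; i >= 0; i-- {
		if chain[i].Iss != wantIss {
			return fmt.Errorf("link [%d]: iss %q, expected %q", i, chain[i].Iss, wantIss)
		}
		if len(key) != ed25519.PublicKeySize || !ed25519.Verify(key, chain[i].body(), chain[i].Sig) {
			return fmt.Errorf("link [%d]: not signed by the key vouched for above", i)
		}
		key, wantIss = chain[i].SubKey, chain[i].Sub // trust moves one level down
	}
	return nil
}

func SampleChain() ([]Statement, ed25519.PublicKey) { // constructed sample; "ta.example" is assumed
	taPub, taPriv, _ := ed25519.GenerateKey(nil)
	uniPub, uniPriv, _ := ed25519.GenerateKey(nil)
	leafPub, leafPriv, _ := ed25519.GenerateKey(nil)
	return []Statement{
		Issue("login.uni.edu", "login.uni.edu", leafPub, leafPriv), // [0] leaf Entity Configuration
		Issue("uni.edu", "login.uni.edu", leafPub, uniPriv),        // [1] Subordinate Statement
		Issue("ta.example", "uni.edu", uniPub, taPriv),             // [2] Subordinate Statement
		Issue("ta.example", "ta.example", taPub, taPriv),           // [3] Trust Anchor Entity Configuration
	}, taPub
}

func main() { fmt.Println("verify:", VerifyChain(SampleChain())) }
```

Swapping link [0] for a leaf configuration signed by a key that link [1] never vouched for makes the walk fail at the last step, even though every link above it still verifies.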